Undermining the Linux Kernel: Malicious Code Injection via /dev/mem
Anthony Lineberry
Black Hat Europe 2009
Overview
• What is a rootkit?
• Why is protection difficult?
• Current protection mechanisms/bypasses
• Injection via /dev/mem
• Fun things to do once you’re in
• Proposed solutions
Part I
Rootkit?
What is a rootkit?
• Way to maintain access (regain “root” after successful exploitation)
• Hide files, processes, etc.
• Control activity
  – File I/O
  – Network
• Keystroke logger
Types of rootkits
• User-Land (Ring 3)
  – Trojaned binaries (oldest trick in the book)
    • Binary patching
    • Source code modification
  – Process injection/thread injection
    • PTRACE_ATTACH, signal injection
  – Does not affect stability of the system
Types of rootkits
• Kernel-Land (Ring 0)
  – Kernel modules/drivers
  – Hot patching memory directly! (we’ll get to that ;)
Part II
Why are rootkits hard to defend against?
Why so hard?
• Can control most everything in the system
  – System calls can’t be trusted
  – Network traffic
  – Can possibly detect if you are trying to detect it
Why so hard?
• Most modern rootkits live in the kernel
• Kernel is God
  – Impractical to check EVERYTHING inside the kernel
    • Speed hits
  – Built-in security can be circumvented by more kernel code (if an attacker can get code in, game over)
Part III
Current Rootkit Defense
Current Defense
• Checking tables in the kernel (sys_call_table, IDT, etc.)
  – Compares tables against known good
  – Can be bypassed by creating a duplicate table to use rather than modifying the main table
  – Typical security cat and mouse game
Current Defense
• Hashes/Code Signing
  – In kernel
    • Hash critical sections of code
    • Require signed kernel modules
  – In userland
    • Hashes of system binaries
      – Tripwire, etc.
    • Signed binaries
    • File system integrity
Current Defense
• Non-Modularity
  – Main suggested end-all way to stop kernel space rootkits (obviously this is a fail)
  – /dev/kmem was previously used in a similar fashion, but read/write access has since been closed off in the mainline kernel
Part IV
Code Injection via /dev/mem
What is /dev/mem?
• /dev/mem
  – Driver interface to physically addressable memory
  – lseek() to an offset in the “file” = offset in physical memory
    • E.g.: offset 0x100000 = physical address 0x100000
  – Reads/writes like a regular character device
• Who needs this?
  – X Server (video memory & control registers)
  – DOSEmu
Hijacking the kernel
Kernel addressing is virtual. How do we translate to physical addresses?
Address Translation
• Find a Page Table Directory (stored in the cr3 register)
  – Pros:
    • Guaranteed to be able to locate any physical page
    • Mitigates page allocation randomization situations
    • Allows us to find physical pages of process user space
Address Translation
• Find a Page Table Directory (stored in the cr3 register)
  – Cons:
    • Finding one is easier said than done
    • A heuristic could be developed for locating the PTD in the task struct, but there are easier ways.
Address Translation
• Higher half GDT loading concept applies
• Bootloader trick to use virtual addresses along with the GDT in unprotected mode to resolve physical addresses.
  – Kernel usually loaded at 0x100000 (1MB) in physical memory
  – Mapped to 0xC0100000 (3GB+1MB) virtually
Address Translation
    0xC0100000   Kernel Virtual Address
  + 0x40000000   GDT Base Address
  = 0x00100000   Physical Address (the sum wraps around at 32 bits)
Address Translation
• Obviously over-thinking that…
• No need to wrap around the 32-bit address, just subtract.
  – 0xC0100000 - 0xC0000000 = 0x100000
• If page allocation randomization existed, this trick would not be possible
Hijacking the kernel

    #include <unistd.h>
    #include <sys/types.h>

    #define KERN_START 0xC0000000   /* PAGE_OFFSET on 32-bit x86: start of the kernel's virtual mapping */

    int memfd = -1;                 /* descriptor for /dev/mem, opened by the caller */

    /* Read len bytes at kernel virtual address addr by translating it to an offset in /dev/mem. */
    int read_virt(unsigned long addr, void *buf, unsigned int len)
    {
        if (addr < KERN_START)
            return -1;              /* not a kernel virtual address */
        /* addr is now a physical address */
        addr -= KERN_START;
        if (lseek(memfd, addr, SEEK_SET) == (off_t)-1)
            return -1;
        return read(memfd, buf, len);
    }
Useful structures
• Determine the offset to important structures
  – IDT
  – sys_call_table
  – kmalloc()
• Where are they?
IDT
• Interrupt Descriptor Table (IDT)
  – Table of interrupt handlers/call gates
  – Handler entry 0x80 = syscall interrupt
• What can we do with it?
  – Replace interrupt handlers
    • Hardware: network cards, disks, etc.
    • Software: system calls
IDTR
• IDTR holds a structure with the address of the IDT
  – Get/set IDTR with the SIDT/LIDT assembly instructions
  – Unlike the LIDT instruction, SIDT is not protected and can be executed from user space to get the IDT address.
  – Won’t work in most VMs
    • Hypervisors return a bogus IDT address
IDTR
IDTR structure (6 bytes, in the order SIDT stores it): Limit (2 bytes), then Base Address (4 bytes)

    struct __attribute__((packed)) { uint16_t limit; uint32_t base; } idtr;
    __asm__("sidt %0" : "=m"(idtr));
IDT Entry
IDT entry (8 bytes), as laid out in memory:
  bits 0-15:   low 16 bits of handler address
  bits 16-31:  code segment selector
  bits 32-47:  flags
  bits 48-63:  high 16 bits of handler address
IDT
Walking the IDT from idtr.base (figure from the slides, rebuilt as text):
  idtr.base                → IDT (first entry)
  idtr.base + (0x80 * 8)   → entry for the syscall interrupt
                           → handler address = system_call()
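As an added example (not code from the talk), the IDTR and gate layouts above parsed out of a constructed physical-memory snapshot, the way an integrity checker or memory-forensics tool verifies where the 0x80 gate really points. It assumes the snapshot starts at physical address 0 and uses the placeholder handler address 0xC0103456.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KERN_START     0xC0000000UL   /* PAGE_OFFSET on 32-bit x86, as in the slides */
#define SYSCALL_VECTOR 0x80
#define NOT_KERNEL     ((unsigned long)-1)

/* IDTR as SIDT writes it to memory: 16-bit limit first, then 32-bit base. */
struct __attribute__((packed)) idtr32 { uint16_t limit; uint32_t base; };

/* One 8-byte 32-bit gate descriptor, in memory order. */
struct __attribute__((packed)) idt_gate32 {
    uint16_t offset_low;   /* handler address bits 0-15  */
    uint16_t selector;     /* code segment selector       */
    uint8_t  zero;
    uint8_t  type_attr;    /* present bit, DPL, gate type */
    uint16_t offset_high;  /* handler address bits 16-31 */
};

/* Kernel virtual address -> /dev/mem (physical) offset, by the subtraction the
 * slides use. Returns NOT_KERNEL for addresses below PAGE_OFFSET. */
unsigned long kvirt_to_phys(unsigned long vaddr)
{
    return vaddr >= KERN_START ? vaddr - KERN_START : NOT_KERNEL;
}

/* Read the gate for 'vector' from 'img', a snapshot of physical memory that
 * starts at physical address 0 (an assumption of this example), and return the
 * handler's virtual address; 0 if the entry is out of range or not present. */
uint32_t idt_handler_address(const uint8_t *img, size_t img_len,
                             const struct idtr32 *idtr, unsigned vector)
{
    size_t entry = (size_t)vector * sizeof(struct idt_gate32);
    unsigned long base = kvirt_to_phys(idtr->base);
    struct idt_gate32 g;

    if (base == NOT_KERNEL)
        return 0;
    if (entry + sizeof g - 1 > idtr->limit)   /* limit = last valid byte offset */
        return 0;
    if (base + entry + sizeof g > img_len)    /* entry lies outside the snapshot */
        return 0;
    memcpy(&g, img + base + entry, sizeof g);
    if (!(g.type_attr & 0x80))                /* present bit clear: no handler */
        return 0;
    return ((uint32_t)g.offset_high << 16) | g.offset_low;
}

/* Constructed sample: a 4 KiB snapshot holding a 256-entry IDT at physical 0
 * (virtual 0xC0000000) whose 0x80 gate points at the placeholder address
 * 0xC0103456. Returns where vector 0x80 dispatches. */
uint32_t demo_syscall_gate(void)
{
    static uint8_t img[4096];
    struct idtr32 idtr = { .limit = 256 * 8 - 1, .base = 0xC0000000u };
    struct idt_gate32 g = {
        .offset_low = 0x3456, .selector = 0x60 /* __KERNEL_CS */,
        .type_attr = 0xEF,    /* present, DPL 3, 32-bit trap gate */
        .offset_high = 0xC010,
    };
    memset(img, 0, sizeof img);
    memcpy(img + SYSCALL_VECTOR * sizeof g, &g, sizeof g);
    return idt_handler_address(img, sizeof img, &idtr, SYSCALL_VECTOR);
}

int main(void)
{
    /* An integrity check compares this with system_call's address in System.map. */
    printf("vector 0x80 handler: 0x%08x\n", demo_syscall_gate());
    return 0;
}
```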
System Calls
• system_call()
  – Main entry point for system calls
• sys_call_table
  – Array of function pointers
  – sys_read(), sys_write(), etc.
System Calls
• Syscall number stored in the EAX register

    call *0x????????(,%eax,4)

  – 0x???????? is the address of sys_call_table
  – Opcode for the instruction: FF 14 85 ?? ?? ?? ??
  – Read memory at system_call(), search for the byte sequence "\xFF\x14\x85". The 4 bytes that follow are the address of sys_call_table!
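The FF 14 85 heuristic above, as an added example that is not part of the talk, used from the defensive side: locate sys_call_table in a constructed copy of system_call() and then diff the table against a known-good copy, which is the "compare tables against known good" defense from Part III. The code bytes, the table addresses and the hooked entry are all constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Locate sys_call_table in a copy of system_call()'s code with the talk's
 * heuristic: the first "FF 14 85 <disp32>" is call *sys_call_table(,%eax,4).
 * Returns the table's virtual address, or 0 if the pattern is not found. */
uint32_t find_sys_call_table(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 7 <= len; i++) {
        if (code[i] == 0xFF && code[i + 1] == 0x14 && code[i + 2] == 0x85)
            return (uint32_t)code[i + 3]            /* disp32, little-endian */
                 | (uint32_t)code[i + 4] << 8
                 | (uint32_t)code[i + 5] << 16
                 | (uint32_t)code[i + 6] << 24;
    }
    return 0;
}

/* Compare n entries of the live table with a known-good copy (saved at boot or
 * built from System.map). Stores mismatching syscall numbers in 'hooked'. */
size_t diff_syscall_tables(const uint32_t *live, const uint32_t *good, size_t n,
                           unsigned *hooked, size_t max_hooked)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (live[i] == good[i])
            continue;
        if (count < max_hooked)
            hooked[count] = (unsigned)i;
        count++;
    }
    return count;
}

/* Constructed sample: a fragment of system_call() with the usual range check
 * followed by the table dispatch through 0xC02FD000 (placeholder address). */
static const uint8_t sample_system_call[] = {
    0x3D, 0x3C, 0x01, 0x00, 0x00,              /* cmp  $0x13c, %eax          */
    0x73, 0x07,                                /* jae  <bad syscall number>  */
    0xFF, 0x14, 0x85, 0x00, 0xD0, 0x2F, 0xC0,  /* call *0xC02FD000(,%eax,4)  */
};

/* Constructed tables: 8 entries; entry 4 (__NR_write on 32-bit x86) has been
 * redirected from kernel text to an allocated buffer, as the talk describes. */
static const uint32_t known_good[8] = { 0xC0101000, 0xC0101100, 0xC0101200,
    0xC0101300, 0xC0101400, 0xC0101500, 0xC0101600, 0xC0101700 };
static const uint32_t live_table[8] = { 0xC0101000, 0xC0101100, 0xC0101200,
    0xC0101300, 0xC7A0B000, 0xC0101500, 0xC0101600, 0xC0101700 };

uint32_t demo_table_address(void)
{
    return find_sys_call_table(sample_system_call, sizeof sample_system_call);
}

size_t demo_hooked_count(void)
{
    unsigned hooked[8];
    return diff_syscall_tables(live_table, known_good, 8, hooked, 8);
}

unsigned demo_first_hooked(void)
{
    unsigned hooked[8] = { 0 };
    diff_syscall_tables(live_table, known_good, 8, hooked, 8);
    return hooked[0];
}

int main(void)
{
    printf("sys_call_table at 0x%08x: %zu hooked entries, first is __NR %u\n",
           demo_table_address(), demo_hooked_count(), demo_first_hooked());
    return 0;
}
```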
Hijacking the kernel
• Now we can:
  – Find the IDT
  – Find the system_call() handler function
  – Use a simple heuristic to find the address of sys_call_table
• What now?
  – Overwrite system calls with our own code!
Hijacking the kernel
• Where do we put our code?
  – Kernel memory pool
    • Traverse malloc headers looking for free blocks
    • Not an atomic operation, can’t guarantee we’ll beat the kernel
  – Certain “guard pages” in the kernel
  – Allocate space in the kernel
    • We can locate __kmalloc() inside the kernel and call that
Hijacking the kernel
• Finding __kmalloc()
  – Use heuristics: look for the call pattern

        push GFP_KERNEL
        push SIZE
        call __kmalloc

  – Find the kernel symbol table
    • Search for "\0__kmalloc\0" in memory
    • Find a reference to the address of the above sequence, then subtract 4 bytes from that location
Hijacking the kernel
• How can we allocate kernel memory from userspace?
  – Locate the address of __kmalloc() in kernel space
  – Overwrite a system call with code to call __kmalloc()
  – Call the system call
  – Someone else could potentially call the same system call and cause system instability
Function Clobbering
Figure from the slides (four build-up frames), rebuilt as text:
  sys_call_table[__NR_uname] → sys_uname()
  The first 100 bytes of sys_uname() are copied to a backup buffer, then overwritten with the __kmalloc stub:

        push $0xD0        ; GFP_KERNEL
        push $0x1000      ; 4k
        mov 0xc0123456, %ecx
        call %ecx
        ret
Hijacking the kernel
• Call sys_uname()

    unsigned long kernel_buf;
    __asm__("mov $122, %%eax \n"      /* 122 = __NR_uname on 32-bit x86 */
            "int $0x80 \n"
            "mov %%eax, %0 "
            : "=r"(kernel_buf));

• The address of the buffer allocated in kernel space is returned by the syscall in the EAX register
Part V
Fun things to do inside the kernel
Hijacking the kernel
• Recap:
  – Read/write anywhere in memory with /dev/mem
  – sys_call_table
  – Kernel allocation capabilities
  – Time to have fun!
Hijacking the kernel
• What can we do?
  – Use the kernel buffers we allocated to store raw executable code.
  – Overwrite function pointers in the kernel with the address of our allocated buffers
    • sys_call_table entries, page fault handler code
  – Set up code to use debug registers to “hook” the system call table
Hijacking the kernel
• What can we do with our injected code?
  – Anything most other rootkits can do.
    • Hide files, processes, etc.
    • Control network activity
• Limitations
  – All injected code must usually be handwritten assembly
  – Some structures/functions can be difficult to locate in memory
Part V
Solutions/Mitigation
Solutions
• Why does a legitimate user process need access to read anything from above 16k in physical memory?
  – SELinux has created a patch to address this problem (RHEL and Fedora kernels are safe)
  – Modifies the mem driver to disallow lseeks past 16k
Solu:ons
Mainline kernel has addressed this as of 2.6.26!
Sort of…
Solutions
• Added functions in the kernel
  – range_is_allowed()
    • Checks each page in the range of address space being accessed
  – devmem_is_allowed()
    • Called by range_is_allowed()
    • Checks if the address is within the first 256 pages (1MB)
Solutions
• So what’s the problem?
  – range_is_allowed() always returns true if CONFIG_STRICT_DEVMEM is turned off.
  – The kernel’s default configuration disables STRICT_DEVMEM
    • Even though it suggests saying “Y” if you are unsure…
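Added example, not kernel code: a userland model of devmem_is_allowed()/range_is_allowed() as the slides describe them, with CONFIG_STRICT_DEVMEM modeled as a flag, to show what the option blocks and what it leaves open. The real x86 devmem_is_allowed() also permits pages that are not system RAM (device MMIO); that case is left out of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define LOW_PAGES  256      /* first 256 pages = 1 MB, the range the slides name */

/* Model of devmem_is_allowed(pfn): user space may only touch the first 1 MB of
 * physical memory. (The real x86 function also permits pages that are not
 * system RAM, such as device MMIO; that case is left out of this model.) */
bool devmem_is_allowed(unsigned long pfn)
{
    return pfn < LOW_PAGES;
}

/* Model of range_is_allowed(): with CONFIG_STRICT_DEVMEM off it always says
 * yes, which is the weak default the slides complain about; with it on, every
 * page touched by the access [phys, phys + count) must pass devmem_is_allowed(). */
bool range_is_allowed(unsigned long phys, size_t count, bool strict_devmem)
{
    if (!strict_devmem || count == 0)
        return true;
    unsigned long last = (phys + count - 1) >> PAGE_SHIFT;
    for (unsigned long pfn = phys >> PAGE_SHIFT; pfn <= last; pfn++)
        if (!devmem_is_allowed(pfn))
            return false;
    return true;
}

int main(void)
{
    /* Constructed accesses: what read_virt(0xC0100000, ...) from the slides
     * does (physical 0x100000), a legitimate X server access to VGA memory,
     * and a read that straddles the 1 MB boundary. */
    struct { const char *what; unsigned long off; size_t len; } cases[] = {
        { "VGA memory 0xA0000 (X server)",            0xA0000,  0x10000 },
        { "kernel text at physical 0x100000",         0x100000, 4096    },
        { "range 0xFF000-0x101000 (straddles 1 MB)",  0xFF000,  8192    },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-42s strict=off -> %s, strict=on -> %s\n", cases[i].what,
               range_is_allowed(cases[i].off, cases[i].len, false) ? "allowed" : "denied",
               range_is_allowed(cases[i].off, cases[i].len, true)  ? "allowed" : "denied");
    return 0;
}
```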
Questions?