BOFH meets SystemTap: rootkits made trivial
Formal Metadata
Title | BOFH meets SystemTap: rootkits made trivial
Number of Parts | 64
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/45895 (DOI)
Transcript: English (auto-generated)
00:00
Hi, I'm Adrian, and I'm going to talk about SystemTap, and how you can use it to do fun and questionable things. So just a word about me, I'm French, I'm female, and I like low level stuff, you know, the videos, the kernel stuff, and playing with the libc and things like that.
00:25
So I ended up playing a lot with SystemTap for the last two years or so, and so that's why I came to think about how to use it for doing interesting, potentially security-related stuff.
00:42
I'm not a developer myself, I can write code, but I'm not really a developer, and I'm just a SystemTap user. I'm not a BOFH, that's probably because I don't really have any users. I co-founded the free software user group on Facebook.
01:06
If you live in the Arlon area, in Belgium, you probably want to check them out, it's a good place for a typical meeting. Yeah, I'm looking for trouble. Sorry we are full guys, I think we are full.
01:23
Way too much. So the Bastard Operator From Hell, so the BOFH is the Bastard Operator From Hell, it's supposedly a fictional character. Yeah, he just enjoys abusing his users.
01:47
The typical story is the user calling the admin like, I don't have any more space in my home directory, so can you fix that?
02:00
And now there's no home directory for you, in the backup as well, so you don't have to worry about free space anymore. Yeah, that's also the Bastard Operator From Hell with users, you know, just deleting their files. But we'll see some more subtle ways to annoy users, and the Bastard Operator From Hell can use SystemTap.
02:28
SystemTap is, if you look at the website, you have a nice description explaining how SystemTap is a useful debugging and tracing tool that will help you to figure out both functional and performance issues.
02:49
But really I like to think of it as a system-wide code injection framework. So yeah, if you start to think like that, that makes it really interesting.
03:03
But yeah, basically you can just say, anywhere in the system, I want this thing, I want to see what's happening just there. Or you can also say, I want to actually change all these parts of the code here at any point in the system, be it kernel or application or library or whatever.
03:23
And you don't have to rebuild the whole application or the whole kernel or whatever. So yeah, that's pretty powerful, depending on the details about this. So this presentation specifically is about the BOFH finding a new toy in SystemTap.
03:47
And we see how the BOFH can use SystemTap to do things, to do interesting things. This is in the security track, but this is not actually really breaking any security because the BOFH is root already,
04:05
and we are not crossing any boundary or anything. Everything we are going to do here, you can already do it with root, with root privileges. So you don't really need SystemTap for that.
04:22
But SystemTap makes things much easier, and we'll see some examples of that. So yeah, there are two parts really. I'll start explaining SystemTap and see what it can do. And then we'll see some examples with demos if I can manage to make them work.
04:47
Questions so far? So SystemTap works, what it does really is you write the SystemTap script in a specific language,
05:03
and there's the stap binary that converts that into C. And the C is compiled into a kernel module, and the module is loaded, and stap communicates with the module if it needs to.
05:22
So in practice, you end up with something like this. We run stap with -v, so we can see actually what happens. So yeah, the script is parsed and analyzed, and it's translated into a temporary C file, and written nicely, and it's compiled into a kernel module that's loaded.
05:43
And if your script is actually doing some output, that would go there, and it would just be pretty obvious and straightforward. So SystemTap is all about looking into certain things.
06:03
So we want to probe specific parts of the system. So this is all about executing certain actions when something happens. So that's the place where we want to execute the action. It's called a probe point.
06:21
And so probe points, there are some examples of probe points. So you can get an idea of where you can tap into the system. So for example, you say, whenever there's a read system call starting, we are there to do something, or whenever we are returning from a close system call,
06:43
or you can use wildcards and say, whenever we are entering any function in the floppy module, or you can say, whenever we are returning from any function in the socket.c file in the kernel, or whenever we are hitting line 2917 in the scheduler.
07:08
For more examples, you can also say, every 200 milliseconds, let's do something, or whenever, but it's not restricted to the kernel as well, you can say,
07:21
whenever we are entering any function in ls, or whenever we are entering any function that has malloc in its name in the libc, you can do something. Or you can combine it with the code and say,
07:42
whenever we are entering any function in the kernel, that's committed to the name, or whenever we are returning from any function, that's connected to the node, and that will be a single, that will be aggregated in the script. And if you get into SystemTap, just read the friendly manual,
08:05
and you will have much more details about all the probes that are available. But that should give you an idea of what you can tap into. So, the SystemTap programming language is kind of C, kind of awk,
08:26
because just like you are executing actions, whenever we are hitting something, that's pretty awk style. It has many facilities, but I'm not going to go too much in detail in this presentation about that,
08:42
but you have associative arrays, you have aggregated statistical data, that's pretty useful if you are profiling, we are not talking about that today. And there are many, many other functions, both built in within the language, and available as libraries, that's called tapsets,
09:01
that's really SystemTap scripts that are reusable for programming. But if you want the full details, you need the manual. So, some examples of helper functions, to give you an idea, I think most of these are pretty obvious.
09:21
We have the PID, so we know what process we are in, what thread we are in, what is the name of the current process. probefunc maybe needs some detail. As you have seen, we can use wildcards, and so when we give one probe point, that will really match multiple probe points,
09:41
and we can end up in any of multiple functions. In that case, probefunc will tell you which function we are in. Backtrace is pretty useful when you are doing stuff, so you are, oh, we ended up there. And the BOFH is probably more interested in things like
10:01
kernel_string and user_string too. You give it the pointer, and it will get the string at the address, and convert it into something usable within SystemTap, in a safe way so that you are not likely to dereference some things that you shouldn't. Well, you probably shouldn't. Very principally, you should not try to system it.
10:23
And again, there are many more, but that's just an example to give you an idea. Questions so far? So, some nice examples. Yeah, the examples are coming. I think you need to have some idea what the examples are.
10:42
You need this to understand the examples. Yeah, some more stap options. So you have, by default, if you run a stap script, that will just trace everything on the system. If you say -x, you will trace just the specific PID you want.
11:03
-c, so you can run just the specific process. Something we'll see, upper case L, so that will not run any script. You give it a probe point, and it will tell you what variables are available at that probe point.
11:23
And if you say wildcard, it will expand the wildcard and tell you what you are going to match. So that's what you do when you develop a SystemTap script. Upper case L is nice too, so stap will just load the module and then it will exit, but the module will still be loaded.
11:41
So you won't have any output, but the module will do what you want it to do, and it's more stealthy because you don't have a process hanging around. So yeah, the BOFH is probably interested in doing that. And you have the -g, which lets you,
12:01
by default SystemTap will not allow you to change anything. It will just allow you to trace things and observe things. -g will allow you to change things and to actually inject C code or whatever you like. So of course that's very easy to crash a process and the system
12:21
if you change the behavior of the system at runtime. That's fine. Questions before the example?
12:40
Interesting path. So let's see how we can apply this. So this is an example of, you may know maybe libpurple. It's something that's been developed for Pidgin, and basically it's a library to,
13:04
it's an IM library, so you can talk to your friends on ICQ or IRC or Jabber or whatever through libpurple, and the application doesn't have to care about the typical libpurple and those stuff.
13:24
And every communication basically goes through that. It's a function in libpurple. It's purple_conversation_write, with some arguments. I have no idea how most of these work out in Java, but who and message are probably interesting.
13:43
It's obviously the person sending the message and the actual message. So we can use SystemTap here to actually tap into the library libpurple and instrument the specific function, purple_conversation_write,
14:00
and when we're in this function, we just say, we retrieve the sender of the message, the actual message, and we just print it. Yeah, I didn't have time to get the internet on my laptop, so I cannot really demo this one. I can show you at the end if we have time.
14:23
How do you get the who and message variables? How does it know that those are the second and third variables? Okay, that's because you have the debug symbols for that. Oh, I see, okay. So, yeah, it uses the debug symbols. You don't necessarily need the debug symbols installed on the machine you instrument,
14:40
but you need to have them at some point when you build the SystemTap module. I can give you more details about that if you like, but I'll just show it to you later. So, yeah, I cannot demo this one, because I don't have internet. It works. So, this one, yeah,
15:03
I'm probably going to skip this one, because it's not so interesting, and I don't have time, but this one is more interesting. So, let's say you are the admin, and you don't like your users to play MP3 files, for whatever reason.
15:24
So, there is that function in the kernel called may_open, and that function, you give it a path struct, yeah, and the kernel determines if that user has access or not,
15:48
and so the may_open function returns zero if the user is allowed to access the file or something else otherwise. So, what we can do,
16:00
so, if you look at what SystemTap can see for the may_open function here, we are going to instrument the return of that function, and so you see here the variables that are available. That's using the debugging tools. And you see,
16:22
so, what we can see and change from SystemTap at that point are the return value, obviously, the path, we are probably interested in doing that, the rest are, yeah, well, there are more things you can look into which you are interested in, but, most of them are noisier, for example.
16:41
So, the SystemTap script you are going to write for that is, you are just going to say, we are instrumenting after when that function is going to return, and, well, when that function returns,
17:00
we are going to let root do whatever it likes, so it's easier. Well, we are root after all. So, yeah, if the, if we are not root, and, we are not already disallowing access to the file, because the return value is zero,
17:24
and, if in the path MP3, so, this d_name and isinstr, there are SystemTap provided functions, so d_name will, so, here we are, the path struct, we look into the dentry, and we get the actual name
17:41
of the file, and isinstr there, it's, yeah, like, to look at if MP3 exists in that file name, and if it's the case, well, we replace the return value with minus three to say permission denied, but you can give another error code, if you like,
18:03
if you, like, want to confuse users a little more, you can say, so, I should be able to demo this.
18:56
So, we have the SystemTap script running there,
19:15
and we are a user, and, things,
19:20
we are instrumenting the may_open function, but we can still create files, so, this works, but this won't. Nice. And, you see, we have the rights and stuff, is it possible for the user to rename the file?
19:42
Yes, the user is still able to work around this, of course, because, well, you are just instrumenting may_open, but, so you can still, yeah, use the entry, and, yeah, you can say, oh, it's really an ogg file, or whatever, but, well, it's just a little bit.
20:14
What, which distros have SystemTap by default? By default, you have Fedora,
20:20
and all the Red Hat based distributions. So, are you saying that, by default, there's the toolkit for a rootkit on all those? Yeah, that's just already installed, and, yeah, if you are root, you can do this kind of stuff pretty easily, on all Fedora, on all Red Hat based systems,
20:41
and on the next stable Debian, and, probably others, I don't know. I think, Gentoo, I'm not sure, you want to, you check the state of SystemTap on your distribution. What about debugging symbols?
21:02
What about, sorry? Debugging symbols on a normal, Yes, you need the debug symbols for what you are instrumenting at some point. So, for the kernel, you are going to need the, the debugging code for the kernel, that's usually shipped as another package, I don't, your regular kernel, in most distributions,
21:22
so, yeah, your distribution needs to have prepared for that, or you can rebuild your own kernel, but, people still rebuild their kernel. Another example, unless there are more questions. Is there any performance degradation because of this?
21:43
Well, depending what you are doing, for the example with may_open, you are not going to notice anything. I mean, that's just one function, you are just going to, you have a simple condition, I mean,
22:00
you are dereferencing a pointer, a couple of times, doing a string comparison, and, yeah, checking the UID, and the return, and, I believe you already have it in your registers, this is not going to cost you any time. Now if you do more complex stuff,
22:20
but that's a different strategy. If you don't do any complex stuff in your functions, but you are just trying to plug into a lot of the kernel functions. Yeah, if you are going to plug into a lot of things that are going to be called a lot, you may, you may have problems. There are various safeties, I'm not going to detail here, so, basically,
22:41
SystemTap notices that it's just going to be too costly, or it's taking more time doing that stuff than actually letting the kernel do whatever, it will just stop and say, okay, don't do that. Some kernels come with custom
23:01
modules that restrict this kind of rootkit from running, like, you know, some kind of patch that can be proposed and that is applied automatically on the kernel, and that disallows, or is there no way to? Well, there are ways to not allow that,
23:20
but basically, you are going to, it's actually a feature that's a part of the kernel. It's basically based on kprobes. So you can, when you build a kernel, you can say, I disable kprobes, and you will not be allowed to, well, you will not be able to do that. Well, not as easily. But, I don't see the point of a feature
23:41
restricting another feature if you are already in the kernel. No, I was just thinking of a guy hacking my system, then installing the rootkit, and how to make sure to Why? Should I run all processes encrypted or things like that? It's just Unix.
24:01
Once the guy has root, it's game over. You reinstall the system, that's all. SystemTap just makes things easier, you could already do that 10 years ago with your own shellcode and stuff. It's much harder. Five lines of code,
24:21
you can just, say, do pretty arbitrary things to the system. There are two questions. Is it possible to use SystemTap against C++ programs? Yes. You can do, my examples are for C, but that works as well for C++.
24:43
Note that there are things for Python, and Java, and Perl, and other languages. I'm just saying three minutes left, and I can give a very quick example of the,
25:02
that's not the most interesting one. In three minutes, I'm just going to say, oh, can you hide SystemTap with SystemTap? Last time I did this presentation, I was asked, can you hide SystemTap with SystemTap? Yes, actually you can. A couple of hours later, I came up with a script.
25:22
The list of modules, basically what you want to hide is the module. The list of modules is stored as a list in the kernel, and you just need to move the modules around. When someone is going to look into the list,
25:41
you just move the modules you don't want to show in the list somewhere, and you put them back in whenever appropriate. This is the function. Here we are using it against a stand-up rule, because you are actually writing it in C.
26:03
Here you look at this later, because I don't have time for detail, but basically we are using the kernel API to just mess with the list, and we are going to store the hidden modules in the list,
26:22
in the static list, and in the list function. How you actually use this is that in the module.c file, in the kernel, you have a function called m_start that is called whenever someone
26:40
tries to read /proc/modules, which is where lsmod goes to see the list of modules. Whenever we are going to read that file, we inject the 180.
27:01
What you are doing here, we want to inject just after the mutex, but before we actually do anything with the list, so that's why we do plus two here, and we just put the function we have written before to remove the modules.
27:23
And we do the opposite when the user closes the file. I don't have time for the actual demo, but basically whenever someone will open the file, it will not show
27:40
the modules you are hiding. So you are hiding SystemTap with SystemTap. And if you want to know more about this stuff, yeah, the slides, and all the examples will be online in a couple of minutes at staff.doapage.crunch.de For SystemTap itself, you probably won't, and if you are interested,
28:01
look at the beginner's guide on the SystemTap website. There is a wiki as well. There is a lot of excellent documentation for SystemTap. If you are not interested in SystemTap, you are maybe interested in the Bastard Operator From Hell stories. I might not be looking for a job anymore,
28:23
but maybe still. Thank you.