* RE: SystemTap / kprobes to watch for other probes?
@ 2006-12-21 23:56 Stone, Joshua I
  0 siblings, 0 replies; 3+ messages in thread
From: Stone, Joshua I @ 2006-12-21 23:56 UTC (permalink / raw)
  To: Nathan DeBardeleben, systemtap

On Thursday, December 21, 2006 10:56 AM, Nathan DeBardeleben wrote:
> Something I was wondering about is whether it would be possible to
> write a SystemTap script that watched for other kprobes to be
> inserted and to log them somehow.  I'm a bit concerned about the
> security implications of having kprobes turned on in the kernel and
> the fact that if someone were able to insert a probe they could
> basically hide themselves by hiding their module in the module list
> and doing assorted other nefarious things.  If there was a way to
> write a probe that was always inserted which just logged when a
> another probe was inserted, I thought that might be a neat thing.
> 
> Any thoughts on this?

Seems like you would want a probe on register_kprobe (and the variants:
kretprobe, jprobe, etc.).  Currently most of the kprobes infrastructure
is blocked from being probed itself.  This was done in a rather
heavy-handed way, and there's a bugzilla addressing this:

bz #2003: permit kprobes on more kprobe infrastructure
http://sources.redhat.com/bugzilla/show_bug.cgi?id=2003

Anil notes that the registration/unregistration control flows are
probably safe from recursion, so they're good candidates to have the
probing restriction lifted.


Now, IANASG (security-guru), but if you're on a machine where an
untrusted module is allowed to load into the kernel, haven't you already
lost the security battle?  Using kprobes might make it easier for
rootkits to hide themselves, but couldn't they also hide your logging
output?

Some other thoughts:

* You'd have to make sure that your monitoring kprobes were loaded
before the malicious ones -- what if someone set their module to load on
the next reboot?

* A particularly nasty author might find a way to unregister all
existing probes before inserting their own.

* Perhaps a more secure logger could be statically added to the
registration functions.  While you're changing the kernel, you can make
sure that your logging callpath isn't intercepted by adding the
'__kprobes' decorator.

* You could add the '__kprobes' decorator to functions that you don't
want nefarious modules to probe and circumvent, like module enumeration.


Josh
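
As an added illustration of the first suggestion above (a probe on register_kprobe and its variants), here is a SystemTap script that is not part of the thread: it logs every registration and unregistration, with the process and kernel caller responsible and the target the probe was aimed at. It assumes register_kprobe(), register_kretprobe() and unregister_kprobe() are probeable on the running kernel (the thread notes they were blocked in 2006, see bz #2003) and that the context functions execname(), pid(), caller() and kernel_string2() exist in the installed tapset.

```systemtap
#!/usr/bin/stap
# Added example, not from the thread: log every kprobe/kretprobe
# (un)registration so a later, possibly hidden probe is recorded.
# Assumes register_kprobe()/register_kretprobe()/unregister_kprobe()
# are probeable on this kernel (blocked in 2006, see bz #2003) and that
# execname(), pid(), caller() and kernel_string2() are in your tapset.

global events   # number of (un)registration calls observed

# Describe the target of a struct kprobe *: the symbol+offset if the
# registrant gave one, otherwise the raw address it supplied.
function describe:string(kp:long) {
    sym = kernel_string2(@cast(kp, "kprobe")->symbol_name, "")
    if (sym != "")
        return sprintf("%s+0x%x", sym, @cast(kp, "kprobe")->offset)
    return sprintf("%p", @cast(kp, "kprobe")->addr)
}

probe kernel.function("register_kprobe") {
    events++
    printf("%s[%d] via %s: register_kprobe -> %s\n",
           execname(), pid(), caller(), describe($p))
}

probe kernel.function("register_kretprobe") {
    events++
    # a struct kretprobe embeds its struct kprobe as the member ->kp
    printf("%s[%d] via %s: register_kretprobe -> %s\n",
           execname(), pid(), caller(), describe(&$rp->kp))
}

probe kernel.function("unregister_kprobe") {
    events++
    printf("%s[%d] via %s: unregister_kprobe <- %s\n",
           execname(), pid(), caller(), describe($p))
}

probe begin { printf("watching kprobe registration\n") }
probe end   { printf("%d (un)registration events seen\n", events) }
```

Run it as root with `stap -g` not required; the `via` field names the kernel function that called the registration routine, which for a freshly loaded module is its init function.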


* Re: SystemTap / kprobes to watch for other probes?
  2006-12-21 19:47 Nathan DeBardeleben
@ 2006-12-22 10:36 ` James Dickens
  0 siblings, 0 replies; 3+ messages in thread
From: James Dickens @ 2006-12-22 10:36 UTC (permalink / raw)
  To: Nathan DeBardeleben; +Cc: systemtap

On 12/21/06, Nathan DeBardeleben <ndebard@lanl.gov> wrote:
> Something I was wondering about is whether it would be possible to write
> a SystemTap script that watched for other kprobes to be inserted and to
> log them somehow.  I'm a bit concerned about the security implications
> of having kprobes turned on in the kernel and the fact that if someone
> were able to insert a probe they could basically hide themselves by
> hiding their module in the module list and doing assorted other
> nefarious things.  If there was a way to write a probe that was always
> inserted which just logged when another probe was inserted, I thought
> that might be a neat thing.
>
> Any thoughts on this?
>
Sorry, as with all security issues on Linux and Unix boxes, once the
user has root the game is over. You could monitor all you like, but
the bad guy can remove your monitoring module, or remove the log
files, or pick any other method to break into the system.

James Dickens
uadmin.blogspot.com



* SystemTap / kprobes to watch for other probes?
@ 2006-12-21 19:47 Nathan DeBardeleben
  2006-12-22 10:36 ` James Dickens
  0 siblings, 1 reply; 3+ messages in thread
From: Nathan DeBardeleben @ 2006-12-21 19:47 UTC (permalink / raw)
  To: systemtap

Something I was wondering about is whether it would be possible to write 
a SystemTap script that watched for other kprobes to be inserted and to 
log them somehow.  I'm a bit concerned about the security implications 
of having kprobes turned on in the kernel and the fact that if someone 
were able to insert a probe they could basically hide themselves by 
hiding their module in the module list and doing assorted other 
nefarious things.  If there was a way to write a probe that was always 
inserted which just logged when another probe was inserted, I thought 
that might be a neat thing.

Any thoughts on this?

-- 
-- Nathan
Correspondence
---------------------------------------------------------------------
Nathan DeBardeleben, Ph.D.
Los Alamos National Laboratory
Parallel Tools Team
High Performance Computing Environments
phone: 505-667-3428
email: ndebard@lanl.gov
---------------------------------------------------------------------

