Linux Shell, 1 LKM Journal of Software /2002/13(01) Vol.13, No.1

Transcription

1 /2002/13(01) Journal of Software Vol13, No1 Linux Shell, ( ) wld@mailcnniscgovcn; bxfang@mailcnniscgovcn http//wwwhiteducn Unix Shell Linux Shell ; ;Linux TP316 A Internet,, [1,2] Unix Shell,, ; Unix, ; system() exec() C,shell ;, Linux bash shell,, Linux Shell, Linux (loadable kernel module), shell, exec 1 LKM 11 LKM Linux, Linux 20, LKM LKM Linux LKM, LKM init_module() cleanup_module(), 4 (a), insmod ;(b) ;(c), ;(d) init_module() LKM Linux LKM ( ), ; (1970 ), ; (1960 )

2 Linux Shell 81 LKM [3,4], 12 shell Unix, Unix shell, fork() exec() exec (exec, execve(), execve()), Unix sys_open ( sys/syscallh) 0x80, ( eax ) sys_call_table[], sys_call_table[] Linux sys_call_table[] ( sys/syscallh); sys_call_table[x] (X, NR_name SYS_name name );, sys_call_table[x] 13,,, shell execve() LKM, Linux ( ), get_user() memcpy_fromfs()( asm/segmenth ),, copy_to_user(), [4] 2 LKM shell, LKM LKM proc /proc,, LKM mknod /dev/cmdlog, MAJOR_NO, LKM LKM execve() execve() /dev/cmdlog FIFO execve() shell, FIFO ; /dev/cmdlog,/dev/cmdlog FIFO ; FIFO, 3,LKM, 21 init_module() cleanup_module() LKM init_module() module_register_chrdev() ( ) execve() execve() file_operations cmdlog_handler

3 82 Journal of Software 2002,13(1) cleanup_module() execve() int init_module() register_chrdev(major_no, cmdlog,&cmdlog_handler); /* orig_execve=sys_call_table[sys_execve]; /* SYS_execve execve sys_call_table[sys_execve]=new_execve; /* new_execve return(0); int cleanup_module() sys_call_table[sys_execve]=orig_execve; /* execve unregister_chrdev(major_no, cmdlog ); /* return(0); 22 root (!suser() ) ( cmdlog_release()) memcpy_tofs() copy_to_user() /dev/cmdlog cmdlog_read() int cmdlog_read(struct file *f, char *buf, size_t buflen, loff_t *offset) char tmp[maxname+128]; if (!suser()) return( 1); /* root memset(tmp,0,maxname+128); /* has FIFO if (!has) interruptible_sleep_on(&wp);signal_pending(current); if (!access_ok(verify_write,buf,buflen)) return( 1); /* buf sprintf(tmp, %d%d%d%d%s,has->start_time,has->uid,has->euid,has->gid,has->p_comm); strncat(tmp,has->cmd,maxname 2);strcat(tmp, \n ); copy_to_user(buf,tmp,buflen); /* buf /* 23 new_execve execve(), shell int new_execve(struct pt_regs r) /* execve() char*cp,*filename=null;char ch; int ret=0,i=0;j=0; lock_kernel(); /*, kmalloc() struct lognode*ln=(struct lognode*)kmalloc((sizeof(struct lognode),gfp_hernel); ln->cmd=(char*)kmalloc(maxname,gfp_kernel); /*, shell

4 Linux Shell 83 filename=(char*)getname((char*)rebx);ln->next=null; /* /* shell memcpy(ln->cmd,filename,maxname-1);i=strlen(ln->cmd); /*, get_user() char**cmdargv=(char**)recx;get_user(*cp,++cmdargv); while ((cp!=null)&&(i<maxname 2)) ln->cmd[i++]= ; while (1) /* get_user(ch, cp+j); if ((ch!=null)&&(i<maxname 2)) ln->cmd[i++]=ch;j++; else break; j=0;get_user(cp,++cmdargv); /* /* memset(ln->p_comm,0,16);strcpy(ln->p_comm,current->p_opptr->comm,16); ln->uid=current->uid;ln->euid=current->euid; ln->current->gid=current->gid; ; ln->start_time=current_time; /*, linux/timexh ret=do_execve(filename,(char**)regsecx,(char**)regsedx,&regs); / * shell putname(filename);unlock_kernel(); return(ret); current task_struct,,linux20 linux/schedh, 22 asm/segmenth 3 31 Shell LKM todaytimeuideuidgidparentcmd shell vivie cron ( 1) Table 1 Comparison of capabilities between two logging systems 1 Executing process of Viviesh Extended log records Shell records [test1]$ bash/viviesh Normal user viviesh/bin/cat [test1]$/viviesh viviesh/usr/bin/cc-o/tmp/sh/tmp/shc make shell ( ) compile shell viviesh/bin/chmod755/tmp/makesh /viviesh make execute viviesh/bin/cp-f/etc/sendmailcf/tmp/send mailcftmp1 (failed to hack sendmailcf make cron file input cron file ( ) viviesh/usr/bin/crontab/tmp/cronfile sendmail/tmp/makesh Y-a-d test1 detect the attack if the program is wait for 1 minute makesh/bin/chown root/tmp/sh renamed ) execute shell makesh/bin/chgrp root/tmp/sh makesh/bin/chmod 4755/tmp/sh viviesh/tmp/sh bash#(becomes root) viviesh/bin/sh euid=0&cmd=/bin/sh Viviesh, Shell

5 84 Journal of Software 2002,13(1) cron Unix RedHat Linux 42,50,51,60 Vivie cron root sendmail root viviesh http//wwwrootshellcom/ shell root 32, ((6*60*60>todaytime) (todaytime<22*60*60)) root shell root shell (euid==0)&&((cmd==/bin/bash) (cmd==/bin/csh) (cmd==/bin/sh)) 31 vivie cron suid root 4 (uid!=0)&&(euid==0) LKM Shell shell exec, ; root ; ; ; LKM /dev/cmdlog References [1] Liu, Mei-lan, Yao, Jing-song Audit trail and intrusion detection Computer Engineering and Applications, 1999,35(7)12~15 [2] Durst, R, Champion, T, Witten, B, et al Testing and evaluating computer intrusion detection systems Communications of the ACM, 1999,42(7)53~61 [3] Halflife Linux TTY hijacking Phrack Magazine, 1997,7(50)5~5 [4] Plaguez Weakening the Linux kernel Phrack Magazine, 1998,8(52)18~18 [1],1999,35(7)12~15 An Extension to Security Auditing Mechanism of Linux Shell WANG Li-dong, FANG Bin-xing (School of Computer Science and Technology, Harbin Institute of Technology, Harbin , China) wld@mailcnniscgovcn; bxfang@mailcnniscgovcn http//wwwhiteducn Abstract Command history records generated by Unix shell is one of the important sources of system auditing information But command history does not include sufficient information for intrusion detection and the history records can be easily modified by user themselves With Linux loadable kernel module technique and system call interception, an extension to security auditing mechanism of Linux shell is implemented in this paper, and then some examples are given for security monitoring with the new mechanism Key words security; audit; Linux loadable kernel module Received April 12, 2000; accepted July 31, 2000