Kernel Hardening by Recovering Kernel Stack Frame in Linux Operating System

Transcription

1 Kernel Hardening by Recovering Kernel Stack Frame in Linux Operating System Kernel Hardening by Recovering Kernel Stack Frame in Linux Operating System Department of Computer engineering, Dong-eui University doi: /ijact.vol1.issue1.9 Abstract The kernel hardening function is necessary in terms of kernel stability to reduce the system error or panic due to the kernel code error that is made by program developer. But, the traditional kernel hardening method is difficult to implement and consuming high cost. The suggested kernel hardening function that makes high availability system by changing the panic() function of inside kernel code guarantees normal system operation by recovering the incorrect address of the kernel stack frame. We experimented the kernel hardening function at the network module of the Linux by forcing panic code and confirmed the proposed design mechanism of kernel hardening is working well by this experiment. Keywords Linux O.S, Kernel Hardening, Stack Recovery 1.Introduction The Linux O.S is open source so that it can be changed kernel source code. Therefore, the Linux kernel source code is available as an Embedded system. An enterprise uses the Linux O.S as a web server, file server, and DB server. However, many people can change the kernel source code [1, 2, 3] that makes error status. It will halt system abnormally and corrupting data [13, 14]. The Unix O.S has generally hierarchical structure as HW, kernel, and application program. Each layer occurs several kinds of fault. Therefore, independent fault management module must be supported [2, 5]. The kernel hardening is a properly good mechanism against a panic in a kernel fault. The kernel hardening reduces error code through testing kernel code appropriate or not[1, 3, 5, 6, 11, 12]. This feature guarantees reliable system as making high reliable system by not stopping error case. The previous kernel hardening mechanism provides fault tolerance. The fault tolerance provides system availability by supporting dual resources in several resources. Therefore, the fault tolerance requires much cost and difficulty to implementation. But, the suggesting kernel hardening is simple mechanism that makes easy implementation in O.S. This paper proposes kernel hardening for a recoverable error in the Linux O.S. When a panic occurs in kernel, the wrong address is kept into the register. The suggesting kernel hardening recoveries a wrong address to a normal address of the stack frame. The kernel hardening module decides recovery or not. If a wrong address is recoverable, the module recoveries a normal address. Otherwise, the module proceeds existing procedure. This corrects a portion of a kernel including the panic() function within a kernel, and etc. Therefore, it can enhance system availability with the low cost. For the experiment of the mode of proposing in the network module. It provoked with panic phenomenon. The operation of being restored the stack value in which it becomes wrong with the normal value was confirmed. In chapter 2, the research related to the kernel hardening is looked into. The kernel hardening function of proposing in chapter 3 is introduced. In chapter 4, the kernel hardening function of being proposed at the network module is implemented and the result of experimenting is explained. Finally, in chapter 5, it concludes. Table 1. The kernel hardening of the CGE version. 1) Code reviews The part in which an error is generated through the code review technique is looked for. 2) Panic Removal After inspecting the Standard Linux Code, it determines whether the process will be or ordered with kill if a system is ordered with abort or not. 3) Fault Injection Testing It inspects whether to there be no whether there is the capability in which a kernel can be restored about an error in case of being Software or not. 2. Related Studies 64

2 International Journal of Advancements in Computing Technology Volume 1, Number 1, September 2009 MontaVista commercially sells the kernel hardening function is built in Linux operation system of the CGE (Carrier Grade Edition) version in which [9]. CGE of MontaVista classifies the kernel hardening function like Table 1 as 3 branch areas. If the kernel hardening of MontaVista entries into the panic routine when the specific process came in into the panic routine after reappraising a code, a system is normally implemented. Presently, if it is the process in which the process gives an affect to a system, the panic() function is performed and it becomes system with pause. If the Linux operation system kernel code is the case by the wrong of a user including the error of a programmer, and etc., a system is not stopped and only the process presently a kill and a system is normally implemented. And of MontaVista includes a review toward the kernel panic of all condition [4, 10] that the system error is generated by the determination toward the conformance of a system. Therefore, the availability function of a canal is weak, on the other hands, the terms of management about the canal problem is the strong operating system [2, 5, 14]. 3. Implementation the Kernel Hardening If "panic" is generated within the Linux kernel, the existing Linux kernel becomes the state where a system cannot make the operation in which it is any more normal. In case "panic" is generated, by restoring registry values in which the kernel hardening function proposed in this paper is abnormal in the kernel stack in-frame in which "panic" is generated to the normal value a kernel is normally operable. In an in-kernel, if "panic" is generated, in case of being the address type, the address in which it becomes wrong is stored to the cr2 register. By restoring this address the normal kernel action is possible. In this way, by being restored the kernel stack frame about the calculation in which it becomes wrong the normal operation develops as possible. The kernel hardening function of implementing in the Linux operation system was implemented in the network module. Recently, the stable kernel action in which we use of the Linux network function is required Therefore, the kernel hardening function proposed in this paper was implemented in the ip_rcv() function of the ip_input.c kernel source code in order to guarantee the stable kernel service of the network function within the Linux kernel. 3.1 Developing Hardening in the panic() Process. The kernel hardening function of implementing in the Linux operation system was developed in the network module. Recently, the stable kernel action of the Linux network function is required. Therefore, the kernel hardening function proposed in this paper was implemented in the ip_rcv() function of the ip_input.c kernel source code in order to guarantee the stable kernel service of the network function within the Linux kernel. In case a user performs the ping instruction, and etc., it is the operated function. In order to find the pathway in which it approaches in the telnet connection, in order to be generated with a kernel with panic by firstly using Loopback, the function like the next Figure 1. was inserted in the linux/net/ipv4/ip_input.c. static int harden_count; // The arbitrary static parameter value the situation before a panic becomes is confirmed. harden_count++; printk("ip_rcv() -> %d\n", harden_count); if(harden_count > 150) { aa = ; printk("aa=%d", *aa); // The page fault is compulsively generated by the reference about the page region in which it becomes wrong and a panic is caused. else { printk("harden_count=%d\n", harden_count); Figure 1. The function within the ip rcv() for the force panic occurence. A panic is compulsively generated like Figure 1. within the ip rcv() function. The stack information is outputted around the /linux/kernel/panic.c source code so that a panic can seek out the generated process with the reverse order. In the function within a fault.c, the good area, the bad area, no context, and the printk door toward each part of the do sigbus were chopped and we confirmed. The good area, the bad area, no context, and the do sigbus. ( good_area : ) The part handles the faulty address generated in the process address field. ( bad_area : ) The part handles the faulty address generated in the process address outside. ( no_context : ) The part is an interrupt or is the part in which it manages the exception in which it is generated when the kernel Sseure practices. ( do_sigbus : ) The part places the semaphore in which it obtains. It includes the address in which it causes an error in the cr2 field in the thread structure of the process. In (no context :) part within the do page fault() function, Figure 2. is the final step of the panic processing. 65

3 Kernel Hardening by Recovering Kernel Stack Frame in Linux Operating System if (address < PAGE_SIZE) printk(kern_alert "Unable to handle kernel NULL pointer dereference"); else printk(kern_alert "Unable to handle kernel paging request"); printk(" at virtual address %08lx\n",address); asm ("movl %%cr3,%0" : "=r" (page)); printk(kern_alert "current->tss.cr3 = %08lx, %%cr3 = %08lx\n", tsk->tss.cr3, page); page = ((unsigned long *) va(page))[address >> 22]; printk(kern_alert "*pde = %08lx\n", page); if (page & 1) { page &= PAGE_MASK; address &= 0x003ff000; page = ((unsigned long *) va(page))[address >> PAGE_SHIFT]; printk(kern_alert "*pte = %08lx\n", page); die("oops", regs, error_code); do_exit(sigkill); Figure 2. The end system arrangement step within the panic(). In no context part, Figure 2. shows the final step of the panic processing. This part is the final process stage of the panic processing. Figure 3. is the part in which it actually calls out no context. ()) if (in_interrupt() mm == &init_mm) //printk("in_interrupt()=%d",in_interrupt //printk("address = %x \m", address); goto no_context; Figure 3. The operation of no context part in the panic(). Figure 3. the part is shown in the panic situation where it produces and it moves by no context part. It can confirm to be the condition that a teeth goes to no context part with the value of in interruput(). If the address value is outputted between the if statement in which it goes to no context in order to confirm this since we gave 10+10, that is, 20 which is decimal address value to the char pointer aa, we can confirm that the hexadecimal number 0x14 is outputted. We can confirm to be the address value in which this value sets up in a pointer. 3.2 The Kernel Hardening Development in the Network Module. By using the recovery function of the kernel stack to the network module, this paper develops the kernel hardening function. Figure 4. in, the call progress at the ip_input.c, that is the network module for embodying in this paper, is shown. Figure 4. The kernel stack rehabilitation process in the ip_rcv() function among the network module. The panic in which we arbitrarily produce is the phenomenon that it occurs by the reference about the memory area except the area in which the kernel area processes. The first working was progressed so that the process could find the pathway in which a panic goes through the do page fault() function of the./arch/i386/mm/fault.c. By determining the area about the address as the occurence of the exceptional case this goes through the Page Fault Exception Handler in which it processes. It is the function in which it passes in the part in which no context level of the do page fault() function causes a panic. In this function, the interrupt handling routine of in interrupt() function is gone through. In the do page fault() function, the following assembly command is practiced. asm ("movl %%cr2,%0)":"=r" (address)); In this assembly command, the address has the address in which immediately, we set up and it becomes wrong. As to this address, there is a related with the cr2 register. Moreover, when a panic was generated, the process of confirming stack values is needed. This is the process of confirming when the 66

4 International Journal of Advancements in Computing Technology Volume 1, Number 1, September 2009 program is performed even about executing any kind of routine through values piled up in a stack. Right line, the stack value is traced when a panic arose. This is put through the stack value where there was through an option in the system panic to see with symbol, that is the UNIX command called "nm -n" this, and it can know the route in which a panic is generated. The later process generated with the panic this. An interrupt is generated in the address in which it becomes wrong within the Linux kernel. The die() function is called out from no context part of the do page fault() function if an interrupt is generated. In the die() function, the show register() function is called out. The show register() function calls out the show stack() function. In this show stack() function, the cr2 register value of a problem can be confirmed. The address of a stack can confirm the part in which it is like the address through as to we, with a teeth. It is restored this address with the normal value. If it is restored the mis path call progress within a stack with the normal process, the normal system operation is possible. The next Figure 5. shows the source code of the show stack() function. int show_stack(unsigned long * esp) { unsigned long *stack; int i; unsigned long address; SS1: if(esp==null) SS2: esp=(unsigned long*)&esp; SS3: stack = esp; SS4: asm ("movl %%cr2,%0":"=r" (address)); SS5: for(i=0; i < kstack_depth_to_print; i++) { SS6: if (((long) stack & (THREAD_SIZE-1)) == 0) SS7: break; SS8: if (i && ((i % 8) == 0)) SS9: printk("\n "); SS10: if(*stack == address) { SS11: *stack = kmalloc(8, GFP_KERNEL); SS12: printk("change Value of Stack addr = SS13: 0x%x!!!!!!!!!!!!!!!\n", *stack); SS14: return 1; SS15: SS16: printk("addr %08lx : ", stack); SS17: printk("%08lx ", *stack++); SS18: SS19: printk("\n"); SS20: return 0; Figure 5. The show stack() function source code. In the Linux kernel, Figure 5. shows the show stack() function for implementing the hardening function through the recovery of the kernel stack. In Figure 5., the address information in which it enters into the cr2 register is stored the address variable in (SS4 sentence). The address variable is the variable in which a panic puts in the generated value. In case there is the value in which it coincides with the address parameter value among the value in a stack, if this value is changed to the normal value, the operation of the Linux kernel is normally made. The e-process is the process to the SS15 sentence in the SS10 sentence of Figure Experiment The system environment for implementing the kernel hardening function in the Linux operation system the Intel CPU 450MHz processor and RAM used 128Mbyte. And the system, that is 256KByte, the mainboard cache used the operating system of Linux RedHat 9.0 base. The Linux kernel version used Moreover, the GNU tool was used for the program development. The that we develop from chapter 3 content of the show stack() function was actually used and an experiment was carried out. This experiment is the experiment for confirming whether the content that it develops from this paper is normally operated or not. It is the show stack() function called in the ip_rcv() function like Figure 6.. ip_rcv() { show_stack(sp); /* The aa value confirmation. */. Figure 6. The experiment in which we use the show stack() function. As follows, the structure of the register stored in a stack for the system call is defined in the asmi386/ptrace.h header file. struct pt_regs{ long ebx,ecx,edx,esi,edi,ebp,eax; int xds, xes,orig_eax,eip,xds,eflags,esp,xss; Figure 7. The information data structure of being stored in a stack. 67

5 Kernel Hardening by Recovering Kernel Stack Frame in Linux Operating System In this paper, by using the value of the esp register, the kernel hardening is implemented. The Ju So-gap in which the specific local variable has Charyedaero enters into Staek if we use through the show stack() function. The address of the local variable at the ip_rcv() is looked into. The location of the stack in which the local variable called the aa in which it generates the page fault has is looked for. A kernel is performed in order to makes induce the panic in which it is compulsory in an in-kernel for the actual experiment. A system is caused a panic by the address in which the aa has. It normally again comes back till a fault.c by assigning the address (memory) in which it is normal about the new aa variable. asm ("movl %%esp,%0":"=r" (sp)); printk(" iph=0x%x, &bb=0x%x, aa=0x%x, sp=0x%x\n", iph, &bb, aa, sp); show_stack(sp); asm ("popl %%eax\n\t": : ); asm ("movl %%eax,%0":"=r" (check)); asm ("movl %%esp,%0":"=r" (sp)); printk(" check=0x%x, sp=0x%x\n", check, sp); asm ("pushl %%eax\n\t": : ); Figure 8. It is normally restored the abnormal address. Figure 8. Ikeonaes the esp register value with a variable called a sp. And by using the show stack (sp) function, the stack recovery is attempted. Next, the normal stack information is arranged. By doing like Figure 8 it is restored the value of the abnormal stack with the normal stack value. This is the procedure of confirming the kernel hardening function through the recovery about the proposed in this paper. As to, the fault tolerance system is simply developed. 5. Conclusions The phenomenon that a system is stopped due to the calculation in which it becomes wrong in the Linux operation system kernel or the program in which it becomes wrong occurs. It can be said to be this kind of a phenomenon the system panic. In case a panic is generated in the Linux kernel, it is very important that the normal system operation becomes by restoring the address value in which it is normal about a panic due to the address in which it becomes wrong. In case "panic" is generated, by restoring registry values in which the kernel hardening function proposed in this paper is abnormal in the kernel stack in-frame in which "panic" is generated to the normal value the normal operation is possible. In an in-kernel, if "panic" is generated, in case of being the address type, the address in which it becomes wrong is stored to the cr2 register. By this address can be restored, restoring the normal operation is possible. The kernel hardening function of implementing in Linux O.S was implemented in the network module. The compulsory panic induction situation is comprised of the network module. It is restored in case a panic was generated. This paper designs the kernel hardening function that it is restored about the error in which it is recoverable in the Linux operation system. Many users use the Linux operation system and the function proposed in this paper will much more be able to stabilize the Linux kernel. And as to, the task that implements the proposed in this paper in the Linux kernel and that it modularizes is needed. An use is possible to be easy with time of time when a user wants through the modularization of the kernel hardening function. 6. References [1] G.B.Adams III, and H.J.Siegel, The Extra Stage Cube: A Fault-Tolerant Interconnection Network for Supersystems, pp IEEE Trans. on Comput. Vol. C-31, No.5 May [2] Beck, Linux Kernel Programming, pp. 2-5, ADDISON WESLEY,2002. [3] Jeffery Oldham & Alex Samuel, Advanced Linux Programming, pp , Mark Mitchell, [4] John Mehaffey, Montavista Linux Carrier GradeEdition[WHITE PAPER], Montavista Software Inc., April 8, [5] Tim Udalll, "kernel Hardening Guidelines", Sequoia, [6] SILBERSCHATZ&GALVIN&GAGNE, Operating System Concepts(6th), JOHNWILEY&SONGS INC [7] Ivan Buetler, Compass Security Hardening Solaris", SunMicro System, [8] John Mehaffey, "MontaVista Linux Carrier Grade Edition Version 2.1: The Foundation for Next-Generation Carrier Grade Applications", Montavista Software Inc., [9] Michael Beck,Mirko Dziadzka,Ulrich Kunitz and Harald Bohme, Linux Kernel Internals, Addison-Wesley,1997. [10] The Linux Online, [11] Gary Nutt, Kernel Projects for Linux, Addison Wesley Longman, [12] A.Rubini&J.Corbet, Linux Device Driver(2nd), O'Relly, [13] BOVET & CESATI, OREILLY, Understanding the Linux Kernel, pp , [14] gn/designfault.html,

6 International Journal of Advancements in Computing Technology Volume 1, Number 1, September 2009 Seung-Ju, Jang received a B.Sc. degree in Computer Science and Statistics, and M.Sc. degree, and his Ph.D. in Computer Engineering, all from Busan National University, in 1985, 1991, and 1996, respectively. He is a member of IEEE and ACM. He has been Professor in the Department of Computer Engineering at Dongeui University since He was a member of ETRI(Electronic and Telecommunication Research Institute) in Daejon, Korea, from 1987 to 1996, and developed the National Administration Multiprocessor Minicomputer during those years. His current research interests include fault-tolerant computing systems, distributed systems in the UNIX Operating Systems, multimedia operating systems, embedded system, security system, and parallel algorithms. 69