General Instructions
Assignment #5: Rootkit
ECE 650 Fall 2018
See course site for due date
Updated 4/10/2018, changes noted in green

1. You will work individually on this assignment.
2. The code for this assignment should be developed and tested using a Linux virtual machine that you may create at the following location: https://vm-manage.it.duke.edu/vm_manage
   Select the following image: Ubuntu 16.04. Other environments, unfortunately, will not be supported due to complexity.
3. You must follow this assignment spec carefully, and turn in everything that is asked (and in the proper formats, as described). Due to the large class size, this is required to make grading more efficient.
Overview
In this assignment, you will implement a portion of rootkit functionality to gain:
1. Hands-on practice with kernel programming
2. A detailed understanding of the operation of system calls within the kernel
3. Practice with fork/exec to launch child processes
4. An understanding of the types of malicious activities that attackers may attempt against a system (particularly against privileged system programs).

Our assumption will be that, via a successful exploit of a vulnerability, you have gained the ability to execute privileged code in the system. Your attack code will be represented by a small program that you will write, which will (among a few other things, described below) load a kernel module that will conceal the presence of your attack program as well as some of its malicious activities. The specific functionality required of the attack program and kernel module (as well as helpful hints about implementing this functionality) are described next.

Tips on Working with the Virtual Machine
When you create your virtual machine and log in for the first time, you will notice there may be few programs installed (e.g. no gcc, emacs, vim, etc.). You can download your choice of software easily using the command: sudo apt-get install <package name>. For example: sudo apt install build-essential emacs

Detailed Submission Instructions
Your submission will include 3 (and only 3) files:
1. sneaky_mod.c: The source code for your sneaky module with functionality as described below.
2. sneaky_process.c: The source code for your sneaky (attack) program with functionality as described below.
3. Makefile: A makefile that will compile sneaky_process.c into sneaky_process, and will compile sneaky_mod.c into sneaky_mod.ko. In most cases, this will simply be the example Makefile provided with the skeleton module example code.

You will submit a single zip file named hw5.zip to your Sakai dropbox location, e.g.: zip hw5.zip sneaky_mod.c sneaky_process.c Makefile
Attack Program
Your attack program (named sneaky_process.c) will give you practice with executing system calls by calling relevant APIs (for process creation, file I/O, and receiving keyboard input from standard input) from a user program. Your program should operate in the following steps:
1. Your program should print its own process ID to the screen, with exactly the following message (the print command in your code may vary, but the printed text should match): printf("sneaky_process pid = %d\n", getpid());
2. Your program will perform 1 malicious act. It will copy the /etc/passwd file (used for user authentication) to a new file: /tmp/passwd. Then it will open the /etc/passwd file and print a new line to the end of the file that contains a username and password that may allow a desired user to authenticate to the system. Note that this won't actually allow you to authenticate to the system as the sneakyuser, but this step illustrates a type of subversive behavior that attackers may utilize. This line added to the password file should be exactly the following: sneakyuser:abc123:2000:2000:sneakyuser:/root:bash
3. Your program will load the sneaky module (sneaky_mod.ko) using the insmod command. Note that when loading the module, your sneaky program will also pass its process ID into the module. You may reference the following page for an understanding of how to pass arguments to a kernel module upon loading it: http://www.tldp.org/ldp/lkmpg/2.6/html/x323.html
4. Your program will then enter a loop, reading a character at a time from the keyboard input until it receives the character 'q' (for quit). Then the program will exit this waiting loop. Note this step is here so that you will have a chance to interact with the system while: 1) your sneaky process is running, and 2) the sneaky kernel module is loaded. This is the point when the malicious behavior will be tested.
5. Your program will unload the sneaky kernel module using the rmmod command.
6. Your program will restore the /etc/passwd file (and remove the addition of sneakyuser authentication information) by copying /tmp/passwd to /etc/passwd.
Recall that a process can execute a new program by: 1) using fork() to create a child process, and 2) having the child process use some flavor of the exec*() system call to execute a new program. You will want your parent attack process to wait on the new child process (e.g. using the waitpid() call) after each fork() of a child.
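The fork/exec/waitpid pattern described above, as an added example that is not part of the assignment handout or the instructor's sample solution. It runs an arbitrary argv in a child, waits for that specific child, and reports its exit status; the programs it runs in main() (echo, true) are chosen here for illustration only.

```c
/* Added example: run a program in a child process and wait for it.
 * Not from the assignment; any argv shown is constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec argv[0] in the child, and block in the parent until that child exits.
 * Returns the child's exit status (0..255), or -1 if fork/wait failed or the
 * child was killed by a signal. A failed exec makes the child exit with 127. */
int run_and_wait(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return -1;
    }
    if (pid == 0) {
        /* Child: replace this image with the requested program. */
        execvp(argv[0], argv);
        /* Only reached if exec failed. Use _exit so the child does not run
         * the parent's atexit handlers or flush the parent's stdio buffers. */
        perror("execvp");
        _exit(127);
    }
    /* Parent: wait for this particular child, not just any child. */
    int status;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;  /* terminated by a signal */
}

int main(void)
{
    char *const argv_echo[] = {"echo", "child is running", NULL};
    int status = run_and_wait(argv_echo);
    printf("echo exited with status %d\n", status);

    char *const argv_true[] = {"true", NULL};
    printf("true exited with status %d\n", run_and_wait(argv_true));
    return 0;
}
```

Calling waitpid() with the child's pid (rather than wait() with -1) matters once several children have been forked in sequence, as the attack program does for insmod and rmmod: it guarantees the parent proceeds only after the command it just launched has finished.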
Sneaky Kernel Module (a Linux Kernel Module, LKM)
Your sneaky kernel module will implement the following subversive actions:
1. It will hide the sneaky_process executable file from both the ls and find UNIX commands. For example, if your executable file named sneaky_process is located in /home/userid/hw5:
   a. ls /home/userid/hw5 should show all files in that directory except for sneaky_process.
   b. cd /home/userid/hw5; ls should show all files in that directory except for sneaky_process.
   c. find /home/userid -name sneaky_process should not return any results.
2. In a UNIX environment, every executing process will have a directory under /proc that is named with its process ID (e.g. /proc/1480). This directory contains many details about the process. Your sneaky kernel module will hide the /proc/<sneaky_process_id> directory (note that hiding a directory with a particular name is equivalent to hiding a file!). For example, if your sneaky_process is assigned a process ID of 500, then:
   a. ls /proc should not show a sub-directory with the name 500.
   b. ps -a -u <your_user_id> should not show an entry for process 500 named sneaky_process (since the ps command looks at the /proc directory to examine all executing processes).
3. It will hide the modifications to the /etc/passwd file that the sneaky_process made. It will do this by opening the saved /tmp/passwd when a request to open /etc/passwd is seen. For example:
   a. cat /etc/passwd should return the contents of the original password file without the modifications the sneaky process made to /etc/passwd.
4. It will hide the fact that the sneaky module itself is an installed kernel module. The list of active kernel modules is stored in the /proc/modules file. Thus, when the contents of that file are read, the sneaky module will remove the contents of the line for sneaky_mod from the buffer of read data being returned. For example:
   a. lsmod should return a listing of all modules except for sneaky_mod.

Your overall submission will be tested by compiling your kernel module and sneaky process, running the sneaky process, and then executing commands as described above to make sure your module is performing the intended subversive actions.
Helpful Hints and Tips for Implementing sneaky_mod.c
This assignment should not require a tremendous amount of code. For example, in my sample solution, the sneaky_process.c file has approximately 120 lines of code, and the sneaky_mod.c file has approximately 200 lines.

You can inspect the system calls that are made by a command using the strace UNIX command, e.g. strace ls.

For these subversive actions in the sneaky kernel module, you will need to hijack (and possibly modify the contents being returned by) system calls.

For #1 and #2, read up on the getdents system call (get directory entries): int getdents(unsigned int fd, struct linux_dirent *dirp, unsigned int count). I would highly recommend reading the man getdents page (including the code sample). It will fill in an array of struct linux_dirent objects, one for each file or directory found within a directory. You should also place the following struct definition at the top of your sneaky_mod.c code to make sure that the struct linux_dirent is interpreted correctly:

    struct linux_dirent {
        u64 d_ino;                 /* inode number */
        s64 d_off;                 /* offset to the next linux_dirent */
        unsigned short d_reclen;   /* length of this record, in bytes */
        char d_name[bufflen];      /* null-terminated filename; bufflen is a buffer-length constant you define */
    };

For #2, you can know the sneaky_process pid by using the module_param() technique described here: http://www.tldp.org/ldp/lkmpg/2.6/html/x323.html

For #3, you should check out the open system call (as in the skeleton kernel module posted). Note that if, say, you wanted to pass a new string filename to the open system call function, that string has to be in user space and not something defined in your kernel space module. You can use the copy_to_user() function to achieve that: copy_to_user(void __user *to, const void *from, unsigned long nbytes). Hint: for the user buffer, could you use the character buffer passed into the open() call?

For #4, you may want to check out the read system call.

If there are pieces of the skeleton module code that you are interested in understanding more deeply, please ask on Piazza! I'd be glad to give detailed descriptions. Have fun with this assignment! Try out other sneaky actions, if you'd like, once you get the hang of it.
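Two things the hints above take for granted are worth seeing in working code: how the variable-length records returned by getdents are walked (each record is d_reclen bytes long, and d_name is the only field most tools look at), and the defensive consequence of #2, namely that filtering directory entries hides a process from ls and ps but not from a direct path lookup, since stat("/proc/<pid>") never goes through getdents. The following user-space program is an added example, not part of the assignment or the instructor's sample solution, and contains no kernel code: it lists /proc with the raw getdents64 syscall (whose record layout, unlike the x86-64 getdents layout quoted above, carries a d_type byte before d_name), then sweeps /proc/1 through /proc/65535 by stat() and reports any process directory that exists but was not listed. The scan bound MAX_PID_SCAN and the record struct name are choices made here; thread IDs, which also resolve under /proc although readdir lists only thread-group leaders, are filtered by checking Tgid in /proc/<pid>/status, and a second listing pass rules out processes that were created or exited between the two sweeps.

```c
/* Added example: detect /proc entries hidden from getdents but reachable by path.
 * Not from the assignment; MAX_PID_SCAN and struct naming are assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by getdents64 (see man 2 getdents). */
struct dirent64_rec {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;   /* total size of this record */
    unsigned char      d_type;
    char               d_name[];   /* null-terminated name */
};

#define MAX_PID_SCAN 65536         /* assumed upper bound for the sweep */

/* List /proc via getdents64 and set seen[pid] = 1 for every numeric entry.
 * Returns the number of PIDs seen, or -1 on error. seen must hold MAX_PID_SCAN bytes. */
static int list_proc_pids(unsigned char *seen)
{
    static char buf[32768];
    int fd = open("/proc", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    memset(seen, 0, MAX_PID_SCAN);
    int count = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;                       /* end of directory */
        for (long pos = 0; pos < n; ) {
            struct dirent64_rec *d = (struct dirent64_rec *)(buf + pos);
            char *end;
            long pid = strtol(d->d_name, &end, 10);
            /* Only all-digit names are process (or thread) directories. */
            if (d->d_name[0] != '\0' && *end == '\0' && pid > 0 && pid < MAX_PID_SCAN) {
                seen[pid] = 1;
                count++;
            }
            pos += d->d_reclen;                  /* advance to the next record */
        }
    }
    close(fd);
    return count;
}

/* /proc/<tid> resolves for threads too, but readdir lists only thread-group
 * leaders, so a thread must not be mistaken for a hidden process. */
static int is_thread_group_leader(int pid)
{
    char path[64], line[128];
    int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
    fclose(f);
    return tgid == pid;
}

/* Returns 1 if pid appears in the getdents64 listing of /proc, 0 if not, -1 on error. */
int pid_listed_in_proc(pid_t pid)
{
    static unsigned char seen[MAX_PID_SCAN];
    if (list_proc_pids(seen) < 0) return -1;
    return (pid > 0 && pid < MAX_PID_SCAN) ? seen[pid] : 0;
}

/* Count process directories that exist by direct lookup but are missing from
 * the listing. Returns the count, or -1 on error. */
int count_hidden_pids(void)
{
    static unsigned char seen[MAX_PID_SCAN];
    char path[64];
    struct stat st;
    int hidden = 0;
    if (list_proc_pids(seen) < 0) return -1;
    for (int pid = 1; pid < MAX_PID_SCAN; pid++) {
        if (seen[pid]) continue;
        snprintf(path, sizeof path, "/proc/%d", pid);
        if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode)) continue;
        if (!is_thread_group_leader(pid)) continue;
        /* Re-list and re-stat to exclude processes created or exited mid-scan. */
        if (list_proc_pids(seen) < 0) return -1;
        if (seen[pid] || stat(path, &st) != 0) continue;
        printf("suspicious: /proc/%d exists but is missing from the listing\n", pid);
        hidden++;
    }
    return hidden;
}

int main(void)
{
    printf("this process (pid %d) listed in /proc: %d\n",
           (int)getpid(), pid_listed_in_proc(getpid()));
    int hidden = count_hidden_pids();
    printf("hidden process directories found: %d\n", hidden);
    return hidden > 0 ? 1 : 0;
}
```

On a clean system the sweep reports 0. Run while the module from #2 is loaded, it is expected to report the sneaky_process pid, because the module filters getdents results for /proc but does not intercept lookups of /proc/<pid> by name; a module that also hooked those lookups would defeat this check, which is why production rootkit detectors cross-check several independent views of the process table rather than one.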