Assignment #5: Rootkit. ECE 650 Fall 2018

See course site for due date. Updated 4/10/2018, changes noted in green.

General Instructions
1. You will work individually on this assignment.
2. The code for this assignment should be developed and tested using a Linux virtual machine that you may create at the following location: https://vm-manage.it.duke.edu/vm_manage
   Select the following image: Ubuntu 16.04
   Other environments, unfortunately, will not be supported due to complexity.
3. You must follow this assignment spec carefully, and turn in everything that is asked (and in the proper formats, as described). Due to the large class size, this is required to make grading more efficient.

Overview
In this assignment, you will implement a portion of rootkit functionality to gain:
1. Hands-on practice with kernel programming
2. A detailed understanding of the operation of system calls within the kernel
3. Practice with fork/exec to launch child processes
4. An understanding of the types of malicious activities that attackers may attempt against a system (particularly against privileged system programs).

Our assumption will be that, via a successful exploit of a vulnerability, you have gained the ability to execute privileged code in the system. Your attack code will be represented by a small program that you will write, which will (among a few other things, described below) load a kernel module that will conceal the presence of your attack program as well as some of its malicious activities. The specific functionality required of the attack program and kernel module (as well as helpful hints about implementing this functionality) are described next.

Tips on Working with the Virtual Machine
When you create your virtual machine and log in for the first time, you will notice there may be few programs installed (e.g. no gcc, emacs, vim, etc.). You can download your choice of software easily using the command: sudo apt-get install <package name>. For example: sudo apt install build-essential emacs

Detailed Submission Instructions
Your submission will include 3 (and only 3) files:
1. sneaky_mod.c: The source code for your sneaky module, with functionality as described below.
2. sneaky_process.c: The source code for your sneaky (attack) program, with functionality as described below.
3. Makefile: A makefile that will compile sneaky_process.c into sneaky_process, and will compile sneaky_mod.c into sneaky_mod.ko. In most cases, this will simply be the example Makefile provided with the skeleton module example code.
You will submit a single zip file named hw5.zip to your Sakai dropbox location, e.g.: zip hw5.zip sneaky_mod.c sneaky_process.c Makefile

Attack Program
Your attack program (named sneaky_process.c) will give you practice with executing system calls by calling relevant APIs (for process creation, file I/O, and receiving keyboard input from standard input) from a user program. Your program should operate in the following steps:
1. Your program should print its own process ID to the screen, with exactly the following message (the print command in your code may vary, but the printed text should match): printf("sneaky_process pid = %d\n", getpid());
2. Your program will perform 1 malicious act. It will copy the /etc/passwd file (used for user authentication) to a new file: /tmp/passwd. Then it will open the /etc/passwd file and print a new line to the end of the file that contains a username and password that may allow a desired user to authenticate to the system. Note that this won't actually allow you to authenticate to the system as the sneakyuser, but this step illustrates a type of subversive behavior that attackers may utilize. This line added to the password file should be exactly the following: sneakyuser:abc123:2000:2000:sneakyuser:/root:bash
3. Your program will load the sneaky module (sneaky_mod.ko) using the insmod command. Note that when loading the module, your sneaky program will also pass its process ID into the module. You may reference the following page for an understanding of how to pass arguments to a kernel module upon loading it: http://www.tldp.org/ldp/lkmpg/2.6/html/x323.html
4. Your program will then enter a loop, reading a character at a time from the keyboard input until it receives the character q (for quit). Then the program will exit this waiting loop. Note this step is here so that you will have a chance to interact with the system while: 1) your sneaky process is running, and 2) the sneaky kernel module is loaded. This is the point when the malicious behavior will be tested.
5. Your program will unload the sneaky kernel module using the rmmod command.
6. Your program will restore the /etc/passwd file (and remove the addition of sneakyuser authentication information) by copying /tmp/passwd to /etc/passwd.

Recall that a process can execute a new program by: 1) using fork() to create a child process, and 2) the child process can use some flavor of the exec*() system call to execute a new program. You will want your parent attack process to wait on the new child process (e.g. using the waitpid() call) after each fork() of a child.

Sneaky Kernel Module (a Linux Kernel Module, LKM)
Your sneaky kernel module will implement the following subversive actions:
1. It will hide the sneaky_process executable file from both the ls and find UNIX commands. For example, if your executable file named sneaky_process is located in /home/userid/hw5:
   a. ls /home/userid/hw5 should show all files in that directory except for sneaky_process.
   b. cd /home/userid/hw5; ls should show all files in that directory except for sneaky_process.
   c. find /home/userid -name sneaky_process should not return any results.
2. In a UNIX environment, every executing process will have a directory under /proc that is named with its process ID (e.g. /proc/1480). This directory contains many details about the process. Your sneaky kernel module will hide the /proc/<sneaky_process_id> directory (note that hiding a directory with a particular name is equivalent to hiding a file!). For example, if your sneaky_process is assigned process ID 500, then:
   a. ls /proc should not show a sub-directory with the name 500.
   b. ps -a -u <your_user_id> should not show an entry for process 500 named sneaky_process (since the ps command looks at the /proc directory to examine all executing processes).
3. It will hide the modifications to the /etc/passwd file that the sneaky_process made. It will do this by opening the saved /tmp/passwd when a request to open /etc/passwd is seen. For example:
   a. cat /etc/passwd should return the contents of the original password file without the modifications the sneaky process made to /etc/passwd.
4. It will hide the fact that the sneaky module itself is an installed kernel module. The list of active kernel modules is stored in the /proc/modules file. Thus, when the contents of that file are read, the sneaky module will remove the line for sneaky_mod from the buffer of read data being returned. For example:
   a. lsmod should return a listing of all modules except for sneaky_mod.

Your overall submission will be tested by compiling your kernel module and sneaky process, running the sneaky process, and then executing commands as described above to make sure your module is performing the intended subversive actions.
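Item 3 above is the kind of subversion a defender can catch by asking the kernel the same question two different ways. The program below is an added example written for this page (it is not part of the assignment or its skeleton code): it opens a path the way cat does, then compares the inode behind the returned descriptor (fstat) with the inode the path itself names (stat). A hook that answers open("/etc/passwd") with a different file leaves the two disagreeing. The function names, and the constructed temporary files used to exercise the check without touching the real /etc/passwd, are mine.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the open descriptor `fd` refers to the same inode that `path`
 * names, 0 if the kernel answered the open() with a different file, and -1 on
 * error. stat() resolves the path by name, so a hook that only swaps the
 * filename handed to open() cannot make the two answers agree. */
int fd_matches_path(int fd, const char *path) {
    struct stat by_fd, by_path;
    if (fstat(fd, &by_fd) != 0 || stat(path, &by_path) != 0)
        return -1;
    return (by_fd.st_dev == by_path.st_dev && by_fd.st_ino == by_path.st_ino) ? 1 : 0;
}

/* Open `path` read-only, exactly as cat would, and compare what came back
 * with what the path names. 1 = consistent, 0 = served a different file,
 * -1 = could not open or stat. */
int open_is_consistent(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int verdict = fd_matches_path(fd, path);
    close(fd);
    return verdict;
}

/* Write `content` to a fresh file under /tmp and return its path (caller
 * frees). Used only to build constructed inputs for the check. NULL on failure. */
char *make_temp_file(const char *content) {
    char name[] = "/tmp/passwd_check_XXXXXX";
    int fd = mkstemp(name);
    if (fd < 0)
        return NULL;
    size_t len = strlen(content);
    if (write(fd, content, len) != (ssize_t)len) {
        close(fd);
        unlink(name);
        return NULL;
    }
    close(fd);
    return strdup(name);
}

int main(void) {
    /* Real check: does open("/etc/passwd") hand back the file that path names? */
    int verdict = open_is_consistent("/etc/passwd");
    printf("/etc/passwd: %s\n", verdict == 1 ? "open() and stat() agree"
                                : verdict == 0 ? "open() was redirected to another inode"
                                : "could not check");

    /* Constructed demonstration of what a redirected open() looks like:
     * a descriptor on the saved copy checked against the original's path. */
    char *original = make_temp_file("root:x:0:0:root:/root:/bin/bash\n");
    char *saved_copy = make_temp_file("root:x:0:0:root:/root:/bin/bash\n");
    if (original != NULL && saved_copy != NULL) {
        int fd = open(saved_copy, O_RDONLY);
        printf("descriptor on the copy vs. original path: %d (0 = mismatch)\n",
               fd_matches_path(fd, original));
        close(fd);
        unlink(original);
        unlink(saved_copy);
    }
    free(original);
    free(saved_copy);
    return verdict == 1 ? 0 : 1;
}
```

The inode comparison is stronger than comparing sizes or contents: /tmp/passwd is a byte-for-byte copy taken before the extra line was appended, so the only thing that reliably differs between the two files is their identity on disk. The same two-path idea (name-based lookup versus the object actually returned) underlies most user-space rootkit checks.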

Helpful Hints and Tips for Implementing sneaky_mod.c
This assignment should not require a tremendous amount of code. For example, in my sample solution, the sneaky_process.c file has approximately 120 lines of code, and the sneaky_mod.c file has approximately 200 lines.

You can inspect the system calls that are made by a command using the strace UNIX command, e.g. strace ls.

For these subversive actions in the sneaky kernel module, you will need to hijack (and possibly modify the contents being returned by) system calls.

For #1 and #2, read up on the getdents system call (get directory entries): int getdents(unsigned int fd, struct linux_dirent *dirp, unsigned int count). I would highly recommend reading the man getdents page (including the code sample). It will fill in an array of struct linux_dirent objects, one for each file or directory found within a directory. You should also place the following struct definition at the top of your sneaky_mod.c code to make sure that the struct linux_dirent is interpreted correctly:

    struct linux_dirent {
        u64 d_ino;
        s64 d_off;
        unsigned short d_reclen;
        char d_name[bufflen];
    };

For #2, you can know the sneaky_process pid by using the module_param() technique described here: http://www.tldp.org/ldp/lkmpg/2.6/html/x323.html

For #3, you should check out the open system call (as in the skeleton kernel module posted). Note that if, say, you wanted to pass a new string filename to the open system call function, that string has to be in user space and not something defined in your kernel-space module. You can use the copy_to_user() function to achieve that: copy_to_user(void __user *to, const void *from, unsigned long nbytes). Hint: for the user buffer, could you use the character buffer passed into the open() call?

For #4, you may want to check out the read system call.

If there are pieces of the skeleton module code that you are interested to understand more deeply, please ask on Piazza! I'd be glad to give detailed descriptions.

Have fun with this assignment! Try out other sneaky actions, if you'd like, once you get the hang of it.
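The getdents hint above is also the basis of the classic detection for hidden processes (#2): the directory listing is one view of /proc, but /proc/<pid> can be looked up by name without any listing at all. The program below is an added example for this page, not part of the assignment or its skeleton code. It reads /proc through getdents64 (on current glibc, readdir() and therefore ls, find and ps use that syscall rather than getdents, as strace ls will show) and cross-checks every numeric entry against a direct lookup of /proc/<pid>/status. Two edge cases that trip naive scanners are handled: /proc/<tid> resolves for every thread even though only thread-group leaders are listed, so entries whose Tgid differs from their pid are excluded, and a candidate is re-checked against a fresh listing so a process created between the two steps is not reported. The function names and struct dents64_entry are mine; the record layout is the kernel's getdents64 format.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define PID_SCAN_LIMIT 4194304L   /* largest kernel.pid_max Linux allows on 64-bit */

/* Record the kernel writes for each entry returned by getdents64. */
struct dents64_entry {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Read /proc with getdents64 and set seen[pid] = 1 for every purely numeric
 * entry in 1..max_pid. Returns the number of pids seen, or -1 on error. */
long list_proc_pids(unsigned char *seen, long max_pid) {
    int fd = open("/proc", O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;
    char buf[32768] __attribute__((aligned(8)));
    long count = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long pos = 0; pos < n;) {
            struct dents64_entry *d = (struct dents64_entry *)(buf + pos);
            char *end;
            long pid = strtol(d->d_name, &end, 10);
            if (d->d_name[0] != '\0' && *end == '\0' && pid >= 1 && pid <= max_pid) {
                seen[pid] = 1;
                count++;
            }
            pos += d->d_reclen;
        }
    }
    close(fd);
    return count;
}

/* Direct lookup: 1 if /proc/<pid>/status exists and reports Tgid == pid
 * (i.e. a process, not a non-leader thread), else 0. */
int proc_entry_is_process(long pid) {
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%ld/status", pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return 0;
    buf[n] = '\0';
    char *tgid = strstr(buf, "\nTgid:");
    return tgid != NULL && strtol(tgid + 6, NULL, 10) == pid;
}

/* A live process by direct lookup that is absent from the listing is a
 * candidate; it is confirmed against a fresh listing before being reported.
 * Stores up to `cap` hidden pids in `out`; returns the total, -1 on error. */
long find_hidden_pids(long max_pid, long *out, long cap) {
    if (max_pid < 1 || max_pid > PID_SCAN_LIMIT)
        max_pid = PID_SCAN_LIMIT;
    unsigned char *seen = calloc((size_t)max_pid + 1, 1);
    if (seen == NULL)
        return -1;
    if (list_proc_pids(seen, max_pid) < 0) { free(seen); return -1; }
    long hidden = 0;
    for (long pid = 1; pid <= max_pid; pid++) {
        if (seen[pid] || !proc_entry_is_process(pid))
            continue;
        memset(seen, 0, (size_t)max_pid + 1);            /* re-list, then look again */
        if (list_proc_pids(seen, max_pid) < 0) { free(seen); return -1; }
        if (!seen[pid] && proc_entry_is_process(pid)) {
            if (hidden < cap) out[hidden] = pid;
            hidden++;
        }
    }
    free(seen);
    return hidden;
}

/* kernel.pid_max bounds the scan; fall back to the classic default. */
long read_pid_max(void) {
    long v = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f != NULL) {
        if (fscanf(f, "%ld", &v) != 1) v = 32768;
        fclose(f);
    }
    return v;
}

int main(void) {
    long hidden[32];
    long n = find_hidden_pids(read_pid_max(), hidden, 32);
    if (n < 0) { perror("scan failed"); return 1; }
    printf("live processes missing from the /proc listing: %ld\n", n);
    for (long i = 0; i < n && i < 32; i++)
        printf("  pid %ld\n", hidden[i]);
    return n > 0 ? 2 : 0;
}
```

On a clean machine the scan reports zero; while a module that filters the sneaky_process pid out of getdents results is loaded, that pid is the one entry that stats but is never listed. The same mismatch is what tools such as unhide look for, and it is why a defender treats "ps does not show it" as weak evidence of absence.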