Si-Jung Kim
Choul-Woong Son
Cheon-Woo Lee
Research Institute
AT&T Co.,Ltd.
Taejeon, Korea
Sjkim6183@hanmir.com
I. INTRODUCTION

II. BACKGROUND
Figure 1. Layered Linux Security Process (diagram not reproduced; its layers are labelled: management of process, self-protection function, encryption technology, independent security module)

The callback hooks registered in security_ops are supplied dynamically by a loadable kernel module; when no security module is loaded they are dummy stub functions that implement the standard Linux DAC policy. Hooks exist at every point where an object must be mediated for security: task management, program loading, file system management, IPC, module loading, and networking [3][4].

III.

A loadable kernel module overwrites the sys_call_table entry for getdents, so every directory listing passes through the attacker's handler before the entries reach the caller; files and directories belonging to the attacker are dropped there. The body of hacked_getdents is omitted; the module skeleton is:

    int init_module(void)
    {
        orig_getdents = sys_call_table[__NR_getdents];     /* save the original handler */
        sys_call_table[__NR_getdents] = hacked_getdents;   /* install the filtering handler */
        return 0;
    }

    void cleanup_module(void)
    {
        sys_call_table[__NR_getdents] = orig_getdents;     /* restore on unload */
    }

B. Hiding Strings

The same technique applied to the write system call hides strings: data passed to sys_write that contains the attacker's identifiers is filtered in hacked_write (body omitted) before it reaches its destination file descriptor.

    int init_module(void)
    {
        orig_write = sys_call_table[__NR_write];           /* save the original handler */
        sys_call_table[__NR_write] = hacked_write;         /* install the filtering handler */
        return 0;
    }

    void cleanup_module(void)
    {
        sys_call_table[__NR_write] = orig_write;           /* restore on unload */
    }

Existing rootkits can hide an attacker's processes, directories, files, and even the existence of network connections. User-level rootkits achieve this by replacing user-layer programs such as ps, df, netstat, top, and lsof with modified versions, so they are easy to detect by checking file sizes, the trail of system calls a program makes, and file integrity. When analyzing a system on which a kernel-module rootkit is installed, the system's own commands can no longer be relied on for detection; analysis programs such as kstat and carbonite are used instead. kstat and carbonite are Linux-based tools, so they can be used only on Unix-like operating systems.

Security solutions implemented as kernel modules are as follows [5][6].

[Figure (caption not recovered): modified Linux kernel; labels: inode access, compare, access control, log collection, message send]
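The two module fragments in section III and the kstat check mentioned in the text can be modelled in user space. The following is an added example written for this page, not code from the paper or from any rootkit or tool: a function-pointer array stands in for sys_call_table, the hidden prefix "rk_", the directory listing and the hook bodies are all constructed here, and check_syscall_table() applies the kstat idea of comparing the live table against a trusted copy of the original entry addresses (kstat does this against System.map).

```c
/* Added example, not the paper's code: a user-space model of the LKM hooking above.
 * A function-pointer array plays sys_call_table; the hidden prefix "rk_", the listing
 * and the hook bodies are constructed. check_syscall_table() applies the kstat idea. */
#include <string.h>

#define NR_GETDENTS   0
#define NR_WRITE      1
#define NR_SYSCALLS   2
#define HIDDEN_PREFIX "rk_"                  /* constructed: what the hooks hide */
typedef long (*syscall_fn)(char *buf, size_t len);

/* Constructed listing (newline-terminated names) in place of real dirent records. */
static const char *fake_dir = "bin\nrk_backdoor\netc\nrk_log\nusr\n";
static char last_write[256];                 /* what the "terminal" received */

static long sys_getdents(char *buf, size_t len)      /* stands in for the real handler */
{
    size_t n = strlen(fake_dir) < len ? strlen(fake_dir) : len - 1;
    memcpy(buf, fake_dir, n);
    buf[n] = '\0';
    return (long)n;
}
static long sys_write(char *buf, size_t len)         /* stands in for the real handler */
{
    if (len >= sizeof(last_write)) len = sizeof(last_write) - 1;
    memcpy(last_write, buf, len);
    last_write[len] = '\0';
    return (long)len;
}

static syscall_fn sys_call_table[NR_SYSCALLS] = { sys_getdents, sys_write };
static syscall_fn known_good[NR_SYSCALLS]     = { sys_getdents, sys_write }; /* System.map role */
static syscall_fn orig_getdents, orig_write;

/* hacked_getdents: run the real call, then drop entries with the hidden prefix in place. */
static long hacked_getdents(char *buf, size_t len)
{
    size_t r = 0, w = 0, plen = strlen(HIDDEN_PREFIX);
    long n = orig_getdents(buf, len);
    if (n < 0) return n;
    while (r < (size_t)n) {
        size_t tl = strcspn(buf + r, "\n");          /* length of this entry's name */
        if (strncmp(buf + r, HIDDEN_PREFIX, plen) != 0 && w + tl + 1 < len) {
            memmove(buf + w, buf + r, tl);           /* keep it: compact towards the front */
            w += tl;
            buf[w++] = '\n';
        }
        r += tl + 1;                                 /* step past the newline */
    }
    buf[w] = '\0';
    return (long)w;
}
/* hacked_write: swallow any write mentioning the hidden prefix, yet report success. */
static long hacked_write(char *buf, size_t len)
{
    size_t i, plen = strlen(HIDDEN_PREFIX);
    for (i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, HIDDEN_PREFIX, plen) == 0) return (long)len;
    return orig_write(buf, len);
}

static void rootkit_install(void)                    /* what init_module does */
{
    orig_getdents = sys_call_table[NR_GETDENTS];
    sys_call_table[NR_GETDENTS] = hacked_getdents;
    orig_write = sys_call_table[NR_WRITE];
    sys_call_table[NR_WRITE] = hacked_write;
}
static void rootkit_remove(void)                     /* what cleanup_module does */
{
    sys_call_table[NR_GETDENTS] = orig_getdents;
    sys_call_table[NR_WRITE] = orig_write;
}

/* kstat-style integrity check: number of slots that no longer match the trusted copy. */
static int check_syscall_table(void)
{
    int i, tampered = 0;
    for (i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != known_good[i]) tampered++;
    return tampered;
}

/* "ls" through the live table: 1 if name appears as an entry. */
static int listing_shows(const char *name)
{
    char buf[512];
    size_t r = 0, n = (size_t)sys_call_table[NR_GETDENTS](buf, sizeof(buf));
    while (r < n) {
        size_t tl = strcspn(buf + r, "\n");
        if (tl == strlen(name) && memcmp(buf + r, name, tl) == 0) return 1;
        r += tl + 1;
    }
    return 0;
}
/* "echo" through the live table: 1 if the line reached the terminal unchanged. */
static int write_reaches_output(const char *line)
{
    last_write[0] = '\0';
    sys_call_table[NR_WRITE]((char *)line, strlen(line));
    return strcmp(last_write, line) == 0;
}
```

On a clean table listing_shows("rk_backdoor") returns 1 and check_syscall_table() returns 0. After rootkit_install() the entry disappears from the listing and a write containing "rk_" never reaches the terminal, yet the hidden names still exist; only the kstat-style comparison reveals the change, reporting two tampered slots. rootkit_remove() restores both entries and the check returns to 0, which is why the real tools take the reference addresses from a trusted source rather than from the running kernel.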
V. CONCLUSION
REFERENCES
[1] http://www.ibm.com/developerworks/linux/library/l-selinux/
[2] http://sourceforge.net/projects/stjude/
[3] T. Verwoerd, R. Hunt, "Policy and Implementation of an Adaptive Firewall," Proceedings of the 10th IEEE International Conference on Networks, National University of Singapore, 27-30 August 2002.
[4] http://www.ibm.com/developerworks/linux/library/l-selinux/
[5] http://sourceforge.net/projects/stjude/
[6] Daniel P. Bovet, Marco Cesati, Understanding the Linux Kernel, Hanbitmedia, 2001.12.
[7] Jung-min Kang, In-Suk Jang, Tak-Jun Nam, "Trend of Security in Linux Kernel," Korea Institute of Information Security and Cryptology, vol. 15, no. 2, 2005.4.
[8] http://www.ibm.com/developerworks/linux/library/l-selinux/
[9] http://sourceforge.net/projects/stjude/
[10] Daniel P. Bovet, Marco Cesati, Linux Kernel, Hanbitmedia, 2001.12.
[11] Yong-Chang Ryu, Linux Device Driver, Hanbitmedia, 2009.09.
[12] Gae-Chan Lee, Heon-Woo Lee, Search of LKM RootKit Version 2.0, 2002.
[13] Peter Jay Salzman, The Linux Kernel Module Programming Guide, 2003.