Anti-rootkit Linux Kernel Module
The goal of the project is to explore kernel security by implementing an anti-rootkit solution. We will look at key kernel components (security-wise) and see how rootkits could abuse them. Defense mechanisms such as AppArmor and SELinux are out of scope for this project.
The target for the final solution is kernel version >= 4.0. However, to demonstrate the basics first, we start with older kernel versions and see how they have evolved. Versions 2.4 and 2.6 are described quite well in the literature listed below. They lack security features present in newer versions, which makes our demonstrations much easier.
For the people who are not sure what a rootkit is, Wikipedia (link) provides a good introduction.
Interesting papers:
- A. Baliga, V. Ganapathy and L. Iftode. "Detecting Kernel-Level Rootkits Using Data Structure Invariants." IEEE Transactions on Dependable and Secure Computing 8.5 (2011): 670-84. doi: 10.1109/TDSC.2010.38.
- Teh Jia Yew, Khairulmizam Samsudin, Nur Izura Udzir, and Shaiful Jahari Hashim. "Rootkit Guard (RG) - An Architecture for Rootkit Resistant File-system Implementation Based on TPM." Pertanika Journal of Science & Technology 21.2 (2013): 507-20. Web.
Books:
- "Linux Kernel Internals" by M. Beck, H. Böhme, M. Dziadzka, U. Kunitz, R. Magnus, D. Verworner
- "Understanding the Linux Kernel" by Daniel P. Bovet, Marco Cesati
- "Linux Device Drivers" by Jonathan Corbet, Alessandro Rubini, Greg Kroah-Hartman
And too many internet resources to list them all, the official kernel documentation included.
Another repository explaining kernel hacking (and rootkits):
Another anti-rootkit project:
Other online resources:
- kernel source code browser
- lectures and labs on the Linux kernel
- The Linux Kernel documentation
- TLDP website
- LWN website
- Automotive Grade Linux documentation
We dig into the kernel in steps, each named after the concept explored in that part. Steps consist of demonstrative "attack" and "defense" kernel modules. The obvious assumption is that when we defend, we need the "defense" module to be loaded before the "attack" one. Further explanations for each step should be given in proper README files.
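The load-order assumption above is easy to get wrong when running a step by hand. The following helper is an added example, not part of the project's own code: it checks /proc/modules for the "defense" module and only then inserts the "attack" one. The module names defense_mod and attack_mod, and the .ko path, are placeholders; the modules file and the insmod command can be overridden so the check can be exercised against a constructed modules listing without root.

```shell
#!/bin/sh
# Added example (not from the original project): enforce the README's rule that
# the "defense" module must be loaded before the "attack" module.
# Module names used here (defense_mod, attack_mod) are placeholders.

# module_loaded NAME [MODULES_FILE]
# Returns 0 if NAME appears as a loaded module in MODULES_FILE
# (default /proc/modules), 1 otherwise.
module_loaded() {
    name=$1
    modfile=${2:-/proc/modules}
    # Each /proc/modules line: "name size refcount deps state address".
    # Match the module name exactly in the first column; a substring match
    # would let "defense_mod_old" satisfy a check for "defense_mod".
    awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$modfile"
}

# load_step DEFENSE ATTACK_KO [MODULES_FILE] [INSMOD]
# Inserts ATTACK_KO only after DEFENSE is confirmed present. INSMOD defaults
# to insmod; it can be replaced (e.g. by "true") for a dry run.
load_step() {
    defense=$1
    attack_ko=$2
    modfile=${3:-/proc/modules}
    insmod_cmd=${4:-insmod}
    if ! module_loaded "$defense" "$modfile"; then
        echo "refusing to load $attack_ko: $defense is not loaded" >&2
        return 1
    fi
    "$insmod_cmd" "$attack_ko"
}

# Typical use for one step (requires root for the real insmod):
#   insmod defense_mod.ko
#   load_step defense_mod attack_mod.ko
```

Running the step this way makes the ordering explicit and fails loudly instead of silently demonstrating an "attack" against an unprotected kernel.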
GPLv3 unless stated otherwise.