5

I just finished writing a linux security module which verifies the integrity of executable files at the start of their execution (using digital signatures). Now I want to dig a little bit deeper and want to check the files' integrity during run-time (i.e. periodically check them - since I am mostly dealing with processes that get started and run forever...) so that an attacker is not able to change the file within main memory without being identified (at least after some time).

The problem here is that I have absolutely no clue how I can check the file's current memory image. My authentication method mentioned above makes use of a mmap-hook which gets called whenever a file is mmaped before its execution, but as far as I know the LSM framework does not provide tools for periodical checks.

So my question: Are there any hints how I shoudl start this? How I can read a memory image and check its integrity?

Thank you

Chris
  • 2,030
  • 1
  • 16
  • 22
  • How do you propose to handle applications that create and store variables in their heap, stack space, malloc'ed memory and suchlike? – fpmurphy Apr 07 '11 at 13:35
  • Well since this part of memory is dynamic, I assume there is no good way of verifying this part once the program is running. I'll probably have to stick to the fixed sections and make sure that an attacker did not alter anything in there – Chris Apr 07 '11 at 13:43
  • Is your security module residing in the HLOS or kernel? For kernel, make sure your address is contiguous by using kmalloc instead of vmalloc. – Ursa Major Jan 09 '14 at 00:13
  • @Chris - It is really a nice idea. I am more interested in how you have implemented "Checking integrity (checksum or hash) of file before executing ?". I am trying to implement similar kind of thing but did not get any way yet. – jigar137 Jan 08 '21 at 07:05

1 Answers1

2

I understand what you're trying to do, but I'm really worried that this may be a security feature that gives you a warm fuzzy feeling for no good reason; and those are the most dangerous kinds of security features to have. (Another example of this might be the LSM sitting right next to yours, SElinux. Although I think I'm in the minority on this opinion...)

The program data of a process is not the only thing that affects its behavior. Stack overflows, where malicious code is written into the stack and jumped into, make integrity checking of the original program text moot. Not to mention the fact that an attacker can use the original unchanged program text to his advantage.

Also, there are probably some performance issues you'll run into if you are constantly computing DSA inside the kernel. And, you're adding that much more to long list of privileged kernel code that could be possibly exploited later on.

In any case, to address the question: You can possibly write a kernel module that instantiates a kernel thread that, on a timer, hops through each process and checks its integrity. This can be done by using the page tables for each process, mapping in the read only pages, and integrity checking them. This may not work, though, as each memory page probably needs to have its own signature, unless you concatenate them all together somehow.

A good thing to note is that shared libraries only need to be integrity checked once per sweep, since they are re-mapped across all the processes that use them. It takes sophistication to implement this though, so maybe have this under this "nice-to-have" section of your design.

If you disagree with my rationale that this may not be a good idea, I'd be very interested in your thoughts. I ran into this idea at work a while ago, and it would be nice to bring fresh ideas to our discussion.

Jeremy Powell
  • 3,426
  • 2
  • 21
  • 29
  • Thank you for your thoughts, I did a bit of research the last days, and it indeed seems not to be a reasonable security feature. You already named one reason (bufferoverflow attacks can make use of already existent code without changing it), furthermore such a system would need higher privileges than the kernel to run effectively and therefore all exisiting solutions depend either on hardware (e.g.TPM module) or on a virtual machine where the integrity check runs as a VMM – Chris Apr 09 '11 at 12:07
  • The TPM is 1 approach to set a RoT (Root of trust), there are other ways. You have to becareful as well, as TPM's version in TCG is now 2.0, but to date, a larger part of the market is still doing 1.2, though 2.0 would be a better option. – Ursa Major Jan 09 '14 at 00:12