25-08-2017, 09:32 PM
Design and Implementation of Secure Auditing System in Linux Kernel
2007-Design and Implementation of Secure Auditing System in Linux Kernel.pdf (Size: 142.9 KB / Downloads: 30)
INTRODUCTION
Auditing was introduced into computer systems by analogy with the supervisory mechanisms of society, and it is used mainly to monitor system activity. As an important component of a secure operating system, the auditing system records, inspects and audits all security-relevant activity on the computer. It is used mainly to detect and prevent intrusions by unauthorized users, and to expose erroneous operations by authorized users. In ordinary Linux systems the logging mechanism performs a similar function, but it has obvious deficiencies in auditing granularity, in the security of the audit trail and in flexibility [1], [2].
DESIGN OF SECURE AUDITING SYSTEM
The kernel, as the most important component of an operating system, is responsible for process control, memory addressing and management, system calls, and so on. Linux runs in two modes, user mode and kernel mode. A user program can use system resources (files, directories, devices, etc.) only by trapping into kernel mode through a system call; when the call completes, the program returns to user mode. Audit points can therefore be placed in the kernel on this path to record detailed events about the running system. The advantage of this auditing mechanism is, firstly, that all audit information is generated inside the kernel.
Loadable Kernel Modules
A Loadable Kernel Module (LKM) is the mechanism by which an operating system extends its functionality: additional kernel code is loaded dynamically and executed without recompiling the kernel. For this reason LKMs are commonly used for device drivers. Every LKM has two basic functions, "int init_module(void)" for initialization and "void cleanup_module(void)" for cleanup (current kernels designate these through the module_init() and module_exit() macros). A loaded LKM is a piece of code running in the kernel, which gives it access to the most privileged parts of the kernel. Attackers use LKMs to achieve kernel-level (top-level) intrusions, and the same technique can equally be used to implement kernel-level security facilities [3].
System Call Hijacking
System calls are the interface between applications and the operating system kernel: a user process invokes a specific kernel function and receives its result. When a user process executes a system call, it hands all the relevant information (the call's arguments) to the kernel. We can therefore hijack these system calls in the kernel, extract audit information from the arguments passed by user processes, and pass that information to user space through a device file. On 32-bit x86, the "int 0x80" software interrupt is used to execute system calls in Linux. The shell, as the interface between the user and Linux, is responsible for interpreting and executing the user's commands and programs: it parses each command, forks a child process and executes it with "execve()". If the "execve()" system call is hijacked, we obtain audit information for every command executed by a user. Note that hooking a system call this way depends on locating and writing to the kernel's system call table; the kernels of the paper's time permitted this, whereas later kernels no longer export the table and keep it read-only, so the approach is tied to that generation of kernels.
Device Driver
Linux memory is divided into kernel space and user space. In general, a user process cannot access kernel space, and kernel code does not directly address the memory of user processes either. There are two ways for an LKM to communicate with user-space processes: the "proc" file system or a device file. Because LKMs and device drivers are closely related, a device driver is the more convenient choice.
We create a virtual device ("hijacksyscalldev") under "/dev" to pass information between kernel space and user space. When a new command is observed in the kernel, the related information is stored in the virtual device by the device driver, which implements the open, release (close) and read file operations. Meanwhile, a reader process is created in user space that reads the device file and saves the information in user space. Two kinds of functions are used to exchange data between kernel space and user space: "copy_to_user()" and "copy_from_user()" for blocks of memory, and "put_user()" and "get_user()" for single simple values (declared in "asm/uaccess.h", or "linux/uaccess.h" on newer kernels). Copying through these helpers, rather than dereferencing user pointers directly in the hooked execve() or in the driver's read(), is what keeps the audit path safe against an unmapped or deliberately malformed user buffer.
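As an added example (not code from the paper), here is the user-space half of the design above: the reader process that blocks on the device, splits what read() returns into whole records, formats each one as an audit line and flags the kind of event the paper is after. The record layout (struct audit_record), the log path, the 16-record buffer and the is_suspicious() rule are assumptions made for this example; the paper only fixes the device name /dev/hijacksyscalldev. The kernel side is assumed to fill in one such record in the hooked execve() and to hand it out with copy_to_user() from the driver's read().

```c
/* Added example: user-space reader for the paper's hijacksyscalldev device.
 * Record layout, log path and suspicious-exec rule are assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define AUDIT_DEV    "/dev/hijacksyscalldev"    /* device node named in the paper */
#define AUDIT_LOG    "/var/log/hijack_audit.log" /* assumed log location */
#define PATH_MAX_REC 256
#define BATCH        16

/* One execve() event as the kernel module is assumed to write it.
 * Fixed-size and packed so both sides agree on the byte layout. */
struct audit_record {
    uint32_t pid;
    uint32_t ppid;
    uint32_t uid;
    uint32_t euid;
    uint64_t ts_sec;                 /* seconds since the epoch */
    char     filename[PATH_MAX_REC]; /* first argument of execve() */
    char     argv0[64];              /* argv[0], if the kernel could read it */
} __attribute__((packed));

/* Format one record as a single audit line. Returns the line length,
 * or -1 if a string field is not NUL-terminated (corrupt/forged record). */
int format_audit_record(const struct audit_record *r, char *out, size_t n)
{
    if (memchr(r->filename, '\0', sizeof r->filename) == NULL ||
        memchr(r->argv0, '\0', sizeof r->argv0) == NULL)
        return -1;
    int len = snprintf(out, n,
        "ts=%llu pid=%u ppid=%u uid=%u euid=%u exe=%s argv0=%s\n",
        (unsigned long long)r->ts_sec, r->pid, r->ppid, r->uid, r->euid,
        r->filename, r->argv0);
    if (len < 0 || (size_t)len >= n)
        return -1;
    return len;
}

/* Split a buffer returned by read() into whole records. Returns how many
 * were copied out; *consumed tells the caller how many bytes to drop, so a
 * trailing partial record can be carried over to the next read(). */
size_t parse_records(const unsigned char *buf, size_t len,
                     struct audit_record *out, size_t max, size_t *consumed)
{
    size_t count = 0;
    *consumed = 0;
    while (count < max && len - *consumed >= sizeof(struct audit_record)) {
        memcpy(&out[count], buf + *consumed, sizeof(struct audit_record));
        *consumed += sizeof(struct audit_record);
        count++;
    }
    return count;
}

/* Assumed alert rule: a root process executing a binary from a
 * world-writable directory is worth raising immediately. */
int is_suspicious(const struct audit_record *r)
{
    return r->euid == 0 &&
           (strncmp(r->filename, "/tmp/", 5) == 0 ||
            strncmp(r->filename, "/dev/shm/", 9) == 0);
}

/* The reader process described in the paper: read from the device,
 * append formatted lines to the log, alert on the suspicious ones. */
int main(void)
{
    int dev = open(AUDIT_DEV, O_RDONLY);
    if (dev < 0) { perror(AUDIT_DEV); return 1; }
    FILE *log = fopen(AUDIT_LOG, "a");
    if (!log) { perror(AUDIT_LOG); return 1; }

    unsigned char buf[sizeof(struct audit_record) * BATCH];
    size_t pending = 0;               /* bytes of a partial record carried over */
    for (;;) {
        ssize_t n = read(dev, buf + pending, sizeof buf - pending);
        if (n < 0) { if (errno == EINTR) continue; perror("read"); break; }
        if (n == 0) { sleep(1); continue; }   /* nothing queued yet */
        struct audit_record recs[BATCH];
        size_t used;
        size_t cnt = parse_records(buf, pending + (size_t)n, recs, BATCH, &used);
        for (size_t i = 0; i < cnt; i++) {
            char line[512];
            if (format_audit_record(&recs[i], line, sizeof line) < 0) continue;
            fputs(line, log);
            if (is_suspicious(&recs[i])) fprintf(stderr, "ALERT: %s", line);
        }
        pending = pending + (size_t)n - used;
        memmove(buf, buf + used, pending);
        fflush(log);
    }
    return 0;
}
```

The reader treats every record as untrusted input even though it comes from the kernel: a record whose string fields are not terminated is dropped rather than printed, since the driver's copy_to_user() faithfully copies whatever the hooked execve() managed to read from a user-controlled argument buffer.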