In this presentation we take a look at a Linux kernel backdoor to see how it works, and discuss why attackers build them and how to mitigate them.
Since this presentation revolves around the (non-public) source code of the backdoor, it is mostly intended for people who attended the session.
2. Key messages
• They’re out to get you
• Kernel backdoors are hard to find
• However, most attackers are not so motivated or well equipped
• There is a lot you can do
3. Hi
Christiaan Ottow
• Developer, Sysop, Hacker
• Security Coach @ Computest / Pine Digital Security
• cottow@computest.nl
• @cottow
13. How to do persistence as uid > 0
• “hidden” directories
  • “.. ” (note the trailing space)
• innocuous filenames
  • libglsconv.so
• process renaming
  • write to argv[0]
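The argv[0] trick from this slide, written out as an added example (not code from the talk), next to the two checks a defender can run against it: compare what a process calls itself with the file the kernel actually executed, and flag names built to be overlooked in `ls` such as “.. ”. The check functions take their inputs as strings so they can run on constructed data here; a real scanner would read them from /proc/PID/comm, /proc/PID/cmdline and readlink("/proc/PID/exe"). The fake name "[kworker/0:1]" is an assumption chosen to mimic a kernel thread.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Technique from the slide: overwrite argv[0] in place so `ps` and
 * /proc/PID/cmdline show a harmless-looking name. Only the bytes the original
 * argv[0] occupied are available, so the fake name is truncated to fit. The
 * 16-byte comm (/proc/PID/comm, `ps -o comm`) is a separate field set by the
 * kernel at exec time, so it is changed as well, via prctl. */
void disguise_process(char *argv0, const char *fake_name)
{
    size_t room = strlen(argv0);
    memset(argv0, 0, room);
    strncpy(argv0, fake_name, room);
#ifdef __linux__
    prctl(PR_SET_NAME, fake_name, 0, 0, 0);
#endif
}

/* Defender's check. The kernel derives comm from the basename of the file it
 * executed, and /proc/PID/exe keeps pointing at that file whatever the
 * process later writes over its own strings. Returns 1 if comm or argv[0]
 * disagree with the exe basename, or if the binary was deleted after start
 * (readlink on /proc/PID/exe then ends in " (deleted)"). */
int process_name_mismatch(const char *comm, const char *argv0, const char *exe_path)
{
    const char *exe = strrchr(exe_path, '/');
    exe = exe ? exe + 1 : exe_path;
    const char *arg = strrchr(argv0, '/');
    arg = arg ? arg + 1 : argv0;

    if (strstr(exe_path, " (deleted)"))
        return 1;
    /* comm holds at most 15 characters, so compare only that prefix */
    if (strncmp(comm, exe, 15) != 0)
        return 1;
    if (strcmp(arg, exe) != 0)
        return 1;
    return 0;
}

/* Flag file or directory names designed to be missed: anything with leading
 * or trailing whitespace (".. ", ". "), and names made only of dots and
 * whitespace ("...") other than the real "." and "..". */
int suspicious_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (isspace((unsigned char)name[0]) || isspace((unsigned char)name[n - 1]))
        return 1;
    for (size_t i = 0; i < n; i++)
        if (name[i] != '.' && !isspace((unsigned char)name[i]))
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    (void)argc;
    const char *fake = "[kworker/0:1]";   /* assumed fake name, mimics a kernel thread */
    disguise_process(argv[0], fake);
    printf("argv[0] now reads \"%s\"; compare `ps -o pid,comm,args -p %d` "
           "with `readlink /proc/%d/exe`\n", argv[0], (int)getpid(), (int)getpid());

    /* constructed /proc values for a renamed process living in a ".. " directory */
    printf("mismatch: %d\n", process_name_mismatch("kworker/0:1", fake, "/tmp/.. /libglsconv"));
    printf("suspicious dir name: %d\n", suspicious_name(".. "));
    return 0;
}
```

Treat a mismatch as a triage signal, not a verdict: binaries reached through a symlink (/bin/sh pointing at dash) and daemons that rename their own children (sshd, postgres) will also trip the comparison. Note also that argv[0] can only shrink, since the new name has to fit in the original bytes, which is why rootkits prefer short, system-looking names.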
14. How to do persistence as uid == 0
• hide inside existing executables
  • patch /bin/su
• patch processes in memory
  • attach to sshd, patch, detach
• kernel module
  • loadable backdoors!
• firmware backdoor
  • hardware has its own microcontroller and “OS”
26. Detection
• syscall table should be predictable and boring
• the server’s external behaviour doesn’t lie: the hacker has a business case
• cat-and-mouse game between detection and hiding
• Volatility framework for memory inspection
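The “predictable and boring” syscall table check, as an added example that is not from the talk: every entry of sys_call_table should point into the core kernel’s own text segment (between _stext and _etext), and should equal the handler’s address in /proc/kallsyms or System.map for the running kernel. Reading the live table needs a kernel module or a memory image (Volatility 2’s linux_check_syscall plugin does this for images); the function below does the comparison only, run here over a constructed dump whose addresses are invented to look like an x86_64 kernel.

```c
#include <stdio.h>
#include <stddef.h>

/* One row per syscall: what the symbol table says the handler should be, and
 * what sys_call_table[nr] actually contains. */
struct sc_entry {
    int nr;
    const char *name;
    unsigned long expected;   /* from /proc/kallsyms or System.map */
    unsigned long actual;     /* read from sys_call_table[nr] */
};

enum { SC_OK = 0, SC_OUTSIDE_TEXT = 1, SC_MISMATCH = 2 };

/* Two checks, strongest last:
 *  - the pointer must fall inside the core kernel's text (_stext.._etext);
 *    a hook installed by a module lands in the module mapping area instead,
 *    and this check needs no symbol file at all;
 *  - the pointer must equal the handler's address from the symbol table,
 *    which also catches a hook that jumps to a trampoline placed inside text.
 * flags[i] receives the reasons for entry i; the return value is how many
 * entries were flagged. */
size_t audit_syscall_table(const struct sc_entry *tab, size_t n,
                           unsigned long stext, unsigned long etext, int *flags)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        int f = SC_OK;
        if (tab[i].actual < stext || tab[i].actual >= etext)
            f |= SC_OUTSIDE_TEXT;
        if (tab[i].actual != tab[i].expected)
            f |= SC_MISMATCH;
        flags[i] = f;
        if (f != SC_OK)
            bad++;
    }
    return bad;
}

/* Constructed sample: addresses are made up, laid out like an x86_64 kernel
 * with text at 0xffffffff81000000 and modules mapped above 0xffffffffa0000000. */
#define SAMPLE_STEXT 0xffffffff81000000UL
#define SAMPLE_ETEXT 0xffffffff81e00000UL

static const struct sc_entry sample[] = {
    {   0, "sys_read",       0xffffffff8124a0c0UL, 0xffffffff8124a0c0UL },
    {   1, "sys_write",      0xffffffff8124a2e0UL, 0xffffffff8124a2e0UL },
    {   2, "sys_open",       0xffffffff81242a70UL, 0xffffffffa0012340UL }, /* hooked: points into module area */
    {  62, "sys_kill",       0xffffffff8108f0a0UL, 0xffffffff8108f0f0UL }, /* hooked: inside text, wrong function */
    { 217, "sys_getdents64", 0xffffffff8125c100UL, 0xffffffff8125c100UL },
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

size_t run_sample_audit(int *flags)
{
    return audit_syscall_table(sample, SAMPLE_N, SAMPLE_STEXT, SAMPLE_ETEXT, flags);
}

int main(void)
{
    int flags[SAMPLE_N];
    size_t bad = run_sample_audit(flags);
    for (size_t i = 0; i < SAMPLE_N; i++) {
        if (flags[i] == SC_OK)
            continue;
        printf("syscall %3d %-14s expected %#lx got %#lx:%s%s\n",
               sample[i].nr, sample[i].name, sample[i].expected, sample[i].actual,
               (flags[i] & SC_OUTSIDE_TEXT) ? " outside-kernel-text" : "",
               (flags[i] & SC_MISMATCH) ? " symbol-mismatch" : "");
    }
    printf("%zu of %zu entries flagged\n", bad, (size_t)SAMPLE_N);
    return bad ? 1 : 0;
}
```

This catches the classic table-overwrite rootkit and nothing more: a backdoor that patches the first bytes of the real handler, or hooks through ftrace or kprobes, leaves the table intact, which is the cat-and-mouse the slide refers to. With kptr_restrict set, /proc/kallsyms shows zeros to unprivileged readers, so the expected addresses must be collected as root or taken from the matching System.map.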
27. Prevention - kernel level
• grsecurity / SELinux
  • disallow anomalous behaviour
  • limit what root can do
• disable module loading
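The “disable module loading” and “limit what root can do” bullets as a sysctl.d fragment, added here as an example and not part of the talk. The weak default is shown as a comment beside the hardened value; the file name is an assumption.

```ini
# /etc/sysctl.d/99-kernel-backdoor.conf (example, not from the talk)

# Default: root may load modules at any time, which is all a loadable backdoor needs.
# kernel.modules_disabled = 0
# Hardened: one-way switch, cannot be set back to 0 until reboot, so load every
# module the box needs (storage, network, filesystems) before this applies.
kernel.modules_disabled = 1

# Default: /proc/kallsyms and dmesg leak kernel addresses a rootkit builder wants.
# kernel.kptr_restrict = 0
# kernel.dmesg_restrict = 0
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1

# Default: root can ptrace-attach to any process (the "attach to sshd, patch,
# detach" technique). Yama scope 3 forbids PTRACE_ATTACH for everyone, root
# included, and like modules_disabled cannot be lowered again without a reboot.
# kernel.yama.ptrace_scope = 0
kernel.yama.ptrace_scope = 3
```

On kernels with the lockdown LSM (5.4 and later) add `lockdown=integrity` to the kernel command line, which refuses unsigned modules and closes /dev/mem, /dev/kmem and unsigned kexec for root as well; `module.sig_enforce=1` gives the module part of that on older kernels. None of this stops the firmware route from the uid == 0 slide, which is why the next slide is about hardening the rest of the box.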
28. Prevention - hardening
• remove unnecessary tools like compilers
• isolate services (chroot / containers / cgroups / apparmor)
• see CIS and Certified Secure guidelines
30. Conclusions
• They’re out to get you
• Most of them aren’t that well resourced
• A good backdoor is next to impossible to find
• There are excellent mitigations to take
• Spend your time and money wisely
31. If it can’t break, it’s no fun either (“Als het niet kapot kan, dan is het ook niet leuk”)
www.werkenbijcomputest.nl
33. Image credits
• Why girl: http://www.cellmaxxindo.com
• Lulz: Image courtesy of http://knowyourmeme.com
• Trump: http://www.northcountrypublicradio.org/
• The good news: http://theverybesttop10.com
• The bad news: http://stuffpoint.com
• Questions: http://www.slideshare.net/linaroorg/sfo15tr6-server-ecosystem-day-part-6a