Name: kv-assessment-tool
Owner: Hewlett Packard Enterprise
Description: null
Created: 2016-06-02 19:01:26.0
Updated: 2017-04-18 17:58:08.0
Pushed: 2016-06-15 20:01:41.0
Homepage: null
Size: 26
Language: C
This is a work in progress. Please see the TODO file for pending enhancements.
kva-tool is an interactive command-line application designed as a research tool to explore kernel insecurities.
The first offering is a Linux kernel module (mmsearch) which demonstrates how to scan any process's memory heap for information of interest.
We are looking for other contributors to add modules and tests illustrating concerning behaviors.
Our hope is to prompt a broader discussion on how to better secure a Unix kernel, be it Linux or another.
In the end, we aspire to evolve this into a regression tool to assess the security state of any running kernel.
Ideas and improvements welcome.
git clone the kv-assessment-tool repo
install the linux-headers package for the kernel version running on the build system
This is required to build the kernel module
install libprocps3-dev package
This is required to access process information
run make from top level directory
lkm-mmsearch
descr: loads the mmsearch kernel module
rkm-mmsearch
descr: unloads the mmsearch kernel module
mmsearch-pid <proc_id>
descr: searches a given process's memory space
depends on mmsearch kernel module
pagemapinfo <proc_id>
descr: outputs process virtual memory addresses
map
procinfo <proc_id>
descr: displays detailed process information
proclist
descr: displays the set of running processes
(akin to ps)
sysinfo
descr: reports system information
quit
descr: to exit
It must be run in a root shell. It cannot be run using 'sudo'.
The code must be checked out and compiled on the system under test.
The application must be run from the source base directory as illustrated above.
mmsearch-pid walks the memory space of any process and searches for a credit card number.
The commandline 'mmsearch-pid
The search is restricted to the process's heap regions. Other regions such as vdso, stack, anonymous are omitted.
This kernel module was originally designed to demonstrate the effectiveness of the proposed XPFO patch set. See:
[[RFC PATCH] Add support for eXclusive Page Frame Ownership (XPFO)](https://lkml.org/lkml/2016/2/26/516)
credit-card-app is a C application which allocates a chunk of memory into which credit card information is copied.
To run the application:
start mmsearch/test/credit-card-app in the foreground
Example output…
hlinux-devel:~/dsr_src/kernel-vulnerability-tests$ mmsearch/test/credit-card-app
ing as pid: 1188
oc operation 0 ptr val: 0x1e30010
Identify the process id of the running application, then invoke the mmsearch-pid command line option from kva-tool.
Alternatively you can send the pid number to the kernel module with
this command 'echo
@hlinux-devel:/home/dsr/dsr_src/kernel-vulnerability-tests# kva-tool/kvat
ing as PID 1192
tool> mmsearch-pid 1188
ompletion, check dmesg output...
55.871206] mmsearch: module verification failed: signature and/or required key missing - tainting kernel
55.872605] mmsearch_init: task(1192) task_struct_ptr(ffff88013a6e0000)
71.864242] mmsearch_pid_store: mmsearch pid: 1188
71.864255] process_vm_area_list: vm_start(1e30000) vm_end(1e32000) bytes copied(0x2000)
71.864256] dump_vma_flags: rw-p
71.864257] dump_page_table_flags: PTE(80000000b8707067) USER(1) PRES(1) PCD(0) RW(1) ACCESSD(1)
71.864258] attack_run: dereferencing address(ffff8800b8707010): 3333 444444 55555 1234 0910 Frodo Baggins [1]
71.864306] process_vm_area_list: vm_start(1e32000) vm_end(1e52000) bytes copied(0x20000)
71.864307] dump_vma_flags: rw-p
71.864454] buffer_search: no data found
71.864457] mmsearch_pid_store: search complete for pid: 1188
Alternatively, to view the search result, you can read the mmsearch_pid sysfs file with the following command: 'cat /sys/kernel/mmsearch_pid/mmsearch_pid'
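How the PTE value and the dereferenced kernel address in the log above relate to each other, as an added example that is not part of the kv-assessment-tool sources: it decodes the flags printed by dump_page_table_flags and computes the kernel direct-map alias of the user pointer, which is the mapping XPFO removes for user-owned pages. The function names and DIRECT_MAP_BASE are assumptions; the base is the fixed x86-64 direct-map start of kernels without KASLR and matches the ffff8800... address in the log.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 page-table entry bits (4-level paging). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_PCD       (1ULL << 4)
#define PTE_ACCESSED  (1ULL << 5)
#define PTE_NX        (1ULL << 63)
#define PTE_PFN_MASK  0x000ffffffffff000ULL  /* physical frame, bits 12..51 */
#define PAGE_OFF_MASK 0xfffULL               /* offset inside a 4 KB page */

/* Assumption: fixed direct-map base of x86-64 kernels without KASLR. */
#define DIRECT_MAP_BASE 0xffff880000000000ULL

struct pte_info {
    int present, rw, user, pcd, accessed, nx;
    uint64_t phys_page;
};

/* Split a raw PTE into the flags shown by dump_page_table_flags. */
struct pte_info decode_pte(uint64_t pte)
{
    struct pte_info i;
    i.present   = !!(pte & PTE_PRESENT);
    i.rw        = !!(pte & PTE_RW);
    i.user      = !!(pte & PTE_USER);
    i.pcd       = !!(pte & PTE_PCD);
    i.accessed  = !!(pte & PTE_ACCESSED);
    i.nx        = !!(pte & PTE_NX);
    i.phys_page = pte & PTE_PFN_MASK;
    return i;
}

/* Kernel direct-map address that aliases the given user virtual address. */
uint64_t direct_map_alias(uint64_t pte, uint64_t user_vaddr)
{
    return DIRECT_MAP_BASE + (pte & PTE_PFN_MASK) + (user_vaddr & PAGE_OFF_MASK);
}

int main(void)
{
    const uint64_t pte   = 0x80000000b8707067ULL; /* PTE(...) from the log */
    const uint64_t uaddr = 0x1e30010ULL;          /* ptr val from credit-card-app */
    struct pte_info i = decode_pte(pte);

    printf("USER(%d) PRES(%d) PCD(%d) RW(%d) ACCESSD(%d) NX(%d)\n",
           i.user, i.present, i.pcd, i.rw, i.accessed, i.nx);
    printf("phys page 0x%llx -> direct map 0x%llx\n",
           (unsigned long long)i.phys_page,
           (unsigned long long)direct_map_alias(pte, uaddr));
    return 0;
}
```

The computed alias equals the address reported by attack_run, which shows that the heap page is reachable through a second, kernel-side mapping in addition to the process's own.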
If a kernel thread/process is passed in, the following error is reported:
99.373518] mmsearch_pid_store: mmsearch pid: 3711
99.373533] mmsearch_pid_store: 3711 is a kernel thread
99.373535] mmsearch_pid_store: search complete for pid: 3711
Kernel threads are skipped because they do not have access to
user space memory. A kernel thread process sets mm_struct to NULL.
The objective of kva-tool is to provide the tools to interrogate a system under one umbrella.
The command takes as input the ID of a running Linux process.
Example output:
tool> procinfo 9722
ching for info on pid: 9722
nning address of text segment: 0x400000
ng address of text segment: 0x60c6c0
ess of bottom of stack: 0x7ffe52993440
ess kernel stack pointer: 0x7ffe52992200
ess kernel instruction pointer: 0x7fe5f8875da3
tool>
Lists the /proc/[pid]/maps information.
Example output:
tool> pagemapinfo 8946
edit-card-app(8946)
0000 (4 KB) r-xp (08:01 21238394) /home/david/tmp/kernel-vulnerability-tools/mmsearch/test/credit-card-app
0000 (4 KB) r--p (08:01 21238394) /home/david/tmp/kernel-vulnerability-tools/mmsearch/test/credit-card-app
1000 (4 KB) rw-p (08:01 21238394) /home/david/tmp/kernel-vulnerability-tools/mmsearch/test/credit-card-app
5000 (8 KB) rw-p (00:00 0) [heap]
7000 (128 KB) rw-p (00:00 0) [heap]
24287000 (1768 KB) r-xp (08:01 2361750) /lib/x86_64-linux-gnu/libc-2.19.so
24441000 (2048 KB) ---p (08:01 2361750) /lib/x86_64-linux-gnu/libc-2.19.so
24641000 (16 KB) r--p (08:01 2361750) /lib/x86_64-linux-gnu/libc-2.19.so
24645000 (8 KB) rw-p (08:01 2361750) /lib/x86_64-linux-gnu/libc-2.19.so
24647000 (20 KB) rw-p (00:00 0)
2464c000 (140 KB) r-xp (08:01 2361736) /lib/x86_64-linux-gnu/ld-2.19.so
24845000 (12 KB) rw-p (00:00 0)
2486b000 (12 KB) rw-p (00:00 0)
2486e000 (4 KB) r--p (08:01 2361736) /lib/x86_64-linux-gnu/ld-2.19.so
2486f000 (4 KB) rw-p (08:01 2361736) /lib/x86_64-linux-gnu/ld-2.19.so
24870000 (4 KB) rw-p (00:00 0)
5a910000 (132 KB) rw-p (00:00 0) [stack]
5a9fe000 (8 KB) r-xp (00:00 0) [vdso]
ffffff600000 (4 KB) r-xp (00:00 0) [vsyscall]
ed: 4328 KB writable/private: 332 KB shared: 0 KB
Lists system information of interest.
Example output:
tool> sysinfo
essor: x86_64
ase: 3.13.0-71-generic
ion: #114-Ubuntu SMP Tue Dec 1 02:34:22 UTC 2015
l ram: 25264107520
ram: 21985210368
l swap: 25750925312
swap: 25750925312
current processes: 723
l high memory size: 0
high memory: 0
ry units size (bytes): 1
Lists the set of current running processes.
Example output:
tool> proclist
1 init: 808 45 119
2 kthreadd: 0 0 1
3 ksoftirqd/0: 0 0 27
4 kworker/0:0: 0 0 560
5 kworker/0:0H: 0 0 0
6 kworker/u64:0: 0 0 2266
8 rcu_sched: 0 0 957
9 rcuos/0: 0 0 1282
10 rcuos/1: 0 0 42
11 rcuos/2: 0 0 47
12 rcuos/3: 0 0 38
13 rcuos/4: 0 0 42
14 rcuos/5: 0 0 36
15 rcuos/6: 0 0 31
16 rcuos/7: 0 0 31
17 rcuos/8: 0 0 443
18 rcuos/9: 0 0 23
19 rcuos/10: 0 0 24
20 rcuos/11: 0 0 144
...