Using ebpf to detect rootkit vulnerabilities

Now , Cloud native platforms are increasingly based on eBPF Security detection technology . This technology creates secure Hook Hook probe to monitor internal functions and obtain important data , So as to support the monitoring and analysis of the application runtime .Tracee Is used for Linux Open source project for runtime security and forensics , It's based on eBPF Realization , Therefore, the effect of safety monitoring is more optimized .

In this paper , We will explore control eBPF Method of event , And study a use BPF Event capture rootkit The case of .Rootkit It is a complex type of malicious vulnerability attack existing in the kernel , And will introduce Tracee Used to detect Syscall New features of hook , It realizes the use in the kernel eBPF The unique way of events .

eBPF: Not just for tracking

eBPF It's a kind of Linux Kernel technology , It allows you to do this without changing the kernel source code or adding new modules , stay Linux Run the sandbox program in the kernel . therefore ,eBPF Can support safe Hook To the event , Without the risk of kernel crash .

say concretely ,eBPF The program uses kernel mechanism ( Such as kprobes、kretprobes、Linux Security module (LSM) Hooks、uprobes and traceponits) To create and set hooks , And verify that the code will not crash the kernel .eBPF There is one Verifier Validator , The goal is to ensure that eBPF The program runs safely ( Instead of interacting with the kernel by loading kernel modules , If the operation is improper , Will cause the system to crash ).

Why do attackers like Hook Kernel functions ？

Currently in use rootkit Complex attacks of are often targeted at kernel space , This is because the attacker tries to avoid being attacked by the security defense scheme , And forensics tools that monitor user space events or analyze basic system logs detect . Besides , Embedding malware in kernel space also makes it harder for security researchers and response teams to find it . The closer malware is to the bottom , The more difficult it is to detect .

below , We're going to look at TNT Examples of teams , And see how they use Diamorphine This rootkit, as well as Tracee How to detect it .

Function operations in the kernel

Attackers maximize their own interests , Will look for kernel level objective functions . A common method is function hook , It aims to hide malicious activities by manipulating functions in the kernel . The reason for this is that kernel functions perform tasks from user space . If they are destroyed , An attacker can control the behavior of all user space programs .

When the attacker tries Hook system call (syscall) Function time , This is a good example of a function hook . These advanced kernel functions are used to perform tasks from user space ,Hook Their main purpose is to hide malicious behavior . for example , The attacker will getdents system call Hook get up , To hide the commands used to list files ( Such as ps、top and ls) Malicious files and processes .

Usually , Read the system call table and get the address of the system call function to Hook they . Once the system call function address is obtained , The attacker will save the original address , And try to overwrite it with a new function containing malicious code .

How the attacker Hook Kernel functions ？

Now? , Let's study how attackers hijack kernel functions in real-world network attacks .

in order to Hook Kernel functions , You must first obtain access to the object you want to hook . for example , It can be a system call table that stores the addresses of all system call functions . then , Save the original address of the function and overwrite it . In some cases , Due to the memory permissions of the current location , You also need to get CPU Control register permissions in .

Next is TNT The team used Diamorphine Hide encrypted activities , This as part of their attack can well explain such a method :

Use memory boundary technology to detect Syscall hook

Now we have determined the motives of attackers and how they modify kernel behavior , The problem is , How can we detect this activity ? The clear goal is to find a way , To distinguish the original internal functions in the kernel ( Or associated with the core kernel syscall) And new kernel module code ( Or in other words , The function after being attacked ).

We can use the kernel core_text Boundary detection to achieve this . The memory in the kernel is divided into several parts . One of them is core_text paragraph , It saves the original functions in the kernel . This part is registered in a specific memory mapping area , This area is not affected by changes or operations . Besides , If we load a new kernel module -- in other words , Write a new function or overwrite the original function —— This new function will be written to another memory area reserved for the new function . You can see this in the virtual memory map below . Be careful , Address range assigned to the original kernel code ( Text part , also called “ Core kernel text ”) And the address range assigned to the new kernel module is different .

therefore , The current goal is to get a system call address , Then compare it with the kernel core_text Compare the boundaries , As we can see ,core_text The boundary represents the scope of the original kernel source .

Use Tracee testing Syscall hook

Now? , We have learned how and why malware targets kernel functions , And how to detect hooked kernel functions , Next, you need to know how to use eBPF To extract the address of the function . Use Tracee You can determine whether the function is hooked , Even if the hook is Tracee Execute the placed .

First create a trigger in user space BPF Program , And capture the corresponding in kernel space BPF event . If the kernel program needs information from user space , Can pass BPF Map to pass .

For example, in Tracee Create an event in , This event will get the system call address from the system call table , Next, confirm whether the system call is hooked by the kernel module . If it gets hooked , Continuing will create a derived event ( An event created by another event in the kernel ), It will prompt the system call to hook , as follows :

First use libbpfgo Of helper To get the address of the system call table , And add it to the event kernel symbolic dependency .

Be careful ,detect_hooked_sycalls Events are derived events . This means that after we receive the addresses of the system calls and check them , We will create a new detect_hooked_sycalls event .

then , We pass it along with the system call number , For use BPFMap Check kernel space .

To check those system calls in kernel space , be based on security_file_ioctl Upper kprobe Create an event , It is ioctl An internal function called by the system . In this way, we can trigger system calls to control program flow by using specific parameters in user space , Next, trigger with a specific command ioctl:

here , Start checking in kernel space ioctl Whether the commands are the same , And whether the process calling the system call is Tracee. This can be verified only when the user requests Tracee The need for detection will only occur during inspection .

The detection code is simple , Traverse the system call mapping , By using READ_KERN() To get the address of the system call table as follows :

Then in user space , We associate these addresses with libbpfgo helpers Compare :

Hunting time : use eBPF testing Diamorphine rootkit

Now? , Began to run Tracee, See how it will detect Diamorphine rootkit.

• Use insmod Function load Diamorphine (.ko) Kernel object file . The goal is to see Tracee Detection results of . Usually , Start with a kernel module loaded Tracee, If you choose detect_hooked_sycall event ,Tracee Will send a hooked_sycalls event , To ensure that the system is not destroyed :

• Tracee detected getdents and getdents64 These pending system calls .TNT The team uses them to hide the CPU Overload , And usually used to send commands from user space to kill processes kill function . under these circumstances ,rootkit Use kill -63 As the communication channel between user space and kernel space . Again , If run again Diamorphine and Tracee Use json Output , The parameter will display Diamorphine Malicious hook :

• If you run Tracee-rules, We can see detect_hooked_sycall New signature of the event :

Conclusion

Modern attackers target all levels of the operating system including the kernel layer , Besides , Because of open source projects ( Such as Diamorphine) The popularity of , Offensive Web tools are becoming increasingly accessible . therefore , Security researchers need to improve their defense capabilities and knowledge , Develop appropriate detection methods .