int2ecall / aksp Goto Github PK
View Code? Open in Web Editor NEWThis project forked from cloudsec/aksp
Another kernel self protection
This project forked from cloudsec/aksp
Another kernel self protection
NOTICE: This project have done my research in spare time,the name of hksp was given by myself, it's not related to huawei company,there is no huawei product use these code. This patch code is raised by me,as one person do not have enough energy to cover every thing, so there is lack of quality assurance like review and test. THis patch is just a demo code. UPDATE: - Thanks grsecurity team to find lots of bug in this patch. The ksg_guard is a sample poc to detect kernel level rootkits, the user and kernel communication is throw the /proc interface, my origin purpose is to verify the idea quickly, so i do not add enough security checks on it. Actually checking rootkit in kernel level still need to discuss with the community, if need to design an ARK(anti rootkit) tool for the linux system... So, i remove the ksg_guard code, and going to rewrite with netlink interfaces. - i also remove the hide symbol module, because the kptr_restrict is good enough. thanks shoulewoba to review the code. - remove huawei strings, because this is my personal work, not official project. ============================= Another kernel self protection ============================= Cred guard ---------- - random cred's magic. most kernel exploit try to find some offsets in struct cred, but it depends on CONFIG_DEBUG_CREDENTIALS, then need to compute the right offset by that kernel config, so mostly the exploit code is something like that: if (tmp0 == 0x43736564 || tmp0 == 0x44656144) i += 4; - detect shellcode like: commit_creds(prepare_kernel_cred(0)); the common kernel code is never write like that. Namespace Guard --------------- This feature detects pid namespace escape via kernel exploits. The current public method to bypass namespace is hijack init_nsproxy to current process: switch_task_namespaces_p(current, init_nsproxy_p); commit_creds(prepare_kernel_cred(0)); Rop stack pivot -------------- - user process stack can't be is mmap area. - check kernel stack range at each system call ret. the rsp pointer can point below __PAGE_OFFSET. Slub harden ----------- - redzone/poison randomization. - double free enhance. old slub can only detect continuous double free bugs. kfree(obj1) kfree(obj1) hksp can detect no continuous double/multi free bugs. kfree(obj1) kfree(obj2) kfree(obj1) or kfree(obj1) kfree(obj2) kfree(obj3) kfree(obj1) - clear the next object address information when using kmalloc function. Proc info leak -------------- Protect important file with no read access for non root user. set /proc/{modules,keys,key-users}, /proc/sys/kernel/{panic,panic_on_oops,dmesg_restrict,kptr_restrict,keys}, /proc/sys/vm/{mmap_min_addr} as 0640. Aslr hardended -------------- User stack aslr enhanced. Old user process's stack is between 0-1G on 64bit. the actually random range is 0-2^24. we introduce STACK_RND_BITS to control the range dynamically. echo "24" > /proc/sys/vm/stack_rnd_bits we also randomize the space between elf_info and environ. And randomize the space between stack and elf_info. Ptrace hardened --------------- Disallow attach to non child process. This can prevent process memory inject via ptrace. Sm*p hardened ------------- Check smap&smep when return from kernel space via a syscall, this can detect some kernel exploit code to bypass smap & smep feature via rop attack technology. Raw socket enhance ------------------ Enhance raw socket for ipv4 protocol. - TCP data cannot be sent over raw sockets. echo 1 > /proc/sys/net/ipv4/raw_tcp_disabled - UDP datagrams with an invalid source address cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped. This change was made to limit the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets (TCP/IP packets with a forged source IP address). echo 1 > /proc/sys/net/ipv4/raw_udp_verify - A call to the bind function with a raw socket for the IPPROTO_TCP protocol is not allowed. echo 1 > /proc/sys/net/ipv4/raw_bind_disabled Arbitrary code guard -------------------- we extended the libc personality() to support: - mmap can't memory with PROT_WRITE|PROT_EXEC. - mprtect can't change PROT_WRITE to PROT_EXEC. Code integrity guard -------------------- To support certificate for user process execve. it can prevent some internet explorer to load third party so librarys.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.