This is a work in progress. Please see the TODO file for pending enhancements.
kva-tool is an interactive commandline application designed as a research tool to explore kernel insecurities.
The first offering is a Linux kernel module (mmsearch) which demonstrates how to scan any process's memory heap for information of interest.
We are looking for other contributors to add modules and tests illustrating concerning behaviors.
Our hope is to prompt a broader discussion as to how better to secure a unix kernel be it Linux or other.
In the end, we aspire to evolve this into a regression tool to assess the security state of any running kernel.
Ideas and improvements welcome.
-
git clone the kv-assessment-tool repo
-
install the linux-headers package for the kernel version running on the build system
This is required to build the kernel module
-
install libprocps3-dev package
This is required to access process information
-
run make from top level directory
lkm-mmsearch
descr: loads the mmsearch kernel module
rkm-mmsearch
descr: unloads the mmsearch kernel module
mmsearch-pid <proc_id>
descr: searches a given process's memory space
depends on mmsearch kernel module
pagemapinfo <proc_id>
descr: outputs process virtual memory addresses
map
procinfo <proc_id>
descr: displays detailed process information
proclist
descr: displays the set of running processes
(akin to ps)
sysinfo
descr: reports system infomration
quit
descr: to exit
-
it must be run in a root shell. It cannot be run using 'sudo'.
-
the code must be checked out and compiled on the system under test.
-
the application must be run from the sources base directory as illustrated above.
mmsearch-pid walks the memory space of any process and searches for a credit card number.
The commandline 'mmsearch-pid <proc_id>' option passes the process pid to the mmsearch kernel module which scans the process's memory from kernel space.
The search is restricted to the process's heap regions. Other regions such as vdso, stack, anonymous are omitted.
This kernel module was originally designed to demonstrate the effectiveness of the proposed XPFO patch set. See:
[RFC PATCH] Add support for eXclusive Page Frame Ownership (XPFO)
credit-card-app is a C application which allocates a chunk of memory into which credit card information is copied.
To run the application:
start mmearch/test/credit-card-app in the foreground
Example output...
dsr@hlinux-devel:~/dsr_src/kernel-vulnerability-tests$ mmsearch/test/credit-card-app
running as pid: 1188
malloc operation 0 ptr val: 0x1e30010
Identify the process id of the running application, then invoke the mmsearch-pid command line option from kva-tool.
Alternatively you can send the pid number to the kernel module with this command 'echo > /sys/kernel/mmsearch_pid/mmsearch_pid'.
root@hlinux-devel:/home/dsr/dsr_src/kernel-vulnerability-tests# kva-tool/kvat
running as PID 1192
kva-tool> mmsearch-pid 1188
On completion, check dmesg output...
[ 155.871206] mmsearch: module verification failed: signature and/or required key missing - tainting kernel
[ 155.872605] mmsearch_init: task(1192) task_struct_ptr(ffff88013a6e0000)
[ 171.864242] mmsearch_pid_store: mmsearch pid: 1188
[ 171.864255] process_vm_area_list: vm_start(1e30000) vm_end(1e32000) bytes copied(0x2000)
[ 171.864256] dump_vma_flags: rw-p
[ 171.864257] dump_page_table_flags: PTE(80000000b8707067) USER(1) PRES(1) PCD(0) RW(1) ACCESSD(1)
[ 171.864258] attack_run: dereferencing address(ffff8800b8707010): 3333 444444 55555 1234 0910 Frodo Baggins [1]
[ 171.864306] process_vm_area_list: vm_start(1e32000) vm_end(1e52000) bytes copied(0x20000)
[ 171.864307] dump_vma_flags: rw-p
[ 171.864454] buffer_search: no data found
[ 171.864457] mmsearch_pid_store: search complete for pid: 1188
Alternatively to view the search result you can read from the mmsearch_pid via the following command: 'cat /sys/kernel/mmsearch_pid/mmsearch_pid'
If a kernel thread/process is passed in, the following error is reported:
[ 5399.373518] mmsearch_pid_store: mmsearch pid: 3711
[ 5399.373533] mmsearch_pid_store: 3711 is a kernel thread
[ 5399.373535] mmsearch_pid_store: search complete for pid: 3711
Kernel threads are skipped because they do not have access to
userspace memory. A kernel thread process sets mm_struct to NULL.
The objective of kva-tool is to provide the tools to interrogate a system under one umbrella.
Command takes as input the id of a running linux process.
Example output:
kva-tool> procinfo 9722
Searching for info on pid: 9722
beginning address of text segment: 0x400000
ending address of text segment: 0x60c6c0
address of bottom of stack: 0x7ffe52993440
address kernel stack pointer: 0x7ffe52992200
address kernel instruction pointer: 0x7fe5f8875da3
kva-tool>
Lists the /proc/[pid]/maps information.
Example output:
kva-tool> pagemapinfo 8946
./credit-card-app(8946)
00400000 (4 KB) r-xp (08:01 21238394) /home/david/tmp/kernel-vulnerability-tools/mmsearch/test/credit-card-app
00600000 (4 KB) r--p (08:01 21238394) /home/david/tmp/kernel-vulnerability-tools/mmsearch/test/credit-card-app
00601000 (4 KB) rw-p (08:01 21238394) /home/david/tmp/kernel-vulnerability-tools/mmsearch/test/credit-card-app
025f5000 (8 KB) rw-p (00:00 0) [heap]
025f7000 (128 KB) rw-p (00:00 0) [heap]
7ff024287000 (1768 KB) r-xp (08:01 2361750) /lib/x86_64-linux-gnu/libc-2.19.so
7ff024441000 (2048 KB) ---p (08:01 2361750) /lib/x86_64-linux-gnu/libc-2.19.so
7ff024641000 (16 KB) r--p (08:01 2361750) /lib/x86_64-linux-gnu/libc-2.19.so
7ff024645000 (8 KB) rw-p (08:01 2361750) /lib/x86_64-linux-gnu/libc-2.19.so
7ff024647000 (20 KB) rw-p (00:00 0)
7ff02464c000 (140 KB) r-xp (08:01 2361736) /lib/x86_64-linux-gnu/ld-2.19.so
7ff024845000 (12 KB) rw-p (00:00 0)
7ff02486b000 (12 KB) rw-p (00:00 0)
7ff02486e000 (4 KB) r--p (08:01 2361736) /lib/x86_64-linux-gnu/ld-2.19.so
7ff02486f000 (4 KB) rw-p (08:01 2361736) /lib/x86_64-linux-gnu/ld-2.19.so
7ff024870000 (4 KB) rw-p (00:00 0)
7fff5a910000 (132 KB) rw-p (00:00 0) [stack]
7fff5a9fe000 (8 KB) r-xp (00:00 0) [vdso]
ffffffffff600000 (4 KB) r-xp (00:00 0) [vsyscall]
mapped: 4328 KB writable/private: 332 KB shared: 0 KB
Lists system information of interest.
Example output:
kva-tool> sysinfo
processor: x86_64
release: 3.13.0-71-generic
version: #114-Ubuntu SMP Tue Dec 1 02:34:22 UTC 2015
total ram: 25264107520
free ram: 21985210368
total swap: 25750925312
free swap: 25750925312
\num current processes: 723
total high memory size: 0
free high memory: 0
memory units size (bytes): 1
Lists the set of current running processes.
Example output:
kva-tool> proclist
1 init: 808 45 119
2 kthreadd: 0 0 1
3 ksoftirqd/0: 0 0 27
4 kworker/0:0: 0 0 560
5 kworker/0:0H: 0 0 0
6 kworker/u64:0: 0 0 2266
8 rcu_sched: 0 0 957
9 rcuos/0: 0 0 1282
10 rcuos/1: 0 0 42
11 rcuos/2: 0 0 47
12 rcuos/3: 0 0 38
13 rcuos/4: 0 0 42
14 rcuos/5: 0 0 36
15 rcuos/6: 0 0 31
16 rcuos/7: 0 0 31
17 rcuos/8: 0 0 443
18 rcuos/9: 0 0 23
19 rcuos/10: 0 0 24
20 rcuos/11: 0 0 144
...