Saint Jude / News: Recent posts

StJude LKM 0.23 released

-- New project maintainer: Rodrigo Rubira Branco (rodrigo@kernelhacking.com)
-- Changed the code structure (added src/ objs/ includes/ bin/ Docs/)
-- Fixed compiling problems
-- Fixed problems that caused kpanics on the newest vanilla 2.4.x kernels
-- Now, StJude includes StMichael-0.12 (the latest version)
-- Added Readme.Initrd into the Docs/ directory

Posted by Rodrigo Rubira Branco 2005-12-06

StMichael LKM 0.12 released

-- New project maintainer: Rodrigo Rubira Branco (rodrigo@kernelhacking.com)
-- Changed the code structure (added src/ Docs/ includes/ objs/ bin/)
-- Fixed some compiling problems (when you don't use CHECKSUM support)
-- Fixed many kpanic conditions (and marked others in Docs/KNOW_BUGS)
-- Fixed some values in the ./configure script when you use ext3 filesystems (the /proc entries don't exist)
-- Added grub sample at README.initrd
-- Some function definitions don't exist when some ./configure options aren't chosen (this causes a lot of oopses in the running system)
-- Added /lib/modules/`uname -r` to the list of files to be made immutable in a Linux install (README.Immutable)
-- Added MBR integrity checks that can prevent GRUB modifications (in conjunction with really immutable /boot/grub files)...

Posted by Rodrigo Rubira Branco 2005-12-06

Project has New Maintainer

StJude/StMichael now has Rodrigo Rubira Branco <rodrigo@kernelhacking.com> as the new maintainer.

Posted by Rodrigo Rubira Branco 2005-10-25

Project Seeks New Maintainer

Due to work-related issues involving Information Property rights, I have been and continue to be unable to contribute to or maintain this project without tainting the existing code base. For this reason, this project seeks a new admin/developer. If interested, email me at tmlawless1 AT yahoo.com.

Posted by Tim Lawless 2004-03-04

StJude LKM 0.21 Released

An update to the Saint Jude LKM package was released. This update merges the past year of work on StMichael into the StJude tree, along with options to load StJude thru initrd instead of via init.

See the Changes file for more information.

Posted by Tim Lawless 2002-08-06

Updated StMichael LKM 0.11 Released

An update to the StMichael LKM was released on August 6th. Enhancements in this release include self-integrity checking and support for loading thru initrd with all checks enabled.

Posted by Tim Lawless 2002-08-06

khidee.c kernel module detectable by stmichael 0.10

On Wed, 31st of July, I was informed that a new kernel module was available on packetstorm that performs execution redirection without touching the execve system call address in the syscall table. This module, khidee.c, included statements in its description that the default configuration of StMichael LKM 0.10 is unable to detect it.

khideee.c is located at http://packetstormsecurity.packetstorm.org/filedesc/khideee.c.html...

Posted by Tim Lawless 2002-08-06

Paper: "On Intrusion Resiliency" Released!

A paper on the design of systems capable of detecting and stopping ongoing attacks against their integrity has been released. This paper looks at what is necessary to produce systems that are capable of recoiling from attacks on their integrity, and identifies areas where potential weaknesses may appear if such systems are improperly implemented.

Posted by Tim Lawless 2002-05-13

Saint Jude for Solaris Released!

Saint Jude SKM, a kernel module for the Solaris 8 system, is now out. This module implements the Saint Jude Model in Solaris 8 on both the 32-bit Sparc/Supersparc/Microsparc and 64-bit Ultrasparc processors.

To use this module on a 64-bit processor, the Forte C compiler will be necessary. GCC may work for you on the 32-bit processors.

Posted by Tim Lawless 2002-05-13

OffSite MD5 Checksums Available

MD5 checksums of the StMichael and StJude releases are available, along with copies of the software that is available on SourceForge.

The FTP Site for MD5 Checksums of the packages that are available here is:

ftp://ftp.wwjh.net/pub/StMichael_LKM

Posted by Tim Lawless 2002-03-30

Stjude-Project Public Mailing List Created

The Stjude-project mailing list has been created for announcements and discussions regarding stjude, as well as system survivability and intrusion resiliency.

The URL for the mailing list is:

http://lists.sourceforge.net/lists/admin/stjude-project/members

Posted by Tim Lawless 2002-03-30

StMichael 0.08 Released

Highlights include:

-- Ability to reload the kernel after a catastrophic modification is detected, such as a Silvio Stealth Syscall modification.

Posted by Tim Lawless 2002-01-22

Openwall, gr8security, and StJude

After working with a couple of people who were having serious Oops issues with the modules, we have determined that the Openwall patches, grsecurity, and the StJude modules are not compatible at this time.

In the coming month, I will be releasing an update that will detect these conflicts, and hopefully will be able to accommodate the other security patches.

Posted by Tim Lawless 2001-12-01

New Contact Email - lawless@wwjh.net

As hinted within the StMichael Readme file in 0.07, my old address (lawless@netdoor.com) will soon be defunct.

I can be contacted at my new address, lawless@wwjh.net.

--Tim

Posted by Tim Lawless 2001-11-13

StMichael 0.07 Released - Major Bugfix

An error in the layout of 0.06 caused a condition that would result in a Kernel Oops upon loading of the StMichael module. A segfault in /sbin/insmod would also be observed. This was caused by a duplication of code that would (on the second round) dereference a null pointer. -- Fixed.

Other Changes (From StMichael 0.06):

Saint Michael 0.06 contains the following additional features:

-- Permanent Immutability ...

Posted by Tim Lawless 2001-10-26

Saint Jude Referenced in "Surviving Security"

One of the first books to discuss the emerging, and previously black, art of intrusion resiliency is "Surviving Security: How to Integrate People, Process, and Technology" by Mandy Andress.

The Saint Jude Project is used as one of the two examples of this emerging form of host-based security.

You can grab your copy at Amazon:
http://www.amazon.com/exec/obidos/ASIN/0672321297/qid=997289020/sr=2-1/ref=aps_sr_b_1_1/002-4038516-8692810

Posted by Tim Lawless 2001-08-08

Saint Jude 0.20 Released

With this release, the Saint Jude project moves closer to emerging from gestation.

Within this version the following major changes occurred:

-- New Execve
This removes the double-execve problem that could permit circumvention of the module if a hostile knew the module was present.

This also begins the work to bring Saint Jude to more than the Intel processor.

-- Inclusion of Saint Michael Kernel Integrity code....

Posted by Tim Lawless 2001-08-08

StMichael 0.05 Detects KIS

StMichael, version 0.05, can currently detect the KIS Linux Trojan that was released on the 14th of July at the Defcon Conference in Las Vegas, NV. This is contrary to claims made by the author, Optyx of www.uberhax0r.net.

Screenshots of what occurs upon detection of KIS are available from http://www.wwjh.net/~lawless/kisme

Posted by Tim Lawless 2001-07-25

StMichael 0.05 Released

See Changelog for Details.

Posted by Tim Lawless 2001-07-12

StMichael_LKM 0.04 Released

Changes in this release include:

Added the SHA1 checksum to complement the MD5 checksumming.

There was some concern voiced that there could possibly be birthday attacks. By using two checksumming functions we reduce the likelihood of such an occurrence.

Added Timers

Periodically revalidate the kernel. This is done via a timer and by wrapping the exit call to call the integrity checking routines.

Timer code submitted by MixMan mixman@langusta.starnet.pl ...

Posted by Tim Lawless 2001-06-21

CVS Repositories Online

On Saturday, June 2nd, I moved the current CVS trees from my home network onto SourceForge. These repositories will be updated with working copies between releases.

Posted by Tim Lawless 2001-06-03

StMichael 0.03 Released

An updated version of Saint Michael, the Anti-Kernel-Rootkit LKM.

Changes include a stealth mode, enabled by default, and validation of the contents of system calls.

Posted by Tim Lawless 2001-06-03

StJude 0.12 Released

This is a maintenance release containing a couple of fixes to mostly minor bugs, and an update to work with the 2.4.3 kernels without warnings.

Posted by Tim Lawless 2001-04-06

StJude_LKM 0.11 Released

Update 0.10->0.11 (March 18, 2000)
-----------------------------------

-- Improper IFDEF test in StJude_lkm.h would prevent compiles on 2.4.0 kernel. Fixed.

-- StJude_Learning_Parser.pl would produce output in some instances that could not be compiled. This occurred due to unescaped '\'s at the end of the line.

-- (This one sounds odd, but it may be necessary sometimes)
Non-SMP compiles under an SMP kernel would fail -- fixed....

Posted by Tim Lawless 2001-03-19

Undefined Symbols? Readme

Do you get an undefined symbol when you insmod StJude?

These are being caused by include files that reference a symbol that is not being linked or exported from the kernel.

If it's caused by a non-exported symbol, you can find the symbol in the source by doing "grep SYMBOL *.c"

If it's caused by include files, then the above command (assuming SYMBOL is the symbol that is not found) will return no matching lines....

Posted by Tim Lawless 2001-03-17