Be the first to post a text review of Saint Jude. Rate and review a project by clicking thumbs up or thumbs down in the right column.

• File released: /StMichael_LKM Kernel 2.6/StMichael_LKM-0.13-k2.6/StMichael_LKM-0.13-k2.6.tar.gz.sig

  posted 1193 days ago

• File released: /StMichael_LKM Kernel 2.6/StMichael_LKM-0.13-k2.6/StMichael_LKM-0.13-k2.6.tar.gz.md5sum

  posted 1193 days ago

• File released: /StMichael_LKM Kernel 2.6/StMichael_LKM-0.13-k2.6/StMichael_LKM-0.13-k2.6.tar.gz

  posted 1193 days ago

• File released: /StMichael_LKM/StMichael_LKM-0.13/StMichael_LKM-0.13.tar.gz.sig

  posted 1193 days ago

• File released: /StMichael_LKM/StMichael_LKM-0.13/StMichael_LKM-0.13.tar.gz.md5sum

  posted 1193 days ago

• File released: /StMichael_LKM/StMichael_LKM-0.13/StMichael_LKM-0.13.tar.gz

  posted 1193 days ago

• StMichael_LKM StMichael_LKM-0.13 file released: StMichael_LKM-0.13.tar.gz.sig

  0.13Beta->0.13 (Jun 12 2006) -------------- -- Fixed SHA1 implementation -- Fixed some compilation problems with all options -- Code enhancements (a lot of failures has been corrected) 0.12->0.13Beta (December 06 2005) -------------- -- Removed unused function definitions -- Added /dev/mem protection 0.11->0.12 (October 10 2005) -------------- -- New project manteiner: Rodrigo Rubira Branco (rodrigo@kernelhacking.com) -- Changed the code structure (added src/ Docs/ includes/ objs/ bin/) -- Fixed some compiling problems (when you doesnt use CHECKSUM support) -- Fixed many kpanics conditions (and market others into Docs/KNOW_BUGS) -- Fixed some values into ./configure script when you use ext3 filesystems (dont exist /proc entries) -- Added grub sample at README.initrd -- Some functions definitions doesnt exist when some ./configure options arent choosed (this causes a lot of oops into the running system) -- Added /lib/modules/`uname -r` in the list of files to be immutable in a linux install (README.Immutable) -- Added MBR integrity checks that can prevent from GRUB modifications (in conjunction of really immutable into the /boot/grub files) 0.10->0.11 -------------- -- Addition of Self Integrity Checks to Detect Attacks Against StMichael Himself/Itself.. whichever. -- Addition of configuration options to hard-code memory offsets into the source instead of discovery during load time. This permits the loading of Stmichael from an initrd, before init spawns and the filesystems are mounted. See Readme.initrd for information on how to load StMichael from an initrd. -- Assordted Modifications and Varable Name changes to permit easier migration of code between projects. -- Addition of Goals for Next Version. See TODO 0.09->0.10 -------------- -- Cleanup the multitude of compilation options, and re-do the definitions to make a more sane set of options. This will resolve some problems where certin sets of compile time options may cause the compile to fail -- or even cause the module to Oops on load. Of note: * Stand Alone Support for Really-Immutable Filesystem. * Stand Alone Support for Read-Only KMEM * Module-List monitoring is done by default now. * StMichael will actually work with checksumming turned off. (This is to support the GNU lisence terms) -- Really Immutable filesystem support for ext3 fs added. -- Added in Kernel Lisencing Code to Identify the Kernel Lisence for Newer kernels. No more Tainted Kernels. -- Updated Configure Script to reflect changes in the compile time options. Also, better guessing of where the proper include files will be found -- should reduce confusion on standard mandrake and redhat systems. -- Updated instructions on configuration with notes on known issues. -- Backup kernel is now obscured from string searches using the weak crypt function. -- Added needed modifications to support the newer Alan Cox Kernels, with the diffrent VM system. -- A list has been created for Announcements, Questions, Discussion regarding StMichael, StJude, and System Survivability in General. http://lists.sourceforge.net/lists/listinfo/stjude-project 0.08->0.09 ------------- Internal Version - Not Released. Changes rolled up into 0.10. 0.07->0.08 -------------- -- If attacks are noticed during a interupt, the notice must be queued. We can not do output during an interupt. -- Refrence: Unk. [1] -- Under some circumstances, we could OOPS on a derefrence of NULL when checking for self-concealing modules during delete_module syscall. -- Refrence: Junichi Murakami -- Addition of Checks to detect the possible subversion of the kernel at loadtime. -- Refrence: Junichi Murakami -- Full Kernel Text Validation Validate the full text of the kernel, this permits arbitrary modifications to the kernel text from going unnoticed, such as modification of the system_call function to call system calls from an alternate (and invisable) system call table. -- Kernel Restore Option This permits recovery from catastrophic attacks, such as a silvio stealth-syscall attack that actually modifies portions of the kernel text. The Kernel's code is backed up, and when a compromise of the text is detected, the old text is reloaded. Concept and concept code by Junichi Murakami. ** Note: This should be considered VERY experimental for the time being, as this is much akin to performing open heart surgery upon oneself without anastesia. [1] In the time since correspondence, I have been daft enough to misplace the email address and name. I apoligize, and if you wish to re-contact me, I will update this entry. 0.06->0.07 -------------- -- Serious bug could cause a kernel Oops, and segv of insmod when StMichael.o was loaded after other kernel modules. 0.05->0.06 --------------- -- New email address, lawless@wwjh.net. lawless@netdoor.com still works, for the time being. -- Began Code and Signature Obfsication work. -- Introduced perminate immutability to files on ext2 fs (like bsd securelevel 1, immutable files may not be made unimmutable) -- Configuration Script Cleanups, and other Misc code beautification. (including notes on the odd redhat timer_t behavior) 0.04->0.05 --------------- -- Added Checks to Detect modules hiding their presence. And try to reveal them. ie, Anti-Cloaking. -- Added Read-Only /dev/kmem Avoid programs patching the kernel real-time without going through the modules interface. ;) -- Added VFS checking. Beginning of checks to validate the VFS. Instead of replacing the system calls, why not attack VFS? I don't think so. 0.03->0.04 ---------------- -- Added the SHA1 checksum to complement the md5 checksumming. There was some concern voiced that there oould possibly be birthday attacks. By using two checksumming functions we reduce the likelyhood of such an occurance. -- Added Timers Perodicly revalidate the kernel. This is done via a Timer and by wrapping the exit call to call the integrity checking routines. Timer Code Submitted by MixMan <mixman@langusta.starnet.pl> Refrence: timer_attack.c in DEMO_ATTACKS Directory -- Added Configuration Script. Configuration Script Submitted by by MixMan <mixman@langusta.starnet.pl> -- Code Cleanup to Accomidate future inclusion in the StJude_LKM -- Inclusion of Demo Modules that will trigger the StMichael LKM. *** WARNING: USE OF THESE MODULES COULD CAUSE YOUR COMPUTER TO REBOOT. YOU KNOW WHAT THIS IMPLIES. USE THESE DEMO MODULES AT YOUR OWN RISK. -- Silent mode is Disabled by Default. It is Recommended that The Silent Mode be Re-Enabled Before Deployment, and After Testing. -- The Beginning of Dependency Checking for All Kernel symbols. Only Selected functions are being validated at this moment. Future Releases will build the module to include all major functions. This detects attacks against the integrity of the function itself. Refrence: printk_attack.c in DEMO_ATTACKS Directory. 0.02->0.03 ----------------- -- Added md5 checksums to contens of the systemcalls themselves This will enable the code that performd MD5 checksums on the first part of each systemcall to verify that the syscall has not been attacked as described in the paper listed below. http://www.big.net.au/~silvio/stealth-syscall.txt One may wish to disable this, but for what reason, I can not grasp. The md5.c file is not covered under the GNU lisence, and thusly is optional. Noted, along with suggection for resolution by Frederic Raynal <Frederic.Raynal@inria.fr> The MD5 code used is housed on the web at: -- Added cloaking to hide the presence of StMichael, and its symbols This next option causes the module to hide itself and all of its symbols. Without this it is possible for an intruder to easily identify the datastructure we hold our valid values in, and modify them to pass our checks. The Silent mode is also enabled to quelch any output to klogd regarding our actions. Since the intruder has root, they can see everything that comes out of the logs. Since StMichael cause the rootkits to not work as expected, we do not want to give away any usefull debugging information ;) Possibility of Attack via This means identified by Frederic Raynal <Frederic.Raynal@inria.fr> Attack Demo and further explanation of Vulnrability identified by MixMan <mixman@langusta.starnet.pl> 0.01->0.02 ----------------- -- Inverted match could cause kernel to hang on attempt to unload StMichael. Fixed.

  posted 1193 days ago

• StMichael_LKM StMichael_LKM-0.13 file released: StMichael_LKM-0.13.tar.gz.md5sum

  0.13Beta->0.13 (Jun 12 2006) -------------- -- Fixed SHA1 implementation -- Fixed some compilation problems with all options -- Code enhancements (a lot of failures has been corrected) 0.12->0.13Beta (December 06 2005) -------------- -- Removed unused function definitions -- Added /dev/mem protection 0.11->0.12 (October 10 2005) -------------- -- New project manteiner: Rodrigo Rubira Branco (rodrigo@kernelhacking.com) -- Changed the code structure (added src/ Docs/ includes/ objs/ bin/) -- Fixed some compiling problems (when you doesnt use CHECKSUM support) -- Fixed many kpanics conditions (and market others into Docs/KNOW_BUGS) -- Fixed some values into ./configure script when you use ext3 filesystems (dont exist /proc entries) -- Added grub sample at README.initrd -- Some functions definitions doesnt exist when some ./configure options arent choosed (this causes a lot of oops into the running system) -- Added /lib/modules/`uname -r` in the list of files to be immutable in a linux install (README.Immutable) -- Added MBR integrity checks that can prevent from GRUB modifications (in conjunction of really immutable into the /boot/grub files) 0.10->0.11 -------------- -- Addition of Self Integrity Checks to Detect Attacks Against StMichael Himself/Itself.. whichever. -- Addition of configuration options to hard-code memory offsets into the source instead of discovery during load time. This permits the loading of Stmichael from an initrd, before init spawns and the filesystems are mounted. See Readme.initrd for information on how to load StMichael from an initrd. -- Assordted Modifications and Varable Name changes to permit easier migration of code between projects. -- Addition of Goals for Next Version. See TODO 0.09->0.10 -------------- -- Cleanup the multitude of compilation options, and re-do the definitions to make a more sane set of options. This will resolve some problems where certin sets of compile time options may cause the compile to fail -- or even cause the module to Oops on load. Of note: * Stand Alone Support for Really-Immutable Filesystem. * Stand Alone Support for Read-Only KMEM * Module-List monitoring is done by default now. * StMichael will actually work with checksumming turned off. (This is to support the GNU lisence terms) -- Really Immutable filesystem support for ext3 fs added. -- Added in Kernel Lisencing Code to Identify the Kernel Lisence for Newer kernels. No more Tainted Kernels. -- Updated Configure Script to reflect changes in the compile time options. Also, better guessing of where the proper include files will be found -- should reduce confusion on standard mandrake and redhat systems. -- Updated instructions on configuration with notes on known issues. -- Backup kernel is now obscured from string searches using the weak crypt function. -- Added needed modifications to support the newer Alan Cox Kernels, with the diffrent VM system. -- A list has been created for Announcements, Questions, Discussion regarding StMichael, StJude, and System Survivability in General. http://lists.sourceforge.net/lists/listinfo/stjude-project 0.08->0.09 ------------- Internal Version - Not Released. Changes rolled up into 0.10. 0.07->0.08 -------------- -- If attacks are noticed during a interupt, the notice must be queued. We can not do output during an interupt. -- Refrence: Unk. [1] -- Under some circumstances, we could OOPS on a derefrence of NULL when checking for self-concealing modules during delete_module syscall. -- Refrence: Junichi Murakami -- Addition of Checks to detect the possible subversion of the kernel at loadtime. -- Refrence: Junichi Murakami -- Full Kernel Text Validation Validate the full text of the kernel, this permits arbitrary modifications to the kernel text from going unnoticed, such as modification of the system_call function to call system calls from an alternate (and invisable) system call table. -- Kernel Restore Option This permits recovery from catastrophic attacks, such as a silvio stealth-syscall attack that actually modifies portions of the kernel text. The Kernel's code is backed up, and when a compromise of the text is detected, the old text is reloaded. Concept and concept code by Junichi Murakami. ** Note: This should be considered VERY experimental for the time being, as this is much akin to performing open heart surgery upon oneself without anastesia. [1] In the time since correspondence, I have been daft enough to misplace the email address and name. I apoligize, and if you wish to re-contact me, I will update this entry. 0.06->0.07 -------------- -- Serious bug could cause a kernel Oops, and segv of insmod when StMichael.o was loaded after other kernel modules. 0.05->0.06 --------------- -- New email address, lawless@wwjh.net. lawless@netdoor.com still works, for the time being. -- Began Code and Signature Obfsication work. -- Introduced perminate immutability to files on ext2 fs (like bsd securelevel 1, immutable files may not be made unimmutable) -- Configuration Script Cleanups, and other Misc code beautification. (including notes on the odd redhat timer_t behavior) 0.04->0.05 --------------- -- Added Checks to Detect modules hiding their presence. And try to reveal them. ie, Anti-Cloaking. -- Added Read-Only /dev/kmem Avoid programs patching the kernel real-time without going through the modules interface. ;) -- Added VFS checking. Beginning of checks to validate the VFS. Instead of replacing the system calls, why not attack VFS? I don't think so. 0.03->0.04 ---------------- -- Added the SHA1 checksum to complement the md5 checksumming. There was some concern voiced that there oould possibly be birthday attacks. By using two checksumming functions we reduce the likelyhood of such an occurance. -- Added Timers Perodicly revalidate the kernel. This is done via a Timer and by wrapping the exit call to call the integrity checking routines. Timer Code Submitted by MixMan <mixman@langusta.starnet.pl> Refrence: timer_attack.c in DEMO_ATTACKS Directory -- Added Configuration Script. Configuration Script Submitted by by MixMan <mixman@langusta.starnet.pl> -- Code Cleanup to Accomidate future inclusion in the StJude_LKM -- Inclusion of Demo Modules that will trigger the StMichael LKM. *** WARNING: USE OF THESE MODULES COULD CAUSE YOUR COMPUTER TO REBOOT. YOU KNOW WHAT THIS IMPLIES. USE THESE DEMO MODULES AT YOUR OWN RISK. -- Silent mode is Disabled by Default. It is Recommended that The Silent Mode be Re-Enabled Before Deployment, and After Testing. -- The Beginning of Dependency Checking for All Kernel symbols. Only Selected functions are being validated at this moment. Future Releases will build the module to include all major functions. This detects attacks against the integrity of the function itself. Refrence: printk_attack.c in DEMO_ATTACKS Directory. 0.02->0.03 ----------------- -- Added md5 checksums to contens of the systemcalls themselves This will enable the code that performd MD5 checksums on the first part of each systemcall to verify that the syscall has not been attacked as described in the paper listed below. http://www.big.net.au/~silvio/stealth-syscall.txt One may wish to disable this, but for what reason, I can not grasp. The md5.c file is not covered under the GNU lisence, and thusly is optional. Noted, along with suggection for resolution by Frederic Raynal <Frederic.Raynal@inria.fr> The MD5 code used is housed on the web at: -- Added cloaking to hide the presence of StMichael, and its symbols This next option causes the module to hide itself and all of its symbols. Without this it is possible for an intruder to easily identify the datastructure we hold our valid values in, and modify them to pass our checks. The Silent mode is also enabled to quelch any output to klogd regarding our actions. Since the intruder has root, they can see everything that comes out of the logs. Since StMichael cause the rootkits to not work as expected, we do not want to give away any usefull debugging information ;) Possibility of Attack via This means identified by Frederic Raynal <Frederic.Raynal@inria.fr> Attack Demo and further explanation of Vulnrability identified by MixMan <mixman@langusta.starnet.pl> 0.01->0.02 ----------------- -- Inverted match could cause kernel to hang on attempt to unload StMichael. Fixed.

  posted 1193 days ago

• StMichael_LKM StMichael_LKM-0.13 file released: StMichael_LKM-0.13.tar.gz

  0.13Beta->0.13 (Jun 12 2006) -------------- -- Fixed SHA1 implementation -- Fixed some compilation problems with all options -- Code enhancements (a lot of failures has been corrected) 0.12->0.13Beta (December 06 2005) -------------- -- Removed unused function definitions -- Added /dev/mem protection 0.11->0.12 (October 10 2005) -------------- -- New project manteiner: Rodrigo Rubira Branco (rodrigo@kernelhacking.com) -- Changed the code structure (added src/ Docs/ includes/ objs/ bin/) -- Fixed some compiling problems (when you doesnt use CHECKSUM support) -- Fixed many kpanics conditions (and market others into Docs/KNOW_BUGS) -- Fixed some values into ./configure script when you use ext3 filesystems (dont exist /proc entries) -- Added grub sample at README.initrd -- Some functions definitions doesnt exist when some ./configure options arent choosed (this causes a lot of oops into the running system) -- Added /lib/modules/`uname -r` in the list of files to be immutable in a linux install (README.Immutable) -- Added MBR integrity checks that can prevent from GRUB modifications (in conjunction of really immutable into the /boot/grub files) 0.10->0.11 -------------- -- Addition of Self Integrity Checks to Detect Attacks Against StMichael Himself/Itself.. whichever. -- Addition of configuration options to hard-code memory offsets into the source instead of discovery during load time. This permits the loading of Stmichael from an initrd, before init spawns and the filesystems are mounted. See Readme.initrd for information on how to load StMichael from an initrd. -- Assordted Modifications and Varable Name changes to permit easier migration of code between projects. -- Addition of Goals for Next Version. See TODO 0.09->0.10 -------------- -- Cleanup the multitude of compilation options, and re-do the definitions to make a more sane set of options. This will resolve some problems where certin sets of compile time options may cause the compile to fail -- or even cause the module to Oops on load. Of note: * Stand Alone Support for Really-Immutable Filesystem. * Stand Alone Support for Read-Only KMEM * Module-List monitoring is done by default now. * StMichael will actually work with checksumming turned off. (This is to support the GNU lisence terms) -- Really Immutable filesystem support for ext3 fs added. -- Added in Kernel Lisencing Code to Identify the Kernel Lisence for Newer kernels. No more Tainted Kernels. -- Updated Configure Script to reflect changes in the compile time options. Also, better guessing of where the proper include files will be found -- should reduce confusion on standard mandrake and redhat systems. -- Updated instructions on configuration with notes on known issues. -- Backup kernel is now obscured from string searches using the weak crypt function. -- Added needed modifications to support the newer Alan Cox Kernels, with the diffrent VM system. -- A list has been created for Announcements, Questions, Discussion regarding StMichael, StJude, and System Survivability in General. http://lists.sourceforge.net/lists/listinfo/stjude-project 0.08->0.09 ------------- Internal Version - Not Released. Changes rolled up into 0.10. 0.07->0.08 -------------- -- If attacks are noticed during a interupt, the notice must be queued. We can not do output during an interupt. -- Refrence: Unk. [1] -- Under some circumstances, we could OOPS on a derefrence of NULL when checking for self-concealing modules during delete_module syscall. -- Refrence: Junichi Murakami -- Addition of Checks to detect the possible subversion of the kernel at loadtime. -- Refrence: Junichi Murakami -- Full Kernel Text Validation Validate the full text of the kernel, this permits arbitrary modifications to the kernel text from going unnoticed, such as modification of the system_call function to call system calls from an alternate (and invisable) system call table. -- Kernel Restore Option This permits recovery from catastrophic attacks, such as a silvio stealth-syscall attack that actually modifies portions of the kernel text. The Kernel's code is backed up, and when a compromise of the text is detected, the old text is reloaded. Concept and concept code by Junichi Murakami. ** Note: This should be considered VERY experimental for the time being, as this is much akin to performing open heart surgery upon oneself without anastesia. [1] In the time since correspondence, I have been daft enough to misplace the email address and name. I apoligize, and if you wish to re-contact me, I will update this entry. 0.06->0.07 -------------- -- Serious bug could cause a kernel Oops, and segv of insmod when StMichael.o was loaded after other kernel modules. 0.05->0.06 --------------- -- New email address, lawless@wwjh.net. lawless@netdoor.com still works, for the time being. -- Began Code and Signature Obfsication work. -- Introduced perminate immutability to files on ext2 fs (like bsd securelevel 1, immutable files may not be made unimmutable) -- Configuration Script Cleanups, and other Misc code beautification. (including notes on the odd redhat timer_t behavior) 0.04->0.05 --------------- -- Added Checks to Detect modules hiding their presence. And try to reveal them. ie, Anti-Cloaking. -- Added Read-Only /dev/kmem Avoid programs patching the kernel real-time without going through the modules interface. ;) -- Added VFS checking. Beginning of checks to validate the VFS. Instead of replacing the system calls, why not attack VFS? I don't think so. 0.03->0.04 ---------------- -- Added the SHA1 checksum to complement the md5 checksumming. There was some concern voiced that there oould possibly be birthday attacks. By using two checksumming functions we reduce the likelyhood of such an occurance. -- Added Timers Perodicly revalidate the kernel. This is done via a Timer and by wrapping the exit call to call the integrity checking routines. Timer Code Submitted by MixMan <mixman@langusta.starnet.pl> Refrence: timer_attack.c in DEMO_ATTACKS Directory -- Added Configuration Script. Configuration Script Submitted by by MixMan <mixman@langusta.starnet.pl> -- Code Cleanup to Accomidate future inclusion in the StJude_LKM -- Inclusion of Demo Modules that will trigger the StMichael LKM. *** WARNING: USE OF THESE MODULES COULD CAUSE YOUR COMPUTER TO REBOOT. YOU KNOW WHAT THIS IMPLIES. USE THESE DEMO MODULES AT YOUR OWN RISK. -- Silent mode is Disabled by Default. It is Recommended that The Silent Mode be Re-Enabled Before Deployment, and After Testing. -- The Beginning of Dependency Checking for All Kernel symbols. Only Selected functions are being validated at this moment. Future Releases will build the module to include all major functions. This detects attacks against the integrity of the function itself. Refrence: printk_attack.c in DEMO_ATTACKS Directory. 0.02->0.03 ----------------- -- Added md5 checksums to contens of the systemcalls themselves This will enable the code that performd MD5 checksums on the first part of each systemcall to verify that the syscall has not been attacked as described in the paper listed below. http://www.big.net.au/~silvio/stealth-syscall.txt One may wish to disable this, but for what reason, I can not grasp. The md5.c file is not covered under the GNU lisence, and thusly is optional. Noted, along with suggection for resolution by Frederic Raynal <Frederic.Raynal@inria.fr> The MD5 code used is housed on the web at: -- Added cloaking to hide the presence of StMichael, and its symbols This next option causes the module to hide itself and all of its symbols. Without this it is possible for an intruder to easily identify the datastructure we hold our valid values in, and modify them to pass our checks. The Silent mode is also enabled to quelch any output to klogd regarding our actions. Since the intruder has root, they can see everything that comes out of the logs. Since StMichael cause the rootkits to not work as expected, we do not want to give away any usefull debugging information ;) Possibility of Attack via This means identified by Frederic Raynal <Frederic.Raynal@inria.fr> Attack Demo and further explanation of Vulnrability identified by MixMan <mixman@langusta.starnet.pl> 0.01->0.02 ----------------- -- Inverted match could cause kernel to hang on attempt to unload StMichael. Fixed.

  posted 1193 days ago

• StMichael_LKM Kernel 2.6 StMichael_LKM-0.13-k2.6 file released: StMichael_LKM-0.13-k2.6.tar.gz.sig

  StMichael for 2.6 Kernels (Jul 2006) -------------- -- This is a special version of StMichael... first release of StMichael for the newest 2.6 kernels (coded specially for Defcon www.defcon.org) -- Added LSM hook (to break modules the use of register_security) -- Integrity check of the {register|unregister}_security functions -- It's the first DRAFT of StMichael for the 2.6 branch, don't use it in production environments! 0.13->0.14 (Jun 12 2006) -------------- -- Fixed SHA1 implementation -- Fixed some compilation problems with all options 0.12->0.13 (December 06 2005) -------------- -- Removed unused function definitions -- Added /dev/mem protection 0.11->0.12 (October 10 2005) -------------- -- New project manteiner: Rodrigo Rubira Branco (rodrigo@kernelhacking.com) -- Changed the code structure (added src/ Docs/ includes/ objs/ bin/) -- Fixed some compiling problems (when you doesnt use CHECKSUM support) -- Fixed many kpanics conditions (and market others into Docs/KNOW_BUGS) -- Fixed some values into ./configure script when you use ext3 filesystems (dont exist /proc entries) -- Added grub sample at README.initrd -- Some functions definitions doesnt exist when some ./configure options arent choosed (this causes a lot of oops into the running system) -- Added /lib/modules/`uname -r` in the list of files to be immutable in a linux install (README.Immutable) -- Added MBR integrity checks that can prevent from GRUB modifications (in conjunction of really immutable into the /boot/grub files) 0.10->0.11 -------------- -- Addition of Self Integrity Checks to Detect Attacks Against StMichael Himself/Itself.. whichever. -- Addition of configuration options to hard-code memory offsets into the source instead of discovery during load time. This permits the loading of Stmichael from an initrd, before init spawns and the filesystems are mounted. See Readme.initrd for information on how to load StMichael from an initrd. -- Assordted Modifications and Varable Name changes to permit easier migration of code between projects. -- Addition of Goals for Next Version. See TODO 0.09->0.10 -------------- -- Cleanup the multitude of compilation options, and re-do the definitions to make a more sane set of options. This will resolve some problems where certin sets of compile time options may cause the compile to fail -- or even cause the module to Oops on load. Of note: * Stand Alone Support for Really-Immutable Filesystem. * Stand Alone Support for Read-Only KMEM * Module-List monitoring is done by default now. * StMichael will actually work with checksumming turned off. (This is to support the GNU lisence terms) -- Really Immutable filesystem support for ext3 fs added. -- Added in Kernel Lisencing Code to Identify the Kernel Lisence for Newer kernels. No more Tainted Kernels. -- Updated Configure Script to reflect changes in the compile time options. Also, better guessing of where the proper include files will be found -- should reduce confusion on standard mandrake and redhat systems. -- Updated instructions on configuration with notes on known issues. -- Backup kernel is now obscured from string searches using the weak crypt function. -- Added needed modifications to support the newer Alan Cox Kernels, with the diffrent VM system. -- A list has been created for Announcements, Questions, Discussion regarding StMichael, StJude, and System Survivability in General. http://lists.sourceforge.net/lists/listinfo/stjude-project 0.08->0.09 ------------- Internal Version - Not Released. Changes rolled up into 0.10. 0.07->0.08 -------------- -- If attacks are noticed during a interupt, the notice must be queued. We can not do output during an interupt. -- Refrence: Unk. [1] -- Under some circumstances, we could OOPS on a derefrence of NULL when checking for self-concealing modules during delete_module syscall. -- Refrence: Junichi Murakami -- Addition of Checks to detect the possible subversion of the kernel at loadtime. -- Refrence: Junichi Murakami -- Full Kernel Text Validation Validate the full text of the kernel, this permits arbitrary modifications to the kernel text from going unnoticed, such as modification of the system_call function to call system calls from an alternate (and invisable) system call table. -- Kernel Restore Option This permits recovery from catastrophic attacks, such as a silvio stealth-syscall attack that actually modifies portions of the kernel text. The Kernel's code is backed up, and when a compromise of the text is detected, the old text is reloaded. Concept and concept code by Junichi Murakami. ** Note: This should be considered VERY experimental for the time being, as this is much akin to performing open heart surgery upon oneself without anastesia. [1] In the time since correspondence, I have been daft enough to misplace the email address and name. I apoligize, and if you wish to re-contact me, I will update this entry. 0.06->0.07 -------------- -- Serious bug could cause a kernel Oops, and segv of insmod when StMichael.o was loaded after other kernel modules. 0.05->0.06 --------------- -- New email address, lawless@wwjh.net. lawless@netdoor.com still works, for the time being. -- Began Code and Signature Obfsication work. -- Introduced perminate immutability to files on ext2 fs (like bsd securelevel 1, immutable files may not be made unimmutable) -- Configuration Script Cleanups, and other Misc code beautification. (including notes on the odd redhat timer_t behavior) 0.04->0.05 --------------- -- Added Checks to Detect modules hiding their presence. And try to reveal them. ie, Anti-Cloaking. -- Added Read-Only /dev/kmem Avoid programs patching the kernel real-time without going through the modules interface. ;) -- Added VFS checking. Beginning of checks to validate the VFS. Instead of replacing the system calls, why not attack VFS? I don't think so. 0.03->0.04 ---------------- -- Added the SHA1 checksum to complement the md5 checksumming. There was some concern voiced that there oould possibly be birthday attacks. By using two checksumming functions we reduce the likelyhood of such an occurance. -- Added Timers Perodicly revalidate the kernel. This is done via a Timer and by wrapping the exit call to call the integrity checking routines. Timer Code Submitted by MixMan <mixman@langusta.starnet.pl> Refrence: timer_attack.c in DEMO_ATTACKS Directory -- Added Configuration Script. Configuration Script Submitted by by MixMan <mixman@langusta.starnet.pl> -- Code Cleanup to Accomidate future inclusion in the StJude_LKM -- Inclusion of Demo Modules that will trigger the StMichael LKM. *** WARNING: USE OF THESE MODULES COULD CAUSE YOUR COMPUTER TO REBOOT. YOU KNOW WHAT THIS IMPLIES. USE THESE DEMO MODULES AT YOUR OWN RISK. -- Silent mode is Disabled by Default. It is Recommended that The Silent Mode be Re-Enabled Before Deployment, and After Testing. -- The Beginning of Dependency Checking for All Kernel symbols. Only Selected functions are being validated at this moment. Future Releases will build the module to include all major functions. This detects attacks against the integrity of the function itself. Refrence: printk_attack.c in DEMO_ATTACKS Directory. 0.02->0.03 ----------------- -- Added md5 checksums to contens of the systemcalls themselves This will enable the code that performd MD5 checksums on the first part of each systemcall to verify that the syscall has not been attacked as described in the paper listed below. http://www.big.net.au/~silvio/stealth-syscall.txt One may wish to disable this, but for what reason, I can not grasp. The md5.c file is not covered under the GNU lisence, and thusly is optional. Noted, along with suggection for resolution by Frederic Raynal <Frederic.Raynal@inria.fr> The MD5 code used is housed on the web at: -- Added cloaking to hide the presence of StMichael, and its symbols This next option causes the module to hide itself and all of its symbols. Without this it is possible for an intruder to easily identify the datastructure we hold our valid values in, and modify them to pass our checks. The Silent mode is also enabled to quelch any output to klogd regarding our actions. Since the intruder has root, they can see everything that comes out of the logs. Since StMichael cause the rootkits to not work as expected, we do not want to give away any usefull debugging information ;) Possibility of Attack via This means identified by Frederic Raynal <Frederic.Raynal@inria.fr> Attack Demo and further explanation of Vulnrability identified by MixMan <mixman@langusta.starnet.pl> 0.01->0.02 ----------------- -- Inverted match could cause kernel to hang on attempt to unload StMichael. Fixed.

  posted 1193 days ago