Slashdot Mirror


Sebek2 - A Kernel-based Data Capture Tool

LogError writes "Sebek is a piece of code that lives entirely in kernel space and records either some or all data accessed by users on the system. This paper is a detailed discussion of Sebek, how it works and its value."

44 of 74 comments

  1. Great tool in the right hands by mpeg4codec · · Score: 4, Insightful

    This can just as easily be modified and used by blackhats as an advanced rootkit, though. Like everything, it's a double-edged sword.

    1. Re:Great tool in the right hands by moreati · · Score: 5, Insightful

      True, like anything this has Good and Evil uses, but since it is kernel resident then it requires either a reboot or a suitable set of hooks in the running kernel so it can be loaded as a module.

      Thus the impact of malicious use of this technology could be mitigated by disabling loadable modules once booted, limiting access to kernel structures by loaded modules, using some variant of TCPA (rootkit module not signed), and/or only accepting shutdown signals from the local console.

      In a corporate environment however I could see this used as a virtually undetectable piece of snitch software, ie for spying on employees at their workstation, even if they have root.

      Regards

      Alex

    2. Re:Great tool in the right hands by gregfortune · · Score: 1

      Exactly what I thought. It's kind of ironic that at the end of the paper they mention that it may be detectable by scripts like chkrootkit and that future development will address that issue. When it *is* used as an advanced root kit, the whitehats will need to make better detection scripts so they can detect hostile rootkits. And that just makes it easier to detect this tool. Around and around we go :)

    3. Re:Great tool in the right hands by mpeg4codec · · Score: 1

      I think you miss my point. My concerns are that Sebek will be a toolkit for attackers. Sort of like designing a deadly weapon and not doing a background check on those who purchase it.

      As an aside, I hadn't even considered what might happen to the logs on a compromised host. Seeing as they don't exist locally, that shouldn't be an issue. Thanks for pointing that out.

    4. Re:Great tool in the right hands by Charbal · · Score: 1

      It seems to me that at this point their attempts to make it difficult to detect would be fairly easily circumvented.

      Since as part of the design a Sebek-enabled host will not see any Sebek packets, someone who has rooted the box already could merely send it Sebek packets and observe whether he/she could capture the packets or if they were lost.

      This can be prevented to some degree by having the module rewrite outgoing Sebek-like packets which it did not create and similarly recognize these when they arrive and rewrite them as they went out. Of course, one would have to write this in such a way that all packets were still expressible (much like HTML makes it possible to include arbitrary text in a page even though some kinds would have special meaning if left unescaped: &, <, >, etc.).

      However, when such schemes start to become more complex as they try to account for all possibilities (radar detector detector detector, anyone?), there is a definite risk that something will be overlooked. Fortunately, with a system like Sebek, you can see what the attacker does up until the point at which they discover Sebek installed and move on. In this way, a system like Sebek provides the tools to better itself if it is not perfect and scripts and techniques that attackers may use to detect it should be short-lived (since I would hope those that create honeynets are actually paying attention to them).

      --
      Prudence forbids me to explain myself further. - Isaac Barre, 1765
    5. Re:Great tool in the right hands by hacker · · Score: 1
      > In a corporate environment however I could see this used as a virtually undetectable piece of snitch software, ie for spying on employees at their workstation, even if they have root.

      So now the question is.. do you even trust the systems you have accounts on, even when you use gpg and ssh to access them or get data from untrusted systems TO them?

      I regularly use client networks and systems, generally with ssh/vpn/ipsec/gpg, but now I have no idea if I should trust these "trusted" systems.

      So what we need now is a tool that lets us determine if Sebek is actually loaded and running in the kernel, before we use these "secure" protocols and applications FROM that system.

      Next, someone will just obfuscate the structures and symbols to make it impossible to tell if the "sniff" module is a simple usb interface, or an actual low-level sniffing module.

      It was bound to happen, and now basically undermines security on "trusted" systems.
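
      The mitigations moreati lists at the top of this thread (no module loading once booted, signed modules) and hacker's wish for a way to tell whether a capture module is loaded both come down to inspecting kernel state. The C program below is an added example, not code from this thread, the Sebek project or the paper: it reads the loaded-module list in /proc/modules layout and reports entries missing from an operator allowlist, and it interprets the kernel.modules_disabled sysctl and the module.sig_enforce parameter (both later additions to Linux than this 2003 discussion). The sample module list, the allowlist and the "sebek" entry in it are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* /proc/modules names are bounded by the kernel's MODULE_NAME_LEN (64) */
#define MAX_MODULES 512

/* Constructed sample in /proc/modules layout: name size refcount users state address.
 * The "sebek" line is an assumed name, included only to show an unexpected entry. */
static const char SAMPLE_PROC_MODULES[] =
    "ext4 737280 2 - Live 0xffffffffc0a00000\n"
    "mbcache 16384 1 ext4, Live 0xffffffffc0990000\n"
    "e1000 147456 0 - Live 0xffffffffc0900000\n"
    "sebek 20480 0 - Live 0xffffffffc0b00000 (O)\n";

/* Modules the operator expects on this host (assumed allowlist for the example). */
static const char *ALLOWLIST[] = { "ext4", "mbcache", "e1000", NULL };

/* Copy the first field (the module name) of every line into out. Returns the count. */
int parse_module_names(const char *text, char out[][NAME_MAX_LEN], int max) {
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *end = strchr(p, '\n');
        size_t linelen = end ? (size_t)(end - p) : strlen(p);
        const char *sp = memchr(p, ' ', linelen);
        size_t namelen = sp ? (size_t)(sp - p) : linelen;
        if (namelen > 0 && namelen < NAME_MAX_LEN) {
            memcpy(out[n], p, namelen);
            out[n][namelen] = '\0';
            n++;
        }
        if (!end) break;
        p = end + 1;
    }
    return n;
}

int is_allowed(const char *name, const char **allow) {
    for (; *allow; allow++)
        if (strcmp(name, *allow) == 0) return 1;
    return 0;
}

/* Names present in the module list but absent from the allowlist are copied into out.
 * Returns how many there were. */
int unexpected_modules(const char *text, const char **allow,
                       char out[][NAME_MAX_LEN], int max) {
    static char names[MAX_MODULES][NAME_MAX_LEN];
    int n = parse_module_names(text, names, MAX_MODULES);
    int bad = 0;
    for (int i = 0; i < n && bad < max; i++)
        if (!is_allowed(names[i], allow))
            strcpy(out[bad++], names[i]);   /* names[i] is already NAME_MAX_LEN-bounded */
    return bad;
}

/* Bit 1: kernel.modules_disabled reads "1" (no further loading until reboot).
 * Bit 2: module.sig_enforce reads "Y" (unsigned modules are refused). */
int lockdown_state(const char *modules_disabled, const char *sig_enforce) {
    int state = 0;
    if (modules_disabled && modules_disabled[0] == '1') state |= 1;
    if (sig_enforce && (sig_enforce[0] == 'Y' || sig_enforce[0] == '1')) state |= 2;
    return state;
}

/* Read a whole (small) file into buf; returns the byte count or -1 if unreadable. */
static long read_file(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void) {
    static char text[65536];
    char md[16], se[16], out[MAX_MODULES][NAME_MAX_LEN];
    /* Use the live kernel files when present, the constructed sample otherwise. */
    const char *modules = read_file("/proc/modules", text, sizeof text) > 0 ? text : SAMPLE_PROC_MODULES;
    const char *dis = read_file("/proc/sys/kernel/modules_disabled", md, sizeof md) > 0 ? md : "0";
    const char *sig = read_file("/sys/module/module/parameters/sig_enforce", se, sizeof se) > 0 ? se : "N";
    int state = lockdown_state(dis, sig);
    printf("further module loading disabled: %s; signature enforcement: %s\n",
           (state & 1) ? "yes" : "no", (state & 2) ? "yes" : "no");
    int bad = unexpected_modules(modules, ALLOWLIST, out, MAX_MODULES);
    for (int i = 0; i < bad; i++) printf("module not on allowlist: %s\n", out[i]);
    return bad ? 1 : 0;
}
```

      A module that unlinks itself from the kernel's module list never appears in /proc/modules, so the allowlist check is a baseline rather than proof of absence; the lockdown state is the stronger signal, because once modules_disabled is 1 it cannot be cleared without a reboot, which is exactly the property the "disable loadable modules once booted" mitigation relies on.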

  2. re-incorporation? by SHEENmaster · · Score: 1

    Why not just merge SELinux with Linux? Does the NSA step outside copyright law to prevent this, or has no one bothered to do the necessary work?

    --
    You can't judge a book by the way it wears its hair.
    1. Re:re-incorporation? by Anonymous Coward · · Score: 3, Informative

      SELinux security modules are already in the vanilla 2.6-test kernels. The issue of including all parts of SELinux has more to do with how well the code works with the rest of the kernel code. A good example of this is the current decision to use CryptoAPI instead of the long-standing kerneli patches. Some SELinux code is already in the kernel without such a drastic rewrite, so more of it will likely find its way into the vanilla branch.

    2. Re:re-incorporation? by Nucleon500 · · Score: 1

      It's because most people don't want or need SELinux. One part of it is a bunch of patches against the kernel, which allow you to restrict (not grant) access in a very tightly controlled way. But the "mainstream" access control is good enough for most people. It's just another of many offshoots of the Linux kernel, like User Mode Linux, uClinux, and others.

    3. Re:re-incorporation? by plcurechax · · Score: 2, Informative

      > Why not just merge SELinux with Linux?

      SELinux is about mandatory access controls and control policy enforcement. See the SELinux FAQ for more info about SE Linux.

      Sebek (now version 2) is a kernel-level logger. It does not stop users from doing anything. In fact if it did, that would make it useless for its primary job, as a tool for building HoneyNets, a controlled network of systems designed to be compromised by attackers, and the methods (and related) studied by security geeks.

    4. Re:re-incorporation? by NemoX · · Score: 1

      > Why not just merge SELinux with Linux?

      Because if I wanted big brother in my box, I would use SELinux. There is no need for anyone to mandate total logging of what I do. If SELinux merges with Linux, then I'm off to BSD, or somewhere where big brother is not.

      "I intend to honor my family by maintaining the freedoms they died for!"

  3. weird name by Tumbleweed · · Score: 3, Funny

    Sounds Vulcan.

    1. Re:weird name by Tumbleweed · · Score: 2, Funny

      You shall not live long, nor prosper, for that joke.

    2. Re:weird name by Szyman · · Score: 1

      Actually, in Polish the name Sebek is a shorter version of the name Sebastian.

    3. Re:weird name by bj8rn · · Score: 1
      It's not a name, it's a magical formula. Using the correct algorithm, which is conveniently missing (oh, that'd make a wonderful plot for a horror movie), this word can be turned into a magical incantation. After a hundred years of experimenting, a secret sect of Bulgarian (why the hell not?) Egyptologists have managed to reverse engineer the algorithm, published the source under GPL. It's actually quite easy - just say all the anagrams of the name:

      sebek, sbeek, skeeb, skebe, sbkee, skbee, sekbe, sebke, eebsk, ebesk, ebsek, ebske, eskbe, eksbe, ebkse, ebeks, ebesk, ekesb etc (I'm not going to list them all here, as I'm more than a bit sleepy and would miss some of them). If you happen to say them in the correct order, mystical and magic(k)al things will happen. If the order is wrong, however, then you will have just wasted a part of your life doing nothing.

      (Letters from satisfied customers will follow after I've had some sleep.)

      --
      Hell is not other people; it is yourself. - Ludwig Wittgenstein
    4. Re:weird name by bj8rn · · Score: 1

      Though they may be closely related, it's not the same thing (as you may see from the moderation done to you - probably a Vulcan Supreme Moderator got angry). Vulcans are actually a spin-off group of Pollocks (though nobody can exactly say why - but they all agree it was one helluva reason). Your comparison was just as offensive and tactless as saying "Catholic or Protestant, it's the same thing" in Northern Ireland...

      --
      Hell is not other people; it is yourself. - Ludwig Wittgenstein
    5. Re:weird name by Tumbleweed · · Score: 1

      > Your comparison was just as offensive and tactless as saying "Catholic or Protestant, it's the same thing" in Northern Ireland...

      Heh, funny you should say that...for one of my particular spiritual bent, they ARE. Even Christians & Satanists are at least two sides of the same coin. :)

    6. Re:weird name by bj8rn · · Score: 1
      > Even Christians & Satanists are at least two sides of the same coin.

      It's weird that people always talk about two sides of a coin, but they never think of the fact that all coins are (at least) three-dimensional. Nobody ever says "Hey, if two things are two sides of the same coin, then what's on the rim?" And what's inside it? I mean, there's practically nothing (usually it's air or the linings of your pocket or other coins) on the outer sides of the coin, everything interesting is inside it...

      --
      Hell is not other people; it is yourself. - Ludwig Wittgenstein
    7. Re:weird name by Tumbleweed · · Score: 1

      What's on the rim of the Christian/Satanist coin? Jehovah's Witnesses, definitely!

      And inside? Some soft nougat-like material, I'm guessing. Either that, or Moon Cheese(tm).

      That's my story, and I'm sticking to it!

  4. Wow! by scovetta · · Score: 3, Interesting

    I'm sure the speed of a kernel-level logger will be amazing. I bet WinXP comes with one already running and recording everything.

    Actually, doesn't Windows come with some pretty fancy-schmancy documented (and undocumented) kernel-level logging APIs?

    Or is this *nix? I should RTFA.

    --
    He who fights with monsters should see to it that he does not thereby become a monster. --Nietzsche
    1. Re:Wow! by borius · · Score: 1

      > I'm sure the speed of a kernel-level logger will be amazing. I bet WinXP comes with one already running and recording everything.

      Yeah, maybe that's why it needs so much disk space

    2. Re:Wow! by Compuser · · Score: 1

      If it does then all their fancy drm is worth
      nothing. Imagine logging every song you played
      in the decoded form...

    3. Re:Wow! by LostCluster · · Score: 1

      He who controls the kernel controls all on the system. Wonder if the Department of Homeland Security can do an OS upgrade using a sneak-and-peek warrant?

  5. Why the hell is this on Slashdot now? by Creepy+Crawler · · Score: 2, Interesting

    After all, with the Gen2 honeynets out there, this is the tool of choice.

    This tool has been out at honeynet.org for months now. I've been using it for at least 2 months.

    THIS IS NOT NEWS.

    1. Re:Why the hell is this on Slashdot now? by Karamchand · · Score: 2, Informative

      IIRC the paper was last changed on 13th Sept 2003. So it is quite new. Not the tool itself (as the version number - remember, it was 2 - implies), but this paper about it.

  6. Mirror by Magus311X · · Score: 3, Informative

    Mirrored here: Sebek.pdf


  7. because it wasn't before by poptones · · Score: 1

    I never heard of honeynet. I didn't know I could run a kernel level logger on my firewall. Maybe someone at /. turned the story down two months ago, but I never heard of this. So why didn't you send in the story when it was "news?"

    1. Re:because it wasn't before by Creepy+Crawler · · Score: 1

      If you didn't know about it, you probably didn't need it, as you probably would do a search before paying for a tool similar to these.

      After all, we know slashdotters click on the link, but 95% of them are windows users (roughly the similar percentage as every other site). Slashdot is a site where people whine about MS and parade Linux news around, so why attempt to submit an article HERE?

      Even better yet, if you're so interested in linux stuff, check out Fravia's lessons on Searching. There are interesting black and gray hat tools that compare to sebek, but you have to ACTUALLY find them. They're not on the normal crapforge site.

  8. Palladium can fix this. by Anonymous Coward · · Score: 1, Insightful
    As much as we like to complain about trusted computing initiatives, I think palladium can help.

    If I remember right, one component dealt with keycodes being replaced with encrypted and digitally signed packets that could only be decoded by the process authenticated by the palladium hardware.

    Any spyware, even in the kernel couldn't get the key to decrypt these packets.

    If this is right, and if anyone remembers the details, please help fill me in. No doubt, dozens or hundreds will correct me if I'm wrong. :-)

    1. Re:Palladium can fix this. by 42forty-two42 · · Score: 1

      The distinction between the user-mode process and the kernel is in the kernel. After all, most modern kernels shuffle a program's code and data around periodically (swapping, etc) - what's to prevent it from loading kernel code instead? Or what about just replacing the Palladium hardware with a kernel emulation?

  9. Probable origin of name? by deltagreen · · Score: 5, Informative

    I couldn't see it mentioned anywhere, but I found this on www.kemet.org, a site about the religious tradition of Ancient Egypt:

    Sebek (Sobek; G/R Suchos) - "Watching over You" Son of Nit (and also, according to some myths, Set), Sebek is either depicted as a full crocodile, or, less often, as a crocodile-headed man. He is often given the epithets of Heru-sa-Aset as a Netjer [manifestation of god] of protection, healing and vengeance over the wrongdoer. In some mythologies Sebek is a powerful and awe-inspiring denizen of the underworld, and was invoked to do away with annoyances and negative situations, in the phrase "to Sebek with it(him)!," much as modern-day slang consigns bothersome things and persons "to Hell."

    1. Re:Probable origin of name? by owlstead · · Score: 1

      In all probability it was featured in Buffy then :)

  10. Re:Sigh by borius · · Score: 2, Funny

    1) Beer.
    2) Cops (on TV)
    3) Food.

    All I need on a Saturday evening.

    Yet, here you are, posting on Slashdot

  11. Plonked off the high horse by poptones · · Score: 2, Insightful
    There are nearly 3/4 of a million registered users of slashdot. Like it or not, cowboy, this isn't a site that caters exclusively to those "already in the know." It's an advocacy site as much as anything, and the readers here are going to come from thousands of different backgrounds and have thousands of different viewpoints.

    This article is interesting. I'm not an admin of a corporate wan and there's only so much damage that can be done to a home network, so my interest is not sufficient to compel me to "search for it" any more than my interest in particle physics would drive me to "search for" the latest technical papers on particle accelerators.

    If this offends your l33t sensibilities then you need a thorough ass kicking by RMS and JP Barlow to remind you of why sites like slashdot even exist.

    1. Re:Plonked off the high horse by Hektor_Troy · · Score: 1
      > If this offends your l33t sensibilities then you need a thorough ass kicking by RMS and JP Barlow to remind you of why sites like slashdot even exist.

      I thought beatings like those were the reason sites like this existed ...
      --
      We do not live in the 21st century. We live in the 20 second century.
  12. Application for Knowledge Management by G4from128k · · Score: 1

    This type of kernel-level tap on the flow of commands/data for a high-level entity is perfect for advanced knowledge management applications. Rather than create a KM application that is compatible with various web & office applications, we could tap into what those applications are doing by watching their calls to the kernel and core libraries.

    What I want is something that lets me monitor all the calls to string-related objects (Sebek only seems to watch calls to read() ). Processing all of an application's uses of strings might be data overload, but disk space is cheap, so who cares.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Application for Knowledge Management by Zurk · · Score: 1

      Disk space is cheap but processor load is not.
      Doing that will likely result in high CPU load which tips off your cracker.

  13. Sounds Vulcan. by Ceadda · · Score: 1

    Does this mean you do setup with a vulcan mind meld, and close the program with a neck pinch?

    --
    *There's Klingons on the starboard bow, scrape em off Jim!*
  14. Umm... by pr0ntab · · Score: 1

    The article summary mentions that it is the bastard child of existing kernel modding rootkits.

    So, uh, they already have this. But I doubt they'll put them up on freshmeat...

    --
    Fuck Beta. Fuck Dice
  15. Re: SELinux by Anonymous Coward · · Score: 1, Informative

    "If SELinux merges with Linux, them I'm off to BSD, or somewhere where big brother is not."

    That was a really dumb statement.

    SELinux is merging with Linux, but it is an optional component, like ALSA or a NIC driver. It's a tool, and a useful one. Get over it.

    BTW, FreeBSD (arguably the most advanced BSD) already has a very similar framework, the "TrustedBSD Mandatory Access Control Framework." It does similar things as SELinux, and in fact has an optional port of the SELinux stuff in development. (I for one can't wait for it ;)

    SELinux and TrustedBSD are good things, and are also entirely optional. Get with the program.

  16. Am I wrong by scrod · · Score: 1

    or can't one simply modify the shell that the attacker is using to have it log the keystrokes either as it receives them from sshd, or before they're sent to ssh and encrypted?

    1. Re:Am I wrong by __past__ · · Score: 1

      Attackers aren't necessarily stupid. They are likely to bring their own shell, and have the same ways to check file integrity of their executables as the whitehats have. (In fact, one can generally assume that they have more and better tools - they can use all publicly available ones as well as their own they didn't tell anyone about) So it would be hard to modify their shell without them noticing. You would notice a trojaned /bin/sh on your systems too, wouldn't you?

  17. Re:After 20+ years of buffer overflow exploits... by Gwala · · Score: 1

    ** I realise this is following an offtopic post, however I also feel it's worth discussing & debunking **

    And what do you suggest we use?

    C is powerful, fast, and well known. The advantages are clear, and buffer overflows are the product of poor coding, where a coder misuses memory, and lapses to forget that all input is in fact, quite evil.

    The very concept of secure computing is a very new one. Yes, 20 years ago, buffer overflows were possible, however 20 years ago, we weren't worrying about them, because simply put it was not an issue. With the advent of network computing in the last 10 years, it has slowly become an issue, and since then, any coder worth his money has learnt to deal with them, to assume that input is evil, to ensure that his code cannot be subjected to remote exploitation.

    Other languages have their place, however for mere speed of execution, and its powerful nature, C/C++ is not challenged. The only challenge that needs to be conquered is to ensure that programmers think through what they are doing, before they do it.

    --
    #!/bin/csh cat $0
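
    Gwala's point is that overflows come from code that never checks its input against the buffer it writes into. The C below is an added example, not code from this thread, the paper or the Sebek project: the unchecked copy pattern beside a bounded version that rejects oversized input instead of overrunning or silently truncating, and a small "user:command" record parser built on it. The record format, the field sizes and the sample lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define USER_LEN 16
#define CMD_LEN  64

/* The pattern the comment blames: the destination's size is never consulted, so any
 * input longer than dst holds is written past its end. Kept only for contrast. */
void copy_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Length of s, never scanning beyond cap bytes (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* Hardened form: treat src as hostile, measure it against the destination capacity
 * before writing, and report rejection rather than truncating silently.
 * Returns 0 on success, -1 (with dst emptied) when src does not fit. */
int copy_checked(char *dst, size_t dst_cap, const char *src) {
    if (dst == NULL || src == NULL || dst_cap == 0) return -1;
    size_t len = bounded_len(src, dst_cap);
    if (len >= dst_cap) {          /* no room left for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);     /* len + 1 <= dst_cap, so this cannot overrun */
    return 0;
}

/* A small record parser built on the checked copy. Input is "user:command", a
 * constructed stand-in for the kind of typed line a logger might store.
 * Returns 0 on success, -1 if the separator is missing or a field is too long. */
struct record { char user[USER_LEN]; char command[CMD_LEN]; };

int parse_record(const char *line, struct record *rec) {
    const char *sep = strchr(line, ':');
    if (sep == NULL) return -1;
    size_t ulen = (size_t)(sep - line);
    if (ulen >= sizeof rec->user) return -1;   /* user field checked before any copy */
    memcpy(rec->user, line, ulen);
    rec->user[ulen] = '\0';
    return copy_checked(rec->command, sizeof rec->command, sep + 1);
}

int main(void) {
    struct record rec;
    /* Constructed sample lines: two well-formed, one without a separator, one oversized. */
    const char *samples[] = { "alice:ls -la /tmp", "bob:uname -a", "no-separator",
                              "this-user-name-is-far-too-long:id" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_record(samples[i], &rec) == 0)
            printf("ok       user=%s command=%s\n", rec.user, rec.command);
        else
            printf("rejected %s\n", samples[i]);
    }
    char small[USER_LEN];
    copy_unchecked(small, "short");  /* only safe because the literal is known to fit */
    return 0;
}
```

    Rejecting an oversized field, rather than cutting it to fit, matters for a logger in particular: a silently truncated record would misrepresent what was actually typed.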
  18. Re: SELinux by axxackall · · Score: 1

    If SELinux is being ported to BSD, why not port TrustedBSD to Linux? Just to keep the balance and the choice :)

    --
    Less is more!