Slashdot Mirror


Sebek2 - A Kernel-based Data Capture Tool

LogError writes "Sebek is a piece of code the lives entirely in kernel space and records either some or all data accessed by users on the system. This paper is a detailed discussion of Sebek, how it works and its value."

7 of 74 comments

  1. Great tool in the right hands by mpeg4codec · · Score: 4, Insightful

    This can just as easily be modified and used by blackhats as an advanced rootkit, though. Like everything, it's a double-edged sword.

    1. Re:Great tool in the right hands by moreati · · Score: 5, Insightful

      True, like anything this has Good and Evil uses, but since it is kernel resident then it requires either a reboot or a suitable set of hooks in the running kernel so it can be loaded as a module.

      Thus the impact of malicious use of this technology could be mitigated by disabling loadable modules once booted, limiting access to kernel structures by loaded modules, using some variant of TCPA (rootkit module not signed), and/or only accepting shutdown signals from the local console.

      In a corporate environment however I could see this used as a virtually undetectable piece of snitch software, ie for spying on employees at their workstation, even if they have root.

      Regards

      Alex
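    An added example, not from this thread or the Sebek project: a POSIX shell audit of the two Linux-side mitigations described in the comment above, namely refusing further module loads after boot (`kernel.modules_disabled`) and rejecting unsigned modules (`module.sig_enforce`). The procfs/sysfs paths are the real ones; the optional root-directory argument and the sample-tree helper are assumptions added so the checks can be exercised against a constructed tree without root access.

```shell
#!/bin/sh
# Print "locked" if the kernel refuses further module loads, else "open".
# kernel.modules_disabled is one-way: once 1, it stays 1 until reboot,
# which is the "disable loadable modules once booted" mitigation.
modules_disabled_state() {
    root="${1:-}"   # assumption: optional alternate root for testing
    f="$root/proc/sys/kernel/modules_disabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo locked
    else
        echo open
    fi
}

# Print "enforced" if unsigned modules are rejected, else "permissive".
# module.sig_enforce=Y covers the "rootkit module not signed" mitigation.
sig_enforce_state() {
    root="${1:-}"
    f="$root/sys/module/module/parameters/sig_enforce"
    if [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]; then
        echo enforced
    else
        echo permissive
    fi
}

# Overall verdict: "hardened" only when both controls are active;
# an unsigned or post-boot module load remains possible otherwise.
module_lockdown_verdict() {
    root="${1:-}"
    if [ "$(modules_disabled_state "$root")" = "locked" ] && \
       [ "$(sig_enforce_state "$root")" = "enforced" ]; then
        echo hardened
    else
        echo exposed
    fi
}

# Constructed sample tree (not a real system) mirroring the two files above.
make_sample_tree() {
    root="$1"; state="$2"   # state: hardened | exposed
    mkdir -p "$root/proc/sys/kernel" "$root/sys/module/module/parameters"
    if [ "$state" = "hardened" ]; then
        echo 1 > "$root/proc/sys/kernel/modules_disabled"
        echo Y > "$root/sys/module/module/parameters/sig_enforce"
    else
        echo 0 > "$root/proc/sys/kernel/modules_disabled"
        echo N > "$root/sys/module/module/parameters/sig_enforce"
    fi
}
```

On a live host, running `module_lockdown_verdict` with no argument reads the real `/proc` and `/sys` entries.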

  2. weird name by Tumbleweed · · Score: 3, Funny

    Sounds Vulcan.

  3. Wow! by scovetta · · Score: 3, Interesting

    I'm sure the speed of a kernel-level logger will be amazing. I bet WinXP comes with one already running and recording everything.

    Actually, doesn't Windows come with some pretty fancy-schmancy documented (and undocumented) kernel-level logging APIs?

    Or is this *nix? I should RTFA.

    --
    He who fights with monsters should see to it that he does not thereby become a monster. --Nietzsche

  4. Mirror by Magus311X · · Score: 3, Informative

    Mirrored here: Sebek.pdf


  5. Re:re-incorporation? by Anonymous Coward · · Score: 3, Informative

    SELinux security modules are already in the vanilla 2.6-test kernels. The issue of including all parts of SELinux has more to do with how well the code works with the rest of the kernel code. A good example of this is the current decision to use CryptoAPI instead of the long-standing kerneli patches. Some SELinux code is already in the kernel without such a drastic rewrite, so more of it will likely find its way into the vanilla branch.

  6. Probable origin of name? by deltagreen · · Score: 5, Informative

    I couldn't see it mentioned anywhere, but I found this on www.kemet.org, a site about the religious tradition of Ancient Egypt:

    Sebek (Sobek; G/R Suchos) - "Watching over You" Son of Nit (and also, according to some myths, Set), Sebek is either depicted as a full crocodile, or, less often, as a crocodile-headed man. He is often given the epithets of Heru-sa-Aset as a Netjer [manifestation of god] of protection, healing and vengeance over the wrongdoer. In some mythologies Sebek is a powerful and awe-inspiring denizen of the underworld, and was invoked to do away with annoyances and negative situations, in the phrase "to Sebek with it(him)!," much as modern-day slang consigns bothersome things and persons "to Hell."