Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Software Linux

Sebek2 - A Kernel-based Data Capture Tool 74

LogError writes "Sebek is a piece of code the lives entirely in kernel space and records either some or all data accessed by users on the system. This paper is a detailed discussion of Sebek, how it works and its value."
This discussion has been archived. No new comments can be posted.

Sebek2 - A Kernel-based Data Capture Tool

Comments Filter:
  • by mpeg4codec ( 581587 ) on Saturday September 27, 2003 @03:55PM (#7073930) Homepage
    This can just as easily be modified and used by blackhats as an advanced rootkit, though. Like everything, it's a double-edged sword.
    • by moreati ( 119629 ) <alex@moreati.org.uk> on Saturday September 27, 2003 @04:15PM (#7074034) Homepage
      True, like anthing this has Good and Evil uses, but since it is kernel resident then it requires either a reboot or a siutable set of hooks in the running kernel so it can be loaded as a module.

      Thus the impact of malicuous use of this technology could be mitigated by disabling loadable modules once booted, limiting access to kernel structures by loaded modules, using some varient of TCPA (rootkit module not signed), and/or only accepting shutdown signals from the local console.

      In a corporate environment however I could see this used as a virtually undetectable piece of snitch software, ie for spying on employees at their workstation, even if they have root.

      Regards

      Alex
      • In a corporate environment however I could see this used as a virtually undetectable piece of snitch software, ie for spying on employees at their workstation, even if they have root.

        So now the question is.. do you even trust the systems you have accounts on, even when you use gpg and ssh to access them or get data from untrusted systems TO them?

        I regularly use client networks and systems, generally with ssh/vpn/ipsec/gpg, but now I have no idea if I should trust these "trusted" systems.

        So what we need

    • Exactly what I thought. It's kind of ironic that at the end of the paper they mention that it may be detectable by scripts like chrootkit and that future development will address that issue. When it *is* used as an advanced root kit, the whitehats will need to make better detection script so they can detect hostile rootkits. And that just makes it easier to detect this tool. Around and around we go :)
    • the article summary mentions that it is the bastard child of existing kernel modding rootkits.

      So, uh, they already have this. But I doubt they'll put them up on freshmeat...
  • weird name (Score:4, Funny)

    by Tumbleweed ( 3706 ) on Saturday September 27, 2003 @03:57PM (#7073939)
    Sounds Vulcan.
    • Actually, in Polish the name Sebek is a shorter version of the name Sebastian.
      • Re:weird name (Score:1, Flamebait)

        by Tumbleweed ( 3706 )
        Polacks...Vulcans...same thing. :)
        • Though they may be closely related, it's not the same thing (as you may see from the moderation done to you - probably a Vulcan Supreme Moderator got angry). Vulcans are actually a spin-off group of Pollocks (though nobody can exactly say why - but they all agree it was one helluva reason). Your comparison was just as offensive and tactless as saying "Catholic or Protestant, it's the same thing" in Northern Ireland...
          • > Your comparison was just as offensive and tactless as saying "Catholic or Protestant, it's the same thing" in Northern Ireland...

            Heh, funny you should say that...for one of my particular spiritual bent, they ARE. Even Christians & Satanists are at least two sides of the same coin. :)
            • Even Christians & Satanists are at least two sides of the same coin.

              It's weird that people always talk about two sides of a coin, but they never think of the fact that all coins are (at least) three-dimensional. Nobody ever says "Hey, if two things are two sides of the same coin, then what's on the rim?" And what's inside it? I mean, there's practically nothing (usually it's air or the linings of your pocket or other coins) on the outer sides of the coin, everything interesting is inside it...

              • What's on the rim of the Christian/Satanist coin? Jehovah's Witnesses, definitely!

                And inside? Some soft nougat-like material, I'm guessing. Either that, or Moon Cheese(tm).

                That's my story, and I'm sticking to it!
    • It's not a name, it's a magical formula. Using the correct algorithm, which is conveniently missing (oh, that'd make a wonderful plot for a horror movie), this word can be turned into a magical incantation. After a hundred years of experimenting, a secret sect of Bulgarian (why the hell not?) Egyptologists have managed to reverse engineer the algorithm, published the source under GPL. It's actually quite easy - just say all the anagrams of the name:

      sebek, sbeek, skeeb, skebe, sbkee, skbee, sekbe, sebke, ee

  • Wow! (Score:4, Interesting)

    by scovetta ( 632629 ) on Saturday September 27, 2003 @03:57PM (#7073943) Homepage
    I'm sure the speed of a kernel-level logger will be amazing. I bet WinXP comes with one already running and recording everything.

    Actually, doesn't Windows come with some pretty fancy-schmancy documented (and undocumented) kernel-level logging APIs?

    Or is this *nix? I should RTFA.
    • I'm sure the speed of a kernel-level logger will be amazing. I bet WinXP comes with one already running and recording everything.

      Yeah, maybe that's why it needs so much disk space

    • If it does then all their fancy drm is worth
      nothing. Imagine logging every song you played
      in the decoded form...
      • He who controls the kernal controls all on the system. Wonder if the Department of Homland Security can do an OS upgrade using a sneak-and-peak warrent?
  • by Creepy Crawler ( 680178 ) on Saturday September 27, 2003 @04:00PM (#7073955)
    After all, with the Gen2 honeynets out there, this is the tool of choice.

    This tool has been out at honeynet.org for months now.I've been using it for at least 2 months.

    THIS IS NOT NEWS,
    • IIRC the paper was last changed on 13th Sept 2003. So it is quite new. Not the tool itself (as the version number - remember, it was 2 - implies), but this paper about it.
    • I never heard of honeynet. I didn't know I could run a kernel level logger on my firewall. Maybe someone at /. turned the story down two months ago, but I never heard of this. So why didn't you send in the story when it was "news?"
      • If you didnt know about it, you probably didnt need it, as you probably would do a search before paying for a tool similar to these.

        After all, we know slashdotters click on the link, but 95% of them are windows users (roughly the similar percentage as every other site). Slashdot is a site where people whine about MS and parade Linux news around, so why attempt to submit an article HERE?

        Even better yet, if you're soo interested in linux stuf, check out Fravia's lessons on Searching. There's interesting bla
        • There are nearly 3/4 of a million registered users of slashdot. Like it or not, cowboy, this isn't a site that caters exclusively to those "already in the know." It's an advocacy site as much as anything, and the readers here are going to come from thousands of difference backgrounds and have thousands of different viewpoints.

          this article is interesting. I'm not an admin of a corporate wan and there's only so much damage that can be done to a home network, so my interest is not sufficient to compel me to "

          • If this offends your l33t sensibilities then you need a thorough ass kicking by RMS and JP Barlow to remind you of why sites like slashdot even exist.
            I thought beatings like those were there reason sites like this existed ...
  • Mirror (Score:4, Informative)

    by Magus311X ( 5823 ) on Saturday September 27, 2003 @04:02PM (#7073972)
    Mirrored here: Sebek.pdf [lazysonofabitch.net]

    -----
  • by Anonymous Coward
    As much as we like to complain about trusted computing initiatives; I think palladium can help.

    If I remember right, one component dealt with keycodes being replaced with encrypted and digitally signed packets that could only be decoded by the process authenticated by the palladium hardware.

    Any spyware, even in the kernel couldn't get the key to decrypt these packets.

    If this is right, and if anyone remembers the details, please help fill me in. No doubt, dozens or hundreds will correct me if I'm wrong

    • Sure, and how much do you want to bet the the people who end up knowing all the keys aren't the same ones that actually own the hardware?

      I have another, far more entertaining solution. Let the government post an official list of individuals and companies that are considered "persona non grata" in cyberspace. Call it the "Internet Black List" (IBL.) At a minimum this should include known spammers, their providers, and the RIAA. Now, under my plan, being on this list would legally entitle anyone to att
    • The distinction between the user-mode process and the kernel is in the kernel. After all, most modern kernels shuffle a program's code and data around periodically (swapping, etc) - what's to prevent it from loading kernel code instead? Or what about just replacing the Palladium hardware with a kernel emulation?
  • by deltagreen ( 522610 ) on Saturday September 27, 2003 @04:40PM (#7074139) Homepage

    I couldn't see it mentioned anywhere, but I found this on www.kemet.org, a site about the religious tradition of Ancient Egypt:

    Sebek (Sobek; G/R Suchos) - "Watching over You" Son of Nit (and also, according to some myths, Set), Sebek is either depicted as a full crocodile, or, less often, as a crocodile-headed man. He is often given the epithets of Heru-sa-Aset as a Netjer [manifestation of god] of protection, healing and vengeance over the wrongdoer. In some mythologies Sebek is a powerful and awe-inspiring denizen of the underworld, and was invoked to do away with annoyances and negative situations, in the phrase "to Sebek with it(him)!," much as modern-day slang consigns bothersome things and persons "to Hell."

  • This type of kernal-level tap on the flow of commands/data for a high-level entity is perfect for advanced knowledge management applications. Rather than create a KM application that is compatible with various web & office applications, we could tap into what those applications are doing by watching their calls to the kernal and core libraries.

    What I want is something that lets me monitor all the calls to string-related objects (Sebak only seems to watch calls to read() ). Processing all of an appl
  • Does this mean you do setup with a vulcan mind meld, and close the program with a neck pinch?
  • or can't one simply modify the shell that the attacker is using to have it log the keystrokes either as it receives them from sshd, or before they're sent to ssh and encrypted?
    • Attackers aren't necessarily stupid. They are likely to bring their own shell, and have the same ways to check file integrity of their executables as the whitehats have. (In fact, one can generally assume that they have more and better tools - they can use all publicly available ones as well as their own they didn't tell anyone about) So it would be hard to modify their shell without them noticing. You would notice a trojaned /bin/sh on your systems too, wouldn't you?

Let's organize this thing and take all the fun out of it.

Working...