Security Hacks


FUPIDS - "Fuzzy" User Profile IDS for the OpenBSD Kernel (2003)

FUPIDS stands for Fuzzy Userprofile Intrusion Detection System (it is *not* based on fuzzy logic!). FUPIDS is a kernel code patch for OpenBSD that builds a behaviour profile for every user and alerts the admin when an attacker is detected. For FUPIDS, an attacker is a local user who has taken over another user's account. I wrote the FUPIDS code back in Nov 2003.

The project was heavily discussed and received lots of criticism (mostly due to the bad implementation that I wrote two years before I started studying CS). Please therefore consider FUPIDS simple PoC code.

You can find the announcement mail here. The first public version was released with this mail on Tue, 11 Nov 2003 18:44:57 +0100.
deadly.org article (now undeadly.org)
slashdot.org article
 
Features
 
Here is a list of FUPIDS' features:
  • FUPIDS calculates an attacker level for every user (with uid >= 1000) on your system. It will alert you via syslog if a user's attacker level becomes too high.
  • FUPIDS keeps a profile of the executables each user has used. If a user runs too many new executables within a short time, the attacker level rises. This is needed because an attacker who has taken over the account will probably run newly compiled exploits or an editor the legitimate user never starts.
  • FUPIDS reports if one of your network interfaces (except pflog0 and lo[01]) enters promiscuous mode (this also feeds into the attacker level).
  • FUPIDS monitors the listen() syscall and will tell you if a user creates a new listening socket (possibly a backdoor).
  • If a user who never did anything "bad" before (for example 'uucp') suddenly becomes active on your system, FUPIDS will notice and report it.
  • An attacker cannot kill FUPIDS because it is kernel code, and cannot unload it as an LKM either, because the code is compiled directly into the kernel.
  • Your users do not know that FUPIDS is running on the system, i.e., FUPIDS is transparent.
Documentation
 
You can find a README file in the .tgz archive and you can find the official documentation I wrote for this project in the list of my publications.

Download
 
You can download FUPIDS 0.0.4 from freshmeat.net. Just follow the instructions in the 'INSTALL' file to install it. I don't know if FUPIDS will run on current OpenBSD kernels. I developed it for OpenBSD 3.3. However, it should be possible to modify it for current kernel versions if you have enough skills ;-)

 

openportd - ICMP port knocking service for OpenBSD (2006)

openportd is a very simple port knocking daemon for OpenBSD based on ICMP echo replies. I wrote that code in 2006. You can download it here.


KSPIDS - Linux Kernel User Profile IDS Patch (2008)

KSPIDS stands for Kernel Service Profile Intrusion Detection System. It is a kernel code patch for Linux that monitors the programs a service user (e.g. www-data) runs. It alerts you if -- for example -- your www-data user suddenly executes something like /bin/sh. Please note that KSPIDS is based on FUPIDS (see above).

Features
 
Here is a list of KSPIDS' features:
  • KSPIDS calculates an attacker level for every service user (with uid 1...999) on your system. It will alert you via syslog if a user's attacker level becomes too high.
  • KSPIDS keeps a profile of the executables each service account has used. If such a user runs too many new programs within a short time, the attacker level rises. This is done because an attacker who has taken over the account will probably run newly compiled exploits or an editor the legitimate user never starts.
  • If a user who never did anything "bad" before (for example 'uucp') suddenly becomes active on your system, KSPIDS will notice and report it.
  • An attacker cannot kill KSPIDS because it is kernel code, and cannot unload it as an LKM either, because the code is compiled directly into the Linux kernel.
  • KSPIDS is transparent for users, i.e. no user will notice the presence of KSPIDS.
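The scoring rules listed for FUPIDS above and for KSPIDS here are the same idea applied to two uid ranges, so the following user-space model serves both lists. It is an added example written for this page, not code from FUPIDS, KSPIDS or their patches: the function names, the point values, the alert threshold, the decay per tick and the "learning" phase that stands in for the calibration the page mentions are all assumptions. It keeps a per-uid profile of executables, raises the attacker level for new programs, for an account with an empty profile becoming active, for a new listen() socket and for an interface entering promiscuous mode (ignoring pflog0 and lo0/lo1 as the FUPIDS list says), prints an alert in place of the syslog message, and lets the level decay again over time.

```c
/* User-space model of the FUPIDS/KSPIDS attacker-level heuristic. Added example, not the
 * project's code; every name and constant below is an assumption made for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERS 16
#define MAX_EXECS 64
#define PATH_LEN  64
/* Hypothetical tunables, the sort of values the page says must be calibrated. */
#define LEVEL_NEW_EXEC  10  /* program never seen in this uid's profile */
#define LEVEL_NEW_USER  20  /* account with an empty profile becomes active */
#define LEVEL_LISTEN    15  /* new listening socket */
#define LEVEL_PROMISC   25  /* interface switched to promiscuous mode */
#define LEVEL_DECAY      5  /* subtracted per timer tick of normal behaviour */
#define ALERT_THRESHOLD 30

struct profile { bool in_use; unsigned uid; int level, nexecs; char execs[MAX_EXECS][PATH_LEN]; };
static struct profile table[MAX_USERS];
static bool learning;      /* true: build profiles silently; false: score deviations */
static bool service_mode;  /* false: FUPIDS range (uid >= 1000); true: KSPIDS range (1..999) */

void reset_profiles(bool svc) { memset(table, 0, sizeof table); learning = true; service_mode = svc; }
void set_learning(bool on) { learning = on; }
static bool monitored(unsigned uid) { return service_mode ? (uid >= 1 && uid <= 999) : uid >= 1000; }

/* profile of a monitored uid, allocated on first sight; NULL if unmonitored or the table is full */
static struct profile *lookup(unsigned uid)
{
    struct profile *slot = NULL;
    if (!monitored(uid)) return NULL;
    for (int i = 0; i < MAX_USERS; i++) {
        if (table[i].in_use && table[i].uid == uid) return &table[i];
        if (!table[i].in_use && !slot) slot = &table[i];
    }
    if (slot) { slot->in_use = true; slot->uid = uid; }
    return slot;
}

static bool seen_before(const struct profile *p, const char *path)
{
    for (int i = 0; i < p->nexecs; i++)
        if (strcmp(p->execs[i], path) == 0) return true;
    return false;
}
static void remember(struct profile *p, const char *path)
{
    if (p->nexecs >= MAX_EXECS) return;
    strncpy(p->execs[p->nexecs], path, PATH_LEN - 1);
    p->execs[p->nexecs++][PATH_LEN - 1] = '\0';
}
/* the fprintf stands in for the syslog message the kernel code would emit */
static void raise_level(struct profile *p, int amount, const char *why)
{
    int before = p->level;
    p->level += amount;
    if (before < ALERT_THRESHOLD && p->level >= ALERT_THRESHOLD)
        fprintf(stderr, "ALERT: uid %u reached attacker level %d (%s)\n", p->uid, p->level, why);
}

/* exec hook: returns the uid's level after the event, or -1 if the uid is not monitored */
int on_exec(unsigned uid, const char *path)
{
    struct profile *p = lookup(uid);
    if (!p) return -1;
    if (learning) {                 /* calibration phase: only collect the profile */
        if (!seen_before(p, path)) remember(p, path);
        return p->level;
    }
    if (p->nexecs == 0)             /* e.g. 'uucp' suddenly running anything at all */
        raise_level(p, LEVEL_NEW_USER, "inactive account became active");
    if (!seen_before(p, path)) {
        raise_level(p, LEVEL_NEW_EXEC, path);
        remember(p, path);          /* the same new program is scored only once */
    }
    return p->level;
}
/* listen(2) and promiscuous-mode hooks; pflog0 and lo0/lo1 are ignored, as on the page */
int on_listen(unsigned uid)
{
    struct profile *p = lookup(uid);
    if (p && !learning) raise_level(p, LEVEL_LISTEN, "new listening socket");
    return p ? p->level : -1;
}
int on_promisc(unsigned uid, const char *ifname)
{
    struct profile *p = lookup(uid);
    bool ignored = !strcmp(ifname, "pflog0") || !strcmp(ifname, "lo0") || !strcmp(ifname, "lo1");
    if (p && !learning && !ignored) raise_level(p, LEVEL_PROMISC, ifname);
    return p ? p->level : -1;
}
/* timer tick: levels decay while users behave normally, as in the page's second demo picture */
void on_tick(void)
{
    for (int i = 0; i < MAX_USERS; i++)
        table[i].level = table[i].level > LEVEL_DECAY ? table[i].level - LEVEL_DECAY : 0;
}
int level_of(unsigned uid) { struct profile *p = lookup(uid); return p ? p->level : 0; }
```

Driving it like the page's demo (KSPIDS mode, a constructed mysql service account with uid 27 assumed): record /usr/sbin/mysqld during the learning phase, switch learning off, and then feed /bin/echo, /bin/sh and /usr/bin/gcc through on_exec. The first two raise the level to 10 and 20, the third reaches the threshold of 30 and prints the alert, while repeating /bin/echo changes nothing because the program is now part of the profile. Each on_tick afterwards takes 5 off again, which is the decrease the second demo picture shows. The same code with reset_profiles(false) scores only uids >= 1000, i.e. the FUPIDS range.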

Download

KSPIDS is available for Kernel 2.6.24.7: kspids for kernel-2.6.24.7.

Installation
 
Patch your kernel with the KSPIDS patch, activate the option "Security / KSPIDS", recompile the kernel and boot it (but make sure you have backed up your other kernel and can still boot it, in case something goes wrong!).

Results
 
You need to calibrate KSPIDS via kspids.c. If you skip this step, you may get too many attack warnings or none at all.

Demo
 
Here you can see a typical simulated attack: the user mysql (used to run the MySQL database daemon) was "exploited" and can now execute something like /bin/echo, which makes KSPIDS print new log messages:

KSPIDS simulated attack detection

Here you can see how the attacker level decreases after some time due to "normal" behavior:

KSPIDS simulated attack detection