what you don't know can hurt you
Showing 1 - 25 of 29 RSS Feed

Files from Tim Lawless

First Active1999-11-24
Last Active2002-10-28
StJude_LKM-0.22.tar.gz
Posted Oct 28, 2002
Authored by Tim Lawless | Site wwjh.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local and remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Redhat 8.0's attempt to stop module rootkits stopped StJude as well - added code to discover the sys_call_table during initialization on systems with a non-exported sys_call_table. Fixed some bugs and include problems.
tags | remote, kernel, local, root
systems | linux
MD5 | 355bc6c48ce1a8d82edf83a28df0ce89
StJude_LKM-0.21.tar.gz
Posted Aug 7, 2002
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local and remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Addition of Self Integrity Checks to Detect Attacks against StJude itself, Addition of configuration options to hard-code memory offsets into the source instead of discovery during load time permitting the loading of Stmichael from an initrd, before init spawns and the filesystems are mounted. Added in Kernel Licensing Code to Identify the Kernel License for Newer kernels - No more Tainted Kernels. Really Immutable filesystem support for ext3 fs added. Includes modifications to work with more recent ac kernels.
tags | remote, kernel, local, root
systems | linux
MD5 | 975a1b5bf451a89bc8e38d466d03f459
StMichael_LKM-0.11.tar.gz
Posted Aug 7, 2002
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Addition of Self Integrity Checks to Detect Attacks Against StMichael itself. Added of configuration options to hard-code memory offsets into the source instead of discovery during load time, permitting loading of Stmichael from an initrd, before init spawns and the filesystems are mounted.
tags | kernel
systems | linux
MD5 | 77d653c5a129e32c59d85ef1451358d5
OIR.pdf
Posted May 14, 2002
Authored by Tim Lawless | Site sourceforge.net

This paper puts forth the concept of intrusion resiliency as an emergent behavior that occurs within coupled intrusion detection and intrusion response mechanisms when the mechanisms, as a whole, exhibit a key set of identified attributes. An Illustrative example of how these attributes interact with each other to produce this behavior is given in the form of the Saint Jude Linux Kernel Module.

tags | paper, kernel
systems | linux
MD5 | 5b518c15a0f84d085f417ddc32788e2b
StJude_SKM-0.10.tar.gz
Posted May 14, 2002
Authored by Tim Lawless | Site sourceforge.net

The Saint Jude Solaris Kernel module is a port of the StJude_LKM kernel module into the Solaris 8 kernel for both 32 and 64 bit architectures. This Module implements the Saint Jude Model for the detection of improper privilege transitions. This will permit the discovery of local and remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits. This is the First public release of the StJude Solaris Kernel Module (SKM). The Version number, though, parallels the capability and maturity of its sister program StJude_LKM. Tested on single and dual Sparc and ultrasparc I/II on Solaris 8.

tags | remote, kernel, local, root
systems | unix, solaris
MD5 | 0b8d3bf8e5a4e3d0e6b8c37b705ad91a
StMichael_LKM-0.10.tar.gz
Posted Mar 30, 2002
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Really Immutable filesystem support for ext3 fs added, Added in Kernel Licensing Code to Identify the Kernel License for newer kernels, Backup kernel is now obscured from string searches using the weak crypt function, Added needed modifications to support the newer Alan Cox Kernels, with the different VM system, fixed lots of compilation issues, and better docs.
tags | kernel
systems | linux
MD5 | 16b42d7707d5dfa25214d8cd3768e7fa
StMichael_LKM-0.08.tar.gz
Posted Jan 22, 2002
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Addition of ability to restore a system attacked using kernel modification techniques such as a Silvio Stealth syscall by reloading the kernel without a reboot. Addition of Checks to detect the possible subversion of the kernel at loadtime. Now does Full Kernel Text Validation.
tags | kernel
systems | linux
MD5 | 56b40532ec8f1f3089de8ec4fe7f5f4f
StMichael_LKM-0.07.tar.gz
Posted Oct 30, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Fixed a serious bug that could cause a kernel Oops if StMichael was not the first module loaded into the system.
tags | kernel
systems | linux
MD5 | e5cb4205fd25c95563a84be8b4fa8cf6
StMichael_LKM-0.06.tar.gz
Posted Oct 25, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Began code and signature obfuscation work to conceal commonly found strings, Introduced permanent immutability to files on ext2 fs, and other misc code beautification.
tags | kernel
systems | linux
MD5 | 9f0d2f9612b1daa97a68c9678fde0348
StJude_LKM-0.20.tar.gz
Posted Jul 30, 2001
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local and remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Introduced kernel integrity checking, and module support on systems that require module support. Added Read-Only /dev/kmem support. Eliminated the double-execve problem. New configuration script simplifies platform identification, and selection of compile-time options. Updated checks, verified compatibility with 2.4.7, and updated documentation. Changed license to GNU.
tags | remote, kernel, local, root
systems | linux
MD5 | 82af381dcf19fd6d6ab29092dc9709d5
StMichael_LKM-0.05.tar.gz
Posted Jul 12, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. Detects most modern LKM's, including KIS.

Changes: Added Checks to Detect modules hiding their presence, Added Read-Only /dev/kmem, and Added VFS checking.
tags | kernel
systems | linux
MD5 | fda543690273352eaa367dd9d0fbdb92
StMichael_LKM-0.04.tar.gz
Posted Jul 11, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.

Changes: Added the SHA1 checksum to complement the md5's, added timers to periodically revalidate the kernel, added a configuration script, and added some demos which will trigger StMichael.
tags | kernel
systems | linux
MD5 | 617e56ab882299f50e8b27bf0fd267f4
StMichael_LKM-0.03.tar.gz
Posted Jun 5, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.

Changes: Added md5 checksums to the contents of system calls, added cloaking to hide the presence of StMichael, and its symbols. Since StMichael cause the rootkits to not work as expected, we do not want to give away any useful debugging information.
tags | kernel
systems | linux
MD5 | 5b4c791c22c5fa58c904835a96f0389e
StMichael_LKM-0.02.tar.gz
Posted May 10, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.

Changes: Fixed an inverted match which could cause kernel to hang on attempt to unload StMichael.
tags | kernel
systems | linux
MD5 | 531d16989e7b893bef78cffdbf033f81
StMichael_LKM-0.01.tar.gz
Posted May 8, 2001
Authored by Tim Lawless | Site sourceforge.net

StMichael is a LKM that attempts to detect and divert attempts to install a kernel-module backdoor into a running linux system. This is done by monitoring the init_module and delete_module process for changes in the system call table. This is a experimental version, and a spin off from the Saint Jude Project.

tags | kernel
systems | linux
MD5 | caa99d3b4772a1cc15352b72f6680686
StJude_LKM-0.12.tar.gz
Posted Apr 6, 2001
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local and remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Updated checks and verified compatibility with 2.4.3, and fixed some theoretical bugs.
tags | remote, kernel, local, root
systems | linux
MD5 | 880fc6981bb8a8bc7a4b9b4590906e7c
StJude_LKM-0.11.tar.gz
Posted Mar 20, 2001
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Several compilation problems are fixed, in addition to a bug where if a process exec'd() without forking, and it was an override rule -- the first execution wouldn't be recorded through learning.
tags | remote, kernel, local, root
systems | linux
MD5 | c2d2a18ff5f4528d85759d904599fdc7
StJude_LKM-0.10.tar.gz
Posted Mar 19, 2001
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 and 2.4.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: This is the most stable version yet. Tested with kernel 2.4. Added Learning Parser to facilitate the generation of the Rulebase from the Learning Mode output. Combined with the Override directive, remote root attacks may be thwarted.
tags | remote, kernel, local, root
systems | linux
MD5 | 3f546a4f181d0c3503edb5afbd3f02aa
StJude_LKM-0.07.tar.gz
Posted Mar 19, 2001
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for 2.2.0 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work equally well for both known and unknown exploits.

Changes: Fixes problems on some of the newer Linux distributions. Makefile can now find include files better.
tags | remote, kernel, local, root
systems | linux
MD5 | ce9148dbc5c4b7de94de7158736f8f5e
StJude_LKM-0.06.tar.gz
Posted Dec 17, 2000
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for 2.2.0 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work equally well for both known and unknown exploits.

Changes: Fixed some broken code from 0.05 due to a 2AM release.
tags | remote, kernel, local, root
systems | linux
MD5 | 1a25c4e6e3db0751c2c2d7825c220e68
StJude_LKM-0.05.tar.gz
Posted Dec 15, 2000
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for 2.2.0 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occurring. This is done without checking for attack signatures of known exploits, and thus should work equally well for both known and unknown exploits.

Changes: Added new response method which will execute an external command to record and deal with the intrusion. It is likely to be noted by an astute individual that this also affords the opportunity to counter-attack the attacker, using their control channel against them.
tags | remote, kernel, local, root
systems | linux
MD5 | d145e9768dc1a83974534bd301b738da
StJudeModel.pdf
Posted Nov 2, 2000
Authored by Tim Lawless | Site sourceforge.net

This paper describes how the StJude kernel module stops local and remote exploits from being successful. The Saint Jude model for improper privilege transitions terminates program execution when it is exploited even if the exploit is unknown.

tags | paper, remote, kernel, local
systems | unix
MD5 | c902a44532bc1a78a08bc72e5f872245
StJude_LKM-0.04.tar.gz
Posted Nov 2, 2000
Authored by Tim Lawless | Site sourceforge.net

Saint Jude LKM is a Linux Kernel Module for 2.2.11 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occuring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Fixed bugs, added a Makefile, hid the old execve better, added a homepage.
tags | remote, kernel, local, root
systems | linux
MD5 | 31c63fad67e2ad7181c7596115b571ac
StJude_LKM-0.03.tar.gz
Posted Aug 11, 2000
Authored by Tim Lawless

Saint Jude LKM is a Linux Kernel Module for 2.2.11 and greater kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occuring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Support for SMP kernels, module-sealing is enabled, and a memory leak fix.
tags | remote, kernel, local, root
systems | linux
MD5 | dcc56176c1d569cabf3b852184f3f903
StJude_LKM-0.02.tar.gz
Posted Jul 29, 2000
Authored by Tim Lawless

Saint Jude LKM is a Linux Kernel Module for the 2.2.0 series of kernels. This module implements the Saint Jude model for improper privilege transitions. This will permit the discovery of local, and ultimately, remote root exploits during the exploit itself. Once discovered, Saint Jude will terminate the execution, preventing the root exploit from occuring. This is done without checking for attack signatures of known exploits, and thus should work for both known and unknown exploits.

Changes: Fixed bug which would prevent the setreuid syscal from being restored upon exit.
tags | remote, kernel, local, root
systems | linux
MD5 | 4bd7eeca77d479a36df73c38d7cff517
Page 1 of 2
Back12Next

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close