Kenfe-Mickael Laventure, Laurent Malvert
Macquarie University, 2008-09-19

LEMONA: Linux Enhanced Monitoring Architecture
Linux zest for security
Lemona – Linux Enhanced Monitoring Architecture 2 2008-09-19 Laventure / Malvert
Outline
• Security and Forensics
  – Forensics
  – Computer Security
  – Computer Forensics
• Related Work
• Lemona
  – Project
  – Overview
  – Architecture
• References
Forensics
• Short for “Forensic Science”
• Aims at:
  – Collecting Evidence
  – Providing Legal Proof (used in court)
• Concerned with Computers / Networks
Computer Forensics
• Memory Analysis…
  – Volatile Memory (e.g. RAM)
  – Optical Drives (e.g. CD-ROM)
  – Magnetic Drives (e.g. HDD, Floppies)
• … but also Log Analysis
  – Network
  – System
Computer Forensics
• Incomplete
  – Logs are not activated by default
  – Not everything is logged
  – Not all applications generate logs
• Unreliable
  – Generated in User Land
  – Editable by an Attacker
Lemona > Project
• Open Architecture
  – Open Protocols
  – Open Source Implementation
• Decentralized
  – Local Tracing Components
  – Remote Monitoring Components
• Prevention, Detection, Forensics, Recovery
  – Possible…?
Lemona > Overview
• Exhaustiveness
  – Kernel Land Tracer: 100% User Land Coverage
• Integrity
  – Harder to bypass: would require Kernel Level code
  – Integrity Checks
• Flexible
  – Variable Granularity Levels
  – Selectable Hooks
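Added example (not Lemona's code, whose trace format and integrity mechanism the slides do not detail): one way a tracer's local component can make its trace stream tamper-evident before shipping it to the remote storage point, so the "Editable by an Attacker" weakness of user-land logs above does not carry over. Each record is hash-chained to its predecessor; the storage point recomputes the chain and reports the first record that was edited, deleted or reordered. Record fields, the sample syscalls and the genesis value are constructed for this example.

```python
import hashlib
import json

# Constructed sample of records a kernel-land tracer might emit for one
# process. Field names are an assumption, not Lemona's wire format.
SAMPLE_TRACES = [
    {"pid": 4242, "syscall": "open", "args": "/etc/shadow"},
    {"pid": 4242, "syscall": "read", "args": "fd=3 len=4096"},
    {"pid": 4242, "syscall": "unlink", "args": "/var/log/auth.log"},
]

GENESIS = "0" * 64  # chain anchor agreed with the storage point out of band


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON so tracer and storage point hash identical bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def chain_traces(records, prev_hash=GENESIS):
    """Tracer side: number each record and hash it together with the
    previous entry's hash, so changing, dropping or reordering any entry
    invalidates every hash after it."""
    chained = []
    for seq, rec in enumerate(records):
        body = {"seq": seq, "record": rec}
        h = _digest(prev_hash, body)
        chained.append({**body, "hash": h})
        prev_hash = h
    return chained


def verify_chain(chained, prev_hash=GENESIS):
    """Storage point side: recompute the chain from the shared anchor.
    Returns (True, None) or (False, seq of the first bad entry).
    Truncation of the tail is not caught here: the storage point must
    also compare against the last hash it already acknowledged."""
    expected_seq = 0
    for entry in chained:
        body = {"seq": entry["seq"], "record": entry["record"]}
        if entry["seq"] != expected_seq or _digest(prev_hash, body) != entry["hash"]:
            return False, entry["seq"]
        prev_hash = entry["hash"]
        expected_seq += 1
    return True, None


def tampered_verdict():
    """Edit the third record after the fact (deep copy via JSON) and
    show the storage point flags exactly that sequence number."""
    tampered = json.loads(json.dumps(chain_traces(SAMPLE_TRACES)))
    tampered[2]["record"]["syscall"] = "stat"  # rewrite the unlink
    return verify_chain(tampered)
```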
Lemona > Architecture
[Architecture diagram: Inside Attackers, Outside Attackers, Target, Storage Point, Forensics Tools; arrow labelled “Lemona traces transmission”]

Lemona > Architecture > Workflow / Hooks
[Workflow / Hooks diagram]
References > Lemona
[home] http://lemona.googlecode.com/
[blog] http://lemona-project.blogspot.com/
[wiki] http://lemona.googlecode.com/wiki/
[SCM] http://lemona.googlecode.com/svn/
[group] http://groups.google.com/group/lemona/
References > Related
– Sarmoria, C. G. & Chapin, S. J. (2005). Monitoring access to shared memory-mapped files. Proc. of the 2005 Digital Forensics Research Workshop (DFRWS), New Orleans.
– Goel, A., Feng, W. C., Maier, D. & Walpole, J. (2005). Forensix: a robust, high-performance reconstruction system. Distributed Computing Systems Workshops, 25th IEEE International Conference on, 155-162.
– Krishnakumar, R. (2005). Kernel korner: kprobes, a kernel debugger. Linux Journal, 2005.