
Kenfe-Mickael Laventure, Laurent Malvert
Macquarie University, 2008-09-19

LEMONA – Linux Enhanced Monitoring Architecture

Linux zest for security

Lemona – Linux Enhanced Monitoring Architecture 2 2008-09-19 Laventure / Malvert

Outline

• Security and Forensics
  – Forensics
  – Computer Security
  – Computer Forensics

• Related Work

• Lemona
  – Project
  – Overview
  – Architecture

• References


Forensics

• Short for “Forensic Science”

• Aims at:
  – Collecting Evidence
  – Providing Legal Proof (used in court)

• Concerned with Computers / Networks


Computer Security


Computer Forensics

• Memory Analysis…
  – Volatile Memory (e.g. RAM)
  – Optical Drives (e.g. CD-ROM)
  – Magnetic Drives (e.g. HDD, Floppies)

• … but also Log Analysis
  – Network
  – System


Computer Forensics

• Incomplete
  – Logs are not activated by default
  – Not everything is logged
  – Not all applications generate logs

• Unreliable
  – Generated in User Land
  – Editable by an Attacker


Related Work


Lemona > Project

• Open Architecture
  – Open Protocols
  – Open Source Implementation

• Decentralized
  – Local Tracing Components
  – Remote Monitoring Components

• Prevention, Detection, Forensics, Recovery
  – Possible…?


Lemona > Overview

• Exhaustiveness
  – Kernel Land Tracer → 100% User Land Coverage

• Integrity
  – Harder to bypass → would require Kernel Level code
  – Integrity Checks

• Flexible
  – Variable Granularity Levels
  – Selectable Hooks


Lemona > Architecture

[Architecture diagram: Inside Attackers, Outside Attackers, Target, Storage Point, Forensics Tools; Lemona traces transmission]

Architecture > Workflow / Hooks

[Workflow / Hooks diagram]


References > Lemona

[home] http://lemona.googlecode.com/

[blog] http://lemona-project.blogspot.com/

[wiki] http://lemona.googlecode.com/wiki/

[SCM] http://lemona.googlecode.com/svn/

[group] http://groups.google.com/group/lemona/


References > Related

– SARMORIA, C. G. & CHAPIN, S. J. (2005). Monitoring access to shared memory-mapped files. Proc. of the 2005 Digital Forensics Research Workshop (DFRWS), New Orleans.

– GOEL, A., FENG, W. C., MAIER, D. & WALPOLE, J. (2005). Forensix: a robust, high-performance reconstruction system. Distributed Computing Systems Workshops, 2005. 25th IEEE International Conference on, 155-162.

– KRISHNAKUMAR, R. (2005). Kernel korner: kprobes – a kernel debugger. Linux Journal, 2005.