download | code | mailing lists |
LinSIeVe is a System Integrity Verifier that will detect all rootkits that modify the Linux kernel's code or read-only data. This is done by comparing, on a byte-by-byte basis, a RAM snapshot with the program segments of the ELF-format vmlinux that corresponds to the booted bzImage. Recent Linux kernels on recent i386-architecture hardware perform run-time tuning of code at initialization time by selectively overwriting certain instruction sequences with model-specific alternative code. Also, the exception table residing in read-only memory is sorted during initialization. LinSIeVe uses the information in the patch tables used by Linux to verify that each differing byte can be accounted for by run-time tuning, and accounts for the exception table sort. On a 2.6.20 SMP i386 kernel, over 6000 bytes of such alternate code were found and verified.
The main analysis program, rkdiff.py, need not be present on the system being examined. The auditor is not constrained to any particular method for sampling the RAM.
Also bundled with the project are two Python programs that generate an ELF-format vmlinux file from a (b)zImage. This is useful for situations where the original vmlinux file is not available, but a good set of symbols is, either from a System.map file, or built into the kernel and exported via the /proc/kallsyms interface.
LinSIeVe differs from various other open source Linux rootkit detectors in that it addresses all modifications to code and read-only memory. Other detectors focus upon commonly modified portions of memory such as the system call table or function prologs of various event handlers. One drawback of this reactive approach is that rootkit authors can always bypass checks for specific modifications by going deeper into the code.
Currently the project is at the Proof of Concept stage with version 0.1.0 .
As Linux uptake increases amongst technically unsophisticated users, it will become an increasingly popular target for malware authors, hence the need for good, open-source system integrity verication software.