Hi, I'm Adrian, and I'm going to talk about SystemTap and how we can use it to do fun and questionable things. So, just a word about me. I'm French, and I like low-level stuff, you know, debuggers, kernel stuff, playing with the libc, and things like that. So I ended up playing with SystemTap over the last two years or so, and that's why I came to think about using it for doing interesting, potentially security-related stuff. I'm not a developer myself. Well, I can write code, but I'm not really a developer. I'm just a SystemTap user. And I'm not a BOFH either; that's probably because I don't really have a computer. I'm also involved in a free software user group. If you live in the Arlon area in Belgium, you probably want to check them out. It's a good place for a typical meeting. Yeah, I'm looking for jobs. Sorry, we are full, guys. I think we are full. Please, please, come in. It's way too much.

So, the Bastard Operator From Hell. The BOFH is the bastard operator from hell, a supposedly fictional character who just enjoys abusing his users. The typical story is like the user calling: I don't have any more space in my home directory. Sure, I can fix that. And there, I've deleted your home directory for you, in the backup as well, so you don't have to worry about free space anymore. That's also the BOFH: users, you know, you just delete their files and stuff. But we'll see some more subtle ways for the BOFH to handle users.

So what is SystemTap? If you look at the website, you have a nice description explaining what SystemTap is useful for: a tracing tool that will help you figure out functional and performance issues. But really, I like to think of it as a system-wide code injection framework. If you start to think of it like that, it makes it more interesting.
Basically, you can just say, anywhere in the system, I want to see what's happening just there. Or you can also say, I want to actually change this part of the code here, at any point in the system, whether it's the kernel, or an application, or a library, or whatever. And you don't have to rebuild the application or the kernel or anything. So that's a pretty powerful tool, and we'll see some of the details about this. This presentation specifically is about the BOFH finding a new toy in SystemTap, and we'll see how the BOFH can use SystemTap to do interesting things. Yeah, this is the security track, but this is not actually really breaking any security, because the BOFH is root already, and we are not crossing any trust boundary or anything. Everything we are going to see here, you can already do it as root; that's the interesting part. So you don't really need SystemTap for that, but SystemTap makes things much easier, and we'll see some examples of that. There are two parts really: I'll start by explaining SystemTap and what it can do, and then we'll see some examples with demos, if I can manage to do them. Questions so far?

So, what SystemTap really does is: you write a SystemTap script in a specific language, and the stap binary converts that into C. The C is compiled into a kernel module, the module is loaded, and stap communicates with the module. In practice, you end up with something like this. We run stap with -v so we can see what actually happens: the script is parsed and analyzed, then translated into a temporary C file, and that is compiled into a kernel module which is loaded. And if your script is actually producing some output, it goes there. That's pretty much it. So, SystemTap is all about looking into certain things: we want to probe specific parts of the system.
It's all about executing certain actions when something happens, and the place where we want to execute the action is called the probe point. Here are some examples of probe points, so you can get an idea of where you can tap into the system. For example, you can say: whenever a read syscall is starting, do something; or whenever we are returning from a close syscall; or you can use a wildcard and say whenever we are entering any function in the floppy module; or whenever we are returning from any function in the socket.c file in the kernel; or whenever we are hitting line 2917 in the scheduler. Some more examples: you can also say every 200 milliseconds, let's do something. And it's not restricted to the kernel: you can say whenever we are entering any function in a given library, or whenever we are entering any function that has malloc in its name in the libc, do something. Or you can combine things with a comma and say whenever we are entering any function in the kernel that has a given string in its name, or whenever we are returning from any such function. That would be a single probe in the script, but it would be expanded to many probe points. And if you get into SystemTap, just read the friendly manual and you'll have much more detail about all the probes that are available. But that should give you an idea of what you can tap into.

The SystemTap programming language is kind of C and awk-like: obviously you are executing actions whenever we are hitting something, which is pretty awk style. There are many facilities, but I'm not going to go into details; that's not what the presentation is about. You have associative arrays and aggregates of statistical data, which are pretty useful if you do profiling, but we are not talking about that today.
There are many, many helper functions, both built into the language and available as libraries, called tapsets, which are reusable SystemTap scripts. If you want the full details, go with the manual. Some examples of helper functions, to give you an idea again; I think most of these are pretty obvious. You can get what process we are in, what thread we are in, what the name of the current process is. probefunc() maybe needs some detail: since we can use wildcards, one probe point will really match multiple probe points, and we can end up in any of multiple functions. In that case, probefunc() will tell you which function we are in. print_backtrace() is pretty useful when you're debugging stuff, so you can figure out how we ended up there. And the more interesting ones are things like kernel_string() and user_string(): you give them a pointer and they will get the string at that address and convert it into something usable within SystemTap, in a safe way, so that you are not dereferencing something you probably shouldn't and crashing the system. And again, many more; that's just an example to give you an idea. Questions so far?

Show some nice examples.

Yeah, the examples are coming. I think you need to have some idea of this to understand the examples. There are some more stap options. By default, if you run a stap script, it will trace everything in the system. With -x, you will trace just the specific PID you want; with -c, you can run just a specific process. Something we'll see: uppercase -L will not run a script; you give it a probe point and it will tell you what variables are available at that probe point, and if you give a wildcard it will expand the wildcard and tell you what you are going to match.
That's what you use when you develop SystemTap scripts. Uppercase -F is nice too: stap will just load the module and exit, but the module will still be loaded. So you won't have any I/O, but the module will do what you want it to do, and it's more stealthy because you don't have a process hanging around. So the BOFH is probably interested in that. And you have -g: by default, SystemTap will not allow you to change anything, it will just allow you to trace and observe things; -g will allow you to change things and to actually inject C code or whatever you like. So of course it's very easy to crash processes and the system if you change the behavior of the system at runtime. That's all. Questions before the examples?

So let's see how we can apply this. This is an example. You may know libpurple. It's something that's been developed for Pidgin, and basically it's an IM library, so you can reach your friends on ICQ or IRC or Jabber or whatever through libpurple, and the application doesn't have to care about it; libpurple handles that. And every communication basically goes through that function in libpurple, purple_conversation_write. Arguments: no idea what most of these are for exactly, but who and message are probably interesting. It's obviously the person sending the message and the actual message. So we can use SystemTap here to tap into the libpurple library and instrument that specific function, purple_conversation_write, and when we're in this function we just retrieve the sender of the message and the actual message and we print them. And yeah, I didn't have time to get internet on my laptop, so I cannot do the demo of this one. I can show you at the end if we have time.

How do you get the who and message variables? How does it know that those are the second and third arguments?
Okay, that's because you have the debug symbols for that.

Oh, I see, okay.

So yeah, it uses the debug symbols. You don't necessarily need debug symbols installed on the machine you are planning to instrument, but you need them at some point when you build the SystemTap module. I can give you more details about that if you like, but I'm short on time. So yeah, I cannot demo this one because I don't have internet. It works, really.

So this one... Yeah, I'm probably going to skip this one because it's not so interesting and I don't have time, but this one is more interesting. Let's say you are the BOFH and you don't like your users to play mp3 files, for whatever reason. There's that function in the kernel called may_open, and you give it a path struct, and the kernel determines if that user has access or not. So the may_open function returns zero if the user is allowed to access the file, or something else otherwise. So if you look at what SystemTap sees for the may_open function: here we are going to instrument the return of that function, and you see here the variables that are available, using the debugging information. What we can see and change from SystemTap at that point are the return value, obviously, and the path, which is probably interesting for doing that; the rest are...
Well, there are more things you can look into if you're interested, but I have no idea about most of them. So the SystemTap script we're going to write for that: we are instrumenting the point where that function returns, and when it returns, we're going to let root do whatever it likes, so here we check whether we are root. If we are not root, and we are not already disallowing access to the file (because the return value is 0), and mp3 is in the path: d_name() and isinstr() are SystemTap-provided functions. Here we have the path struct, we look into the dentry and get the actual name of the file, and isinstr() looks whether mp3 exists in that file name. If that's the case, we replace the return value with -13 to say permission denied. But you can give another error code if you like, if you like to confuse the user some more. So I should be able to demo this one. OK.

So we have the SystemTap script running there, and we are a user, and we are instrumenting the may_open function, but we can still create files. So this works, but this won't, and you see we get the errors and stuff.

Is it possible for the user to rename the file?

Yes, the user is still able to work around this, of course, because you are just instrumenting may_open, so you can still use mv and say oh, it's really an ogg file or whatever. But well, it's just a little example.

Which distros have SystemTap by default?

You have Fedora and all the Red Hat based distributions.

So are you saying that by default there is the toolkit for a rootkit on all of those?

Yeah, if you are bored you can do this kind of stuff pretty easily on Fedora, on the Red Hat based systems, and on the next stable Debian. I don't know, I think you want to check the state of SystemTap on your distribution.

What about debugging symbols? Debugging symbols on a normal...

Yes, you need debug symbols
for what you are instrumenting, at some point. So for the kernel, you are going to need the debug info for the kernel; that's usually shipped as another package next to your regular kernel in most distributions. So yeah, your distribution needs to prepare for that, or you can rebuild your kernel. Do people still rebuild their kernel? Another example, unless there are more questions.

Is there any performance degradation because of this?

Well, depending on what you are doing. For the example, you are not going to notice anything. I mean, that's just one function, you have a simple condition: you dereference a pointer a couple of times, do a string comparison, and check the uid and the return value you already have in your register. This is not going to cost you any time. Now, if you do more complex stuff... I mean, even if you don't do any complex stuff in your functions but you are just trying to plug into a lot of the kernel functions, if you are going to plug into a lot of things that are called a lot, you may have problems. There are some safeties built in, though: basically, if SystemTap notices that it's just going to be too costly, that it's taking more time doing that stuff than actually letting the kernel do whatever, it will just stop and say OK, don't do that.

Some kernels come with custom modules that restrict this kind of rootkit from running, like some kind of patch that can be proposed and applied automatically on the kernel. Is there a way to... or is there no way to...

Well, there are ways to not allow that, but basically it's actually a feature that's part of the kernel; it's based on kprobes. So when you build a kernel you can say I disable kprobes, and you will not be able to do that, well, not as easily. But I don't see the point of a feature restricting another feature.

I was just thinking of a guy hacking my system and installing the rootkit, and how to make
sure to... should I run all processes encrypted, or things like that?

This is Unix: once the guy has root, you reinstall the machine. SystemTap just makes things easier; you could already do that 10 years ago with your own shell code. It's just much harder, you know: here it's five lines of code and you can just say do this, whereas there you have to try everything on the system. There are two questions.

How do you use SystemTap against C++ programs?

Yes, you can. My examples are for C, but SystemTap works as well for C++, and there are things for Python and Java and Perl and other languages.

I can give a very quick example of the last one: hiding SystemTap with SystemTap. Last time I gave this presentation I was asked: can you hide SystemTap with SystemTap? Yes, actually you can, so a couple of hours later I came up with a script. The list of modules is stored as a list in the kernel, and you just move the modules around: when someone is going to look into the list, you just move the modules you don't want to show somewhere else, and you put them back whenever appropriate. So this is the function. Here we are using it in guru mode because we are actually writing C, so you can look at this later because I don't have time for it, but we are using the kernel API to just mess with the list, and we store the hidden modules in a static list in this function. And all you actually use is that in module.c in the kernel you have a function called m_start that is called whenever someone tries to read the modules file, which is where lsmod goes to see the list of modules. So whenever we are going to read that file, we inject there, and what we are doing here: we want to inject just after the mutex but before we actually do anything with the list, so that's why I do plus 2 here, and we just call the function we have written before to move them, and we do the opposite when the user closes the file. So
I don't have time for the actual demo, but basically whenever someone opens the file, it will not show the modules you are hiding, so you are hiding SystemTap. If you want to know more about this stuff, the slides and all the examples will be online in a couple of minutes on my web page. For SystemTap itself, if you want to learn, look at the beginner's guide on the SystemTap website; there is a wiki as well; there is lots of excellent documentation for SystemTap. If you are not interested in SystemTap, you are maybe interested in the BOFH stories. Yeah, thank you. I might be looking for a job, maybe, still. Thank you.
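As an added example, not the speaker's script, here is a guru-mode SystemTap script reconstructed from the may_open description in the talk: it denies non-root opens of files whose name contains mp3 by rewriting the return value to -13 (EACCES), and additionally counts the denials per executable. It assumes that may_open's first argument is a struct path * named path (so the dentry is reachable as $path->dentry), which depends on the kernel version; the probefunc, d_name, isinstr, uid, execname and pid helpers and the -g and -L options are the ones the talk mentions.

```systemtap
#!/usr/bin/stap -g
# Added example (not from the talk): deny non-root processes access to
# files whose name contains "mp3" by rewriting the return value of the
# kernel's may_open(). Needs guru mode (-g) because it writes $return,
# and kernel debuginfo so that $path can be resolved.
#
# Check first what this probe point exposes on your kernel:
#   stap -L 'kernel.function("may_open").return'
# Assumption: may_open's first argument is "struct path *path", so the
# file name is reachable via $path->dentry (kernel version dependent).

global denied   # denials per executable name, as a statistics aggregate

probe kernel.function("may_open").return
{
    # Let root do whatever it likes, and leave opens alone that the
    # kernel has already refused (a non-zero return is already an error).
    if (uid() == 0 || $return != 0)
        next

    name = d_name($path->dentry)
    if (isinstr(name, "mp3")) {
        denied[execname()] <<< 1
        printf("%s(%d) uid=%d: denied open of %s\n",
               execname(), pid(), uid(), name)
        $return = -13    # -EACCES, reported as "Permission denied"
    }
}

probe end
{
    # Summary printed when stap is stopped (Ctrl-C).
    foreach (exe in denied)
        printf("%s: %d denied\n", exe, @count(denied[exe]))
}
```

As the Q&A above points out, this checks only the file name at may_open time, so a renamed file is not caught; it demonstrates guru-mode return-value rewriting, not a real access control.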