OpenWrt 18.06.5 with Exein's security framework
The goal of the Exein framework is to protect the target system from undesirable behavior, bringing a self-protecting and remote-monitoring set of tools to the embedded systems arena.
The natural place for software providing run-time anomaly detection is inside the Linux kernel, using the Linux Security Module (LSM) ecosystem.
The task of analyzing system behavior by enumerating system events is divided into three macro functions:
LSM Exein is the part of the Exein solution that interfaces with the Linux kernel and exports system event data to the userspace application module for analysis. Its main functions are:
Exein_interface is the glue that lets the userspace MLEPlayer communicate with LSM Exein. It does so by defining a new protocol within the Linux Netlink stack. It also provides userspace tools for debugging purposes.
The third part is the code where the actual computation is performed by the machine learning algorithms. This component is called MLEPlayer.
The MLEPlayer embodies the following functions:
The example in this repository is the port of the Exein solution to the OpenWrt ecosystem.
Exact versions in use are:
Users can easily test the solution in an emulated environment by following these steps. Note that tf-exein takes as its first argument the seed that the LSM prints to dmesg at boot, so copy it from your own boot log:
sudo qemu-system-arm -M virt -nographic -smp 1 -kernel bin/targets/armvirt-exein/32-glibc/openwrt-armvirt-exein-32-zImage-initramfs -append "rootwait root=/dev/vda console=ttyAMA0 loglevel=0 norandmaps" -netdev tap,ifname=tap0,id=eth0 -device virtio-net-device,netdev=eth0
# dmesg |grep Exein
[ 0.001962] ExeinLSM - lsm is active: seed [857594974]
[ 9.280018] ExeinLKM - Interface module load complete. Interface ready.
# tf-exein 857594974 /etc/exein/config-13107.ini /etc/exein/model-13107.tflite
To give a taste of how an Exein-protected application behaves, this repo ships a behavior model for the OpenWrt HTTP server.
Note that the HTTP root directory also includes a trojan CGI script, located at http://192.168.1.1/cgi-bin/vuln.cgi, which gives an attacker a reverse shell to TCP 192.168.1.2:4919.
During the test you should observe that regular traffic to the server is allowed, whereas the anomalous behavior of an HTTP server instance acting as a shell is detected and the offending process is terminated.
Looking at the MLEPlayer output, you should see something like the following:
Starting Exein monitoring for tag: 13107
libexnl staring up
Now checking pid 835
INFO: Initialized TensorFlow Lite runtime.
Now checking pid 4432
Now checking pid 4438
Removing pid 4432
Now checking pid 4463
Removing pid 4463
Now checking pid 4481
Block process: 4438
Removing pid 4438
Removing pid 4481
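To check a run mechanically rather than by eye, the MLEPlayer output above can be replayed into a per-pid watchlist: each "Now checking pid" adds a process, each "Removing pid" drops it, and "Block process" records a kill. The script below is an added example, not part of the Exein tooling; the sample log is the one printed on this page, and the add/remove/block interpretation of each message is an assumption made here.

```python
"""Replay MLEPlayer output into a per-pid watchlist timeline.

Added example (not Exein code). The message wording is copied from the
sample output on this page; treating "Now checking pid" as add,
"Removing pid" as remove and "Block process:" as kill is an assumption.
"""
import re
from typing import Dict, List

# Constructed sample: the MLEPlayer output shown on this page.
SAMPLE_LOG = """\
Starting Exein monitoring for tag: 13107
libexnl staring up
Now checking pid 835
INFO: Initialized TensorFlow Lite runtime.
Now checking pid 4432
Now checking pid 4438
Removing pid 4432
Now checking pid 4463
Removing pid 4463
Now checking pid 4481
Block process: 4438
Removing pid 4438
Removing pid 4481
"""

EVENT_RE = re.compile(r"^(Now checking pid|Removing pid|Block process:)\s+(\d+)$")


def replay(log: str) -> Dict[str, List[int]]:
    """Walk the log line by line and return:
    watching   - pids still on the watchlist at the end (sorted)
    blocked    - pids the model decided to terminate, in order
    unexpected - pids removed or blocked without ever being added
                 (an inconsistency worth investigating)
    """
    watching = set()
    blocked: List[int] = []
    unexpected: List[int] = []
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # startup / TensorFlow Lite banner lines carry no pid
        kind, pid = m.group(1), int(m.group(2))
        if kind == "Now checking pid":
            watching.add(pid)
        elif kind == "Block process:":
            if pid not in watching:
                unexpected.append(pid)
            blocked.append(pid)
        else:  # "Removing pid"
            if pid in watching:
                watching.discard(pid)
            else:
                unexpected.append(pid)
    return {
        "watching": sorted(watching),
        "blocked": blocked,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    print(result)
```

On the sample output this yields a watchlist that still holds only pid 835 (the long-lived server), exactly one blocked pid (4438, the instance that turned into a shell), and no unexpected events; a non-empty "unexpected" list on a real run would point at missed exec or exit notifications.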
Here's a brief description of the most meaningful parts of the MLEPlayer output:
Tags are a central concept of the Exein framework. They act as classifiers and let the framework identify the target processes and their children. A tag is a 16-bit identifier embedded into an executable by adding a dedicated section to the ELF binary; it is checked every time the executable is run.
Now checking pid 835 reports that process 835 was added to the watchlist.
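To make the tag mechanism concrete, the following added example builds a minimal ELF64 image that carries a 16-bit tag in a dedicated section and then reads it back by walking the section header table, which is the lookup an exec-time check has to perform. This is illustration code, not Exein's tooling: the section name ".exein.tag" and the little-endian uint16 encoding are assumptions of this example, and the page does not state what Exein actually uses.

```python
"""Embed a 16-bit tag in a dedicated ELF section and read it back.

Added example, not Exein's implementation. Assumptions: section name
".exein.tag" and a little-endian uint16 payload. The ELF built here is
a constructed, non-executable blob used only to exercise the reader.
"""
import struct
from typing import Optional

TAG_SECTION = b".exein.tag"   # assumed section name
ELF64_EHDR_SIZE = 64
ELF64_SHDR_SIZE = 64
SHT_PROGBITS, SHT_STRTAB = 1, 3


def _shdr(name_off: int, sh_type: int, off: int, size: int) -> bytes:
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    return struct.pack("<IIQQQQIIQQ", name_off, sh_type, 0, 0, off, size, 0, 0, 1, 0)


def build_tagged_elf(tag: int) -> bytes:
    """Construct an ELF64 blob with sections [0] NULL, [1] .exein.tag, [2] .shstrtab."""
    if not 0 <= tag <= 0xFFFF:
        raise ValueError("tag must fit in 16 bits")
    shstrtab = b"\0" + TAG_SECTION + b"\0" + b".shstrtab\0"
    tag_bytes = struct.pack("<H", tag)
    tag_off = ELF64_EHDR_SIZE
    shstr_off = tag_off + len(tag_bytes)
    shoff = (shstr_off + len(shstrtab) + 7) & ~7   # 8-byte align the header table
    ehdr = struct.pack(
        "<16sHHIQQQIHHHHHH",
        b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8,  # ELFCLASS64, LSB, version 1
        2, 0xB7, 1,          # e_type ET_EXEC, e_machine (arbitrary), e_version
        0, 0, shoff, 0,      # e_entry, e_phoff, e_shoff, e_flags
        ELF64_EHDR_SIZE, 0, 0,   # e_ehsize, e_phentsize, e_phnum
        ELF64_SHDR_SIZE, 3, 2,   # e_shentsize, e_shnum, e_shstrndx
    )
    shdrs = (b"\0" * ELF64_SHDR_SIZE
             + _shdr(1, SHT_PROGBITS, tag_off, len(tag_bytes))
             + _shdr(1 + len(TAG_SECTION) + 1, SHT_STRTAB, shstr_off, len(shstrtab)))
    body = ehdr + tag_bytes + shstrtab
    body += b"\0" * (shoff - len(body))
    return body + shdrs


def read_tag(elf: bytes) -> Optional[int]:
    """Return the tag stored in TAG_SECTION, or None when the file is not
    ELF64 or carries no usable tag section (an untagged binary is simply
    not watched). Bounds are checked so a malformed file is untagged, not
    a crash."""
    if len(elf) < ELF64_EHDR_SIZE or elf[:4] != b"\x7fELF" or elf[4] != 2:
        return None
    shoff = struct.unpack_from("<Q", elf, 40)[0]
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 58)
    if shentsize != ELF64_SHDR_SIZE or shstrndx >= shnum:
        return None
    if shoff + shnum * shentsize > len(elf):
        return None

    def section(idx):
        return struct.unpack_from("<IIQQQQIIQQ", elf, shoff + idx * shentsize)

    # Section names are offsets into .shstrtab, so resolve that first.
    _, _, _, _, strtab_off, strtab_size, *_ = section(shstrndx)
    strtab = elf[strtab_off:strtab_off + strtab_size]
    for idx in range(1, shnum):
        name_off, _, _, _, off, size, *_ = section(idx)
        end = strtab.find(b"\0", name_off)
        if strtab[name_off:end] != TAG_SECTION:
            continue
        if size < 2 or off + 2 > len(elf):
            return None  # tag section present but truncated: treat as untagged
        return struct.unpack_from("<H", elf, off)[0]
    return None


if __name__ == "__main__":
    blob = build_tagged_elf(13107)   # the tag used in the example run above
    print(read_tag(blob))            # 13107
```

On a real binary the same effect is obtained with binutils, e.g. `objcopy --add-section .exein.tag=tag.bin <binary>`, after which `readelf -S` lists the new section; the reader above is what the exec-time check has to do with it, and it deliberately returns "untagged" rather than trusting a section whose offset or size points outside the file.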