[vbox-dev] Honeynet research, catching kernel syscall fails with sebek

Andrew Rosborough andros at sas.upenn.edu
Mon Mar 16 16:35:07 GMT 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
I originally posted to the virtualbox forums, but was directed to this
mailing list due to the technical nature of my inquiry.  I summarized
the problems to the best of my ability in the original post, so here
it is:

I prefer VirtualBox to VMware, but I ran in to trouble during a
project where I am building a honeypot behind a firewall in VirtualBox.

The guest operating system is Ubuntu 7.10, and I am trying to insert a
module that is technically a rootkit, called sebek. The purpose of
this module is to monitor ssh traffic off an attacker. The sebek code
works natively, and in VMware, but when using VirtualBox there is an
error dereferencing a null pointer. I'm not an expert coder, but I
have analyzed the source code of the sebek project to determine where
the issue is occuring. syscall.c attempts to overload and log read
calls (in addition to other kernel calls) and the function that does
this is not initializing.

My guess is that virtualbox is somehow preventing the call from being
made or returning a value, but I am not sure. The function asmlinkage
ssize_t nrd (unsigned int fd, char *buf, size_t count) is supposed to
take 3 arguments directly from the stack, run a sys_read with the
arguments, check for errors, log the contents using sbk_log, return
resulting ssize_t of the original call. For whatever reason this
variable is null when it gets cast to a different type on line 783,
and this causes a runtime error.

I have submitted a ticket to the sebek trac, and would like to follow
up with useful information so the project can offer support for
virtualbox servers as well. My ticket is at
https://projects.honeynet.org/sebek/ticket/5

If this forum is not appropriate for this issue, I apologize in
advance. Thanks for reading, have a wonderful afternoon!

Andrew

- --
Andrew Rosborough

Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Room 501
Philadelphia, PA 19104
215.573.8772(p)
215.573.3166(f)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkm+f7oACgkQeHiaLtUKG3wK5QCfQPaMqnRbWmeT3RZAhGLT2C0g
oRUAn0RfIsmVq0DJt5Bo5iKKLzhwb7R4
=O/Np
-----END PGP SIGNATURE-----

More information about the vbox-dev mailing list