Chapter 14: Capturing Ring 0 Under Linux


Overview

Ring 0 gives full power over the processor, allowing you to do whatever you want with it. At this level, the code of the operating system is executed, as well as loadable kernel modules (LKMs). For a long time, Linux was considered the "right" operating system, reliably protected against viruses and hacker attacks. However, this is not so. In recent years, lots of security holes have been detected, some of which remain unpatched.

What is it possible to do from the application level? The options are limited: It is possible to execute unprivileged processor commands, access user memory cells, and carry out a syscall. Such operations as writing into input/output ports, reprogramming BIOS, and concealing processes and network connections are possible only from the kernel level. All hackers strive to reach this sanctuary; however, not everyone is capable of finding it. Lots of roads lead there; therefore, I will describe only the most interesting ones.

Holes in Linux are even more numerous than in Windows, and many such holes are critical. For example, the loader of Executable and Linkable Format (ELF) files is a true bug breeder. Multithreading support generates even more bugs. In contrast to Windows, where threads existed initially and synchronization problems were solved at the fundamental level, for Linux multithreading support is not native, and synchronization was carried out too hastily.

Errors nestle, in droves, mainly around semaphores. There is no sense in using exploits written by someone else, because patches for these exploits have already been developed. The hacker's code resulting from such an approach is too unreliable and helpless. Administrators grow more active daily, and servers are equipped with automatic update systems; therefore, it becomes increasingly difficult for the code to survive. Thus, hackers must carry out research on their own. They must know how to analyze source code and machine code, detecting new errors for which patches do not yet exist.



Shellcoder's Programming Uncovered
Shellcoders Programming Uncovered (Uncovered series)
ISBN: 193176946X
EAN: 2147483647
Year: 2003
Pages: 164
