[Cs22800] CS 228 Project Proposal Write-Up

Benjamin Johnson bsjohnso at midway.uchicago.edu
Thu Oct 10 21:59:14 CDT 2002


SEBEK BSD, OS X, Solaris, Covertness

Sebek is a part of the Honeynet Project (www.honeynet.org) designed to
provide insight into the world of the hacker and cracker.  Sebek's part
is to capture session traffic, mainly keystrokes, when sniffers and
intrusion detection systems are not useful.  This mostly constitutes ssh
and scp sessions due to their encrypted nature, but in the future the
necessity for Sebek could be much more common.  Sebek does this through
a loadable kernel module and a few "helper applications".  Sebek acts as
a rootkit, where it loads into kernel memory space, intercepts system
calls and captures any desired data entering the kernel from user
applications (such as ssh).

Currently Sebek works at a beta level on Linux operating systems.  I
believe it is most commonly tested on and developed for Red Hat Linux,
but other flavors of the OS are also supported.

My initial goal is to determine the degree of difficulty of porting Sebek
over to FreeBSD.  More specifically, I will install and configure a
normal FreeBSD 4.6.2 installation.  I will then attempt to straight up
compile and install Sebek in its current form.  Here I expect to run
into compilation errors, as kernel functions and system calls may differ
between the two.  For this I will need to learn more about BSD
programming.  I already have a few good links on loadable kernel
modules for BSD systems, which have given me a good start.

If the porting to FreeBSD is not straightforward, that will take up my
first few weeks of the course.  Regardless of whether or not that
takes a long time, once it has been completed I will try to port Sebek
over to Mac OS X.  I believe this should be straightforward as OS X has a
BSD core.  Once this step has been completed, I plan to work on the
covertness of Sebek.  Since Sebek has the same traits as other, more
malicious rootkits, there are plenty of rootkit detectors that would
alert a hacker to the presence of it (and therefore alert them to the
machine being a honeypot / honeynet).

Another option is that once I have the FreeBSD version working (and
hopefully the OS X one as well), I could work on porting this system to
Solaris.  Solaris boxes have been good internet servers for a while and
remarkably seem to still be doing alright.

So that's what I assume my quarter of CS 228 will consist of.  I plan on
completing a few ports and possibly making Sebek more stealthy /
covert.  If time permits, I hope to research a new way of sending data
covertly through headers and other parts of various protocols.


I hope Sam is pleased -- I wrote this entire message in AbiWord, and
after doing a new install of Linux did not even attempt to download
OpenOffice.  Long live AbiWord! ;-)

Peace,

Ben
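Added example, not part of the original message and not Sebek's own code: a
user-space model in C of the mechanism the proposal describes, a hook that
replaces the read() entry in the syscall dispatch table and copies out the
bytes a process receives from its terminal.  A real Sebek port is a kernel
module that patches the kernel's own table; here the table (sysent_read), the
hook (hooked_read), the capture log and the pipe standing in for a terminal
are all assumptions made so the pattern can be run and checked from user
space.  The point it shows is that the wrapper must call the original read()
first and log only the byte count it returned, and that unloading restores
the saved pointer.

```c
/* User-space model of a Sebek-style read() hook.  Not a FreeBSD KLD; the
 * dispatch table, hook and log below are illustrative assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

typedef ssize_t (*read_fn)(int fd, void *buf, size_t n);

/* Stand-in for the kernel's sysent[] entry for read(2).  Starts out
 * pointing at the real read(), as the kernel table does at boot. */
static struct { read_fn sy_call; } sysent_read = { read };
static read_fn original_read;         /* saved so unhook can restore it */

/* Capture log: bytes that a hooked read() handed to the watched descriptor. */
#define LOG_SIZE 4096
static char capture_log[LOG_SIZE];
static size_t capture_len;
static int watched_fd = -1;

/* Wrapper installed in place of read().  It calls the original first and
 * copies only the bytes that call actually returned; logging before the
 * call would record uninitialised buffer contents. */
static ssize_t hooked_read(int fd, void *buf, size_t n) {
    ssize_t got = original_read(fd, buf, n);
    if (got > 0 && fd == watched_fd) {
        size_t room = LOG_SIZE - capture_len;
        size_t take = (size_t)got < room ? (size_t)got : room;
        memcpy(capture_log + capture_len, buf, take);
        capture_len += take;
    }
    return got;   /* the caller sees exactly what the real read() returned */
}

/* "Module load": remember the original entry and swap in the wrapper. */
void sebek_hook(int fd_to_watch) {
    watched_fd = fd_to_watch;
    capture_len = 0;
    original_read = sysent_read.sy_call;
    sysent_read.sy_call = hooked_read;
}

/* "Module unload": put the original entry back so nothing stays resident. */
void sebek_unhook(void) {
    sysent_read.sy_call = original_read;
    watched_fd = -1;
}

/* The dispatch path a program's read() takes through the table. */
ssize_t sys_read(int fd, void *buf, size_t n) {
    return sysent_read.sy_call(fd, buf, n);
}

/* Accessor for the log, for callers that want to inspect what was taken. */
const char *captured(size_t *len) {
    *len = capture_len;
    return capture_log;
}

/* Demo: a pipe plays the role of a terminal delivering keystrokes.  The
 * first line is read while the hook is installed, the second after it is
 * removed.  Returns the number of bytes captured (7 for the first line). */
size_t demo(void) {
    int pipefd[2];
    char buf[64];
    if (pipe(pipefd) != 0) return 0;
    sebek_hook(pipefd[0]);
    (void)write(pipefd[1], "ls -la\n", 7);   /* constructed keystrokes */
    (void)sys_read(pipefd[0], buf, sizeof buf);
    sebek_unhook();
    (void)write(pipefd[1], "secret\n", 7);   /* after unload: not logged */
    (void)sys_read(pipefd[0], buf, sizeof buf);
    close(pipefd[0]);
    close(pipefd[1]);
    return capture_len;
}

int main(void) {
    size_t n = demo();
    printf("captured %zu bytes: %.*s", n, (int)n, capture_log);
    return 0;
}
```

In a real kernel module the same three pieces exist: save sysent[SYS_read].sy_call, point it at a wrapper that calls the original and copies out of the user buffer afterwards, and restore the pointer on unload.  This is also why rootkit detectors that compare the live syscall table against a known-good copy spot Sebek, which is the covertness problem the proposal mentions.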