REMUS Project: REference Monitor for Unix Systems
The main objective of the REMUS project is to develop an intrusion detection system for the Linux 2.4 kernel that is able to detect any attempt to hijack the control of a privileged process, for example by means of a buffer overflow attack. REMUS is designed to confine root-privileged and setuid processes by mediating their use of security-relevant system calls. In particular, REMUS provides:
- a security enhancement of Linux implemented as a LKM (Loadable Kernel Module) that uses interposition at the system call interface to implement the access control functionality;
- the detection of illegal invocations of critical system calls before they complete, so that an attacker cannot hijack the control of any privileged process;
- an efficient check of the argument values of the system calls;
- the design and kernel implementation of a scheme that prevents a subverted privileged application from loading a malicious kernel module. The extended system maintains a digital signature of the executable code of the legitimate modules, which are the only ones that can be loaded and executed;
It is widely accepted that immediate detection of violations of the security rules can be achieved by monitoring the system calls made by processes. This in turn makes it possible to prevent malicious invocations of system calls from breaking system security.
We have developed the REMUS (REference Monitor for Unix Systems) prototype to monitor those critical system calls that may be used to subvert the execution of privileged applications. REMUS employs a simple mechanism for system call interception at the OS kernel level; it requires minimal additions to the kernel code and no change to the syntax or semantics of existing system calls. Basically, a system call is allowed to execute only if the invoking process and the values of its arguments comply with the rules kept in an Access Control Database (ACD) within the kernel. Common penetration techniques that involve tricking the system into running the intruder's own program in privileged mode are blocked by this approach. In particular, REMUS stops a buffer overflow attack before it can complete: the overflow itself is not prevented, but the critical system call that the injected code then issues is refused. Note that these are just examples of possible attacks, since our approach intends to protect against any technique that allows an attacker to hijack the control of a
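The mediation path described above, as an added example written in user space rather than REMUS's own kernel code: a system call table whose entries are overwritten by a wrapper (the patch a 2.4 LKM applies to the kernel's table), with the wrapper consulting an in-kernel ACD loaded from per-syscall rule files and refusing the call before the original handler runs. The rule line format, the executable name /usr/sbin/example-ftpd, the two mediated calls and the rule contents are assumptions made for illustration and do not reproduce REMUS's actual rule syntax or /proc layout. The example also adds one check a practitioner would want when a rule is a prefix match over a raw path argument: rejecting ".." components, because the kernel sees the string the process passed, not a canonical path.

```c
/* User-space model of REMUS-style system call mediation: added example, not REMUS
 * code. Rule syntax, syscall subset and /usr/sbin/example-ftpd are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { NR_OPEN = 5, NR_EXECVE = 11, NR_SYSCALLS = 16, MAX_RULES = 32 };  /* 2.4/i386 numbers */
typedef long (*syscall_fn)(int nr, const char *arg);

/* Stand-ins for the kernel's own handlers. */
static long sys_open_orig(int nr, const char *p)   { printf("[%d] open   %s\n", nr, p); return 3; }
static long sys_execve_orig(int nr, const char *p) { printf("[%d] execve %s\n", nr, p); return 0; }
static syscall_fn sys_call_table[NR_SYSCALLS] = { [NR_OPEN] = sys_open_orig, [NR_EXECVE] = sys_execve_orig };
static syscall_fn saved_table[NR_SYSCALLS];   /* originals, kept by the LKM */

/* Model of `current`; confinement applies to root tasks (simplified: euid 0). */
struct task { int euid; const char *exe; };
static struct task current_task;

/* ACD rule: for syscall nr, tasks running exe may pass only an argument starting with arg_prefix. */
struct acd_rule { int nr; char exe[64]; char arg_prefix[128]; };
static struct acd_rule acd[MAX_RULES];
static int acd_len;

/* Load one per-syscall rule file (REMUS shows the ACD as a /proc directory, one file per
 * critical call). Assumed format: "<exe> <argument-prefix>" pairs. Returns rules added. */
static int acd_load(int nr, const char *text)
{
    int added = 0, used;
    while (acd_len < MAX_RULES && sscanf(text, "%63s %127s%n",
           acd[acd_len].exe, acd[acd_len].arg_prefix, &used) == 2) {
        acd[acd_len++].nr = nr;
        text += used;
        added++;
    }
    return added;
}

/* A prefix rule over a raw path is only meaningful if the path cannot climb out
 * of the prefix: reject any ".." component (the kernel sees the raw user string). */
static int has_dotdot(const char *path)
{
    for (const char *p = path; (p = strstr(p, "..")) != NULL; p += 2)
        if ((p == path || p[-1] == '/') && (p[2] == '\0' || p[2] == '/'))
            return 1;
    return 0;
}

/* The ACD decision: unconfined tasks are not mediated; a confined task passes only if
 * a rule for this call names its executable and matches the argument. Default deny. */
static int acd_permit(int nr, const struct task *t, const char *arg)
{
    if (t->euid != 0) return 1;
    if (has_dotdot(arg)) return 0;
    for (int i = 0; i < acd_len; i++)
        if (acd[i].nr == nr && strcmp(acd[i].exe, t->exe) == 0 &&
            strncmp(arg, acd[i].arg_prefix, strlen(acd[i].arg_prefix)) == 0)
            return 1;
    return 0;
}

/* The interposed entry: refuse before the call runs, otherwise forward. */
static long remus_wrapper(int nr, const char *arg)
{
    if (!acd_permit(nr, &current_task, arg)) return -EPERM;
    return saved_table[nr](nr, arg);
}
/* What the LKM's init_module does: save the originals, overwrite the entries. */
static void remus_install(void)
{
    if (saved_table[NR_OPEN]) return;              /* already installed */
    memcpy(saved_table, sys_call_table, sizeof saved_table);
    sys_call_table[NR_OPEN] = sys_call_table[NR_EXECVE] = remus_wrapper;
}
/* Syscall entry point: every call is dispatched through the (patched) table. */
static long call_as(int euid, const char *exe, int nr, const char *arg)
{
    if (nr < 0 || nr >= NR_SYSCALLS || !sys_call_table[nr]) return -ENOSYS;
    current_task = (struct task){ euid, exe };
    return sys_call_table[nr](nr, arg);
}

/* Constructed rule files: the daemon may exec one helper and read its spool. Returns 2. */
static int demo_setup(void)
{
    remus_install();
    acd_len = 0;
    return acd_load(NR_EXECVE, "/usr/sbin/example-ftpd /bin/ls\n")
         + acd_load(NR_OPEN,   "/usr/sbin/example-ftpd /var/ftp/\n");
}

int main(void)
{
    demo_setup();
    printf("%ld\n", call_as(0, "/usr/sbin/example-ftpd", NR_EXECVE, "/bin/ls"));   /* 0: allowed */
    printf("%ld\n", call_as(0, "/usr/sbin/example-ftpd", NR_EXECVE, "/bin/sh"));   /* -EPERM: hijack stopped */
    printf("%ld\n", call_as(0, "/usr/sbin/example-ftpd", NR_OPEN, "/var/ftp/../../etc/shadow")); /* -EPERM */
    return 0;
}
```

Build with `cc -std=c99` and run: the daemon's legitimate exec of /bin/ls and its reads under /var/ftp/ go through to the original handlers, while the execve("/bin/sh") that injected code would issue returns -EPERM without ever reaching the real handler, which is what "blocked before it completes" means at the system call boundary. Two properties carry the security argument: the decision is default deny, so a root process with no entry in the rule file for a mediated call cannot make it at all, and the argument check operates on the raw string, so a prefix rule must also refuse traversal, otherwise /var/ftp/../../etc/shadow satisfies the prefix.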
The Access Control Database (ACD) is integrated with the standard Unix virtual file system /proc. Administrators see the ACD as a directory in which each file contains the set of rules for a given critical system call. Through this interface, administrators can configure REMUS so that confined processes may make only certain calls with certain argument values.

REMUS is free software designed for the Linux 2.4 kernel and is available for download under the GNU GPL from its primary site: https://sourceforge.net/projects/remus/

PACUM is free software for the analysis of SELinux configurations and is available for download under the GNU GPL from its primary site: http://spazioinwind.libero.it/paculandia

The REMUS collaborators
- Massimo Bernaschi, Istituto di Applicazione del Calcolo, CNR, Roma, Italy.
- Luigi V. Mancini and Emanuele Gabrielli, Dipartimento di Informatica, Università di Roma "La Sapienza", Italy.
- Master students involved so far: Ivano Alonzi, Giacomo Magnini
- The Remus cooperative Web is on-line. We must:
Copyright © 2008-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.