I’ve long had an interest in Linux, and by Linux I mean the actual Linux project, ie. the kernel, not GNU/Linux, but getting into kernel development is an incredibly difficult task to accomplish. Linux has millions of lines and is one of the largest software projects in the world. Not to mention that the Linux kernel mailing list can be an intimating place. In all, it’s not something that you just jump into on a whim.
I’ve been using GNU/Linux for over six years now. I’ve become very comfortable with it and C. I’ve read kernel code in the past, but never written any. My goal was to dip my toe in and test the waters of writing some kernel code. I figured that a good way to do this was to try to add my own custom syscall to Linux. And to have some fun with it, I decided that this syscall would work like the
setuid syscall except that it would change the
uid of the calling process to 0 without any authentication checks. That’s right, this sucker is completely subverts all security in the kernel and is essentially a rootkit. As usual, my goal here is purely academic, not malicious. Considering employing this would mean completely changing the kernel of a system, I’d hardly consider it a vulnerability. If you’re able to change the kernel of a system, all security has already gone out the window.
Note that at the end of this process, if you want to try it out, you’ll need to compile your own kernel. This isn’t a guide on how to compile the kernel so you’ll need to look up that process for yourself. However, if you’re on Ubuntu, the Ubuntu wiki has a pretty good guide.
That said, let’s dive in and see what files need modified. If you haven’t already, you’ll want to get a copy of the source with:
1 $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Specifically, I’m working off of commit
a64f0f8c23740dc78c5f9aaee3904d0d3df4bfb5 so it may be helpful to run:
1 $ git checkout a64f0f8c23740dc78c5f9aaee3904d0d3df4bfb5
Linux is massive and I’m no magician so I needed a little help on where to start looking. A quick search revealed this guide: http://www.tldp.org/HOWTO/html_single/Implement-Sys-Call-Linux-2.6-i386/ which turned out to be a very good resource. The only problem is that is slightly out of date being written for Linux 2.6 and for x86 architecture. Let’s see if we if make this work on the current version of Linux 3.14 (at the time of this writing) and for x86_64.