Question

1. [1] Can you load a Linux kernel module more than once? Explain briefly.

2. [1] For the modules we have created in class, does the code run continuously, or does it run in response to certain events? Explain, and be specific.

3. [1] When the kernel does a printk(), does it write directly to /var/log/kern.log? Explain.

4. [1] The makefile for a Linux kernel module is generally very simple; however, building a module seems to be a bit complicated, generating lots of files. Where is the module build process getting instructions for doing all this work?

5. [1] If you change line 22 in the ones module to define CLASS_NAME to be "OSclass", will this change the observable behavior of the module? Explain briefly.

6. [1] When doing the work for a system call, how does the kernel keep track of which process made that system call (so it does the work on behalf of that process)?

7. [2] How does the format of data returned by getdents(2) differ from that returned by readdir(3) (at a high level)? What is a key motivation for this difference?

8. [2] How can you change the magic_prefix for the rootkit without changing the code of the module? How is this information passed to the kernel at runtime?

9. [2] When the kernel allocates memory for its own use, does it refer to that memory using virtual or physical addresses? How does the remember module show this?

10. [2] What is a significant reason why the kernel uses functions such as copy_to_user() when accessing process memory? Why not just access this memory directly?

11. [2] Change the ones module so that it will allow writes, and the first character of whatever is written will become the character that is repeatedly output when reading (instead of '1'). What changes do you need to make?

12. [4] How could you make a "spooky rootkit" (based on 3000rootkit) that would randomly (with a .01 probability on each call to getdents) insert a file "BOO!" with an inode of 9999 into the stream of returned files? Note that you can get random bytes using the get_random_bytes() function in the kernel.

Answer 1

Q.[1] Can you load a Linux kernel module more than once? Explain briefly.

Ans- Linux allows the Kernel to be configured at run time, to enable or disable different services. A kernel module (or several of them) is generally loaded once. Only one kernel module run at a time but we can keep more than one. There is no harm in keeping multiple versions, and it's usually a good idea to do so in case we hit any issue with the newer version. The kernel would have to be built with all functionalities integrated directly into the kernel image. This would mean having bigger kernels, and system administrators would need to recompile the kernel every time a new functionality is needed.

So, generally we can not load a Linux kernel model more than once.

Q.[1] For the modules we have created in class, does the code run continuously, or does it run in response to certain events? Explain, and be specific.

Ans- There are two utilities to load modules: insmod and modprobe. insmod is a low-level utility: it loads a module file, given by its full path. modprobe is a high-level utility: we pass it a module name, and it looks up that module name in the module database, loads any necessary dependencies then loads the module itself. If the module isn't recorded in the module database, modprobe fails.

Q.[1] When the kernel does a printk(), does it write directly to /var/log/kern.log? Explain.

Ans- The kernel print function, printk(), behaves almost identically to the C library printf() function.The printk() function is callable from just about anywhere in the kernel at any time. It can be called from interrupt or process contex. The kernel needs its own printing function because it runs by itself.

/var/log/kern.log and his rotated logs contains the logs produced by the kernel and handled by syslog. The logging of the printk messages depends on the priority level you assign to each message and on the syslog configuration so depending on the level priority if we assign to kernel messages in syslog.conf, they will be displayed in the log file.

Q.[1] The makefile for a Linux kernel module is generally very simple; however, building a module seems to be a bit complicated, generating lots of files. Where is the module build process getting instructions for doing all this work?

Ans- Yes it is true that the makefile for a Linux kernel module is generally very simple; however, building a module seems to be a bit complicated, generating lots of files. Whenever we create a kernel module, the kernel's build machinery generates a struct module object, and makes THIS_MODULE point to it.The role of a module is to extend kernel functionality.

The module build process requires several steps :

• creating a module.
• testing the module - We can test the module with the insmod and rmmod utilities.

A module runs in kernel space so it is the role of the operating system to provide programs with a consistent view of the computer's hardware.