11logger -- trivial patch to log SIGSEGV under linux 2.2
Copyright(C) 2000 by Salvatore Sanfilippo

OVERVIEW
--------

11logger is a simple kernel patch that implements a kernel hook in
kernel/signal.c and a module that exploits this hook in two ways:
logging every SIGSEGV of every process in the system, and keeping a
history (actually a limited circular buffer) of the SIGSEGVs that
occurred.

In the era of format string and buffer overflow bugs this patch can be
used for security purposes: an attacker who fails while trying to
exploit some vulnerability leaves a track, even if core dumping is
disabled. Security vulnerabilities like buffer overflows have proven
hard to find, and an attacker may have audited the code without
releasing any advisory. 11logger gives you some chance to discover
attacks against programs that aren't believed to be vulnerable.

Many services come back after a segfault (think of inetd and
concurrent servers); after some retries the attacker may find the
correct offset and crack into your system: use a more reliable logging
system in place of the standard syslog together with 11logger!
Obviously, if the attacker guesses the right parameters the first time
you are cracked, and 11logger will not log any information.

It seems that 11logger can also be used for debugging when combined
with a debugger like gdb, since it is able to tell you whether the
SIGSEGV was caused by writing or reading some invalid address, the
address itself, and whether the problem was a non-existent page or a
protection fault. (AFAIK you can't get all this information from
userspace).

INSTALL
-------

# untar the tarball
cd /somewhere/
cp /incoming/11logger-xxx.tar.gz .
tar xvzf 11logger-xxx.tar.gz

# compile and install it
make
make install

# patch your kernel
cd /usr/src/linux/kernel/
patch < /somewhere/11logger-xxx/linux-2.2-patch

# Compile the patched kernel and
# reboot the system with the new kernel.

# Yes, I know, patching the kernel
# is really boring, but once you have
# patched the kernel you will be able
# to run upgraded modules of 11logger
# without further kernel compilations.

# Install the module
insmod /somewhere/sigsegv.o

# register the hook (i.e. turn the logging on)
echo 1 > /proc/sys/sigsegv/status

(obviously you can echo '0' to turn off 11logger)

UNINSTALL
---------

make uninstall

UPGRADE
-------

Because of a problem in the kernel patch, to upgrade from 11logger
0.1.2 to 11logger 0.1.3 you MUST re-patch your kernel with the new
kernel patch. Otherwise your system will crash. However, you can use
the new userspace tool, which reports more information, with the old
0.1.2 kernel patch and module.

USE IT
------

Using 11logger is trivial: just "simulate" a SIGSEGV using the program
'badaccess' that is part of 11logger. 'badaccess' is simple to use; it
can be called in three different ways to cause a SIGSEGV by reading,
writing or executing an invalid memory address, for example:

# badaccess R
read segmentation fault
./badaccess R

# badaccess W
write segmentation fault
./badaccess W

# badaccess X
exec segmentation fault
./badaccess X

Now see what your system is logging:

# tail -3 /var/log/messages
Oct 12 19:51:43 antiz kernel: pid 3374 (badaccess), uid 0 exited on signal 11 reading or executing 0x11111111
Oct 12 19:51:45 antiz kernel: pid 3375 (badaccess), uid 0 exited on signal 11 writing 0x11111111
Oct 12 19:51:46 antiz kernel: pid 3376 (badaccess), uid 0 exited on signal 11 reading or executing 0x1915966c

You may also want to see a (short) history of the SIGSEGVs trapped;
just use the command 'segvdump':

# segvdump
badaccess (pid: 3374, uid: root) got signal 11 reading or executing 0x11111111 at Thu Oct 12 19:51:43 2000
badaccess (pid: 3375, uid: root) got signal 11 writing 0x11111111 at Thu Oct 12 19:51:45 2000
badaccess (pid: 3376, uid: root) got signal 11 reading or executing 0x1915966c at Thu Oct 12 19:51:46 2000

A more realistic example:

# telnet localhost 21
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 victim.host.net FTP server (Version wu-2.5.0(1) Sat May 29 10:01:47 MET DST 1999) ready.
USER antirez
331 Password required for antirez.
PASS xxxxxxx
230 User antirez logged in.
SITE EXEC %s
Connection closed by foreign host.
# segvdump -q
badaccess segfaulted reading or executing 0x11111111
badaccess segfaulted writing 0x11111111
badaccess segfaulted reading or executing 0x1915966c
in.ftpd segfaulted reading or executing 0x000000f7

The segvdump help screen is the following:

# segvdump -h
usage: segvdump [-F file] [-hvrq]
-F      use <file> instead of /proc/sigsegv/history
-h      print this help screen and exit
-v      print version information and exit
-q      quiet, less verbose

THANKS
------

I'm not so skilled with the linux kernel; when I got in trouble I asked
for some help from: the #kernelnewbies guys of openprojects.net
(irc.openprojects.net), Alessandro Rubini and Ciro Cattuto. They
** never saw my code **, so if 11logger is buggy, or it crashes your
system with the highest uptime in history, all the blame is just mine.

A special thanks to Lorenzo `Gigi Sullivan' Cavallaro for a four-eyes
code review, and many ideas and fixes.

CONTRIBUTORS
------------

"Robert A. Seace", who reported a problem with the kernel patch (the
insert point was after the spinlock, and before returning the error the
old patch didn't unlock it). This problem was already fixed, and the
11logger module never returns a non-zero value, but it is a good point.

GET INVOLVED
------------

This is a stupid patch, but if you have some suggestions or code drop
me an email.

Have segmentation faults,
antirez
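DETECTING RETRIES (added example)
---------------------------------

The security argument in OVERVIEW is that a service which restarts after
every crash gives an attacker several attempts to guess the right offset,
and each failed attempt is now in syslog. The script below is an added
example, not part of 11logger: it parses the "pid N (comm), uid U exited
on signal 11 ... 0xADDR" lines shown under USE IT and flags any program
that segfaults repeatedly within a short window, reporting how many
distinct fault addresses were seen (a varying address is what an
attacker walking return addresses or format-string offsets produces).
The sample log is constructed for the example: the three badaccess lines
are the ones shown above, the in.ftpd lines imitate repeated SITE EXEC
attempts, netscape is an unrelated one-off crash, and the last line is a
non-11logger kernel message the parser must skip. The 300-second window
and the threshold of 3 are assumptions; note that they also flag the
three badaccess test runs, so tune them or exclude test programs in
production.

```python
"""Flag programs that segfault repeatedly, from 11logger syslog lines.

Added example, not part of 11logger.  The line format is the one shown
in the USE IT section; window and threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# One regex for the line 11logger prints via the kernel log (see USE IT).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"pid (?P<pid>\d+) \((?P<comm>[^)]+)\), uid (?P<uid>\d+) "
    r"exited on signal 11 (?P<access>reading or executing|writing) "
    r"(?P<addr>0x[0-9a-fA-F]+)\s*$"
)

# Constructed sample log (see the lead-in above for what each line stands for).
SAMPLE_LOG = [
    "Oct 12 19:51:43 antiz kernel: pid 3374 (badaccess), uid 0 exited on signal 11 reading or executing 0x11111111",
    "Oct 12 19:51:45 antiz kernel: pid 3375 (badaccess), uid 0 exited on signal 11 writing 0x11111111",
    "Oct 12 19:51:46 antiz kernel: pid 3376 (badaccess), uid 0 exited on signal 11 reading or executing 0x1915966c",
    "Oct 12 20:03:12 antiz kernel: pid 3401 (in.ftpd), uid 500 exited on signal 11 reading or executing 0x000000f7",
    "Oct 12 20:03:40 antiz kernel: pid 3405 (in.ftpd), uid 500 exited on signal 11 reading or executing 0xbffff2a0",
    "Oct 12 20:04:07 antiz kernel: pid 3409 (in.ftpd), uid 500 exited on signal 11 writing 0x41414141",
    "Oct 12 20:04:31 antiz kernel: pid 3412 (in.ftpd), uid 500 exited on signal 11 reading or executing 0x41414145",
    "Oct 12 21:15:02 antiz kernel: pid 3550 (netscape), uid 500 exited on signal 11 reading or executing 0x00000000",
    "Oct 12 21:15:03 antiz kernel: eth0: link up",
]


def parse_line(line, year=2000):
    """Return a dict for an 11logger line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return dict(time=ts, host=m["host"], pid=int(m["pid"]), comm=m["comm"],
                uid=int(m["uid"]), access=m["access"], addr=int(m["addr"], 16))


def find_retry_bursts(events, window_seconds=300, threshold=3):
    """Group faults by (host, program) and report every program whose
    densest window_seconds-long window holds at least threshold faults."""
    by_prog = defaultdict(list)
    for ev in events:
        by_prog[(ev["host"], ev["comm"])].append(ev)

    alerts = []
    for (host, comm), evs in by_prog.items():
        evs.sort(key=lambda e: e["time"])
        best, start = [], 0
        for end in range(len(evs)):
            # Sliding window: drop events older than window_seconds.
            while (evs[end]["time"] - evs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= threshold:
            alerts.append(dict(
                host=host, comm=comm, count=len(best),
                first=best[0]["time"], last=best[-1]["time"],
                distinct_addrs=len({e["addr"] for e in best}),
                pids=[e["pid"] for e in best],
            ))
    # Most faults first, so the noisiest service is at the top.
    return sorted(alerts, key=lambda a: (-a["count"], a["comm"]))


def analyze(lines, **kw):
    """Parse raw syslog lines and return the alerts for them."""
    return find_retry_bursts([e for e in map(parse_line, lines) if e], **kw)


def format_alert(a):
    return (f"{a['host']}: {a['comm']} segfaulted {a['count']} times between "
            f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} "
            f"({a['distinct_addrs']} distinct fault addresses, pids {a['pids']})")


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(format_alert(alert))
```

Run against /var/log/messages the same script is a one-liner away
(analyze(open("/var/log/messages"))); the point of counting distinct
addresses is that a legitimate bug tends to crash at the same address
every time, while an attacker probing offsets crashes somewhere new on
each attempt.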