In brief, AngeL is a Linux kernel module designed to work with
kernel version 2.6.0 or later. The module uses the new Linux Security Module framework to implement
security policies without performing any system call interposition. This
approach leads to less intrusive code, which is more robust and
easier to read. AngeL uses the rock solid netfilter firewalling facility in
order to control all packets leaving your host.
AngeL makes your host unable to send hostile traffic across the network.
It also blocks a large number of root compromise attacks and
local denial of service attacks by using the hooks provided by the LSM
framework and performing sanity checks on the input parameters before
allowing or denying the requested service.
AngeL was designed with security as a goal. However, it is not
AngeL's purpose to defend your host from your network neighbours. AngeL
prevents your host from becoming a hostile network node, i.e., it
prevents it from sending hostile packets across the network. By
"hostile" we mean both malicious (e.g., a remote exploit attempt) and
malformed (e.g., with IP or TCP header not properly built) packets.
AngeL operates at network level, blocking all outgoing packets
that match some well known patterns. This is done by using the Linux
kernel firewalling capabilities to capture packets as they go
through the kernel TCP/IP stack. Outgoing packets are inspected, at
header level or at payload level if needed, and a decision is made
whether to let them out or not.
Attacks targeting external network hosts blocked by AngeL:
- Ping of death
- Protocol specific traffic
- Outlook remote buffer overflow
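The header-level inspection described above, written out as an added example in user-space C (it is not AngeL's own code, which runs inside a netfilter hook in the kernel): the function parses an IPv4 header from a packet buffer, drops malformed headers (bad version or IHL, inconsistent total length, bad header checksum) and drops any fragment whose offset plus payload would exceed the 65535-byte IPv4 maximum, which is the "ping of death" pattern in the list above. The sample packets, their addresses and the 1500-byte buffer size are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts and reason codes for a packet inspected on its way out. */
enum { PKT_ACCEPT = 0, PKT_DROP = 1 };
enum { RSN_OK = 0, RSN_SHORT, RSN_BAD_IHL, RSN_BAD_LEN, RSN_BAD_CSUM, RSN_OVERSIZE_FRAG };
static const char *reason_text[] = {
    "ok", "truncated header", "bad version or IHL",
    "total length inconsistent", "bad header checksum",
    "fragment would exceed 65535 bytes (ping of death)"
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement sum over the header; yields 0 when the stored
 * checksum field is correct, and the value to store when that field is 0. */
static uint16_t ipv4_checksum(const uint8_t *hdr, unsigned ihl_bytes)
{
    uint32_t sum = 0;
    for (unsigned i = 0; i < ihl_bytes; i += 2)
        sum += be16(hdr + i);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Header-level inspection of one outgoing IPv4 packet held in `len` bytes.
 * Returns PKT_ACCEPT or PKT_DROP and stores a reason code in *reason. */
int inspect_ipv4(const uint8_t *pkt, size_t len, int *reason)
{
    if (len < 20) { *reason = RSN_SHORT; return PKT_DROP; }
    unsigned version = pkt[0] >> 4, ihl = (pkt[0] & 0x0f) * 4;
    if (version != 4 || ihl < 20 || ihl > len) { *reason = RSN_BAD_IHL; return PKT_DROP; }
    unsigned total = be16(pkt + 2);
    if (total < ihl || total > len) { *reason = RSN_BAD_LEN; return PKT_DROP; }
    if (ipv4_checksum(pkt, ihl) != 0) { *reason = RSN_BAD_CSUM; return PKT_DROP; }
    /* The low 13 bits of the fragment field are the offset in 8-byte units. */
    unsigned frag_off = (be16(pkt + 6) & 0x1fff) * 8;
    if (frag_off + (total - ihl) > 65535) { *reason = RSN_OVERSIZE_FRAG; return PKT_DROP; }
    *reason = RSN_OK;
    return PKT_ACCEPT;
}

/* Builds a minimal 20-byte IPv4 header carrying ICMP (constructed addresses). */
void build_ipv4_header(uint8_t *buf, uint16_t total_len, uint16_t frag_field)
{
    memset(buf, 0, 20);
    buf[0] = 0x45;                                /* version 4, IHL 5 */
    buf[2] = total_len >> 8;  buf[3] = total_len & 0xff;
    buf[6] = frag_field >> 8; buf[7] = frag_field & 0xff;
    buf[8] = 64;                                  /* TTL */
    buf[9] = 1;                                   /* protocol: ICMP */
    buf[12] = 10; buf[15] = 1;                    /* src 10.0.0.1 (constructed) */
    buf[16] = 10; buf[19] = 2;                    /* dst 10.0.0.2 (constructed) */
    uint16_t ck = ipv4_checksum(buf, 20);
    buf[10] = ck >> 8; buf[11] = ck & 0xff;
}

/* Constructed sample packets in a 1500-byte buffer (a typical Ethernet MTU);
 * returns the reason code inspect_ipv4() assigns, RSN_OK meaning accepted. */
int sample_result(int which)
{
    static uint8_t pkt[1500];
    int reason;
    memset(pkt, 0, sizeof pkt);
    switch (which) {
    case 0: build_ipv4_header(pkt, 28, 0x0000); break;                 /* plain echo request */
    case 1: build_ipv4_header(pkt, 1500, 0x1ffd); break;               /* offset 65512 + 1480 bytes: too big */
    case 2: build_ipv4_header(pkt, 28, 0x0000); pkt[0] = 0x43; break;  /* IHL 3: header cannot be 12 bytes */
    case 3: build_ipv4_header(pkt, 28, 0x1ffd); break;                 /* last fragment that still fits */
    case 4: build_ipv4_header(pkt, 28, 0x0000); pkt[10] ^= 0xff; break;/* corrupted header checksum */
    case 5: build_ipv4_header(pkt, 2000, 0x0000); break;               /* claims more bytes than exist */
    default: return -1;
    }
    inspect_ipv4(pkt, sizeof pkt, &reason);
    return reason;
}

int main(void)
{
    for (int i = 0; i < 6; i++) {
        int r = sample_result(i);
        printf("sample %d: %s (%s)\n", i, r == RSN_OK ? "ACCEPT" : "DROP", reason_text[r]);
    }
    return 0;
}
```

Sample 3 is the edge case worth keeping in mind: a fragment at the maximum offset is legitimate as long as its payload still fits in 65535 bytes, so the check must add offset and payload rather than reject high offsets outright.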
AngeL also operates at host level, trapping a set of system calls
by means of appropriate wrappers. Such wrappers look for badly formed
requests, such as passing a shellcode as a parameter to a suid
program, or requesting a fork() within an infinite loop. If AngeL
accepts the analyzed system call invocation, it calls the original
system call; otherwise it denies the operation to the calling program.
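The fork()-in-an-infinite-loop case, as an added example that is not AngeL's code (AngeL wraps the system call inside the kernel): a per-UID token bucket that a fork() wrapper would consult before calling the original system call, refusing the fork once a user has burned through its burst and refilling at a fixed rate. The rate, burst, uids and simulated timestamps are constructed for the example; a real wrapper would key on the current task's uid and the kernel clock rather than taking them as arguments.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_TRACKED_UIDS 64

/* One token bucket per uid: `tokens` forks may be taken right away and the
 * bucket refills at `rate` tokens per second, never exceeding `burst`. */
struct fork_bucket { unsigned uid; double tokens; double last; int in_use; };
struct fork_limiter {
    struct fork_bucket b[MAX_TRACKED_UIDS];
    double rate;
    double burst;
};

void limiter_init(struct fork_limiter *l, double rate_per_sec, double burst)
{
    for (size_t i = 0; i < MAX_TRACKED_UIDS; i++) l->b[i].in_use = 0;
    l->rate = rate_per_sec;
    l->burst = burst;
}

/* Finds the bucket for uid, creating a full one on first sight. */
static struct fork_bucket *bucket_for(struct fork_limiter *l, unsigned uid, double now)
{
    struct fork_bucket *free_slot = NULL;
    for (size_t i = 0; i < MAX_TRACKED_UIDS; i++) {
        if (l->b[i].in_use && l->b[i].uid == uid) return &l->b[i];
        if (!l->b[i].in_use && !free_slot) free_slot = &l->b[i];
    }
    if (!free_slot) return NULL;              /* table full: the caller denies */
    free_slot->in_use = 1;
    free_slot->uid = uid;
    free_slot->tokens = l->burst;
    free_slot->last = now;
    return free_slot;
}

/* The decision a fork() wrapper would take before calling the original
 * system call: 1 = let the fork proceed, 0 = refuse it. `now` is in seconds. */
int fork_allowed(struct fork_limiter *l, unsigned uid, double now)
{
    struct fork_bucket *b = bucket_for(l, uid, now);
    if (!b) return 0;
    double refill = (now - b->last) * l->rate;
    if (refill > 0) {
        b->tokens += refill;
        if (b->tokens > l->burst) b->tokens = l->burst;
        b->last = now;
    }
    if (b->tokens < 1.0) return 0;
    b->tokens -= 1.0;
    return 1;
}

/* Simulates `nforks` fork() calls by `uid`, `spacing` seconds apart, and
 * returns how many of them the limiter allowed. */
int count_allowed(unsigned uid, int nforks, double spacing, double rate, double burst)
{
    struct fork_limiter l;
    limiter_init(&l, rate, burst);
    int allowed = 0;
    for (int i = 0; i < nforks; i++)
        allowed += fork_allowed(&l, uid, i * spacing);
    return allowed;
}

/* Buckets are per uid: after uid 1000 exhausts its bucket, uid 1001 is still served. */
int other_uid_still_served(void)
{
    struct fork_limiter l;
    limiter_init(&l, 10.0, 50.0);
    for (int i = 0; i < 200; i++) fork_allowed(&l, 1000, 0.0);
    return fork_allowed(&l, 1001, 0.0);
}

int main(void)
{
    printf("fork bomb, 200 forks at once, burst 50: %d allowed\n",
           count_allowed(1000, 200, 0.0, 10.0, 50.0));
    printf("daemon forking once a second: %d of 10 allowed\n",
           count_allowed(1000, 10, 1.0, 10.0, 50.0));
    printf("2 forks/s against a 1/s refill, burst 20: %d of 100 allowed\n",
           count_allowed(1000, 100, 0.5, 1.0, 20.0));
    printf("other uid after the bomb: %s\n", other_uid_still_served() ? "allowed" : "refused");
    return 0;
}
```

The third simulation shows the steady state a practitioner wants to verify: a process forking faster than the refill rate is throttled to the refill rate once the burst is spent (it gets its 20-token burst plus roughly one fork per second afterwards) instead of being cut off entirely.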
August - I started rewriting the whole module from scratch to implement a
rock solid kernel-based access control system. I know that I lack
continuity but I promise a new release in late 2005.
Please stay tuned.
September - I started thinking about a brand new project, bigger
than AngeL. I called this project... Dafne.
May, June - WebbIt 2004
I introduced the LSM framework at WebbIt, a popular Italian
computer science event full of speeches and technical
demonstrations. The speech title was "Lsm - a walk
throughout penguin cops. Viaggio introduttivo al Linux
Slides in PDF file format are here (Italian only).
21.04.2004 - New development version released. AngeL
Angelo Dell'Aera rewrote the anti-BoF
code from scratch. The new approach checks whether the %ebx register points
into a VM_GROWSDOWN VMA (this is a symptom of a
string allocated in user space) and, if so, checks must
be done on this string.
Big cleanup of angel_sys_kill(), moving #ifdef
code into header files instead of C source code.
Check this new release and submit any feedback that can
improve AngeL code.
The patch over the last development release is here. Enjoy it.
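The host-level check from the introduction (a shellcode passed as a parameter to a suid program) and the %ebx/VM_GROWSDOWN approach described in this entry are the same mechanism, so here is one added example in user-space C covering both; it is not AngeL's code. On i386 %ebx carries the first system call argument, so the wrapper resolves that address against the process's VMAs and only when it lies in a growsdown (stack) mapping does it scan the bytes it points to for shellcode-like content. The VMA table, the two heuristics (a run of NOP bytes, or a high share of non-printable bytes in what should be a pathname) and the sample strings are all constructed; in the kernel the table would come from the task's mm and the bytes would be fetched with copy_from_user().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { ARG_ALLOW = 0, ARG_DENY = 1 };

/* Minimal view of a VMA: address range plus whether it grows down (stack). */
struct vma { unsigned long start, end; int growsdown; };

/* Constructed memory map of a 32-bit process: text, heap, stack. */
static const struct vma sample_map[] = {
    { 0x08048000UL, 0x0804c000UL, 0 },   /* text */
    { 0x0804c000UL, 0x08050000UL, 0 },   /* heap */
    { 0xbffeb000UL, 0xc0000000UL, 1 },   /* stack, VM_GROWSDOWN */
};
#define SAMPLE_MAP_LEN (sizeof sample_map / sizeof sample_map[0])

/* 1 if addr falls inside a growsdown VMA, 0 if elsewhere or unmapped. */
int in_growsdown_vma(const struct vma *map, size_t n, unsigned long addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].start && addr < map[i].end)
            return map[i].growsdown;
    return 0;
}

/* Heuristics over a string argument such as a pathname: a path should be
 * printable text, so a NOP sled (run of 0x90) or a mostly non-printable
 * buffer is treated as shellcode-like. Thresholds are constructed. */
int string_looks_hostile(const unsigned char *s, size_t len)
{
    size_t run = 0, longest = 0, nonprint = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] == 0x90) { if (++run > longest) longest = run; } else run = 0;
        if (s[i] < 0x20 || s[i] > 0x7e) nonprint++;
    }
    if (longest >= 8) return 1;
    return len > 0 && nonprint * 4 > len;    /* more than 25% non-printable */
}

/* The wrapper's decision for a first argument at `arg_addr` whose bytes are
 * `bytes[0..len)`: the string is scanned only when the pointer targets a
 * growsdown VMA, exactly the condition the %ebx check selects. */
int check_syscall_arg(const struct vma *map, size_t n, unsigned long arg_addr,
                      const unsigned char *bytes, size_t len)
{
    if (!in_growsdown_vma(map, n, arg_addr))
        return ARG_ALLOW;
    return string_looks_hostile(bytes, len) ? ARG_DENY : ARG_ALLOW;
}

/* Constructed samples; returns the wrapper's verdict. */
int sample_verdict(int which)
{
    static const unsigned char path[] = "/etc/passwd";
    static unsigned char sled[32];
    memset(sled, 0x90, sizeof sled);                      /* 32-byte NOP sled */
    switch (which) {
    case 0:  /* ordinary pathname built on the stack */
        return check_syscall_arg(sample_map, SAMPLE_MAP_LEN, 0xbffff800UL, path, sizeof path - 1);
    case 1:  /* NOP sled handed to the system call from the stack */
        return check_syscall_arg(sample_map, SAMPLE_MAP_LEN, 0xbffff800UL, sled, sizeof sled);
    case 2:  /* ordinary pathname living on the heap: not selected for scanning */
        return check_syscall_arg(sample_map, SAMPLE_MAP_LEN, 0x0804d000UL, path, sizeof path - 1);
    default:
        return -1;
    }
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("sample %d: %s\n", i, sample_verdict(i) == ARG_DENY ? "DENY" : "ALLOW");
    return 0;
}
```

Sample 2 documents the scope of the approach as the entry describes it: the string checks run on arguments that point into a growsdown VMA, so a wrapper that wants the checks applied elsewhere has to select those mappings explicitly.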
12.02.2004 - New development version released. AngeL
log subsystem enhancement: system calls are no
longer called within kernel space.
a FreeBSD-like jail implementation written
by Daniele Bellucci, a new and very active AngeL
12.01.2004 - New web site look. This will improve
readability and will introduce new project goodies.
05.01.2004 - Started working on AngeL and Linux Security
Module interaction. The a2 project is born.
27.10.2003 - There was a bug in the stable version. When
compiling AngeL with signal logging via sys_kill() enabled,
a variable is used without declaration.
Fixed by applying this
21.10.2003 - New development version released. AngeL
0.9.3 is mainly a code cleanup version performed by Angelo
Dell'Aera. The AngeL log routine was rewritten, handling
log appends to the filesystem and system call integration
in a cleaner way.
6.10.2003 - Found a bug in the 0.8.10.1 release. If the file
does not exist, user_path_walk() fails and angel_open()
simply returns an error code. This means that the system
won't create new files anymore. A new patch is out and
corrects this problem. Now error handling is delegated to
sys_open(), so if user_path_walk() fails the proper actions
are taken by the Linux system call. The patch must
0.8.10.1 source tree.
25.09.2003 - Last July, Dark Angel from the
antifork.org team wrote an exploit to reset the AngeL user
counter and then remove the module from the kernel even
without knowing the right password. This was possible
because I wrote a very silly sys_open() wrapper that
suffered a /dev/kmem attack using a symlink. The bad code
simply compared the filename to be checked with
/dev/kmem, so /tmp/fake_kmem would not alert AngeL even
though it is a valid link to /dev/kmem, and so the write checks
on /dev/kmem were bypassed. Now, patching the module, the
exploit won't work anymore since the check against writing to
/dev/[mem, kmem] is performed by looking at the inode instead of
the filename string. Please, upgrade to version
Many thanks to Dark Angel who discovered the problem,
wrote the exploit and contributed to improving the
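The filename-versus-inode comparison at the heart of this bug, as an added example in user-space C that is not AngeL's code (AngeL's fix lives in its sys_open() wrapper inside the kernel). The program builds a constructed stand-in for /dev/kmem in a temporary directory plus a symlink to it, then applies both checks: a strcmp() on the pathname, which the symlink slips past, and a comparison of the (st_dev, st_ino) pair from stat(2), which follows the link and identifies the object itself. The temporary directory location and file names are constructed.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* The original approach: compare the requested pathname with the protected
 * name as strings. Any other name for the same object escapes the check. */
int protected_by_name(const char *requested, const char *protected_path)
{
    return strcmp(requested, protected_path) == 0;
}

/* The fixed approach: resolve both names (stat() follows symlinks) and
 * compare the device/inode pair, i.e. the object rather than its name. */
int protected_by_inode(const char *requested, const char *protected_path)
{
    struct stat req, prot;
    if (stat(requested, &req) != 0 || stat(protected_path, &prot) != 0)
        return 0;   /* cannot resolve: the real system call reports the error */
    return req.st_dev == prot.st_dev && req.st_ino == prot.st_ino;
}

/* Builds the fixture: <tmpdir>/kmem standing in for /dev/kmem and
 * <tmpdir>/fake_kmem -> kmem, then runs both checks on both names.
 * Returns 1 when the name check misses the symlink while the inode check
 * catches it, 0 otherwise, and -1 if the fixture could not be created. */
int run_demo(void)
{
    char dir[] = "/tmp/angel-demo-XXXXXX";          /* constructed location */
    char kmem[64], fake[64];
    int fd, result;

    if (!mkdtemp(dir)) return -1;
    snprintf(kmem, sizeof kmem, "%s/kmem", dir);
    snprintf(fake, sizeof fake, "%s/fake_kmem", dir);
    fd = open(kmem, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    if (symlink(kmem, fake) != 0) { unlink(kmem); rmdir(dir); return -1; }

    int name_direct  = protected_by_name(kmem, kmem);    /* 1 */
    int name_link    = protected_by_name(fake, kmem);    /* 0: the hole */
    int inode_direct = protected_by_inode(kmem, kmem);   /* 1 */
    int inode_link   = protected_by_inode(fake, kmem);   /* 1: the fix */

    printf("by name:  %s -> %d, %s -> %d\n", kmem, name_direct, fake, name_link);
    printf("by inode: %s -> %d, %s -> %d\n", kmem, inode_direct, fake, inode_link);

    result = name_direct && !name_link && inode_direct && inode_link;
    unlink(fake);
    unlink(kmem);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    if (r < 0) { perror("fixture"); return 1; }
    printf("symlink caught by inode check only: %s\n", r ? "yes" : "no");
    return 0;
}
```

In user space the stat() and a later open are two separate operations; the kernel wrapper works on the inode resolved by the open itself, which is why the check belongs there rather than in a helper that looks the path up beforehand.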
16.09.2003 - New development version. AngeL 0.9.2 was
provided by Angelo Dell'Aera, who made a big cleanup of
the code. I'm working on the 0.8.11 release which will
a fix to a /dev/kmem attack on AngeL. By now it's
possible to unload the module even if you don't
know the password, of course using ad hoc
a wrapper that makes it possible to override some
checks in order to sniff your network for
administration tasks, for example.
The next stable release will be released as soon as
possible. Time is lacking so much :(
22.05.2003 - I know, AngeL news has been delayed for so long, but
now there are two goodies for you. First of all,
the new stable 0.8.10 release. It fixes some errors
during the compile process and introduces a new way to kill
unwanted outgoing connections. Last but not least, it
includes an experimental shellcode scanner rewritten from
scratch. The new development version fixes a race
condition that may occur during module unload and improves the
system call locking mechanism. Upgrade! :)
10.05.2003 - WebbIt 2003, Padova (Italy). I gave a speech
about AngeL and the brand new security approach we
introduced. I talked about how the module works and how
attacks are denied.
If you want to check out this event please go here.
Please note that the supplied slides are in Italian.
Patching is done in the usual way:
Move patch-x.y.z.gz into the same directory where AngeL is stored. Make
sure that AngeL is a symbolic link to the AngeL version you are using
(if you have more than one AngeL version in that directory). Then
type "gunzip patch-x.y.z.gz; patch -p0 < patch-x.y.z" and AngeL
will be patched for you.
A small Window Maker dock
application is available to control AngeL behaviour for analysis
Download the latest wmAngel version here
We need your feedback. We need your suggestions, your bug reports,
your suggestions for new features or improvements, your comments.
So if you enjoyed using AngeL let us know; if not, please
tell us what you did not like so that we can improve our work.
You can also join the AngeL developer mailing list by clicking