2002 news
04.11.2002 - As promised, I released the new AngeL stable
version. angel_execve() was improved and is now less
error-prone. The Makefile was revised, and the new shellcode
scanner is disabled by default. The new scanner, backported from
the development tree, works, but the old one (which works as
well) is more reliable at the moment, so use that one.
With the latest stable versions an oops occurred while removing the
module: I removed a proc entry after removing its parent entry,
so the kernel wasn't very happy about it. Please upgrade
to 0.8.9, which fixes all these problems.
31.10.2002 - A Halloween goodie for all our beloved AngeL hackers.
The real development tree starts today: AngeL version 0.9.0 is released today. The stability
issues are related to the new shellcode scanner; I'm working hard
on fixing some badly handled pointers. Some unexpected oopses have been
reported after loading the module, so please don't use this
development version on production servers. I'm also working on
backporting some fixes to the stable code. I think in a couple
of weeks we'll be out with AngeL-0.8.9, with some
improvements as well.
23.10.2002 - I decided to apply the patch to the third release
candidate and put out a fourth rc version. Nothing
else has changed, so if you have already applied the patch you
don't need to download this version.
17.10.2002 - Please note: a typo was found last night in
angelMemoryMalloc(). The memory-free function is called by its
old name, which was changed yesterday. The patch is trivial and it
can be found here. Apply this patch in order to have AngeL rc3
working. The execve() wrapper sometimes behaves strangely; I have
been working really hard to give you a stable wrapper, and I also
think I will have to rewrite it from scratch.
16.10.2002 - Third and last release candidate for the
AngeL development series. Fixed some typos in
angel_execve(), and some memory-handling macros were defined
to make the code more readable. If all goes well with rc3,
we will release the 0.9.0 development version in a week, and
then start redesigning the AngeL net core. Please remember that the stable
AngeL version is still 0.8.8; we will support the 0.8.x releases
until the 0.10.x (or 1.0.x) version is ready.
11.10.2002 - Second release candidate for the AngeL development
series. We are working hard on the logging-facility macros and on
avoiding oopses in angel_execve()... our most complicated
wrapper, I guess. More hacks have been added to resist system call
redirection; I think Angelo's code definitely rocks. So please,
AngeL hackers, feel free to download our latest source code and
hack around with it. See host/Changelog for details.
26.09.2002 - New development release. The anti-syscall-redirection
code is now almost complete. Angelo Dell'Aera was very
active this month, writing an awesome piece of code. We are really
close to starting the 0.9.0 development series releases.
03.09.2002 - News from the AngeL stable world. People have reported to me that
it is difficult to compile AngeL if /boot/System.map doesn't
exist. On RedHat systems, but also on my Debian box,
/boot/System.map-`uname -r` is used instead, so the AngeL Makefile
doesn't find the required file and compilation aborts. Remember
that we need to inspect System.map in order to obtain the
sysrq_enable and handle_sysrq addresses, since these symbols
aren't exported by the kernel. Now a script is called by the Makefile
and, if System.map is not found, or the required addresses are not
found in it (e.g. you have not compiled your kernel with
sysrq support from the "Kernel Hacking" menu), an appropriate header
file is generated that disables the sysrq functions in AngeL.
Please listen to me now: the sysrq facility is used when a
malicious root tries to unload AngeL without using the startup
password. AngeL reacts to this attempt by syncing the disks,
unmounting them and shutting down the host. Without the sysrq
facility, AngeL will raise a kernel panic without taking
care of your disks, so please compile the kernel with sysrq support
if you can.
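The System.map lookup the Makefile script has to perform, as an added example (not AngeL's own script): it finds a readable System.map (an explicit path, /boot/System.map, or the /boot/System.map-`uname -r` variant), pulls the sysrq_enable and handle_sysrq addresses out of it, and emits a C header that either carries both addresses or disables sysrq handling when a symbol is missing. The ANGEL_* macro names, the demo table below and the sample System.map lines are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not AngeL's Makefile script. Macro names (ANGEL_*) and the
# exact behaviour on a missing symbol are assumptions for illustration.

# Print the address of symbol $2 from the System.map at $1 (empty if absent).
# System.map lines look like "c0123456 D sysrq_enable": address, type, name.
sysmap_lookup() {
    awk -v sym="$2" '$3 == sym { print $1; exit }' "$1"
}

# Print the first readable System.map: an explicit candidate ($1, may be
# empty), /boot/System.map, or the per-kernel /boot/System.map-`uname -r`.
find_system_map() {
    for f in "$1" /boot/System.map "/boot/System.map-$(uname -r)"; do
        if [ -n "$f" ] && [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Write the header for the map at $1 to stdout. Returns 0 when both symbols
# were found; otherwise emits a header that disables sysrq and returns 1,
# which mirrors the "no sysrq support compiled in" case described above.
gen_sysrq_header() {
    map="$1"
    enable=$(sysmap_lookup "$map" sysrq_enable)
    handle=$(sysmap_lookup "$map" handle_sysrq)
    if [ -z "$enable" ] || [ -z "$handle" ]; then
        echo "/* sysrq symbols not found in $map: sysrq handling disabled */"
        echo "#define ANGEL_SYSRQ_DISABLED 1"
        return 1
    fi
    echo "/* generated from $map */"
    echo "#define ANGEL_SYSRQ_ENABLE_ADDR 0x$enable"
    echo "#define ANGEL_HANDLE_SYSRQ_ADDR 0x$handle"
}

# Stand-alone demo on a constructed System.map; on a real box you would pass
# the path printed by find_system_map instead.
demo_map=$(mktemp)
printf 'c0100000 T _stext\nc02a1234 D sysrq_enable\nc01b5678 T handle_sysrq\n' > "$demo_map"
gen_sysrq_header "$demo_map"
rm -f "$demo_map"
```

The header generation step is what lets the build go on when sysrq is absent: the module then has to fall back to the panic behaviour described above, so the generated macro is the place to check before relying on the sync/unmount/shutdown reaction.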
Please note that a logging feature is turned on as
well. In the Makefile you will find a LOG_ANGEL = y directive that
turns on the logging facilities in /var/log/angel. Comment out this
directive before compiling if you don't want the module to write to
/var/log/angel.
On the development 0.9.0 side we are working, with good results,
on system call redirection and on other module
self-defence facilities, so stay tuned.
03.07.2002 - Call for help. We need help developing the AngeL
module, but if you are not a kernel hacker and can still write C
programs, please think about helping us develop the arc2 tool
(contact me if you are interested). I'm planning to write a gkrellm
plugin to display some AngeL stats. If you are experienced in gkrellm
plugin development, please contact me as well. Bye :)
03.07.2002 - Yes, we are alive. We are working hard on preparing a
0.9.0 release that is not vulnerable to system call redirection. Many
thanks to Angelo Dell'Aera for the really cool code he
wrote. The 0.9.0 Milestone 5 release is the result of two
months of work; I hope you enjoy it. No changes were made to the
stable AngeL release.
03.04.2002 - People have reported to me that a local DoS occurs and the
machine freezes if root tries to perform fork or malloc
bombing. AngeL fails to detect the attack by root due to a silly coding
error in the Is_this_a_fork_bomb() and
Is_this_a_malloc_bomb() functions. These functions return the
attacker's uid, or 0 if no attack is detected. As you may
guess, if root performs an attack the attacker's uid (0) is the same
as the no-attack code, so root's attack is never reported. This is also fixed in the 0.9.0 Milestone 3
release. A new feature has been added to the stable release as well:
from the Makefile you can enable the non-heuristic shellcode
scanner backported from the 0.9.0 development series, so you can test
it without downloading the development code. Please uncomment #
USE_EXPERIMENTAL_SCANNER=y in the Makefile and recompile
angel.
03.02.2002 - Some fixes to "No codE" AngeL. The arc tool now has a -H
flag that estimates fork() and malloc() system call throughput. You
can use these values to fine-tune AngeL for your system
and lower the false-positive probability. A fix in
Is_this_a_malloc_bomb() means it now calculates the brk()/sec
ratio correctly. Some fixes also went into angel_execve() to avoid
false-positive shellcode detections. The Makefile shipped with AngeL
has the outgoing mail check disabled by default because of the high
number of false positives. We are still working on 0.9.x development;
we are going to replace the angel_execve() shellcode pattern matching
with a more accurate method.
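As an added example (not AngeL's own code), the following C models two things from the entries above: the Is_this_a_fork_bomb()/Is_this_a_malloc_bomb() bug of 03.04.2002, where "attacker uid" and "no attack" share the value 0 so a bomb run by root is never reported, and the per-uid calls/sec bookkeeping against a tunable threshold of the kind that the arc -H throughput estimate is meant to help set. The rate table, the one-second window, the threshold value and the is_bomb_buggy/is_bomb_fixed names are assumptions for illustration; AngeL's kernel-side counters are not reproduced.

```c
/* Added example, not AngeL's code. The rate table and function names are
 * this example's own; the detector convention is the one the page describes. */
#include <stdio.h>

#define MAX_UIDS    8   /* constructed limit for the demo table */
#define WINDOW_SECS 1   /* rate window: calls per one-second window */

struct rate_slot {
    int used;
    unsigned uid;
    unsigned long window_start;   /* start of the current window, seconds */
    unsigned long count;          /* calls seen in the current window */
};

struct rate_table {
    struct rate_slot slots[MAX_UIDS];
    unsigned long threshold;      /* calls/sec above which it is a "bomb" */
};

static void rate_init(struct rate_table *t, unsigned long threshold)
{
    int i;
    for (i = 0; i < MAX_UIDS; i++)
        t->slots[i].used = 0;
    t->threshold = threshold;
}

/* Account one call (fork(), brk(), ...) from uid at time now and return the
 * calls/sec observed for that uid in the current window. */
static unsigned long rate_record(struct rate_table *t, unsigned uid, unsigned long now)
{
    struct rate_slot *s = NULL;
    int i;
    for (i = 0; i < MAX_UIDS && s == NULL; i++)
        if (t->slots[i].used && t->slots[i].uid == uid)
            s = &t->slots[i];
    for (i = 0; i < MAX_UIDS && s == NULL; i++)
        if (!t->slots[i].used) {          /* first sighting: claim a free slot */
            s = &t->slots[i];
            s->used = 1;
            s->uid = uid;
            s->window_start = now;
            s->count = 0;
        }
    if (s == NULL)
        return 0;                         /* table full: not tracked (demo limit) */
    if (now - s->window_start >= WINDOW_SECS) {
        s->window_start = now;            /* new window: restart the count */
        s->count = 0;
    }
    s->count++;
    return s->count / WINDOW_SECS;
}

/* The broken convention: attacker uid, or 0 if no attack. Root's uid is 0. */
static unsigned is_bomb_buggy(struct rate_table *t, unsigned uid, unsigned long now)
{
    return rate_record(t, uid, now) > t->threshold ? uid : 0;
}

/* The fix: an explicit verdict, with the uid handed back out of band. */
static int is_bomb_fixed(struct rate_table *t, unsigned uid, unsigned long now,
                         unsigned *attacker)
{
    if (rate_record(t, uid, now) > t->threshold) {
        *attacker = uid;
        return 1;
    }
    return 0;
}

/* Replay n calls from uid inside one second; 1 if the detector fired, else 0. */
static int buggy_detects(unsigned uid, unsigned long n, unsigned long threshold)
{
    struct rate_table t;
    unsigned long k;
    rate_init(&t, threshold);
    for (k = 0; k < n; k++)
        if (is_bomb_buggy(&t, uid, 100) != 0)   /* caller reads 0 as "no attack" */
            return 1;
    return 0;
}

static int fixed_detects(unsigned uid, unsigned long n, unsigned long threshold)
{
    struct rate_table t;
    unsigned attacker;
    unsigned long k;
    rate_init(&t, threshold);
    for (k = 0; k < n; k++)
        if (is_bomb_fixed(&t, uid, 100, &attacker))
            return 1;
    return 0;
}

int main(void)
{
    /* 200 calls in one second against a threshold of 100 calls/sec */
    printf("uid 1000: buggy=%d fixed=%d\n", buggy_detects(1000, 200, 100), fixed_detects(1000, 200, 100));
    printf("uid 0:    buggy=%d fixed=%d\n", buggy_detects(0, 200, 100), fixed_detects(0, 200, 100));
    return 0;
}
```

The lesson generalises beyond uid 0: any in-band sentinel that is also a legal value of the thing being returned (a pid, an address, a counter) produces the same blind spot, and a separate status return or out parameter is the usual cure.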
09.01.2002 - Out! Today our experimental angel code comes
out for the first time. Basically it stops the same attacks
as the latest stable release, but cool new features have made their
way into the module's architecture. Now I need your tests, your support
and your ideas in order to have a smashing new stable
release before next summer.
02.01.2002 - New year, new face. Just a web site style change. As
you can see, the development series version is set to
0.9.0pre6, it's true! We are working on the new release,
which contains cool new features:
- /proc tuning is now done through the sysctl interface, which means
that the proc entry handlers have disappeared and the code is now
lighter;
- host-related code is separated from net-related code. This
means that engine.c contains just a few lines of code,
simply the host_init and net_init function calls. It wasn't
possible to split AngeL into 3 separate modules due to
some problems with /proc/sys handling, but logically
it is split that way;
- we now also provide logging in /var/log/angel.
I think in a month we could hack together the final 0.9.0
release. Stay tuned.
$Id: 2002_news.html,v 1.2 2004/01/14 21:15:44 sponge Exp $