aboutsummaryrefslogtreecommitdiff
path: root/doc/sws.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/sws.md')
-rw-r--r--doc/sws.md156
1 files changed, 33 insertions, 123 deletions
diff --git a/doc/sws.md b/doc/sws.md
index e1d7c66..0d18151 100644
--- a/doc/sws.md
+++ b/doc/sws.md
@@ -1,116 +1,21 @@
# Proone Software Design Spec
-This document is part of **Proone Worn Project**. For overview, refer to
-[README.md](/README.md).
-
-* TODO structure
- * TODO workers and functions
- * TODO CNC TXT REC
- * TODO dvault
-* TODO IPv6
-* TODO classes
+This document is part of **Proone Worm Project**. See [README.md](/README.md)
+for overview.
## Subsystems
### Heartbeat
**Heartbeat** is a subsystem of Proone that consists of a backdoor and CNC
-mechanism on infected devices. **The Heartbeat protocol** is an point-to-point
-or a broadcast framing protocol that works over a transport stream such as
-TCP/IP. The protocol is documented separately in **[Protocol
-Spec](proto.md)**. The overview of the protocol is followed below.
-
-Heartbeat subsystem takes up a large portion of the Proone code base. The
-subsystem mainly works as a format in DNS TXT records and a TCP/IP framing
-protocol. A complete heartbeat connection consists of an **authoritive end** and
-a **submissive end**.
-
-In the Heartbeat protocol, a request is usually initiated by one initiating
-frame by one end and the other end responds to it by one or more response
-frames. The protocol also employs the concept of "protocol upgrade" like that of
-WebSocket in which both request and response frames can be streams of frames.
-
-A request-response session is distinguished by a message id number. A message id
-number is generated by the end which initiated the session and is used for the
-duration of the session. The idea behind having message id number is to make the
-protocol pipe-lineable so that simple request-response pairs can be processed in
-parallel. This is merely a future-proof design and does not play a significant
-role.
-
-Unlike conventional botnets, Proone instances(aka "bots") are controlled by TXT
-DNS records containing one or more request frames of an authoritive end. In this
-scheme, a request is initiated by Proone instances acting as a submissive end
-quering and reading the contents of the TXT records. Any response data resulted
-in the process is discarded. The heartbeat protocol binary is represented in
-base64 encoding because most DNS management software do not accept binary data
-for the value of TXT records although [the RFC
-spec](https://datatracker.ietf.org/doc/html/rfc1035#section-3.3) does not impose
-such restriction.
-
-Only public DNS servers which support DNS over TLS are used to counter lawful
-interception. The reason being, the DNS protocol is not encrypted and ISPs or
-law enforcfements can easily filter out TXT REC CNC traffic simply by doing
-plain-text string search. A TLS library is used to implement the SSH attack
-vector, so using the library for another purpose was an enticing choice. Proone
-queries public DNS servers directly rather than using system functions. This
-eliminates the chance of letting ISP DNS servers giving false results. Using
-public DNS servers is also beneficial since law enforcements would have to take
-down the domain itself as it would be difficult to convince the operators of
-public DNS servers to block a recursive query to a particular name server.
-Another benefit is not having to run CNC servers for simple tasks like running
-shell scripts.
-
-There are 2 recommended applications. One typical application is having a
-`PRNE_HTBT_OP_HOVER`(Hand Over Operation) request frame in TXT records so that
-instances will connect to servers running authoritive htbt implementations for
-furthur instructions. The second application is having a
-`PRNE_HTBT_OP_RUN_CMD`(Run Command Operation) frame or a
-`PRNE_HTBT_OP_RUN_BIN`(Run Binary Operation) containing a simple minified shell
-script for instances to run.
-
-Using CNC TXT records to transfer a large amount of data is possible but not
-recommended. In theory, doing `PRNE_HTBT_OP_NY_BIN`(Binary Upgrade Operation)
-with CNC TXT REC is possible. However, For Proone instances, quering TXT
-records, decoding base64 data and running a slave heartbeat client is costly
-operation. It's not a simple task and prone to failure.
-
-### Use Cases
-To stop all Proone instances, issue command `kill -9 0` or `reboot -nf` with
-detach flag unset. To disable all hosts, issue command `half -nf`.
-
-In order to do things of complexity, it's recommended to implement an
-authoritive server implementation and command Proone instances to take orders
-from the servers running the implementation. Load balancing can be done at the
-DNS level using techniques like round-robin DNS or GeoDNS. Once a Proone
-instance connects to an authoritive server, the server can fully utilise the
-heartbeat protocol to do the tasks described below.
-
-Shell scripts can be run on Proone hosts with `PRNE_HTBT_OP_RUN_BIN`(Run Binary
-Operation) as long as the script contains a shebang line at the very start of
-the script. Note that most embedded devices run lightweight shells like
-Ash(BusyBox) and Toysh(Toybox)[^1]. The best is strategy is targetting Bourne
-shell, which has been a default shell for the majority of systems(historically).
-
-To make hosts run an arbitrary binary executable, `PRNE_HTBT_OP_HOST_INFO`(Host
-Info Operation) can be used to query the archeticture type of the host to select
-a suitable binary for upload.
-
-To replace the Proone binary, `PRNE_HTBT_OP_NY_BIN`(Binary Upgrade Operation)
-can be used. The binary format for the operation is specified in a [separate
-document](proto.md). Upon successful upload, the Proone instance will attempt to
-`exec()` to the new binary after **binary recombination**(explained in a
-separate section) is performed. All this is done in the parent process. In the
-event of failure, Proone continues to operate with the existing binary. The only
-way to check the result of the operation is through reestablishing the
-connection to the Proone instance and querying the version of the binary through
-`PRNE_HTBT_OP_HOST_INFO` request.
-
-The protocol leaves room for implementing M2M mechanisms. A Proone instance
-checks if the target host is already infected by attempting to connect to a
-**local back door**(or simply, **LBD**) on the target host. An LBD port is
-served by a submissive Heartbeat client. The future versions of Proone can
-utilise the LBD port to update the binary of the target instance if old one is
-encountered. **proone-htbtclient** can be used to examine and maintain the
-Proone instance via this port.
-
-### Binary Archive and Data Vault
+mechanism on infected devices. **The Heartbeat protocol** is a point-to-point or
+a broadcast framing protocol that works over a transport stream such as TCP/IP.
+The subsystem is documented separately in [htbt.md](htbt.md).
+
+### Recon
+TODO
+
+### BNE
+TODO
+
+## Binary Archive and Data Vault
Proone aims to be a decentralised botnet. To spread without binary distribution
servers, Proone carries all the executables of arch types it supports. For this,
a special file structure is designed.
@@ -124,7 +29,7 @@ executables. Compression leviates this issue but there's a limit because the
size of data dictionary blocks can only get big. Having a custom *.data* section
for large data solves this issue at the cost of the size of code for fetching
and unmasking values from DVault. This implies that, in some cases, storing
-static values in the *.data* section of an ELF is more efficient[^2]. Another
+static values in the *.data* section of an ELF is efficient enough[^1]. Another
purpose of DVault is masking sensitive data like `PRNE_DATA_KEY_CNC_TXT_REC` and
`PRNE_DATA_KEY_CRED_DICT` so that they're not revealed when `strings` command is
run on the executable or when the process is core dumped. DVault is loaded when
@@ -133,13 +38,19 @@ only when needed.
The contents of DVault are XORed with a 256 byte array of random numbers
generated on each compilation. This process makes it impossible to compress the
-DVault binary block because of high entropy. Therefore it's not recommended to
-use DVault to store exceptionally large values. This issue may be solved by
-compressing the value separately at the cost of CPU time.
+DVault binary block because of high entropy. It's not a good idea to use DVault
+to store exceptionally large values. This issue may be solved by compressing the
+value separately at the cost of CPU time.
The **Binary Archive**("**BA**") is a binary block containing compressed
executables and an index of the executables.
+## Binary Recombination
+TODO
+
+## IPv6
+TODO: precedence
+
## Requirements
### Targetting Wide Range of Devices and Kernel Configurations
A number of methods has been employed in efforts to target a wide range of Linux
@@ -186,20 +97,19 @@ run on resource-scarce embedded devices. Most poorly-designed vulnerable devices
will be single core, anways. The strategy is getting the most small-powered
devices infected rather than having a few infected high-performance systems.
-### Volatile Operation
+### Ephemeral Presence
TODO
## Dependencies
-The dependencies for Proone have been kept to absolute necessities. **libssh2**
-is used for the SSH brute force vector. Coupled with libssh2's SSL backend
-is **Mbedtls** for TLS connection to public name servers and the Heartbeat
-protocol. **zlib** is used to implement binary archive. All the libraries are
-compiled with default configurations. **Pthsem** is used for threading.
+The dependencies for Proone have been kept to absolute necessities. libssh2 is
+used for the SSH brute force vector. Coupled with libssh2's SSL backend is
+Mbedtls for TLS connection to public name servers and the Heartbeat protocol.
+zlib is used to implement binary archive. All the libraries are compiled with
+default configurations. Pthsem is used for threading.
-**libyaml** and **mariadb-connector-c-devel** is required for **hostinfod**
-build. YAML has been chosen for the configuration file format and MariaDB for DB
-backend.
+libyaml and mariadb-connector-c-devel is required to build hostinfod. YAML has
+been chosen for the configuration file format and output format of
+proone-htbtclient. MariaDB for DB backend.
-[^1]: Maybe in the future when Toybox gains marketshare?
-[^2]: i.e. representing values in code: `int value = 123;`
+[^1]: i.e. representing values in code: `int value = 123;`
generated by cgit (git 2.34.1) at 2025-02-23 22:15:27 +0000