                    Detecting and Understading rootkits,

                 an Introduction and just a little-bit-more

Copyright (c)  2003  Arturo Alberto Busleiman aka Buanzo.

      Permission is granted to copy, distribute and/or modify this document
      under the terms of the GNU Free Documentation License, Version 1.2 or
      any later version published by the Free Software Foundation; with no
      Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.  A
      copy of the license is included in the section entitled "GNU Free
      Documentation License"

             by Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
                              September, 2003.


Well, well, well. You have installed the latest Linux distribution and
stopped all unnecessary services. You also set-up a set of Netfilter
rules that would make the Pentagon Security Department envy you. You drool
with delight.

But...

There's always one. You should remember this: there is ALWAYS, at least, one
flaw. Just one hole through which a cracker could get into your system and
do things you would not do to your worst enemy's laptop.

Talking seriously, the Golden Rule of Security is: "Security is just a
state of mind". That means that you THINK you are secured. When you come
to believe such a thing, you automatically stop worrying. And that is a Bad
Thing (tm).

This is, I am sad to say, what a lot of system administrators do. And that is
something attackers tend to take advantage of.

The first thing a cracker will do is among one of these: set up sniffers,
read eMail and crontab files, then try to discover the "when's and how's" of
the system administrator, etc. They, of course, try to hide their tracks.
But most of them just go and install a Rootkit.

What is a rootkit?

For me, it is the evolution of the Trojan Horse concept. It is, in these days,
a complete package of trojanized system utilities, with some interesting
add-on programs, like specially designed sniffers and, maybe the most
dangerous or frightening, kernel modules whose primary objective is to
hide certain processes, directories and/or files. Being at the kernel-level
can be quite amusing. Imagine: it is the kernel which gives the ability to
execute programs and manage filesystem security.

As system utilities and kernels evolve, so do rootkits. Especially the ones
that make use of kernel modules. These are called LKM rootkits. Most
rootkits used to be packaged as a set of pre-compiled binaries and an
installation script that overwrite files.

As time went on, rootkits started to be a bit more complex at the
installation stage: they included the source of the trojan utilities and
kernel modules. That gave the attacker the ability to analyze the original
utilities installed on the system and make the needed modifications to the
trojanized ones. This was done to minimize the differences between the
original binaries and the trojanized binaries. They also started requesting
a "Master Password" that would be inserted into every compiled trojan. The
Master Password is used to access the special features of a trojan, like a
passwordless root login.

Of course, a C compiler and a complete set of header files are needed. One
way to thwart installation of these rootkits is to remove all development
packages from a production system.

In any event, if the attacker now has the desired UID 0 then he can download
and install the needed packages, or just use a pre-compiled rootkit. In both
cases there are disadvantages to the cracker. But those disadvantages are
advantages from the system administrator's point of view.


Detecting new rootkits

All of this article is written with the GNU/Linux operating system in mind.
This is because it is easier to develop for it, as all of its parts, like
the kernel, libraries and utilities are open source free software.

A new rootkit can either be one that has never been seen before, or one that
uses new technologies or previously unused methods of attack. Or both. And
that is where our rootkit detection problems start.

How can we detect rootkits? There are simple and complex pseudo-solutions. I
say "pseudo" because of the number of false positives we may get. I believe
the probability of detecting a new rootkit in our system is directly
proportional to our knowledge of the subject. Or, in other words, we should
know about how rootkits behave.

As I will show later, there are utilities you can use to detect rootkits.
These utilities, which are good enough, sometimes give false positives. They
can also give false negatives, which in this case is terrible. This is the
reason to do behavioural analyses of rootkits. The only way to detect
something is to learn about it. It is sometimes a bit of a sixth sense. I
know people who can sit down, use the shell a bit, and suddenly they say
"I'm pretty sure you've been hacked".

Of course, you also need to know your system. But, well, that is something
that only experience gives. In the meantime, I really hope I can help you a
bit with this article.

As I stated before, a rootkit is usually a set of:

1) Trojanized system utilities and daemons
2) Additional programs
3) Kernel Modules (now quite common)

Let's look at each individually.

(1) Trojanized System Utilities and Daemons

Some examples and explanations: 

ls: usually enables the attacker to hide files and directories. It uses a
special configuration file.

du: again, hides certain directories and does not count them against disk
usage. It also uses a configuration file.

df: You guessed it! It gives more free space than you actually have, to
conceal the fact that a large part of the disk is being used to store
sniffer logs.

login: Gives automatic root access, usually after a special trigger is
activated. What is special about this root access through login is that
loggin can be disabled. It also allows direct login to users other than
root.

netstat: Hides connections, based upon system variables such as socket
pathname, uid, etc.

chfn/chsh/passwd: Usually has a hidden uid 0 shell.

inetd/xinetd: Usually binds an interactive shell to certain port. Most of
them can make use of access control features.

ifconfig: If a sniffer is running, it hides the fact that a network
interface is probably in promiscuous mode.

ps/top: Filters out processes from the listing, based on paremeters read
from a configuration file. Actually, if the proc pseudo filesystem were
unmounted, and a trojanized proc-like filesystem module is loaded and then
mounted, one could control a wide range of system utilities that read
required information from /proc.

syslogd: It will not write messages which contain configured substrings or
regular expressions.

md5sum: It returns a certain md5 hash for certain file. Completely
configurable. Scripts that use this binary to verify filesystem integrity
can be easily compromised this way.

rshd: (Not used very much anymore) Gives the ability to bind an interactive
root shell.

At this point you probably get the idea. As you can see, the pattern that
rootkit programmers follow for Trojanized Utilities looks like this:

a) Divide utilities into groups, or think about categories and then find
which utilities fit them.

b) Add trojan code based upon the category. This means that a utility that
sits in the "Login and/or Remote Access" category will probably have trojan
code to enable passwordless root login, for example. The same way, another
utility in the "Kernel-Related" category, like lsmod, will not show certain
kernel modules in the loaded kernel modules list lsmod provides by reading
/proc/modules.

Of course, this process can be applied to any installed program or utility.

As you can probably imagine, utilities that are used locally (i.e, when the
user is logged onto the system, either via network or at the console) at the
shell to show certain vital or important information (e.g, ps) are potential
victims. These kinds of utilities are frequently used by users and,
especially, sysadmins.

(2) Additional Programs

These are additional programs used by the attacker when he is logged onto
the compromised system. Among these utilities we can, and probably will,
find sniffers, zappers, encryption utilities, rootkit post-installation
configuration programs, file transmission utilities using a special
protocol (like ICMP encapsulation) and the like.

It is easy to figure out that these files need to be kept on the compromised
system for them to be worth using. The same applies for files generated by
programs like sniffers: sniffer logs do take a lot of disk space if not
properly tuned.

Usually, the directory where files will reside is going to be well
protected. For example, the rootkit can be configured only to allow certain
UIDs to get into certain directories. In other circumstances it will hide
the directories. This is achieved by: (1) Using trojanized ls/cd/etc
commands or by using a Linux Kernel Module (3). The second approach was some
kind of a revolution. Fewer infected files means a lower probability of
detection. And since using a kernel module gives a lot of power, a lot of
additional features can be conceived.

Usually, rootkit sniffers are developed with the "go to the background and
make no noise" approach. This means that they sniff traffic, especially
passwords, but they hide the fact that they are running, usually by changing
the name that appears on a ps. Trojanized ps/top utilities or /proc
filesystems are good approaches to hide processes based on certain
configuration parameteres.

Then you have wtmp/utmp/lastlog zappers. As you probably know, these are the
files read by the w and last utilities. Early rootkit zappers used to zero the
records you told them to (i.e which user to zero-overwrite). Current ones just
physically remove the record, instead of logically overwriting it with
zeroes. Some crackers forget that these are not the only places where their
tracks can appear.

Of course, there are a whole bunch of additional utilities, like
encryption/decryption utilities, but now there are steganography techniques
that are starting to be used. Steganography hides files inside other files,
by actually replacing the lower bits of an image or MP3 file, for example.
One cannot usually see (in the case of an image) or hear (mp3 file) the
difference between the real and the 'injected' version of the file. Of
course, the original file size grows, sometimes quite noticeably.

File transmission utilities that help the attacker get files out of the
system via methods that do not make system noise (i.e log files being
written) are not that common, but are still pretty interesting. I remember when
I coded a proof of concept utility that would allow me to send files over a
ping packet. From a traffic point of view, I was just pinging some remote
system. From my point of view, I was transmitting a file. In a very slow,
but largely undetectable, way.

(3) Kernel Modules

The main difference between a normal rootkit and an LKM Rootkit is very simple:
normal rootkits replace system utilities that enable the attacker to
hide files, processes and network connections. 

An LKM Rootkit, on the other hand, does something a bit more interesting: it
replaces the location of system calls, changing the original memory
addresses to something else, and in that different location there is a
trojanized version of the system call. So, they do not need to modify
utilities (or libraries), they simply replace what these utilities and
libraries use! Rootkits of this sort go by the names of Rkit and Adore LKM,
just to mention a couple of the most common ones.

Here is a list of the typically modified system calls: sys_clone, sys_close,
sys_execve, sys_fork, sys_ioctl, sys_kill, sys_mkdir, sys_read, sys_readdir,
sys_write.

Utilities to Detect Rootkits

* Chkrootkit

Rootkit detection utilities are usually a package of many utilities:
promiscuous mode detectors for NICs, utilities to detect removed entries
from lastlog and wtmp files, some system utility replacements (e.g. strings
and find) and utilities to search for sniffer and rootkit log files. In my
opinion, chkrootkit is one of the best packages out there: it's small, less
than 40kb, and complete. It is very useful and detects many rootkits, like
t0rn, lrk, Ark, both versions of Adore, T.R.K, etcetera.

Using it is as simple as "download, untar, make and execute" in most cases,
but Chkrootkit provides two command line switches that I find extremely
useful:

a) If you can get to the disk you want to analyze and mount it on a trustworthy
machine, the -r command line switch allows you to set up the "root" to
another directory. For example, if you mount the possibly compromised system
on /mnt/testing, you could just use "chkrootkit -r /mnt/testing".

b) If you cannot do this, you should always have trustworthy,
statically-linked copies of the following commands: awk, cut, egrep, find,
head, id, ls, netstat, ps, strings, sed, and uname. Chkrootkit makes use of
these system utilities to search and analyze binary and log files. As these
system utilities may already be compromised, it would not be a good idea to
use them. Provided you have these safe utilities in
/mnt/safebin, you can use "chkrootkit -p /mnt/safebin". You can specify
multiple directories, just by separating them with colons. Of course, it
would be a good idea to keep these safe binaries on a read-only medium, like
a CD-ROM or a protected floppy disk. 

Of course, you can use both the -r and -p switches in combination to provide
the maximum poddiblr level of safety.

Chkrootkit has an expert flag, -x, which outputs strings taken from the
binary files it analyzes. It generates a lot of output, so it is a good idea
to redirect all of it to a file so it can be throughly analyzed.

* LKM-Rootkit detection

The only way an LKM rootkit can be detected is by analyzing kernel memory
directly. One of way to do this is to compare system call addresses (you
will recall that LKM rootkits change them). This task can be easily 
performed by using tools such as kstat, which read kernel memory through
/dev/kmem. kstat provides information on running processes via its
'-P' switch, which includes hidden processes. Compare its output with what
"ps aef" tells you. Additionaly, you can query a specific process id with
the '-p <pid>' parameter. To analyze system call addresses you should
specify the '-s' switch. After an initial system installation and full
configuration, record "kstat -s" output. Memory addresses there will provide
correct values you can compare from time to time. Lines with a WARNING show
the possibility that your system has been compromised. kstat can also
act as a replacement for lsmod with the '-M' switch. You will be able to
read the trojan kernel module on the list.

* Tripwire and similar tools

If well configured, Tripwire can be an excellent tool. It uses GnuPG-like
encryption and signing of database files. These database files contain hashes
and other data like permissions and ownership for system files and
directories. A system administrator can execute periodic tests against this
database and, if differences appear between the stored and the current
status of the filesystem, Tripwire will send a very detailed report through
eMail. 

Of course, you could use a script to generate an initial md5 hash database
to be stored on a CD-ROM, along with the required md5sum utility (statically
linked). You could also add signature-checking capabilities through GnuPG. I
prefer this method over Tripwire, because I prefer doing things simply.
Tripwire requires a lot of effort, whereas you can use this method by using
built-in utilities.

* Port Scanning

Most rootkits open up an administrative port, or bind a remote shell.
Because of this, it would be a good idea to port scan the full range of TCP
and UDP ports, from 1 to 65535, and mix that output with "kstat -P" and
"lsof -i", so you can recognize which processes open which files/sockets.
One of the best tools out there, as we can see on Matrix Reloaded, is
Fyodor's most excellent Nmap. An external firewall (I mean a real firewall,
not a Netfilter on the same host), could be used to block traffic to these
ports, but this method usually causes big arguments. As Einstein would say:
All is relative.

Dealing With Rootkits Once You Find Them

It all depends, but this is usually the simplest step. This article is
intended for System Administrators, and not Honeynets or security
developers. The usual thing to do would be to re-install the system,
replacing the trojan files. Do not trust backups at all, unless you are
absolutely and completely sure that they are not infected. If possible, dump
all of your databases, all of your data, and do a fresh install, instead of
an overwriting one.

But you should always try to discover through which hole the attacker got
in. This way they will not be able to do it again after the system
reinstallation. Remember the Golden Rule. Remember to update packages,
either by compiling them yourself, which is what I preffer, or via your
vendor's Online Update service.

Final Comments

The only way to detect something is to understand what it does, how it
looks, and how it does what it does. For rootkits and LKM rootkits, this
means that we should know how they work (i.e trojanizing binaries or system
calls), how they look (a badly installed rootkit can make a system
unstable or unusable; the t0rn rootkit has a tendency to break console
logins if not correctly set up), and how they do it (replacing files or
system calls addresses). Setting up an Intrusion Detection System, like
Snort, would be a good idea.

I hope you have found this article useful. Please access the following URLs
to find commented software and additional documentation.

Greetings from Buenos Aires, Argentina!

URL list:

* Netfilter: http://www.netfilter.org - Linux 2.4 firewalling, NAT and packet
mangling subsystem and iptables user-space tools.
* Sniffers: Ettercap. http://ettercap.sf.net - An excellent modularized
sniffer, both for interactive and non-interactive usage.
* GNU/Linux: http://www.gnu.org - FSF's GNU Project.
http://www.kernel.org - The Linux Kernel
* Cryptography and Steganography: http://www.topology.org/soft/crypto.html -
Many URLs you will enjoy.
* Chkrootkit: http://www.chkrootkit.org - Chkrootkit and additional
documentation.
* Kstat: http://s0ftpj.org/en/site.html - 'soft' with zero, not o.
* Tripwire: http://www.tripwire.org
* Honeynets: http://www.honeynet.org - The Honeynet Project. Highly
Recommended. Quote from site: "To learn the tools, tactics, and motives of
the blackhat community, and share those lessons learned."
* Nmap: http://www.insecure.org/nmap/
Nmap+V: ftp://ftp.saurik.com/pub/nmap/ - Jay Saurik's excellent
modification. Provides services banners for the scanned ports.
* Snort: http://www.snort.org - IDS System.

GNU Free Documentation License

Version 1.2, November 2002 


Copyright (C) 2000,2001,2002  Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

0. PREAMBLE 

The purpose of this License is to make a manual, textbook, or other
functional and useful document "free" in the sense of freedom: to assure
everyone the effective freedom to copy and redistribute it, with or without
modifying it, either commercially or noncommercially. Secondarily, this
License preserves for the author and publisher a way to get credit for their
work, while not being considered responsible for modifications made by
others. 

This License is a kind of "copyleft", which means that derivative works of
the document must themselves be free in the same sense. It complements the
GNU General Public License, which is a copyleft license designed for free
software. 

We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free program
should come with manuals providing the same freedoms that the software does.
But this License is not limited to software manuals; it can be used for any
textual work, regardless of subject matter or whether it is published as a
printed book. We recommend this License principally for works whose purpose
is instruction or reference. 

1. APPLICABILITY AND DEFINITIONS 

This License applies to any manual or other work, in any medium, that
contains a notice placed by the copyright holder saying it can be
distributed under the terms of this License. Such a notice grants a
world-wide, royalty-free license, unlimited in duration, to use that work
under the conditions stated herein. The "Document", below, refers to any
such manual or work. Any member of the public is a licensee, and is
addressed as "you". You accept the license if you copy, modify or distribute
the work in a way requiring permission under copyright law. 

A "Modified Version" of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or
translated into another language. 

A "Secondary Section" is a named appendix or a front-matter section of the
Document that deals exclusively with the relationship of the publishers or
authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall
subject. (Thus, if the Document is in part a textbook of mathematics, a
Secondary Section may not explain any mathematics.) The relationship could
be a matter of historical connection with the subject or with related
matters, or of legal, commercial, philosophical, ethical or political
position regarding them. 

The "Invariant Sections" are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says
that the Document is released under this License. If a section does not fit
the above definition of Secondary then it is not allowed to be designated as
Invariant. The Document may contain zero Invariant Sections. If the Document
does not identify any Invariant Sections then there are none. 

The "Cover Texts" are certain short passages of text that are listed, as
Front-Cover Texts or Back-Cover Texts, in the notice that says that the
Document is released under this License. A Front-Cover Text may be at most 5
words, and a Back-Cover Text may be at most 25 words. 

A "Transparent" copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the general
public, that is suitable for revising the document straightforwardly with
generic text editors or (for images composed of pixels) generic paint
programs or (for drawings) some widely available drawing editor, and that is
suitable for input to text formatters or for automatic translation to a
variety of formats suitable for input to text formatters. A copy made in an
otherwise Transparent file format whose markup, or absence of markup, has
been arranged to thwart or discourage subsequent modification by readers is
not Transparent. An image format is not Transparent if used for any
substantial amount of text. A copy that is not "Transparent" is called
"Opaque". 

Examples of suitable formats for Transparent copies include plain ASCII
without markup, Texinfo input format, LaTeX input format, SGML or XML using
a publicly available DTD, and standard-conforming simple HTML, PostScript or
PDF designed for human modification. Examples of transparent image formats
include PNG, XCF and JPG. Opaque formats include proprietary formats that
can be read and edited only by proprietary word processors, SGML or XML for
which the DTD and/or processing tools are not generally available, and the
machine-generated HTML, PostScript or PDF produced by some word processors
for output purposes only. 

The "Title Page" means, for a printed book, the title page itself, plus such
following pages as are needed to hold, legibly, the material this License
requires to appear in the title page. For works in formats which do not have
any title page as such, "Title Page" means the text near the most prominent
appearance of the work's title, preceding the beginning of the body of the
text. 

A section "Entitled XYZ" means a named subunit of the Document whose title
either is precisely XYZ or contains XYZ in parentheses following text that
translates XYZ in another language. (Here XYZ stands for a specific section
name mentioned below, such as "Acknowledgements", "Dedications",
"Endorsements", or "History".) To "Preserve the Title" of such a section
when you modify the Document means that it remains a section "Entitled XYZ"
according to this definition. 

The Document may include Warranty Disclaimers next to the notice which
states that this License applies to the Document. These Warranty Disclaimers
are considered to be included by reference in this License, but only as
regards disclaiming warranties: any other implication that these Warranty
Disclaimers may have is void and has no effect on the meaning of this
License. 

2. VERBATIM COPYING 

You may copy and distribute the Document in any medium, either commercially
or noncommercially, provided that this License, the copyright notices, and
the license notice saying this License applies to the Document are
reproduced in all copies, and that you add no other conditions whatsoever to
those of this License. You may not use technical measures to obstruct or
control the reading or further copying of the copies you make or distribute.
However, you may accept compensation in exchange for copies. If you
distribute a large enough number of copies you must also follow the
conditions in section 3. 

You may also lend copies, under the same conditions stated above, and you
may publicly display copies. 

3. COPYING IN QUANTITY 

If you publish printed copies (or copies in media that commonly have printed
covers) of the Document, numbering more than 100, and the Document's license
notice requires Cover Texts, you must enclose the copies in covers that
carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the
front cover, and Back-Cover Texts on the back cover. Both covers must also
clearly and legibly identify you as the publisher of these copies. The front
cover must present the full title with all words of the title equally
prominent and visible. You may add other material on the covers in addition.
Copying with changes limited to the covers, as long as they preserve the
title of the Document and satisfy these conditions, can be treated as
verbatim copying in other respects. 

If the required texts for either cover are too voluminous to fit legibly,
you should put the first ones listed (as many as fit reasonably) on the
actual cover, and continue the rest onto adjacent pages. 

If you publish or distribute Opaque copies of the Document numbering more
than 100, you must either include a machine-readable Transparent copy along
with each Opaque copy, or state in or with each Opaque copy a
computer-network location from which the general network-using public has
access to download using public-standard network protocols a complete
Transparent copy of the Document, free of added material. If you use the
latter option, you must take reasonably prudent steps, when you begin
distribution of Opaque copies in quantity, to ensure that this Transparent
copy will remain thus accessible at the stated location until at least one
year after the last time you distribute an Opaque copy (directly or through
your agents or retailers) of that edition to the public. 

It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give them
a chance to provide you with an updated version of the Document. 

4. MODIFICATIONS 

You may copy and distribute a Modified Version of the Document under the
conditions of sections 2 and 3 above, provided that you release the Modified
Version under precisely this License, with the Modified Version filling the
role of the Document, thus licensing distribution and modification of the
Modified Version to whoever possesses a copy of it. In addition, you must do
these things in the Modified Version: 

A. Use in the Title Page (and on the covers, if any) a title distinct from
that of the Document, and from those of previous versions (which should, if
there were any, be listed in the History section of the Document). You may
use the same title as a previous version if the original publisher of that
version gives permission. 
B. List on the Title Page, as authors, one or more persons or entities
responsible for authorship of the modifications in the Modified Version,
together with at least five of the principal authors of the Document (all of
its principal authors, if it has fewer than five), unless they release you
from this requirement. 
C. State on the Title page the name of the publisher of the Modified
Version, as the publisher. 
D. Preserve all the copyright notices of the Document. 
E. Add an appropriate copyright notice for your modifications adjacent to
the other copyright notices. 
F. Include, immediately after the copyright notices, a license notice giving
the public permission to use the Modified Version under the terms of this
License, in the form shown in the Addendum below. 
G. Preserve in that license notice the full lists of Invariant Sections and
required Cover Texts given in the Document's license notice. 
H. Include an unaltered copy of this License. 
I. Preserve the section Entitled "History", Preserve its Title, and add to
it an item stating at least the title, year, new authors, and publisher of
the Modified Version as given on the Title Page. If there is no section
Entitled "History" in the Document, create one stating the title, year,
authors, and publisher of the Document as given on its Title Page, then add
an item describing the Modified Version as stated in the previous sentence. 
J. Preserve the network location, if any, given in the Document for public
access to a Transparent copy of the Document, and likewise the network
locations given in the Document for previous versions it was based on. These
may be placed in the "History" section. You may omit a network location for
a work that was published at least four years before the Document itself, or
if the original publisher of the version it refers to gives permission. 
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve
the Title of the section, and preserve in the section all the substance and
tone of each of the contributor acknowledgements and/or dedications given
therein. 
L. Preserve all the Invariant Sections of the Document, unaltered in their
text and in their titles. Section numbers or the equivalent are not
considered part of the section titles. 
M. Delete any section Entitled "Endorsements". Such a section may not be
included in the Modified Version. 
N. Do not retitle any existing section to be Entitled "Endorsements" or to
conflict in title with any Invariant Section. 
O. Preserve any Warranty Disclaimers. 

If the Modified Version includes new front-matter sections or appendices
that qualify as Secondary Sections and contain no material copied from the
Document, you may at your option designate some or all of these sections as
invariant. To do this, add their titles to the list of Invariant Sections in
the Modified Version's license notice. These titles must be distinct from
any other section titles. 

You may add a section Entitled "Endorsements", provided it contains nothing
but endorsements of your Modified Version by various parties--for example,
statements of peer review or that the text has been approved by an
organization as the authoritative definition of a standard. 

You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list of
Cover Texts in the Modified Version. Only one passage of Front-Cover Text
and one of Back-Cover Text may be added by (or through arrangements made by)
any one entity. If the Document already includes a cover text for the same
cover, previously added by you or by arrangement made by the same entity you
are acting on behalf of, you may not add another; but you may replace the
old one, on explicit permission from the previous publisher that added the
old one. 

The author(s) and publisher(s) of the Document do not by this License give
permission to use their names for publicity for or to assert or imply
endorsement of any Modified Version. 

5. COMBINING DOCUMENTS 

You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified versions,
provided that you include in the combination all of the Invariant Sections
of all of the original documents, unmodified, and list them all as Invariant
Sections of your combined work in its license notice, and that you preserve
all their Warranty Disclaimers. 

The combined work need only contain one copy of this License, and multiple
identical Invariant Sections may be replaced with a single copy. If there
are multiple Invariant Sections with the same name but different contents,
make the title of each such section unique by adding at the end of it, in
parentheses, the name of the original author or publisher of that section if
known, or else a unique number. Make the same adjustment to the section
titles in the list of Invariant Sections in the license notice of the
combined work. 

In the combination, you must combine any sections Entitled "History" in the
various original documents, forming one section Entitled "History"; likewise
combine any sections Entitled "Acknowledgements", and any sections Entitled
"Dedications". You must delete all sections Entitled "Endorsements." 

6. COLLECTIONS OF DOCUMENTS 

You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this
License in the various documents with a single copy that is included in the
collection, provided that you follow the rules of this License for verbatim
copying of each of the documents in all other respects. 

You may extract a single document from such a collection, and distribute it
individually under this License, provided you insert a copy of this License
into the extracted document, and follow this License in all other respects
regarding verbatim copying of that document. 

7. AGGREGATION WITH INDEPENDENT WORKS 

A compilation of the Document or its derivatives with other separate and
independent documents or works, in or on a volume of a storage or
distribution medium, is called an "aggregate" if the copyright resulting
from the compilation is not used to limit the legal rights of the
compilation's users beyond what the individual works permit. When the
Document is included in an aggregate, this License does not apply to the
other works in the aggregate which are not themselves derivative works of
the Document. 

If the Cover Text requirement of section 3 is applicable to these copies of
the Document, then if the Document is less than one half of the entire
aggregate, the Document's Cover Texts may be placed on covers that bracket
the Document within the aggregate, or the electronic equivalent of covers if
the Document is in electronic form. Otherwise they must appear on printed
covers that bracket the whole aggregate. 

8. TRANSLATION 

Translation is considered a kind of modification, so you may distribute
translations of the Document under the terms of section 4. Replacing
Invariant Sections with translations requires special permission from their
copyright holders, but you may include translations of some or all Invariant
Sections in addition to the original versions of these Invariant Sections.
You may include a translation of this License, and all the license notices
in the Document, and any Warranty Disclaimers, provided that you also
include the original English version of this License and the original
versions of those notices and disclaimers. In case of a disagreement between
the translation and the original version of this License or a notice or
disclaimer, the original version will prevail. 

If a section in the Document is Entitled "Acknowledgements", "Dedications",
or "History", the requirement (section 4) to Preserve its Title (section 1)
will typically require changing the actual title. 

9. TERMINATION 

You may not copy, modify, sublicense, or distribute the Document except as
expressly provided for under this License. Any other attempt to copy,
modify, sublicense or distribute the Document is void, and will
automatically terminate your rights under this License. However, parties who
have received copies, or rights, from you under this License will not have
their licenses terminated so long as such parties remain in full compliance. 

10. FUTURE REVISIONS OF THIS LICENSE 

The Free Software Foundation may publish new, revised versions of the GNU
Free Documentation License from time to time. Such new versions will be
similar in spirit to the present version, but may differ in detail to
address new problems or concerns. See http://www.gnu.org/copyleft/. 

Each version of the License is given a distinguishing version number. If the
Document specifies that a particular numbered version of this License "or
any later version" applies to it, you have the option of following the terms
and conditions either of that specified version or of any later version that
has been published (not as a draft) by the Free Software Foundation. If the
Document does not specify a version number of this License, you may choose
any version ever published (not as a draft) by the Free Software Foundation. 

How to use this License for your documents

To use this License in a document you have written, include a copy of the
License in the document and put the following copyright and license notices
just after the title page: 


      Copyright (c)  YEAR  YOUR NAME.
      Permission is granted to copy, distribute and/or modify this document
      under the terms of the GNU Free Documentation License, Version 1.2
      or any later version published by the Free Software Foundation;
      with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
 Texts.  A copy of the license is included in the section entitled "GNU
      Free Documentation License".

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts,
replace the "with...Texts." line with this: 


    with the Invariant Sections being LIST THEIR TITLES, with the
    Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.

If you have Invariant Sections without Cover Texts, or some other
combination of the three, merge those two alternatives to suit the
situation. 

If your document contains nontrivial examples of program code, we recommend
releasing these examples in parallel under your choice of free software
license, such as the GNU General Public License, to permit their use in free
software.