|
Message-ID: <202009101634.52ED6751AD@keescook> Date: Thu, 10 Sep 2020 16:49:08 -0700 From: Kees Cook <keescook@...omium.org> To: kernel-hardening@...ts.openwall.com Cc: John Wood <john.wood@....com>, Matthew Wilcox <willy@...radead.org>, Jonathan Corbet <corbet@....net>, Alexander Viro <viro@...iv.linux.org.uk>, Ingo Molnar <mingo@...hat.com>, Peter Zijlstra <peterz@...radead.org>, Juri Lelli <juri.lelli@...hat.com>, Vincent Guittot <vincent.guittot@...aro.org>, Dietmar Eggemann <dietmar.eggemann@....com>, Steven Rostedt <rostedt@...dmis.org>, Ben Segall <bsegall@...gle.com>, Mel Gorman <mgorman@...e.de>, Luis Chamberlain <mcgrof@...nel.org>, Iurii Zaikin <yzaikin@...gle.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org Subject: Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack On Thu, Sep 10, 2020 at 01:21:06PM -0700, Kees Cook wrote: > From: John Wood <john.wood@....com> > > To detect a fork brute force attack it is necessary to compute the > crashing rate of the application. This calculation is performed in each > fatal fail of a task, or in other words, when a core dump is triggered. > If this rate shows that the application is crashing quickly, there is a > clear signal that an attack is happening. > > Since the crashing rate is computed in milliseconds per fault, if this > rate goes under a certain threshold a warning is triggered. > > Signed-off-by: John Wood <john.wood@....com> > --- > fs/coredump.c | 2 ++ > include/fbfam/fbfam.h | 2 ++ > security/fbfam/fbfam.c | 39 +++++++++++++++++++++++++++++++++++++++ > 3 files changed, 43 insertions(+) > > diff --git a/fs/coredump.c b/fs/coredump.c > index 76e7c10edfc0..d4ba4e1828d5 100644 > --- a/fs/coredump.c > +++ b/fs/coredump.c > @@ -51,6 +51,7 @@ > #include "internal.h" > > #include <trace/events/sched.h> > +#include <fbfam/fbfam.h> > > int core_uses_pid; > unsigned int core_pipe_limit; > @@ -825,6 +826,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) > fail_creds: > put_cred(cred); > fail: > + fbfam_handle_attack(siginfo->si_signo); I don't think this is the right place for detecting a crash -- isn't this only for the "dumping core" condition? In other words, don't you want to do this in get_signal()'s "fatal" block? (i.e. very close to the do_coredump, but without the "should I dump?" check?) Hmm, but maybe I'm wrong? It looks like you're looking at noticing the process taking a signal from SIG_KERNEL_COREDUMP_MASK ? (Better yet: what are fatal conditions that do NOT match SIG_KERNEL_COREDUMP_MASK, and should those be covered?) Regardless, *this* looks like the only place without an LSM hook. And it doesn't seem unreasonable to add one here. I assume it would probably just take the siginfo pointer, which is also what you're checking. e.g. for include/linux/lsm_hook_defs.h: LSM_HOOK(int, 0, task_coredump, const kernel_siginfo_t *siginfo); > return; > } > > diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h > index 2cfe51d2b0d5..9ac8e33d8291 100644 > --- a/include/fbfam/fbfam.h > +++ b/include/fbfam/fbfam.h > @@ -12,10 +12,12 @@ extern struct ctl_table fbfam_sysctls[]; > int fbfam_fork(struct task_struct *child); > int fbfam_execve(void); > int fbfam_exit(void); > +int fbfam_handle_attack(int signal); > #else > static inline int fbfam_fork(struct task_struct *child) { return 0; } > static inline int fbfam_execve(void) { return 0; } > static inline int fbfam_exit(void) { return 0; } > +static inline int fbfam_handle_attack(int signal) { return 0; } > #endif > > #endif /* _FBFAM_H_ */ > diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c > index 9be4639b72eb..3aa669e4ea51 100644 > --- a/security/fbfam/fbfam.c > +++ b/security/fbfam/fbfam.c > @@ -4,7 +4,9 @@ > #include <linux/errno.h> > #include <linux/gfp.h> > #include <linux/jiffies.h> > +#include <linux/printk.h> > #include <linux/refcount.h> > +#include <linux/signal.h> > #include <linux/slab.h> > > /** > @@ -172,3 +174,40 @@ int fbfam_exit(void) > return 0; > } > > +/** > + * fbfam_handle_attack() - Fork brute force attack detection. > + * @signal: Signal number that causes the core dump. > + * > + * The crashing rate of an application is computed in milliseconds per fault in > + * each crash. So, if this rate goes under a certain threshold there is a clear > + * signal that the application is crashing quickly. At this moment, a fork brute > + * force attack is happening. > + * > + * Return: -EFAULT if the current task doesn't have statistical data. Zero > + * otherwise. > + */ > +int fbfam_handle_attack(int signal) > +{ > + struct fbfam_stats *stats = current->fbfam_stats; > + u64 delta_jiffies, delta_time; > + u64 crashing_rate; > + > + if (!stats) > + return -EFAULT; > + > + if (!(signal == SIGILL || signal == SIGBUS || signal == SIGKILL || > + signal == SIGSEGV || signal == SIGSYS)) > + return 0; This will only be called for: #define SIG_KERNEL_COREDUMP_MASK (\ rt_sigmask(SIGQUIT) | rt_sigmask(SIGILL) | \ rt_sigmask(SIGTRAP) | rt_sigmask(SIGABRT) | \ rt_sigmask(SIGFPE) | rt_sigmask(SIGSEGV) | \ rt_sigmask(SIGBUS) | rt_sigmask(SIGSYS) | \ rt_sigmask(SIGXCPU) | rt_sigmask(SIGXFSZ) | \ SIGEMT_MASK ) So you're skipping: SIGQUIT SIGTRAP SIGABRT SIGFPE SIGXCPU SIGXFSZ SIGEMT_MASK I would include SIGABRT (e.g. glibc will call abort() for stack canary, malloc, etc failures, which may indicate a mitigation has fired). -- Kees Cook
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.