Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1356832pxk; Thu, 10 Sep 2020 13:24:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwatCK2MhY0qJgn6vi8Xty5DjS/QjqBc6mQRVkVjekUu/qmlJ827sYeKJG+RpOMmvjdwppU X-Received: by 2002:a17:906:a88a:: with SMTP id ha10mr11531562ejb.532.1599769464217; Thu, 10 Sep 2020 13:24:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599769464; cv=none; d=google.com; s=arc-20160816; b=npKYDQAEqmBOPCzOV4zcvUiDT6s4xMaU0Twna9wu6o84uBJgrMf0pe26cE2bJsRmIs /Jrplp2jEqXCpHdm2Jze4VbCVpb68HbALO05RIzgs8S3ZWqo0ty0vE1Mb3nCSSEr1Jod ASjp0JMhozTvnbnzy76YEu2BfLpWANFp0xh8uW1lAeXS7pI6HnqbtKK9/n2W4hE7WlIT +q5/YFB3RsWjU+D6Sl1X366QR0HoimLMIzIAfqeLftgD68TaAmGS6iu6b33ZIo12sfQY Lhm3xjFjuG/YIn7MtLXMI/XhnYbM7nerjlbvkY52YoQwbQYnIjAcdr2PGAtLFp25ikf4 G2ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=fekJawXuRCxGrjYQI8OQvxsZTGlCFbLJj9FaUGr/A7E=; b=vvD59jk9H5rbL7YUhX1nLsqWtMfWg1b7cQNGKtDrerWBjwTOsNcDJpcvwA1HI2jePX UMAxUloK23SzwHhtKHRKbZ0ztfZLxwAxHQqNrzlp2Pl/3TH8nnh+6X7wstw/ETHR0c4g +/yoIqsDULdiEOEzwTsO59+bNKkaJ1jO2e9DmvRbN6EIB5/MZVOXPabfspzjxkTJryUW sz/SI++k/zirNYIMVXQGS+BhGWpETTZDbqvCv2Lb6i0aB45dwYIYbPPaIYHSrtnmWKZA hnQZZVv2cOvRWrN0ICZdRfEovTAOiwc3LxgQueW9ad4Rq5SdvvVPhPp98eTzn6x4busx 26rA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=QqSA5OLv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s4si4336294ejr.369.2020.09.10.13.24.01; Thu, 10 Sep 2020 13:24:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=QqSA5OLv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726662AbgIJUX0 (ORCPT + 99 others); Thu, 10 Sep 2020 16:23:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54846 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726474AbgIJUWD (ORCPT ); Thu, 10 Sep 2020 16:22:03 -0400 Received: from mail-pj1-x1042.google.com (mail-pj1-x1042.google.com [IPv6:2607:f8b0:4864:20::1042]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2B64CC0617B9 for ; Thu, 10 Sep 2020 13:21:23 -0700 (PDT) Received: by mail-pj1-x1042.google.com with SMTP id kk9so583138pjb.2 for ; Thu, 10 Sep 2020 13:21:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=fekJawXuRCxGrjYQI8OQvxsZTGlCFbLJj9FaUGr/A7E=; b=QqSA5OLvk2Qdik/W7fOSu9hkPXdjQzGi3H6oVrZUyklZ+UzgX6HE9UM609d6dK+kyh 54tXPlf8gvwGJYpP5jiKL4Mqt3GvS4R+0mJa2dhY7V+8gDdXSbCJ3tIl9uerrba1ObNl fq3FyNkenrkMAEkbOEdq32NFyGXYfubBxsfyo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=fekJawXuRCxGrjYQI8OQvxsZTGlCFbLJj9FaUGr/A7E=; b=JtXHTFB1nUiEbBW+OdTzGvhPANQGAk/VZH4fgroKWRqZ5XQh/I2km95WkkQ8B1ZwNB ySvIcLr4B/rtnYGIsh8OMALSjUODrQrWb1Yh+dXcDZkOtdUhum85YZggSmdC6QL4NIip 2l5ncKVcRlyevGwNWzwL1akTGFARZ7Dmxycr2DWAhgtndMsLOhmxPD8i8Kmp6tFWfeks 1A9RgEVdfmZT2KSaP54DX3jJF2myT99PjHk2euNcGbSHRi4V4nC1XebtX8ZE1kgYfKC2 LrPWT0WHdR3IRcasOw2WPa1+r3Euiyp3g+IHgYvx05tY68NEOjhuNa+K5k16Hw3n7RCo otKg== X-Gm-Message-State: AOAM531K4e7x0uCCBRLqt8H9+0KiKRwKerZUhhtCDENhdqieXT/lM4WI 77KFKBdqtmJ3nxiJbhP5G5Vxyw== X-Received: by 2002:a17:90b:a51:: with SMTP id gw17mr1654063pjb.118.1599769282707; Thu, 10 Sep 2020 13:21:22 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id i17sm6876859pfa.2.2020.09.10.13.21.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Sep 2020 13:21:21 -0700 (PDT) From: Kees Cook To: kernel-hardening@lists.openwall.com Cc: Kees Cook , John Wood , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack Date: Thu, 10 Sep 2020 13:21:06 -0700 Message-Id: <20200910202107.3799376-6-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200910202107.3799376-1-keescook@chromium.org> References: <20200910202107.3799376-1-keescook@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: John Wood To detect a fork brute force attack it is necessary to compute the crashing rate of the application. This calculation is performed in each fatal fail of a task, or in other words, when a core dump is triggered. If this rate shows that the application is crashing quickly, there is a clear signal that an attack is happening. Since the crashing rate is computed in milliseconds per fault, if this rate goes under a certain threshold a warning is triggered. Signed-off-by: John Wood --- fs/coredump.c | 2 ++ include/fbfam/fbfam.h | 2 ++ security/fbfam/fbfam.c | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+) diff --git a/fs/coredump.c b/fs/coredump.c index 76e7c10edfc0..d4ba4e1828d5 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -51,6 +51,7 @@ #include "internal.h" #include +#include int core_uses_pid; unsigned int core_pipe_limit; @@ -825,6 +826,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) fail_creds: put_cred(cred); fail: + fbfam_handle_attack(siginfo->si_signo); return; } diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h index 2cfe51d2b0d5..9ac8e33d8291 100644 --- a/include/fbfam/fbfam.h +++ b/include/fbfam/fbfam.h @@ -12,10 +12,12 @@ extern struct ctl_table fbfam_sysctls[]; int fbfam_fork(struct task_struct *child); int fbfam_execve(void); int fbfam_exit(void); +int fbfam_handle_attack(int signal); #else static inline int fbfam_fork(struct task_struct *child) { return 0; } static inline int fbfam_execve(void) { return 0; } static inline int fbfam_exit(void) { return 0; } +static inline int fbfam_handle_attack(int signal) { return 0; } #endif #endif /* _FBFAM_H_ */ diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c index 9be4639b72eb..3aa669e4ea51 100644 --- a/security/fbfam/fbfam.c +++ b/security/fbfam/fbfam.c @@ -4,7 +4,9 @@ #include #include #include +#include #include +#include #include /** @@ -172,3 +174,40 @@ int fbfam_exit(void) return 0; } +/** + * fbfam_handle_attack() - Fork brute force attack detection. + * @signal: Signal number that causes the core dump. + * + * The crashing rate of an application is computed in milliseconds per fault in + * each crash. So, if this rate goes under a certain threshold there is a clear + * signal that the application is crashing quickly. At this moment, a fork brute + * force attack is happening. + * + * Return: -EFAULT if the current task doesn't have statistical data. Zero + * otherwise. + */ +int fbfam_handle_attack(int signal) +{ + struct fbfam_stats *stats = current->fbfam_stats; + u64 delta_jiffies, delta_time; + u64 crashing_rate; + + if (!stats) + return -EFAULT; + + if (!(signal == SIGILL || signal == SIGBUS || signal == SIGKILL || + signal == SIGSEGV || signal == SIGSYS)) + return 0; + + stats->faults += 1; + + delta_jiffies = get_jiffies_64() - stats->jiffies; + delta_time = jiffies64_to_msecs(delta_jiffies); + crashing_rate = delta_time / (u64)stats->faults; + + if (crashing_rate < (u64)sysctl_crashing_rate_threshold) + pr_warn("fbfam: Fork brute force attack detected\n"); + + return 0; +} + -- 2.25.1