Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1475334pxk; Thu, 10 Sep 2020 16:50:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxADD3uB5r6HTc2KlYL1SXfd9SqHVxt0O/Rc7MC0jVj9cM0uzLTJHa4ll8x+hECCWCTUkVl X-Received: by 2002:a17:906:c830:: with SMTP id dd16mr11834001ejb.196.1599781843169; Thu, 10 Sep 2020 16:50:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599781843; cv=none; d=google.com; s=arc-20160816; b=dbNc60tPn993fc1gPpxASPVfweTyUP3O5haAXe3I5FSxIz8BXK+9qrT0tzQN5Q2yzl 8cwOnUwmyk5F76gsmdF4uacykfB21germn5SmobC70zq6qTAh1weRdaMRZyk3Un12FdP X47Ff28q8HBVBLeSxU1LVwaue8ayGVnWTLe37lguJnK/aFKxxHcXN1Qq3K8drrZflRr3 PMFqhAUQ4IBhTIS635wYnODl6pRBN5+65gJQSl2UrsSCrtDWjrzrqPkOY4pqaPNDgoLf PUUneyNmwnw2XjpxYRoslsiSv0ObHBuW9+k9X2GE4uSbbG3RpbVcYWkcLT/0w3l9NyOF X53w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=IaBh+ddcuDpz6mDgalgDYidOFzTPwsq/h7xo4uSnjys=; b=ndvXd/98y+gnnNofRsjxy3heqvT5A4so4/nc0+XALuAhqUADA+Y+PPSAr967QK5FUY GkKR6nKQJMxFv38+VaG7uW7uerEIoBcTRAynfya7C/TVcQyJonq2/L1fWtUt11d68OVj 98W/PiXOQVpOeEyPV16jZK/RBywBhPkGMVRafna8WVh5zXyZKg5Sitv4TzhvDlAOTTU9 twd2+OPyQ5HFwiIfMMuo/vebKiB2GB5891rdSEw0Jt5aaHvXHKjReNG6pYdU08fgEC3o /PlHtkaTl/kqfiVXKmU3fnGdUVlNJzj42gRXi5dBh5huJZ8axBwaoE18Q0uJ07+U5Zt0 wPlQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=OZvRIiWx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dn20si169289ejc.196.2020.09.10.16.50.21; Thu, 10 Sep 2020 16:50:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=OZvRIiWx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725306AbgIJXtQ (ORCPT + 99 others); Thu, 10 Sep 2020 19:49:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58848 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725280AbgIJXtL (ORCPT ); Thu, 10 Sep 2020 19:49:11 -0400 Received: from mail-pf1-x442.google.com (mail-pf1-x442.google.com [IPv6:2607:f8b0:4864:20::442]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C5AD6C061573 for ; Thu, 10 Sep 2020 16:49:10 -0700 (PDT) Received: by mail-pf1-x442.google.com with SMTP id v196so5932362pfc.1 for ; Thu, 10 Sep 2020 16:49:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=IaBh+ddcuDpz6mDgalgDYidOFzTPwsq/h7xo4uSnjys=; b=OZvRIiWxvgbgV7rDrzwW/mo7pKOcUBLaRM/3F39IPc1E9icQFqomZHx0N4US35FTp7 vSsnel87R3svfqBGdMoOlyN5B8k6YMqAy64tGhVQUCa1SGGb6+xnGqr9dmXdn7NgrUmc d/YNAWAvalvIjWW1alPmRiVUPHjkZXuTlKro4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=IaBh+ddcuDpz6mDgalgDYidOFzTPwsq/h7xo4uSnjys=; b=MGQDC3qB5ZHkfk687FMa+wBuTKpkW1ZFFud5CqB3h1UxbjkVD0A6q/s9hfbvOXxSh6 bTKLuDa6qSnkoBsqgPnd0V7jUa0Lza5o+4nPq+Ol3qnitMTnkNUFa2lNGMI45Zp9QFB0 ET0If56v7dTBGqvN9reGI9c0mn3V3TSCKsW88q2xPSQFN52upi7B8pKZ6lE2bVJR4Mro TXxHhBtIimGwBBGWxSozp4RGs7kC8tmKm6RjEDct9qazn9SdeeujeN4KBS4hSSUw1CWt Fmii6D7NIpAERvZ2cJZorFfuaqGIoO7xGlrViaxmfiWMwyJU3H0pqdsiKBJ6mD4jitCO RwWg== X-Gm-Message-State: AOAM531Iz+qG4tAQf4+/N8x+C+G3/XnjvtnUh5Y8l8Jb6pQktVvHfyE9 iOQgcpDtappo3dl3NhxC+3+bJA== X-Received: by 2002:a05:6a00:f:b029:13e:d13d:a089 with SMTP id h15-20020a056a00000fb029013ed13da089mr7496884pfk.32.1599781750231; Thu, 10 Sep 2020 16:49:10 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id p190sm215398pfp.9.2020.09.10.16.49.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Sep 2020 16:49:09 -0700 (PDT) Date: Thu, 10 Sep 2020 16:49:08 -0700 From: Kees Cook To: kernel-hardening@lists.openwall.com Cc: John Wood , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack Message-ID: <202009101634.52ED6751AD@keescook> References: <20200910202107.3799376-1-keescook@chromium.org> <20200910202107.3799376-6-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200910202107.3799376-6-keescook@chromium.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 10, 2020 at 01:21:06PM -0700, Kees Cook wrote: > From: John Wood > > To detect a fork brute force attack it is necessary to compute the > crashing rate of the application. This calculation is performed in each > fatal fail of a task, or in other words, when a core dump is triggered. > If this rate shows that the application is crashing quickly, there is a > clear signal that an attack is happening. > > Since the crashing rate is computed in milliseconds per fault, if this > rate goes under a certain threshold a warning is triggered. > > Signed-off-by: John Wood > --- > fs/coredump.c | 2 ++ > include/fbfam/fbfam.h | 2 ++ > security/fbfam/fbfam.c | 39 +++++++++++++++++++++++++++++++++++++++ > 3 files changed, 43 insertions(+) > > diff --git a/fs/coredump.c b/fs/coredump.c > index 76e7c10edfc0..d4ba4e1828d5 100644 > --- a/fs/coredump.c > +++ b/fs/coredump.c > @@ -51,6 +51,7 @@ > #include "internal.h" > > #include > +#include > > int core_uses_pid; > unsigned int core_pipe_limit; > @@ -825,6 +826,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) > fail_creds: > put_cred(cred); > fail: > + fbfam_handle_attack(siginfo->si_signo); I don't think this is the right place for detecting a crash -- isn't this only for the "dumping core" condition? In other words, don't you want to do this in get_signal()'s "fatal" block? (i.e. very close to the do_coredump, but without the "should I dump?" check?) Hmm, but maybe I'm wrong? It looks like you're looking at noticing the process taking a signal from SIG_KERNEL_COREDUMP_MASK ? (Better yet: what are fatal conditions that do NOT match SIG_KERNEL_COREDUMP_MASK, and should those be covered?) Regardless, *this* looks like the only place without an LSM hook. And it doesn't seem unreasonable to add one here. I assume it would probably just take the siginfo pointer, which is also what you're checking. e.g. for include/linux/lsm_hook_defs.h: LSM_HOOK(int, 0, task_coredump, const kernel_siginfo_t *siginfo); > return; > } > > diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h > index 2cfe51d2b0d5..9ac8e33d8291 100644 > --- a/include/fbfam/fbfam.h > +++ b/include/fbfam/fbfam.h > @@ -12,10 +12,12 @@ extern struct ctl_table fbfam_sysctls[]; > int fbfam_fork(struct task_struct *child); > int fbfam_execve(void); > int fbfam_exit(void); > +int fbfam_handle_attack(int signal); > #else > static inline int fbfam_fork(struct task_struct *child) { return 0; } > static inline int fbfam_execve(void) { return 0; } > static inline int fbfam_exit(void) { return 0; } > +static inline int fbfam_handle_attack(int signal) { return 0; } > #endif > > #endif /* _FBFAM_H_ */ > diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c > index 9be4639b72eb..3aa669e4ea51 100644 > --- a/security/fbfam/fbfam.c > +++ b/security/fbfam/fbfam.c > @@ -4,7 +4,9 @@ > #include > #include > #include > +#include > #include > +#include > #include > > /** > @@ -172,3 +174,40 @@ int fbfam_exit(void) > return 0; > } > > +/** > + * fbfam_handle_attack() - Fork brute force attack detection. > + * @signal: Signal number that causes the core dump. > + * > + * The crashing rate of an application is computed in milliseconds per fault in > + * each crash. So, if this rate goes under a certain threshold there is a clear > + * signal that the application is crashing quickly. At this moment, a fork brute > + * force attack is happening. > + * > + * Return: -EFAULT if the current task doesn't have statistical data. Zero > + * otherwise. > + */ > +int fbfam_handle_attack(int signal) > +{ > + struct fbfam_stats *stats = current->fbfam_stats; > + u64 delta_jiffies, delta_time; > + u64 crashing_rate; > + > + if (!stats) > + return -EFAULT; > + > + if (!(signal == SIGILL || signal == SIGBUS || signal == SIGKILL || > + signal == SIGSEGV || signal == SIGSYS)) > + return 0; This will only be called for: #define SIG_KERNEL_COREDUMP_MASK (\ rt_sigmask(SIGQUIT) | rt_sigmask(SIGILL) | \ rt_sigmask(SIGTRAP) | rt_sigmask(SIGABRT) | \ rt_sigmask(SIGFPE) | rt_sigmask(SIGSEGV) | \ rt_sigmask(SIGBUS) | rt_sigmask(SIGSYS) | \ rt_sigmask(SIGXCPU) | rt_sigmask(SIGXFSZ) | \ SIGEMT_MASK ) So you're skipping: SIGQUIT SIGTRAP SIGABRT SIGFPE SIGXCPU SIGXFSZ SIGEMT_MASK I would include SIGABRT (e.g. glibc will call abort() for stack canary, malloc, etc failures, which may indicate a mitigation has fired). -- Kees Cook