Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2417376pxk; Mon, 14 Sep 2020 12:46:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzvSmiLk1JaMYxRWNuoWukwYegJBzDmyBa1fm74NhKLL14+Ci2Kf+MYW+lBmH4hdXbVMKW4 X-Received: by 2002:a17:906:1787:: with SMTP id t7mr17005316eje.173.1600112812050; Mon, 14 Sep 2020 12:46:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600112812; cv=none; d=google.com; s=arc-20160816; b=MHJm6ikWvN+umorM97/q1PqcfPo5JNSTt87d/Cj/wb0S9uTrm5tUuB5yBuywrvYIVF oySVPOf+MJ/p+uySYO9xa0lAaHJy230KaGYiHIDFs5iTVKdsdSDNNRLRWUuawp5x0GJZ HkCRrnUrLYOKQZfRbyZudJg3i+//X7/wolV7ZtWyiI9O3VSI1PROLHKuDAqTxaOYH4I8 MurwdEi6TRlw0sD6mPO/EGfsKhj61N2goSt5ZsUC9KTTjOmodqwMypOiFjHPhsWOmpT3 W8/VrNKKWRExP085unAdiEjP1MCwSMEdGk1fhtiEFD14aoggwq5DBDQy6zS9t6pqnppb sh1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=B26ZPwSMQkEgl0FLKfBn1bcFzAEPMlr/0cRYgdbCJm4=; b=riK3HtrxbGwyWQjU06Pk5h1GhU/Ki8IoSN399dmlH8imcH1O0dj6zslHWJihrdzJrA qzMlsQo0bl/USLKnV761o/gn7gllOCAzW54hxA39As4m+/FZoC0xKteqCKogWDXex5eG Ou2v+C+HSpvDToMWzS8Zjmm3h8J7YL/RTUAP4uHoQKp/SGgl+hisgfrbNgIuldyI3enc tes2lEjkQ4UW675UIZIEqEo5q6xuFdGgBuaC3nPohRZhxlux/k1kfewlukcEogMcrrTg aTOBf0XHgxLI38btfXm8nbvc2Nsk1eNTcRG8mqKJRq5FdBo6Yl6TGDQCjJNFrm1lIHbO 4fog== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=MvgJXiZx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id rh6si7502351ejb.709.2020.09.14.12.46.28; Mon, 14 Sep 2020 12:46:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=MvgJXiZx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726025AbgINTnN (ORCPT + 99 others); Mon, 14 Sep 2020 15:43:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58268 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726023AbgINTnG (ORCPT ); Mon, 14 Sep 2020 15:43:06 -0400 Received: from mail-ed1-x543.google.com (mail-ed1-x543.google.com [IPv6:2a00:1450:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 60C6DC06178A for ; Mon, 14 Sep 2020 12:43:05 -0700 (PDT) Received: by mail-ed1-x543.google.com with SMTP id j2so738619eds.9 for ; Mon, 14 Sep 2020 12:43:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B26ZPwSMQkEgl0FLKfBn1bcFzAEPMlr/0cRYgdbCJm4=; b=MvgJXiZx2nV1v+RFwDa0Ew2gpF/YMUm1Qzl9uP0JoeTwPkWschjlATZudFOjyAIymN jJB7CAfq+BpdKpEqeroG5Y7ueTlhTlgM+6LKj7M/TcVdvxK4rdi9pYpCVGasFgNnIweT 66+OK8SAHXNYBvklweFjzvmaa+Q7pxQDrOuyV4OSavfjbUh/GTOB0/dTGHcXB5og63fs hvyUH+1dQT5+qQQyzqRC8vgQa2klF9z87EZ56xelz5zRMKd7xRTRJDyE/7GPPA7Gsper vQGtuke/Cs2S3Z/KC4HPmMFtSHp3XPc5cMLPQw2vv+ytvQBW4AUOUbR1dxtFSHQYUW0E xajw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B26ZPwSMQkEgl0FLKfBn1bcFzAEPMlr/0cRYgdbCJm4=; b=Q/GlNFiKtE0+cMSKg991n1I/3jC0z29JZ5fTVrOykPljqff9lGsEnZ9y1escoWUaMh x3+gA/qOKwe8GicJMHJ8L4EJ29CgjXZZEJtFRbWJlq+inImHdf1KK3ujgo6iFUGv07B1 WLr7S16ThFI6iLjnlzlsvjU4LmWrsCnHWv5STXb9EkWhp4VugeMyUaWtvTzrLtLnapID x+cw0QVEFpZrLxQhXm1Z2Pve9Dual78MkpUL8rRLVClZ4+EWsZOyj4bCwDiorbTbjsMz 0A+yMVZIn87n3TYkT2Vt3YfFQqfH6b7nobMmTlzCcu1zLaWo4NLNUqWHFsPDusbj1Gmb BCtA== X-Gm-Message-State: AOAM532DXNkxrzaIjRgasXbnBxQh+KwRRDSNrwo2EKFKls12eHJjeLo5 yMW/vShCP9eAhPIW3NCqu1wD4ZXE67sF3CTfbdoP5A== X-Received: by 2002:a05:6402:176c:: with SMTP id da12mr19288248edb.386.1600112583753; Mon, 14 Sep 2020 12:43:03 -0700 (PDT) MIME-Version: 1.0 References: <20200910202107.3799376-1-keescook@chromium.org> <20200910202107.3799376-6-keescook@chromium.org> <20200913172415.GA2880@ubuntu> In-Reply-To: <20200913172415.GA2880@ubuntu> From: Jann Horn Date: Mon, 14 Sep 2020 21:42:37 +0200 Message-ID: Subject: Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack To: John Wood Cc: Kees Cook , Kernel Hardening , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, kernel list , linux-fsdevel , linux-security-module Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Sep 13, 2020 at 7:55 PM John Wood wrote: > On Thu, Sep 10, 2020 at 11:10:38PM +0200, Jann Horn wrote: > > On Thu, Sep 10, 2020 at 10:22 PM Kees Cook wrote: > > > To detect a fork brute force attack it is necessary to compute the > > > crashing rate of the application. This calculation is performed in each > > > fatal fail of a task, or in other words, when a core dump is triggered. > > > If this rate shows that the application is crashing quickly, there is a > > > clear signal that an attack is happening. > > > > > > Since the crashing rate is computed in milliseconds per fault, if this > > > rate goes under a certain threshold a warning is triggered. [...] > > > + delta_jiffies = get_jiffies_64() - stats->jiffies; > > > + delta_time = jiffies64_to_msecs(delta_jiffies); > > > + crashing_rate = delta_time / (u64)stats->faults; > > > > Do I see this correctly, is this computing the total runtime of this > > process hierarchy divided by the total number of faults seen in this > > process hierarchy? If so, you may want to reconsider whether that's > > really the behavior you want. For example, if I configure the minimum > > period between crashes to be 30s (as is the default in the sysctl > > patch), and I try to attack a server that has been running without any > > crashes for a month, I'd instantly be able to crash around > > 30*24*60*60/30 = 86400 times before the detection kicks in. That seems > > suboptimal. > > You are right. This is not the behaviour we want. So, for the next > version it would be better to compute the crashing period as the time > between two faults, or the time between the execve call and the first > fault (first fault case). > > However, I am afraid of a premature detection if a child process fails > twice in a short period. > > So, I think it would be a good idea add a new sysctl to setup a > minimum number of faults before the time between faults starts to be > computed. And so, the attack detection only will be triggered if the > application crashes quickly but after a number of crashes. > > What do you think? You could keep a list of the timestamps of the last five crashes or so, and then take action if the last five crashes happened within (5-1)*crash_period_limit time.