[RFC,5/9] security/fbfam: Detect a fork brute force attack

Message ID	20200906152348.7259-1-john.wood@gmx.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=OZUD=CP=vger.kernel.org=linux-security-module-owner@kernel.org> From: John Wood <john.wood@gmx.com> To: Matthew Wilcox <willy@infradead.org> Cc: John Wood <john.wood@gmx.com> Subject: [RFC PATCH 5/9] security/fbfam: Detect a fork brute force attack Date: Sun, 6 Sep 2020 17:23:48 +0200 Message-Id: <20200906152348.7259-1-john.wood@gmx.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable summary: Content analysis details: (-0.7 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.15.18 listed in list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [john.wood[at]gmx.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [212.227.15.18 listed in wl.mailspike.net] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	[RFC,1/9] security/fbfam: Add a Kconfig to enable the fbfam feature \| expand [RFC,1/9] security/fbfam: Add a Kconfig to enable the fbfam feature [RFC,2/9] security/fbfam: Add the api to manage statistics [RFC,3/9] security/fbfam: Use the api to manage statistics [RFC,4/9] security/fbfam: Add a new sysctl to control the crashing rate threshold [RFC,5/9] security/fbfam: Detect a fork brute force attack [RFC,6/9] security/fbfam: Mitigate a fork brute force attack

Message ID

20200906152348.7259-1-john.wood@gmx.com (mailing list archive)

State

New, archived

Headers

From: John Wood <john.wood@gmx.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: John Wood <john.wood@gmx.com>
Subject: [RFC PATCH 5/9] security/fbfam: Detect a fork brute force attack
Date: Sun,  6 Sep 2020 17:23:48 +0200
Message-Id: <20200906152348.7259-1-john.wood@gmx.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

[RFC,1/9] security/fbfam: Add a Kconfig to enable the fbfam feature | expand

Commit Message

John Wood Sept. 6, 2020, 3:23 p.m. UTC

To detect a fork brute force attack it is necessary to compute the
crashing rate of the application. This calculation is performed in each
fatal fail of a task, or in other words, when a core dump is triggered.
If this rate shows that the application is crashing quickly, there is a
clear signal that an attack is happening.

Since the crashing rate is computed in milliseconds per fault, if this
rate goes under a certain threshold a warning is triggered.

Signed-off-by: John Wood <john.wood@gmx.com>
---
 fs/coredump.c          |  2 ++
 include/fbfam/fbfam.h  |  2 ++
 security/fbfam/fbfam.c | 39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+)

--
2.25.1

diff --git a/fs/coredump.c b/fs/coredump.c
index 76e7c10edfc0..d4ba4e1828d5 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -51,6 +51,7 @@ 
 #include "internal.h"

 #include <trace/events/sched.h>
+#include <fbfam/fbfam.h>

 int core_uses_pid;
 unsigned int core_pipe_limit;
@@ -825,6 +826,7 @@  void do_coredump(const kernel_siginfo_t *siginfo)
 fail_creds:
 	put_cred(cred);
 fail:
+	fbfam_handle_attack(siginfo->si_signo);
 	return;
 }

diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h
index 2cfe51d2b0d5..9ac8e33d8291 100644
--- a/include/fbfam/fbfam.h
+++ b/include/fbfam/fbfam.h
@@ -12,10 +12,12 @@  extern struct ctl_table fbfam_sysctls[];
 int fbfam_fork(struct task_struct *child);
 int fbfam_execve(void);
 int fbfam_exit(void);
+int fbfam_handle_attack(int signal);
 #else
 static inline int fbfam_fork(struct task_struct *child) { return 0; }
 static inline int fbfam_execve(void) { return 0; }
 static inline int fbfam_exit(void) { return 0; }
+static inline int fbfam_handle_attack(int signal) { return 0; }
 #endif

 #endif /* _FBFAM_H_ */
diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c
index 9be4639b72eb..3aa669e4ea51 100644
--- a/security/fbfam/fbfam.c
+++ b/security/fbfam/fbfam.c
@@ -4,7 +4,9 @@ 
 #include <linux/errno.h>
 #include <linux/gfp.h>
 #include <linux/jiffies.h>
+#include <linux/printk.h>
 #include <linux/refcount.h>
+#include <linux/signal.h>
 #include <linux/slab.h>

 /**
@@ -172,3 +174,40 @@  int fbfam_exit(void)
 	return 0;
 }

+/**
+ * fbfam_handle_attack() - Fork brute force attack detection.
+ * @signal: Signal number that causes the core dump.
+ *
+ * The crashing rate of an application is computed in milliseconds per fault in
+ * each crash. So, if this rate goes under a certain threshold there is a clear
+ * signal that the application is crashing quickly. At this moment, a fork brute
+ * force attack is happening.
+ *
+ * Return: -EFAULT if the current task doesn't have statistical data. Zero
+ *         otherwise.
+ */
+int fbfam_handle_attack(int signal)
+{
+	struct fbfam_stats *stats = current->fbfam_stats;
+	u64 delta_jiffies, delta_time;
+	u64 crashing_rate;
+
+	if (!stats)
+		return -EFAULT;
+
+	if (!(signal == SIGILL || signal == SIGBUS || signal == SIGKILL ||
+	      signal == SIGSEGV || signal == SIGSYS))
+		return 0;
+
+	stats->faults += 1;
+
+	delta_jiffies = get_jiffies_64() - stats->jiffies;
+	delta_time = jiffies64_to_msecs(delta_jiffies);
+	crashing_rate = delta_time / (u64)stats->faults;
+
+	if (crashing_rate < (u64)sysctl_crashing_rate_threshold)
+		pr_warn("fbfam: Fork brute force attack detected\n");
+
+	return 0;
+}
+

[RFC,5/9] security/fbfam: Detect a fork brute force attack

Commit Message

Patch