From patchwork Thu Sep 10 20:21:02 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11769085 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9BD1314F6 for ; Thu, 10 Sep 2020 20:22:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7186D221E2 for ; Thu, 10 Sep 2020 20:22:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="BclfH4h6" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725820AbgIJUVt (ORCPT ); Thu, 10 Sep 2020 16:21:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726588AbgIJUVS (ORCPT ); Thu, 10 Sep 2020 16:21:18 -0400 Received: from mail-pf1-x444.google.com (mail-pf1-x444.google.com [IPv6:2607:f8b0:4864:20::444]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 50816C061757 for ; Thu, 10 Sep 2020 13:21:18 -0700 (PDT) Received: by mail-pf1-x444.google.com with SMTP id k15so5360477pfc.12 for ; Thu, 10 Sep 2020 13:21:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=t7QYn1yhWQ40fqsjl2bkOVXNzJEardYI1LG85/i6U4Y=; b=BclfH4h6+3Bniz3hlYX1B8/uwcukDuLERmdv/too1YSZlXK9dBtB6T76hiHYKxbvf9 ygrdCHBb2d1zvH8fNVjO46IvyeFd1UQ1/ZyJKm4z7MgXVjH3rg/TxqlBaSg381uGWgSp a0ksHPHgB/X4oFDK2ba/ovfJCDRHiImWHRs4Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=t7QYn1yhWQ40fqsjl2bkOVXNzJEardYI1LG85/i6U4Y=; b=nAkMbq03JsQLB7kE9TBd/G+V3cEDTznBKs3fvnGxFyPl5ftP/OILc6iQAATdftDGKQ Qe5iEocuQohZCxLAATrLzbJDhJBIxqQxvleMIyUpKYzyaoHczjPxbQsiuoC682O+qxbY 5H94vxvCPYIuYt/0CwOSOhl8BzmLIXXkFe0dcxrT9KUU3zLrODyxLeBPjuuGlLmgEFFl VMzfGTq0oEnU0N3wzuc8xkI0IJEv9sSfyE4kvB4jLkF1Hp0WMblkpbhfxfnfZLP5Eeom i5oSFkK+pRT9YxSfuT3M/iZkZd38b2Pvvp1WkD+LrwVOvWZ8vREFB/PD8y+wwzwqEblI XXMw== X-Gm-Message-State: AOAM5303UCb1yb64Q3mCvQJ5ctqZ6UJYg5Qfa3q9o2PMYqOpIqL8MMG+ tHELlJJdGQrgrdN0/DcIkdkfCQ== X-Google-Smtp-Source: ABdhPJx0DRsV2uk7XRhN5WyrdQ3GN+smsELZkM+SGtSpILq3ccN5AWUrZdo9DI6cB7SYJM/QqYly8g== X-Received: by 2002:a63:4418:: with SMTP id r24mr5838961pga.8.1599769277620; Thu, 10 Sep 2020 13:21:17 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id a13sm5241229pgq.41.2020.09.10.13.21.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Sep 2020 13:21:16 -0700 (PDT) From: Kees Cook To: kernel-hardening@lists.openwall.com Cc: Kees Cook , John Wood , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [RFC PATCH 1/6] security/fbfam: Add a Kconfig to enable the fbfam feature Date: Thu, 10 Sep 2020 13:21:02 -0700 Message-Id: <20200910202107.3799376-2-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200910202107.3799376-1-keescook@chromium.org> References: <20200910202107.3799376-1-keescook@chromium.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: John Wood Add a menu entry under "Security options" to enable the "Fork brute force attack mitigation" feature. Signed-off-by: John Wood --- security/Kconfig | 1 + security/fbfam/Kconfig | 10 ++++++++++ 2 files changed, 11 insertions(+) create mode 100644 security/fbfam/Kconfig diff --git a/security/Kconfig b/security/Kconfig index 7561f6f99f1d..00a90e25b8d5 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -290,6 +290,7 @@ config LSM If unsure, leave this as the default. source "security/Kconfig.hardening" +source "security/fbfam/Kconfig" endmenu diff --git a/security/fbfam/Kconfig b/security/fbfam/Kconfig new file mode 100644 index 000000000000..bbe7f6aad369 --- /dev/null +++ b/security/fbfam/Kconfig @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: GPL-2.0 +config FBFAM + bool "Fork brute force attack mitigation" + default n + help + This is a user defense that detects any fork brute force attack + based on the application's crashing rate. When this measure is + triggered the fork system call is blocked. + + If you are unsure how to answer this question, answer N. From patchwork Thu Sep 10 20:21:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11769107 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 31BD9698 for ; Thu, 10 Sep 2020 20:23:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id F0763221E5 for ; Thu, 10 Sep 2020 20:23:22 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="BA7gUYJD" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726419AbgIJUXC (ORCPT ); Thu, 10 Sep 2020 16:23:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54832 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726987AbgIJUVz (ORCPT ); Thu, 10 Sep 2020 16:21:55 -0400 Received: from mail-pf1-x442.google.com (mail-pf1-x442.google.com [IPv6:2607:f8b0:4864:20::442]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7E057C0617A9 for ; Thu, 10 Sep 2020 13:21:21 -0700 (PDT) Received: by mail-pf1-x442.google.com with SMTP id c196so5521629pfc.0 for ; Thu, 10 Sep 2020 13:21:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=wJZHFZKfNNyC67jwisOmBZgnX1BFNcIrFx6Hk0CVZj0=; b=BA7gUYJDUrV86/gK5hnjBVttT9NwmYMFnA1+ImWoiBLcN5oOXU8QthOaJfPt9gc2ug B5tOcCRa23Jdbs1ij+K+aQKZUmgVALJupA7J8lhiEDDLKiF7mOFMbBz14LJWznBzsC5z XqB2DX5w0vVnuDESFdM8sqC7YdTMb8v+p7xZM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=wJZHFZKfNNyC67jwisOmBZgnX1BFNcIrFx6Hk0CVZj0=; b=arAhhyGPIzq6ZqbLVjhgNc2EJrbqo9SvQzLlsG/+txGZGQwFyxKCYS/+cFc2IeknoF cUoD+0XBG2INUyWxG7Esj2nsG3tEOFjGVOpycAig9XPeMlfAepIhJgagMZzMAA5tUQYM b4QiMmulAkMOn3qcK60DH6JxKV33/6mI8Rtlkiwap5fMxK2AwfMaG88iC5Uv/RpdJDuu Y4fHf2lXXTJWvbxsDJiKJL3G6eU7nBcbS/aiHBHqdxxPx9uBqFl46oX8A6a/P2ON34iz eViGcwtbPVKJt6I65M8oXLHlwI8d/NdA9joQi3wdFbiM2xisDq5vJD7aKYUXAud5Od39 135g== X-Gm-Message-State: AOAM532AYd37WPjW+muKMSAvj8E1mFj7oKiUeqS+4JncCoJ8eAupt0Pw pSPD3RhRgNYPp2UrSYNYDW/2fg== X-Google-Smtp-Source: ABdhPJy1DAtvKfpKmGtbdkGGrHoagYjMTqm33L0ZJJiXD+9dPEL9PIt+9mXnYTzSYOcasBfTp3U2vg== X-Received: by 2002:a17:902:b901:: with SMTP id bf1mr6995903plb.153.1599769280963; Thu, 10 Sep 2020 13:21:20 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id u27sm5698081pgm.60.2020.09.10.13.21.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Sep 2020 13:21:16 -0700 (PDT) From: Kees Cook To: kernel-hardening@lists.openwall.com Cc: Kees Cook , John Wood , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [RFC PATCH 2/6] security/fbfam: Add the api to manage statistics Date: Thu, 10 Sep 2020 13:21:03 -0700 Message-Id: <20200910202107.3799376-3-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200910202107.3799376-1-keescook@chromium.org> References: <20200910202107.3799376-1-keescook@chromium.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: John Wood Create a statistical data structure to hold all the necessary information involve in a fork brute force attack. This info is a timestamp for the first fork or execve and the number of crashes since then. Moreover, due to this statitistical data will be shared between different tasks, a reference counter it is necessary. For a correct management of an attack it is also necessary that all the tasks hold statistical data. The same statistical data needs to be shared between all the tasks that hold the same memory contents or in other words, between all the tasks that have been forked without any execve call. When a forked task calls the execve system call, the memory contents are set with new values. So, in this scenario the parent's statistical data no need to be share. Instead, a new statistical data structure must be allocated to start a new cycle. The statistical data that every task holds needs to be clear when a task exits. Due to this data is shared across multiples tasks, the reference counter is useful to free the previous allocated data only when there are not other pointers to the same data. Or in other words, when the reference counter reaches zero. So, based in all the previous information add the api to manage all the commented cases. Also, add to the struct task_struct a new field to point to the statitistical data related to an attack. This way, all the tasks will have access to this information. Signed-off-by: John Wood --- include/fbfam/fbfam.h | 18 +++++ include/linux/sched.h | 4 + security/Makefile | 4 + security/fbfam/Makefile | 2 + security/fbfam/fbfam.c | 163 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 191 insertions(+) create mode 100644 include/fbfam/fbfam.h create mode 100644 security/fbfam/Makefile create mode 100644 security/fbfam/fbfam.c diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h new file mode 100644 index 000000000000..b5b7d1127a52 --- /dev/null +++ b/include/fbfam/fbfam.h @@ -0,0 +1,18 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _FBFAM_H_ +#define _FBFAM_H_ + +#include + +#ifdef CONFIG_FBFAM +int fbfam_fork(struct task_struct *child); +int fbfam_execve(void); +int fbfam_exit(void); +#else +static inline int fbfam_fork(struct task_struct *child) { return 0; } +static inline int fbfam_execve(void) { return 0; } +static inline int fbfam_exit(void) { return 0; } +#endif + +#endif /* _FBFAM_H_ */ + diff --git a/include/linux/sched.h b/include/linux/sched.h index afe01e232935..00e1aa5e00cd 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1315,6 +1315,10 @@ struct task_struct { struct callback_head mce_kill_me; #endif +#ifdef CONFIG_FBFAM + struct fbfam_stats *fbfam_stats; +#endif + /* * New fields for task_struct should be added above here, so that * they are included in the randomized portion of task_struct. diff --git a/security/Makefile b/security/Makefile index 3baf435de541..36dc4b536349 100644 --- a/security/Makefile +++ b/security/Makefile @@ -36,3 +36,7 @@ obj-$(CONFIG_BPF_LSM) += bpf/ # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity obj-$(CONFIG_INTEGRITY) += integrity/ + +# Object fbfam file lists +subdir-$(CONFIG_FBFAM) += fbfam +obj-$(CONFIG_FBFAM) += fbfam/ diff --git a/security/fbfam/Makefile b/security/fbfam/Makefile new file mode 100644 index 000000000000..f4b9f0b19c44 --- /dev/null +++ b/security/fbfam/Makefile @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: GPL-2.0 +obj-$(CONFIG_FBFAM) += fbfam.o diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c new file mode 100644 index 000000000000..0387f95f6408 --- /dev/null +++ b/security/fbfam/fbfam.c @@ -0,0 +1,163 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include +#include +#include +#include +#include + +/** + * struct fbfam_stats - Fork brute force attack mitigation statistics. + * @refc: Reference counter. + * @faults: Number of crashes since jiffies. + * @jiffies: First fork or execve timestamp. + * + * The purpose of this structure is to manage all the necessary information to + * compute the crashing rate of an application. So, it holds a first fork or + * execve timestamp and a number of crashes since then. This way the crashing + * rate in milliseconds per fault can be compute when necessary with the + * following formula: + * + * u64 delta_jiffies = get_jiffies_64() - fbfam_stats::jiffies; + * u64 delta_time = jiffies64_to_msecs(delta_jiffies); + * u64 crashing_rate = delta_time / (u64)fbfam_stats::faults; + * + * If the fbfam_stats::faults is zero, the above formula can't be used. In this + * case, the crashing rate is zero. + * + * Moreover, since the same allocated structure will be used in every fork + * since the first one or execve, it's also necessary a reference counter. + */ +struct fbfam_stats { + refcount_t refc; + unsigned int faults; + u64 jiffies; +}; + +/** + * fbfam_new_stats() - Allocation of new statistics structure. + * + * If the allocation is successful the reference counter is set to one to + * indicate that there will be one task that points to this structure. The + * faults field is initialize to zero and the timestamp for this moment is set. + * + * Return: NULL if the allocation fails. A pointer to the new allocated + * statistics structure if it success. + */ +static struct fbfam_stats *fbfam_new_stats(void) +{ + struct fbfam_stats *stats = kmalloc(sizeof(struct fbfam_stats), + GFP_KERNEL); + + if (stats) { + refcount_set(&stats->refc, 1); + stats->faults = 0; + stats->jiffies = get_jiffies_64(); + } + + return stats; +} + +/* + * fbfam_fork() - Fork management. + * @child: Pointer to the child task that will be created with the fork system + * call. + * + * For a correct management of a fork brute force attack it is necessary that + * all the tasks hold statistical data. The same statistical data needs to be + * shared between all the tasks that hold the same memory contents or in other + * words, between all the tasks that have been forked without any execve call. + * + * To ensure this, if the current task doesn't have statistical data when forks + * (only possible in the first fork of the zero task), it is mandatory to + * allocate a new one. This way, the child task always will share the statistics + * with its parent. + * + * Return: -ENOMEN if the allocation of the new statistics structure fails. + * Zero otherwise. + */ +int fbfam_fork(struct task_struct *child) +{ + struct fbfam_stats **stats = ¤t->fbfam_stats; + + if (!*stats) { + *stats = fbfam_new_stats(); + if (!*stats) + return -ENOMEM; + } + + refcount_inc(&(*stats)->refc); + child->fbfam_stats = *stats; + return 0; +} + +/** + * fbfam_execve() - Execve management. + * + * When a forked task calls the execve system call, the memory contents are set + * with new values. So, in this scenario the parent's statistical data no need + * to be share. Instead, a new statistical data structure must be allocated to + * start a new cycle. This condition is detected when the statistics reference + * counter holds a value greater than or equal to two (a fork always sets the + * statistics reference counter to two since the parent and the child task are + * sharing the same data). + * + * However, if the execve function is called immediately after another execve + * call, althought the memory contents are reset, there is no need to allocate + * a new statistical data structure. This is possible because at this moment + * only one task (the task that calls the execve function) points to the data. + * In this case, the previous allocation is used and only the faults and time + * fields are reset. + * + * Return: -ENOMEN if the allocation of the new statistics structure fails. + * -EFAULT if the current task doesn't have statistical data. Zero + * otherwise. + */ +int fbfam_execve(void) +{ + struct fbfam_stats **stats = ¤t->fbfam_stats; + + if (!*stats) + return -EFAULT; + + if (!refcount_dec_not_one(&(*stats)->refc)) { + /* execve call after an execve call */ + (*stats)->faults = 0; + (*stats)->jiffies = get_jiffies_64(); + return 0; + } + + /* execve call after a fork call */ + *stats = fbfam_new_stats(); + if (!*stats) + return -ENOMEM; + + return 0; +} + +/** + * fbfam_exit() - Exit management. + * + * The statistical data that every task holds needs to be clear when a task + * exits. Due to this data is shared across multiples tasks, the reference + * counter is useful to free the previous allocated data only when there are + * not other pointers to the same data. Or in other words, when the reference + * counter reaches zero. + * + * Return: -EFAULT if the current task doesn't have statistical data. Zero + * otherwise. + */ +int fbfam_exit(void) +{ + struct fbfam_stats *stats = current->fbfam_stats; + + if (!stats) + return -EFAULT; + + if (refcount_dec_and_test(&stats->refc)) + kfree(stats); + + return 0; +} + From patchwork Thu Sep 10 20:21:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11769097 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 21096698 for ; Thu, 10 Sep 2020 20:22:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 02351221E2 for ; Thu, 10 Sep 2020 20:22:45 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="N4ZcvLio" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726680AbgIJUWk (ORCPT ); Thu, 10 Sep 2020 16:22:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54846 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726811AbgIJUVe (ORCPT ); Thu, 10 Sep 2020 16:21:34 -0400 Received: from mail-pg1-x541.google.com (mail-pg1-x541.google.com [IPv6:2607:f8b0:4864:20::541]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9BC7CC06179A for ; Thu, 10 Sep 2020 13:21:19 -0700 (PDT) Received: by mail-pg1-x541.google.com with SMTP id w186so4896045pgb.8 for ; Thu, 10 Sep 2020 13:21:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=i8Xslrycj3wZ0DMCYzlf3YsQvnbbwZR8oamVvMIeqd8=; b=N4ZcvLionYWpbEK4gXbRvbCv+cTM7NTQkjTbl0t2d2YCT5Z4d+Pb1z8TvbVJH3NLQu pGdG+OrRpe7FlA0k0vXQGINZGk4uSXR4KYfpS8yuHC0joRvBUjoVnIeUFSsCA/gsUHG4 bFvqJk8qJ7J0u2QmvU3MrRgUt8CMZ24ZyDXQs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=i8Xslrycj3wZ0DMCYzlf3YsQvnbbwZR8oamVvMIeqd8=; b=Owv0a2uuU/ivY03ORN6muqP42BFY4qdWAhYJ9qhFhJmsmLnU4SwkvpyvlS1C1kRlL+ RQmjzgSZ/p45A/cxiTPVWvjMyYja8y7F+dD7QwHXLccPuBRZZZjOn9G5iV7YxkkKJuJH Q51BCJ0S6/CxmBLLl4C93kfceo+UssNYyZTFIh33e5qa5hjE4NgNOznblADOo1nuNS66 NVCofSoouTZs38jow2+HdoqyW+1ejFO+Kcbs1Oxna7+JGdomBZaPxyBTXyfrAB5SOI9B 3OIcPLMCwuYuNK9EKSUJH3oRIFU7206j/wbviiLeal6D34Vt8bDOrswFk4QQq84y7QWN pYmQ== X-Gm-Message-State: AOAM530WrCwBGWkryqUgaDKKtyl40OzK4WlgdUIJOTlIP6Kr81J2+svA Uc2jAoq/CdnwcHtAcFRS6lRL3A== X-Google-Smtp-Source: ABdhPJxSVZUjjKCu/Z5pQSZqImDe/VdPv6+D1mXG7RzqnqfYRqC3IutbHGDwngQP/fzV/pFV1UOO8w== X-Received: by 2002:a62:5f02:0:b029:13c:1611:6536 with SMTP id t2-20020a625f020000b029013c16116536mr6870569pfb.8.1599769278853; Thu, 10 Sep 2020 13:21:18 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id h1sm2709801pji.52.2020.09.10.13.21.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Sep 2020 13:21:16 -0700 (PDT) From: Kees Cook To: kernel-hardening@lists.openwall.com Cc: Kees Cook , John Wood , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [RFC PATCH 3/6] security/fbfam: Use the api to manage statistics Date: Thu, 10 Sep 2020 13:21:04 -0700 Message-Id: <20200910202107.3799376-4-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200910202107.3799376-1-keescook@chromium.org> References: <20200910202107.3799376-1-keescook@chromium.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: John Wood Use the previous defined api to manage statistics calling it accordingly when a task forks, calls execve or exits. Signed-off-by: John Wood --- fs/exec.c | 2 ++ kernel/exit.c | 2 ++ kernel/fork.c | 4 ++++ 3 files changed, 8 insertions(+) diff --git a/fs/exec.c b/fs/exec.c index a91003e28eaa..b30118674d32 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -71,6 +71,7 @@ #include "internal.h" #include +#include static int bprm_creds_from_file(struct linux_binprm *bprm); @@ -1940,6 +1941,7 @@ static int bprm_execve(struct linux_binprm *bprm, task_numa_free(current, false); if (displaced) put_files_struct(displaced); + fbfam_execve(); return retval; out: diff --git a/kernel/exit.c b/kernel/exit.c index 733e80f334e7..39a6139dcf31 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -67,6 +67,7 @@ #include #include #include +#include static void __unhash_process(struct task_struct *p, bool group_dead) { @@ -852,6 +853,7 @@ void __noreturn do_exit(long code) __this_cpu_add(dirty_throttle_leaks, tsk->nr_dirtied); exit_rcu(); exit_tasks_rcu_finish(); + fbfam_exit(); lockdep_free_task(tsk); do_task_dead(); diff --git a/kernel/fork.c b/kernel/fork.c index 49677d668de4..c933838450a8 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -107,6 +107,8 @@ #define CREATE_TRACE_POINTS #include +#include + /* * Minimum number of threads to boot the kernel */ @@ -941,6 +943,8 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node) #ifdef CONFIG_MEMCG tsk->active_memcg = NULL; #endif + + fbfam_fork(tsk); return tsk; free_stack: From patchwork Thu Sep 10 20:21:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11769087 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E0E7F618 for ; Thu, 10 Sep 2020 20:22:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id BF614221E2 for ; Thu, 10 Sep 2020 20:22:15 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="WSKxrRh1" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726899AbgIJUWM (ORCPT ); Thu, 10 Sep 2020 16:22:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54874 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726968AbgIJUVm (ORCPT ); Thu, 10 Sep 2020 16:21:42 -0400 Received: from mail-pg1-x542.google.com (mail-pg1-x542.google.com [IPv6:2607:f8b0:4864:20::542]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C6C8FC0617A0 for ; Thu, 10 Sep 2020 13:21:20 -0700 (PDT) Received: by mail-pg1-x542.google.com with SMTP id f2so2882944pgd.3 for ; Thu, 10 Sep 2020 13:21:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=7r1rfre30aGq4hYAj5mMZd9aKhfhtSFtGbHwMdeYlE0=; b=WSKxrRh1zgAfDwGMo9L1sYHyOSqjXp+wb+YwpqiJT/Zb3NKDCzaVVT0HbYRYHs8jtw syDcuriSzwueAxNmNoSgZJ3aO/+dNCwSIlBAmgYX5A9wHlOOfBJPa/yeELcCY0MiEm+v nylpABXf8ROfraF5ukN6PNGINg1dckKo/9qxQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=7r1rfre30aGq4hYAj5mMZd9aKhfhtSFtGbHwMdeYlE0=; b=mF8ZTCMc8qTMDCfeVvaV5VI6KqZTMdBTTZePjlYII9iTgxC5/fMc86DzxF5+cVxAXt gp6Xtc2lLg6F5K5hE2MqUsBOqfcXE6feg+10+Hcs4eaEyWuuL2JGzesmj719kTDDxFic xn3BtcK7n1M4hx3gisHSlcbTh6U8HbIIbIpnEqd6jVgISGze9a9RV7Ez2oV+sVY0AOwk VUH75VVSgzrYeNn/ZFQ3vvgJSqyrEoS2rTqKyGTGSI3zF52xuAoVzdEER0ribb0jw5nd F6KMtE/nflMSQxADELGKLf0aTzHoCb4z8kPl142KEDB5jk04kfsbjpZqQkSThtBgMOqc j6Ig== X-Gm-Message-State: AOAM5316S0svpkgfr6gQcOYS9ZI2tJOEyysZ7Ocj45nrXmBTHbqiKmlp 9Psu4PKCe1OIbKAAMFClKpaYVA== X-Google-Smtp-Source: ABdhPJzItNXJVhR75anYSdIs4NQSDmbgQALJfcnBGhftyYgbxgDuvZlpz5suFQW/PoYrnFwTWnHvYQ== X-Received: by 2002:a62:7809:: with SMTP id t9mr6934123pfc.105.1599769280337; Thu, 10 Sep 2020 13:21:20 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id j9sm6655836pfe.170.2020.09.10.13.21.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Sep 2020 13:21:16 -0700 (PDT) From: Kees Cook To: kernel-hardening@lists.openwall.com Cc: Kees Cook , John Wood , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [RFC PATCH 4/6] security/fbfam: Add a new sysctl to control the crashing rate threshold Date: Thu, 10 Sep 2020 13:21:05 -0700 Message-Id: <20200910202107.3799376-5-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200910202107.3799376-1-keescook@chromium.org> References: <20200910202107.3799376-1-keescook@chromium.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: John Wood This is a previous step to add the detection feature. A fork brute force attack will be detected when an application crashes quickly. Since, a rate can be defined as a time per fault, add a new sysctl to control the crashing rate threshold. This way, each system can tune the detection's sensibility adjusting the milliseconds per fault. So, if the application's crashing rate falls under this threshold an attack will be detected. So, the higher this value, the faster an attack will be detected. Signed-off-by: John Wood --- include/fbfam/fbfam.h | 4 ++++ kernel/sysctl.c | 9 +++++++++ security/fbfam/Makefile | 1 + security/fbfam/fbfam.c | 11 +++++++++++ security/fbfam/sysctl.c | 20 ++++++++++++++++++++ 5 files changed, 45 insertions(+) create mode 100644 security/fbfam/sysctl.c diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h index b5b7d1127a52..2cfe51d2b0d5 100644 --- a/include/fbfam/fbfam.h +++ b/include/fbfam/fbfam.h @@ -3,8 +3,12 @@ #define _FBFAM_H_ #include +#include #ifdef CONFIG_FBFAM +#ifdef CONFIG_SYSCTL +extern struct ctl_table fbfam_sysctls[]; +#endif int fbfam_fork(struct task_struct *child); int fbfam_execve(void); int fbfam_exit(void); diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 09e70ee2332e..c3b4d737bef3 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -77,6 +77,8 @@ #include #include +#include + #ifdef CONFIG_X86 #include #include @@ -2660,6 +2662,13 @@ static struct ctl_table kern_table[] = { .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE, }, +#endif +#ifdef CONFIG_FBFAM + { + .procname = "fbfam", + .mode = 0555, + .child = fbfam_sysctls, + }, #endif { } }; diff --git a/security/fbfam/Makefile b/security/fbfam/Makefile index f4b9f0b19c44..b8d5751ecea4 100644 --- a/security/fbfam/Makefile +++ b/security/fbfam/Makefile @@ -1,2 +1,3 @@ # SPDX-License-Identifier: GPL-2.0 obj-$(CONFIG_FBFAM) += fbfam.o +obj-$(CONFIG_SYSCTL) += sysctl.o diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c index 0387f95f6408..9be4639b72eb 100644 --- a/security/fbfam/fbfam.c +++ b/security/fbfam/fbfam.c @@ -7,6 +7,17 @@ #include #include +/** + * sysctl_crashing_rate_threshold - Crashing rate threshold. + * + * The rate's units are in milliseconds per fault. + * + * A fork brute force attack will be detected if the application's crashing rate + * falls under this threshold. So, the higher this value, the faster an attack + * will be detected. + */ +unsigned long sysctl_crashing_rate_threshold = 30000; + /** * struct fbfam_stats - Fork brute force attack mitigation statistics. * @refc: Reference counter. diff --git a/security/fbfam/sysctl.c b/security/fbfam/sysctl.c new file mode 100644 index 000000000000..430323ad8e9f --- /dev/null +++ b/security/fbfam/sysctl.c @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0 +#include + +extern unsigned long sysctl_crashing_rate_threshold; +static unsigned long ulong_one = 1; +static unsigned long ulong_max = ULONG_MAX; + +struct ctl_table fbfam_sysctls[] = { + { + .procname = "crashing_rate_threshold", + .data = &sysctl_crashing_rate_threshold, + .maxlen = sizeof(sysctl_crashing_rate_threshold), + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, + .extra1 = &ulong_one, + .extra2 = &ulong_max, + }, + { } +}; + From patchwork Thu Sep 10 20:21:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11769101 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5E5A0698 for ; Thu, 10 Sep 2020 20:23:03 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3BCC520829 for ; Thu, 10 Sep 2020 20:23:03 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="QqSA5OLv" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725992AbgIJUWx (ORCPT ); Thu, 10 Sep 2020 16:22:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54912 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726994AbgIJUVz (ORCPT ); Thu, 10 Sep 2020 16:21:55 -0400 Received: from mail-pj1-x1044.google.com (mail-pj1-x1044.google.com [IPv6:2607:f8b0:4864:20::1044]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 295B4C0617AA for ; Thu, 10 Sep 2020 13:21:23 -0700 (PDT) Received: by mail-pj1-x1044.google.com with SMTP id u3so580907pjr.3 for ; Thu, 10 Sep 2020 13:21:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=fekJawXuRCxGrjYQI8OQvxsZTGlCFbLJj9FaUGr/A7E=; b=QqSA5OLvk2Qdik/W7fOSu9hkPXdjQzGi3H6oVrZUyklZ+UzgX6HE9UM609d6dK+kyh 54tXPlf8gvwGJYpP5jiKL4Mqt3GvS4R+0mJa2dhY7V+8gDdXSbCJ3tIl9uerrba1ObNl fq3FyNkenrkMAEkbOEdq32NFyGXYfubBxsfyo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=fekJawXuRCxGrjYQI8OQvxsZTGlCFbLJj9FaUGr/A7E=; b=NZoUcXrLHE4GkV1WEqJmC0A3CnpxagOv9R1ZM6FmUplxnqZoJo/0+dsWLcrbg0QWdq ZEyyPoWWK5l1pghkFj6sFU7nfe1S0vVft2nsK/fXnEN3o+by9kKU5lJ5qNbIdJH+HOfi mn/ZveJNGpKg/hl9J6Zp/y8bAgY2Py4zYgUzhskly8Tje7D4eSmeHtdHKJTypyMTb+7Z iotsS+ALPK7V+gCsRumsCOkj70PWSc0Z4FxXmK9tN6TJClx8HqWZyeXOv4/O7fs8I/Zq ydVrlcbUMrFebSs6bz0b36KStKGUmfUnVQ0YtkeKA7WrP7XEgaVjbKCdEmSITa7K0eRQ jO3Q== X-Gm-Message-State: AOAM533TtVjclRd6RbMq4ehcjA9SZCcfOBFf5g8EUrry11JmLYSWvrtJ jasObNk7sXxCt6m4apg1COxX/g== X-Google-Smtp-Source: ABdhPJymFVJ+9HWBVHudVut19/nL7d3aLa8ZpMZHZNa4qlaiqrKo1FAhdiapRQw62yOFnHB/LJtf8A== X-Received: by 2002:a17:90b:a51:: with SMTP id gw17mr1654063pjb.118.1599769282707; Thu, 10 Sep 2020 13:21:22 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id i17sm6876859pfa.2.2020.09.10.13.21.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Sep 2020 13:21:21 -0700 (PDT) From: Kees Cook To: kernel-hardening@lists.openwall.com Cc: Kees Cook , John Wood , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack Date: Thu, 10 Sep 2020 13:21:06 -0700 Message-Id: <20200910202107.3799376-6-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200910202107.3799376-1-keescook@chromium.org> References: <20200910202107.3799376-1-keescook@chromium.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: John Wood To detect a fork brute force attack it is necessary to compute the crashing rate of the application. This calculation is performed in each fatal fail of a task, or in other words, when a core dump is triggered. If this rate shows that the application is crashing quickly, there is a clear signal that an attack is happening. Since the crashing rate is computed in milliseconds per fault, if this rate goes under a certain threshold a warning is triggered. Signed-off-by: John Wood --- fs/coredump.c | 2 ++ include/fbfam/fbfam.h | 2 ++ security/fbfam/fbfam.c | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+) diff --git a/fs/coredump.c b/fs/coredump.c index 76e7c10edfc0..d4ba4e1828d5 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -51,6 +51,7 @@ #include "internal.h" #include +#include int core_uses_pid; unsigned int core_pipe_limit; @@ -825,6 +826,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) fail_creds: put_cred(cred); fail: + fbfam_handle_attack(siginfo->si_signo); return; } diff --git a/include/fbfam/fbfam.h b/include/fbfam/fbfam.h index 2cfe51d2b0d5..9ac8e33d8291 100644 --- a/include/fbfam/fbfam.h +++ b/include/fbfam/fbfam.h @@ -12,10 +12,12 @@ extern struct ctl_table fbfam_sysctls[]; int fbfam_fork(struct task_struct *child); int fbfam_execve(void); int fbfam_exit(void); +int fbfam_handle_attack(int signal); #else static inline int fbfam_fork(struct task_struct *child) { return 0; } static inline int fbfam_execve(void) { return 0; } static inline int fbfam_exit(void) { return 0; } +static inline int fbfam_handle_attack(int signal) { return 0; } #endif #endif /* _FBFAM_H_ */ diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c index 9be4639b72eb..3aa669e4ea51 100644 --- a/security/fbfam/fbfam.c +++ b/security/fbfam/fbfam.c @@ -4,7 +4,9 @@ #include #include #include +#include #include +#include #include /** @@ -172,3 +174,40 @@ int fbfam_exit(void) return 0; } +/** + * fbfam_handle_attack() - Fork brute force attack detection. + * @signal: Signal number that causes the core dump. + * + * The crashing rate of an application is computed in milliseconds per fault in + * each crash. So, if this rate goes under a certain threshold there is a clear + * signal that the application is crashing quickly. At this moment, a fork brute + * force attack is happening. + * + * Return: -EFAULT if the current task doesn't have statistical data. Zero + * otherwise. + */ +int fbfam_handle_attack(int signal) +{ + struct fbfam_stats *stats = current->fbfam_stats; + u64 delta_jiffies, delta_time; + u64 crashing_rate; + + if (!stats) + return -EFAULT; + + if (!(signal == SIGILL || signal == SIGBUS || signal == SIGKILL || + signal == SIGSEGV || signal == SIGSYS)) + return 0; + + stats->faults += 1; + + delta_jiffies = get_jiffies_64() - stats->jiffies; + delta_time = jiffies64_to_msecs(delta_jiffies); + crashing_rate = delta_time / (u64)stats->faults; + + if (crashing_rate < (u64)sysctl_crashing_rate_threshold) + pr_warn("fbfam: Fork brute force attack detected\n"); + + return 0; +} + From patchwork Thu Sep 10 20:21:07 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11769111 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A7A6714F6 for ; Thu, 10 Sep 2020 20:23:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 847AF221E2 for ; Thu, 10 Sep 2020 20:23:29 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="IcAkD4z1" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726434AbgIJUXT (ORCPT ); Thu, 10 Sep 2020 16:23:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54936 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727001AbgIJUWC (ORCPT ); Thu, 10 Sep 2020 16:22:02 -0400 Received: from mail-pj1-x1041.google.com (mail-pj1-x1041.google.com [IPv6:2607:f8b0:4864:20::1041]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D57AEC0617BC for ; Thu, 10 Sep 2020 13:21:23 -0700 (PDT) Received: by mail-pj1-x1041.google.com with SMTP id gf14so576573pjb.5 for ; Thu, 10 Sep 2020 13:21:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=AfgkhWr5TvQdUsjIexLihHefc7s9wXFiV4jpjvqj+P4=; b=IcAkD4z1/2S2dWxK0asptEvpDVQMKoSNKpWAR+6zYzikYLiAPypGc6/bX5F0imPsE7 MkE0O1TZK8LaTu5qFlEQkg4K5glh23k39a6UqEbwmlwKwof7KYPT/0hXh4MNToieMUdR JYV1fCi//9FyuuJt8WiHG8zeHG9pAxzJd/fSw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=AfgkhWr5TvQdUsjIexLihHefc7s9wXFiV4jpjvqj+P4=; b=uSzEhDUkiL4e6I9fF7nmyqGx62sMSAgWko74nyz1KqEsbJcgRlkZtXwTaEJ0CTBaP9 EI9U7ZSmoSwtcXHy2cjRHOBIkmLeTDx7CtnshvHdEPA1bmRt21xezVPlu4qeRK8WPwnf Eru+m3LwBpWiw7Kqx3a3G/6Lp5yH0sNES2RgyEHwBN6xb1a++IfqyZX1i2I11BesRJKT JdbwYTg1PoWf3DqLCmecYjikrLMrlBSlspFDMBAiGoDDR3wHSY5MX3nHBDKGe7QcJOLg XB2udBzhYAd4TlBLNKKhyQ1AVtEvudpyG4LrDG+xHg98JwXsASRRiEB8zjc47BrMTowM rH7Q== X-Gm-Message-State: AOAM530jHtSShfPeABUfsEH3YPUwvXtCs6igHXLvyYhGSRnyAYEDHOlV 2vnprgb47Le6QRg3ZnywAfgXZw== X-Google-Smtp-Source: ABdhPJzB6YHe1rp5zg2xo+FQRvAQwCLx++qVkJQa5at9cU43jBjrpf+5y4Cf716aA6XzEhbVIBp+Zw== X-Received: by 2002:a17:90a:cc0e:: with SMTP id b14mr1520840pju.166.1599769283338; Thu, 10 Sep 2020 13:21:23 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id r123sm7002776pfc.187.2020.09.10.13.21.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Sep 2020 13:21:21 -0700 (PDT) From: Kees Cook To: kernel-hardening@lists.openwall.com Cc: Kees Cook , John Wood , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [RFC PATCH 6/6] security/fbfam: Mitigate a fork brute force attack Date: Thu, 10 Sep 2020 13:21:07 -0700 Message-Id: <20200910202107.3799376-7-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200910202107.3799376-1-keescook@chromium.org> References: <20200910202107.3799376-1-keescook@chromium.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: John Wood In order to mitigate a fork brute force attack it is necessary to kill all the offending tasks. This tasks are all the ones that share the statistical data with the current task (the task that has crashed). Since the attack detection is done in the function fbfam_handle_attack() that is called every time a core dump is triggered, only is needed to kill the others tasks that share the same statistical data, not the current one as this is in the path to be killed. When the SIGKILL signal is sent to the offending tasks from the function fbfam_kill_tasks(), this one will be called again during the core dump due to the shared statistical data shows a quickly crashing rate. So, to avoid kill again the same tasks due to a recursive call of this function, it is necessary to disable the attack detection. To disable this attack detection, add a condition in the function fbfam_handle_attack() to not compute the crashing rate when the jiffies stored in the statistical data are set to zero. Signed-off-by: John Wood --- security/fbfam/fbfam.c | 76 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 71 insertions(+), 5 deletions(-) diff --git a/security/fbfam/fbfam.c b/security/fbfam/fbfam.c index 3aa669e4ea51..173a6122390f 100644 --- a/security/fbfam/fbfam.c +++ b/security/fbfam/fbfam.c @@ -4,8 +4,11 @@ #include #include #include +#include #include +#include #include +#include #include #include @@ -24,7 +27,8 @@ unsigned long sysctl_crashing_rate_threshold = 30000; * struct fbfam_stats - Fork brute force attack mitigation statistics. * @refc: Reference counter. * @faults: Number of crashes since jiffies. - * @jiffies: First fork or execve timestamp. + * @jiffies: First fork or execve timestamp. If zero, the attack detection is + * disabled. * * The purpose of this structure is to manage all the necessary information to * compute the crashing rate of an application. So, it holds a first fork or @@ -175,13 +179,69 @@ int fbfam_exit(void) } /** - * fbfam_handle_attack() - Fork brute force attack detection. + * fbfam_kill_tasks() - Kill the offending tasks + * + * When a fork brute force attack is detected it is necessary to kill all the + * offending tasks. Since this function is called from fbfam_handle_attack(), + * and so, every time a core dump is triggered, only is needed to kill the + * others tasks that share the same statistical data, not the current one as + * this is in the path to be killed. + * + * When the SIGKILL signal is sent to the offending tasks, this function will be + * called again during the core dump due to the shared statistical data shows a + * quickly crashing rate. So, to avoid kill again the same tasks due to a + * recursive call of this function, it is necessary to disable the attack + * detection setting the jiffies to zero. + * + * To improve the for_each_process loop it is possible to end it when all the + * tasks that shared the same statistics are found. + * + * Return: -EFAULT if the current task doesn't have statistical data. Zero + * otherwise. + */ +static int fbfam_kill_tasks(void) +{ + struct fbfam_stats *stats = current->fbfam_stats; + struct task_struct *p; + unsigned int to_kill, killed = 0; + + if (!stats) + return -EFAULT; + + to_kill = refcount_read(&stats->refc) - 1; + if (!to_kill) + return 0; + + /* Disable the attack detection */ + stats->jiffies = 0; + rcu_read_lock(); + + for_each_process(p) { + if (p == current || p->fbfam_stats != stats) + continue; + + do_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_PID); + pr_warn("fbfam: Offending process with PID %d killed\n", + p->pid); + + killed += 1; + if (killed >= to_kill) + break; + } + + rcu_read_unlock(); + return 0; +} + +/** + * fbfam_handle_attack() - Fork brute force attack detection and mitigation. * @signal: Signal number that causes the core dump. * * The crashing rate of an application is computed in milliseconds per fault in * each crash. So, if this rate goes under a certain threshold there is a clear * signal that the application is crashing quickly. At this moment, a fork brute - * force attack is happening. + * force attack is happening. Under this scenario it is necessary to kill all + * the offending tasks in order to mitigate the attack. * * Return: -EFAULT if the current task doesn't have statistical data. Zero * otherwise. @@ -195,6 +255,10 @@ int fbfam_handle_attack(int signal) if (!stats) return -EFAULT; + /* The attack detection is disabled */ + if (!stats->jiffies) + return 0; + if (!(signal == SIGILL || signal == SIGBUS || signal == SIGKILL || signal == SIGSEGV || signal == SIGSYS)) return 0; @@ -205,9 +269,11 @@ int fbfam_handle_attack(int signal) delta_time = jiffies64_to_msecs(delta_jiffies); crashing_rate = delta_time / (u64)stats->faults; - if (crashing_rate < (u64)sysctl_crashing_rate_threshold) - pr_warn("fbfam: Fork brute force attack detected\n"); + if (crashing_rate >= (u64)sysctl_crashing_rate_threshold) + return 0; + pr_warn("fbfam: Fork brute force attack detected\n"); + fbfam_kill_tasks(); return 0; }