Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack

[RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · Kees Cook <hidden> · 2020-09-10
[RFC PATCH 1/6] security/fbfam: Add a Kconfig to enable the fbfam feature · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 1/6] security/fbfam: Add a Kconfig to enable the fbfam feature · Jann Horn <jannh@google.com> · 2020-09-10
Re: [RFC PATCH 1/6] security/fbfam: Add a Kconfig to enable the fbfam feature · John Wood <hidden> · 2020-09-17
Re: [RFC PATCH 1/6] security/fbfam: Add a Kconfig to enable the fbfam feature · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 1/6] security/fbfam: Add a Kconfig to enable the fbfam feature · John Wood <hidden> · 2020-09-17
Re: [RFC PATCH 1/6] security/fbfam: Add a Kconfig to enable the fbfam feature · Kees Cook <hidden> · 2020-09-17
Re: [RFC PATCH 1/6] security/fbfam: Add a Kconfig to enable the fbfam feature · John Wood <hidden> · 2020-09-18
[RFC PATCH 4/6] security/fbfam: Add a new sysctl to control the crashing rate threshold · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 4/6] security/fbfam: Add a new sysctl to control the crashing rate threshold · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 4/6] security/fbfam: Add a new sysctl to control the crashing rate threshold · John Wood <hidden> · 2020-09-13
[RFC PATCH 3/6] security/fbfam: Use the api to manage statistics · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 3/6] security/fbfam: Use the api to manage statistics · Jann Horn <jannh@google.com> · 2020-09-10
Re: [RFC PATCH 3/6] security/fbfam: Use the api to manage statistics · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 3/6] security/fbfam: Use the api to manage statistics · Steven Rostedt <rostedt@goodmis.org> · 2020-09-29
Re: [RFC PATCH 3/6] security/fbfam: Use the api to manage statistics · Steven Rostedt <rostedt@goodmis.org> · 2020-09-29
Re: [RFC PATCH 3/6] security/fbfam: Use the api to manage statistics · John Wood <hidden> · 2020-10-03
[RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack · Jann Horn <jannh@google.com> · 2020-09-10
Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack · John Wood <hidden> · 2020-09-13
Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack · Jann Horn <jannh@google.com> · 2020-09-14
Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack · John Wood <hidden> · 2020-09-15
Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack · Jann Horn <jannh@google.com> · 2020-09-11
Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack · John Wood <hidden> · 2020-09-13
Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack · Jann Horn <jannh@google.com> · 2020-09-14
Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack · John Wood <hidden> · 2020-09-15
[RFC PATCH 2/6] security/fbfam: Add the api to manage statistics · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 2/6] security/fbfam: Add the api to manage statistics · Kees Cook <hidden> · 2020-09-10
[RFC PATCH 6/6] security/fbfam: Mitigate a fork brute force attack · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 6/6] security/fbfam: Mitigate a fork brute force attack · Jann Horn <jannh@google.com> · 2020-09-10
Re: [RFC PATCH 6/6] security/fbfam: Mitigate a fork brute force attack · Kees Cook <hidden> · 2020-09-10
Re: [RFC PATCH 6/6] security/fbfam: Mitigate a fork brute force attack · Jann Horn <jannh@google.com> · 2020-09-11
Re: [RFC PATCH 6/6] security/fbfam: Mitigate a fork brute force attack · John Wood <hidden> · 2020-09-18
Re: [RFC PATCH 6/6] security/fbfam: Mitigate a fork brute force attack · Kees Cook <hidden> · 2020-09-18
Re: [RFC PATCH 6/6] security/fbfam: Mitigate a fork brute force attack · John Wood <hidden> · 2020-09-19
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · Jann Horn <jannh@google.com> · 2020-09-10
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · Kees Cook <hidden> · 2020-09-10
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · John Wood <hidden> · 2020-09-11
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · Kees Cook <hidden> · 2020-09-12
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · John Wood <hidden> · 2020-09-12
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · James Morris <jmorris@namei.org> · 2020-09-12
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · Kees Cook <hidden> · 2020-09-12
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · John Wood <hidden> · 2020-09-12
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · Mel Gorman <mgorman@suse.de> · 2020-09-12
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · Ondrej Mosnacek <omosnace@redhat.com> · 2020-09-12
Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam) · John Wood <hidden> · 2020-09-13

From: Jann Horn <jannh@google.com>
Date: 2020-09-11 00:02:35
Also in: linux-doc, linux-fsdevel, lkml

On Fri, Sep 11, 2020 at 1:49 AM Kees Cook [off-list ref] wrote:

On Thu, Sep 10, 2020 at 01:21:06PM -0700, Kees Cook wrote:

quoted

From: John Wood <redacted>

To detect a fork brute force attack it is necessary to compute the
crashing rate of the application. This calculation is performed in each
fatal fail of a task, or in other words, when a core dump is triggered.
If this rate shows that the application is crashing quickly, there is a
clear signal that an attack is happening.

Since the crashing rate is computed in milliseconds per fault, if this
rate goes under a certain threshold a warning is triggered.

Signed-off-by: John Wood <redacted>
---
 fs/coredump.c          |  2 ++
 include/fbfam/fbfam.h  |  2 ++
 security/fbfam/fbfam.c | 39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+)

diff --git a/fs/coredump.c b/fs/coredump.c
index 76e7c10edfc0..d4ba4e1828d5 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c

@@ -51,6 +51,7 @@
 #include "internal.h"

 #include <trace/events/sched.h>
+#include <fbfam/fbfam.h>

 int core_uses_pid;
 unsigned int core_pipe_limit;

@@ -825,6 +826,7 @@ void do_coredump(const kernel_siginfo_t *siginfo)
 fail_creds:
      put_cred(cred);
 fail:
+     fbfam_handle_attack(siginfo->si_signo);

I don't think this is the right place for detecting a crash -- isn't
this only for the "dumping core" condition? In other words, don't you
want to do this in get_signal()'s "fatal" block? (i.e. very close to the
do_coredump, but without the "should I dump?" check?)

Hmm, but maybe I'm wrong? It looks like you're looking at noticing the
process taking a signal from SIG_KERNEL_COREDUMP_MASK ?

(Better yet: what are fatal conditions that do NOT match
SIG_KERNEL_COREDUMP_MASK, and should those be covered?)

Regardless, *this* looks like the only place without an LSM hook. And it
doesn't seem unreasonable to add one here. I assume it would probably
just take the siginfo pointer, which is also what you're checking.

Good point, making this an LSM might be a good idea.

e.g. for include/linux/lsm_hook_defs.h:

LSM_HOOK(int, 0, task_coredump, const kernel_siginfo_t *siginfo);

I guess it should probably be an LSM_RET_VOID hook? And since, as you
said, it's not really semantically about core dumping, maybe it should
be named task_fatal_signal or something like that.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help