All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 1/9] Known exploit detection
@ 2013-12-12 16:52 vegard.nossum
  2013-12-12 16:52 ` [PATCH 2/9] exploit: report to audit subsystem when available vegard.nossum
                   ` (11 more replies)
  0 siblings, 12 replies; 49+ messages in thread
From: vegard.nossum @ 2013-12-12 16:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Vegard Nossum, Tommi Rantala, Ingo Molnar, Eric W. Biederman,
	Andy Lutomirski, Kees Cook, Daniel Vetter, Alan Cox,
	Greg Kroah-Hartman, Jason Wang, David S. Miller, Dan Carpenter,
	James Morris

From: Vegard Nossum <vegard.nossum@oracle.com>

The idea is simple -- since different kernel versions are vulnerable to
different root exploits, hackers most likely try multiple exploits before
they actually succeed.

Fixing an exploitable kernel bug usually means adding a check to see if
what a userspace program tried to do is allowed and makes sense (for
example, writing beyond the end of an array is a bug and can be fixed by
checking that the index provided by userspace is indeed within the array
bounds).

Instead of just returning an error when these extra checks fail, we can
also give the system administrator a heads up that somebody supplied this
invalid input that would have lead to elevated privileges on earlier
versions of the kernel.

This serves as a practical, low-overhead early-detection of malicious users
(and/or buggy userspace programs) to system administrators.

I propose limiting the annotation of known exploits to the most serious
type of exploit, namely where the attacker otherwise silently gains
root/elevated capabilities. For sure, there is little point in calling
exploit() where an older kernel would just panic or OOM.

I also propose to keep each exploit() annotation around for only ~5 years
after the bug was discovered/fixed. This will allow us to catch most of the
intrusion attempts while still not littering the kernel code forever.

Cc: Tommi Rantala <tt.rantala@gmail.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
---
 include/linux/exploit.h |   23 +++++++++++++++++++++++
 security/Kconfig        |   14 +++++++++++++-
 security/Makefile       |    2 ++
 security/exploit.c      |   28 ++++++++++++++++++++++++++++
 4 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 include/linux/exploit.h
 create mode 100644 security/exploit.c

diff --git a/include/linux/exploit.h b/include/linux/exploit.h
new file mode 100644
index 0000000..a8df72a
--- /dev/null
+++ b/include/linux/exploit.h
@@ -0,0 +1,23 @@
+#ifndef _LINUX_EXPLOIT_H
+#define _LINUX_EXPLOIT_H
+
+#ifdef CONFIG_EXPLOIT_DETECTION
+extern void _exploit(const char *id);
+
+#define exploit_on(cond, id) \
+	do { \
+		if (unlikely(cond)) \
+			_exploit(id); \
+	} while (0)
+
+#else
+
+#define exploit_on(cond, id) \
+	do { \
+	} while (0)
+
+#endif
+
+#define exploit(id) exploit_on(true, id)
+
+#endif
diff --git a/security/Kconfig b/security/Kconfig
index e9c6ac7..a828dfb 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -167,5 +167,17 @@ config DEFAULT_SECURITY
 	default "yama" if DEFAULT_SECURITY_YAMA
 	default "" if DEFAULT_SECURITY_DAC
 
-endmenu
+config EXPLOIT_DETECTION
+	bool "Known exploit detection"
+	depends on PRINTK
+	default y
+	help
+	  This option enables the detection of users/programs who attempt to
+	  break into the kernel using publicly known (past) exploits.
+
+	  Upon detection, a message will be printed in the kernel log.
 
+	  The runtime overhead of enabling this option is extremely small, so
+	  you are recommended to say Y.
+
+endmenu
diff --git a/security/Makefile b/security/Makefile
index c26c81e..d152a1d 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -28,3 +28,5 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
 # Object integrity file lists
 subdir-$(CONFIG_INTEGRITY)		+= integrity
 obj-$(CONFIG_INTEGRITY)			+= integrity/built-in.o
+
+obj-$(CONFIG_EXPLOIT_DETECTION)		+= exploit.o
diff --git a/security/exploit.c b/security/exploit.c
new file mode 100644
index 0000000..a732613
--- /dev/null
+++ b/security/exploit.c
@@ -0,0 +1,28 @@
+#include <linux/cred.h>
+#include <linux/exploit.h>
+#include <linux/printk.h>
+#include <linux/ratelimit.h>
+#include <linux/sched.h>
+
+void _exploit(const char *id)
+{
+	/*
+	 * This function needs to be super defensive/conservative, since
+	 * userspace can easily get to it from several different contexts.
+	 * We don't want it to become an attack vector in itself!
+	 *
+	 * We can assume that we're in process context, but spinlocks may
+	 * be held, etc.
+	 */
+
+	struct task_struct *task = current;
+	pid_t pid = task_pid_nr(task);
+	uid_t uid = from_kuid(&init_user_ns, current_uid());
+	char comm[sizeof(task->comm)];
+
+	get_task_comm(comm, task);
+
+	pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
+		id, pid, uid, comm);
+}
+EXPORT_SYMBOL(_exploit);
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 49+ messages in thread

end of thread, other threads:[~2013-12-19  6:14 UTC | newest]

Thread overview: 49+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-12-12 16:52 [PATCH 1/9] Known exploit detection vegard.nossum
2013-12-12 16:52 ` [PATCH 2/9] exploit: report to audit subsystem when available vegard.nossum
2013-12-12 16:52 ` [PATCH 3/9] hfs: Known exploit detection for CVE-2011-4330 vegard.nossum
2013-12-13  8:00   ` Dan Carpenter
2013-12-12 16:52 ` [PATCH 4/9] net: Known exploit detection for CVE-2012-2136 vegard.nossum
2013-12-12 16:52 ` [PATCH 5/9] hfsplus: Known exploit detection for CVE-2012-2319 vegard.nossum
2013-12-13  1:40   ` Greg Kroah-Hartman
2013-12-13 11:14   ` One Thousand Gnomes
2013-12-12 16:52 ` [PATCH 6/9] x86: Known exploit detection for CVE-2013-0268 vegard.nossum
2013-12-12 16:52 ` [PATCH 7/9] drm/i915: Known exploit detection for CVE-2013-0913 vegard.nossum
2013-12-12 16:52 ` [PATCH 8/9] userns: Known exploit detection for CVE-2013-1959 vegard.nossum
2013-12-12 16:52 ` [PATCH 9/9] perf: Known exploit detection for CVE-2013-2094 vegard.nossum
2013-12-12 19:06 ` [PATCH 1/9] Known exploit detection Theodore Ts'o
2013-12-12 21:13   ` Kees Cook
2013-12-12 23:50     ` Ryan Mallon
2013-12-12 23:55       ` Kees Cook
2013-12-13 11:10         ` One Thousand Gnomes
2013-12-13 14:21           ` Jiri Kosina
2013-12-13  9:20       ` Vegard Nossum
2013-12-13 22:49         ` Ryan Mallon
2013-12-13 13:06       ` Ingo Molnar
2013-12-13 15:55         ` Jason Cooper
2013-12-13 23:07         ` Ryan Mallon
2013-12-13  0:25     ` Dave Jones
2013-12-13  0:45       ` Andy Lutomirski
2013-12-13  1:42       ` Greg Kroah-Hartman
2013-12-13  1:44         ` Dave Jones
2013-12-13  5:09         ` James Morris
2013-12-13  5:46           ` Theodore Ts'o
2013-12-13 13:19             ` Ingo Molnar
2013-12-13 10:21           ` Vegard Nossum
2013-12-13 10:31         ` Alexander Holler
2013-12-13 11:48           ` Dan Carpenter
2013-12-13 11:57             ` Greg Kroah-Hartman
2013-12-13 13:23             ` Ingo Molnar
2013-12-13 18:00               ` Kees Cook
2013-12-13 17:58         ` Kees Cook
2013-12-13 18:14           ` Linus Torvalds
2013-12-13 18:37             ` Kees Cook
2013-12-13  5:27     ` Theodore Ts'o
2013-12-13  9:32       ` Jiri Kosina
2013-12-13 18:07       ` Kees Cook
2013-12-13  9:12     ` Vegard Nossum
2013-12-13 13:27       ` Ingo Molnar
2013-12-13  8:20   ` Vegard Nossum
2013-12-14 23:59   ` Ryan Mallon
2013-12-13 12:54 ` Ingo Molnar
2013-12-16  5:17 ` Sasha Levin
2013-12-19  6:14 ` David Rientjes

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.