From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.4 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D2C8DC433E2 for ; Mon, 14 Sep 2020 19:43:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9818921BE5 for ; Mon, 14 Sep 2020 19:43:14 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="MvgJXiZx" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726046AbgINTnN (ORCPT ); Mon, 14 Sep 2020 15:43:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58268 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726023AbgINTnG (ORCPT ); Mon, 14 Sep 2020 15:43:06 -0400 Received: from mail-ed1-x543.google.com (mail-ed1-x543.google.com [IPv6:2a00:1450:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 60C6DC06178A for ; Mon, 14 Sep 2020 12:43:05 -0700 (PDT) Received: by mail-ed1-x543.google.com with SMTP id j2so738619eds.9 for ; Mon, 14 Sep 2020 12:43:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B26ZPwSMQkEgl0FLKfBn1bcFzAEPMlr/0cRYgdbCJm4=; b=MvgJXiZx2nV1v+RFwDa0Ew2gpF/YMUm1Qzl9uP0JoeTwPkWschjlATZudFOjyAIymN jJB7CAfq+BpdKpEqeroG5Y7ueTlhTlgM+6LKj7M/TcVdvxK4rdi9pYpCVGasFgNnIweT 66+OK8SAHXNYBvklweFjzvmaa+Q7pxQDrOuyV4OSavfjbUh/GTOB0/dTGHcXB5og63fs hvyUH+1dQT5+qQQyzqRC8vgQa2klF9z87EZ56xelz5zRMKd7xRTRJDyE/7GPPA7Gsper vQGtuke/Cs2S3Z/KC4HPmMFtSHp3XPc5cMLPQw2vv+ytvQBW4AUOUbR1dxtFSHQYUW0E xajw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B26ZPwSMQkEgl0FLKfBn1bcFzAEPMlr/0cRYgdbCJm4=; b=Q/GlNFiKtE0+cMSKg991n1I/3jC0z29JZ5fTVrOykPljqff9lGsEnZ9y1escoWUaMh x3+gA/qOKwe8GicJMHJ8L4EJ29CgjXZZEJtFRbWJlq+inImHdf1KK3ujgo6iFUGv07B1 WLr7S16ThFI6iLjnlzlsvjU4LmWrsCnHWv5STXb9EkWhp4VugeMyUaWtvTzrLtLnapID x+cw0QVEFpZrLxQhXm1Z2Pve9Dual78MkpUL8rRLVClZ4+EWsZOyj4bCwDiorbTbjsMz 0A+yMVZIn87n3TYkT2Vt3YfFQqfH6b7nobMmTlzCcu1zLaWo4NLNUqWHFsPDusbj1Gmb BCtA== X-Gm-Message-State: AOAM532DXNkxrzaIjRgasXbnBxQh+KwRRDSNrwo2EKFKls12eHJjeLo5 yMW/vShCP9eAhPIW3NCqu1wD4ZXE67sF3CTfbdoP5A== X-Google-Smtp-Source: ABdhPJwIyj+9kqnlMOpAnTl++v/tLI6DikXxNqu6vECzgkcVLWCncCazo3lOF4hNj+FGq7wU79q5bP4k/TU5T/il6ac= X-Received: by 2002:a05:6402:176c:: with SMTP id da12mr19288248edb.386.1600112583753; Mon, 14 Sep 2020 12:43:03 -0700 (PDT) MIME-Version: 1.0 References: <20200910202107.3799376-1-keescook@chromium.org> <20200910202107.3799376-6-keescook@chromium.org> <20200913172415.GA2880@ubuntu> In-Reply-To: <20200913172415.GA2880@ubuntu> From: Jann Horn Date: Mon, 14 Sep 2020 21:42:37 +0200 Message-ID: Subject: Re: [RFC PATCH 5/6] security/fbfam: Detect a fork brute force attack To: John Wood Cc: Kees Cook , Kernel Hardening , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, kernel list , linux-fsdevel , linux-security-module Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Sep 13, 2020 at 7:55 PM John Wood wrote: > On Thu, Sep 10, 2020 at 11:10:38PM +0200, Jann Horn wrote: > > On Thu, Sep 10, 2020 at 10:22 PM Kees Cook wrote: > > > To detect a fork brute force attack it is necessary to compute the > > > crashing rate of the application. This calculation is performed in each > > > fatal fail of a task, or in other words, when a core dump is triggered. > > > If this rate shows that the application is crashing quickly, there is a > > > clear signal that an attack is happening. > > > > > > Since the crashing rate is computed in milliseconds per fault, if this > > > rate goes under a certain threshold a warning is triggered. [...] > > > + delta_jiffies = get_jiffies_64() - stats->jiffies; > > > + delta_time = jiffies64_to_msecs(delta_jiffies); > > > + crashing_rate = delta_time / (u64)stats->faults; > > > > Do I see this correctly, is this computing the total runtime of this > > process hierarchy divided by the total number of faults seen in this > > process hierarchy? If so, you may want to reconsider whether that's > > really the behavior you want. For example, if I configure the minimum > > period between crashes to be 30s (as is the default in the sysctl > > patch), and I try to attack a server that has been running without any > > crashes for a month, I'd instantly be able to crash around > > 30*24*60*60/30 = 86400 times before the detection kicks in. That seems > > suboptimal. > > You are right. This is not the behaviour we want. So, for the next > version it would be better to compute the crashing period as the time > between two faults, or the time between the execve call and the first > fault (first fault case). > > However, I am afraid of a premature detection if a child process fails > twice in a short period. > > So, I think it would be a good idea add a new sysctl to setup a > minimum number of faults before the time between faults starts to be > computed. And so, the attack detection only will be triggered if the > application crashes quickly but after a number of crashes. > > What do you think? You could keep a list of the timestamps of the last five crashes or so, and then take action if the last five crashes happened within (5-1)*crash_period_limit time.