Hi,
one spello in 2 locations:
On 2/21/21 7:49 AM, John Wood wrote:
To detect a brute force attack it is necessary that the statistics shared by all the fork hierarchy processes be updated on every fatal crash, and the most important data to update is the application crash period. To do so, use the new "task_fatal_signal" LSM hook added in a previous step.
The application crash period must be a value that is not prone to change due to spurious data and follows the real crash period. So, to compute it, the exponential moving average (EMA) is used.
There are two types of brute force attacks that need to be detected. The first one is an attack that happens through the fork system call and the second one is an attack that happens through the execve system call. The first type uses the statistics shared by all the fork hierarchy processes, but the second type cannot use this statistical data because these statistics dissapear when the involved tasks have finished. In this
disappear
last scenario the attack info should be tracked by the statistics of a higher fork hierarchy (the hierarchy that contains the process that forks before the execve system call).
Moreover, these two attack types have two variants: a slow brute force attack, which is detected if the maximum number of faults per fork hierarchy is reached, and a fast brute force attack, which is detected if the application crash period falls below a certain threshold.
Also, this patch adds locking to protect the statistics pointer held by every process.
Signed-off-by: John Wood <john.wood@gmx.com>
security/brute/brute.c | 488 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 474 insertions(+), 14 deletions(-)
diff --git a/security/brute/brute.c b/security/brute/brute.c index 70f812bb7763..645bd6e02638 100644 --- a/security/brute/brute.c +++ b/security/brute/brute.c
+/**
- brute_get_exec_stats() - Get the exec statistics.
- @stats: When this function is called, this parameter must point to the
current process' statistical data. When this function returns, this
parameter points to the parent process' statistics of the fork
hierarchy that hold the current process' statistics.
- To manage a brute force attack that happens through the execve system call it
- is not possible to use the statistical data hold by this process due to these
- statistics dissapear when this task is finished. In this scenario this data
disappear
- should be tracked by the statistics of a higher fork hierarchy (the hierarchy
- that contains the process that forks before the execve system call).
- To find these statistics the current fork hierarchy must be traversed up
- until new statistics are found.
- Context: Must be called with tasklist_lock and brute_stats_ptr_lock held.
- */
+static void brute_get_exec_stats(struct brute_stats **stats) +{
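Review bot: the @stats description leaves the not-found case undocumented. The text says the hierarchy is traversed up until new statistics are found, but not what *stats holds when the top of the hierarchy is reached without finding any; state whether it is left unchanged or set to NULL, since callers must know which before dereferencing it.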
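Added here to illustrate the mechanism the commit message describes, not code from the patch or the brute LSM: a user-space C model of the EMA crash period and of the slow (fault limit) and fast (period threshold) checks. The 7/10 weight, the fault limit, the minimum sample count, the threshold and all names are assumed placeholders.

```c
/* Added example, not the patch's code: user-space model of the shared
 * fork-hierarchy crash statistics. Weights, limits and threshold are
 * assumed placeholders, not the brute LSM's own constants. */
#include <stdint.h>

#define EMA_OLD_WEIGHT      7     /* old average keeps 7/10 of its weight, */
#define EMA_DENOMINATOR     10    /* so one spurious long gap cannot reset it */
#define MAX_FAULTS          200   /* slow attack: faults per hierarchy reached */
#define MIN_FAULTS          5     /* fast attack needs a few samples first */
#define PERIOD_THRESHOLD_MS 30000 /* fast attack: EMA crash period below this */
/* Statistics shared by every process of one fork hierarchy. */
struct brute_stats {
	uint64_t last_crash_ms; /* time of the previous fatal crash */
	uint64_t period_ms;     /* EMA of the time between fatal crashes */
	uint32_t faults;        /* fatal crashes counted in this hierarchy */
};
enum brute_verdict { BRUTE_OK, BRUTE_SLOW_ATTACK, BRUTE_FAST_ATTACK };
/* Integer exponential moving average: 7/10 old average, 3/10 new sample. */
static uint64_t ema_update(uint64_t old, uint64_t sample)
{
	return (EMA_OLD_WEIGHT * old +
		(EMA_DENOMINATOR - EMA_OLD_WEIGHT) * sample) / EMA_DENOMINATOR;
}
/* What a task_fatal_signal hook would do: fold this crash into the shared
 * statistics (the first interval seeds the average), then classify. */
enum brute_verdict brute_fatal_crash(struct brute_stats *s, uint64_t now_ms)
{
	if (s->faults > 0) {
		uint64_t delta = now_ms - s->last_crash_ms;
		s->period_ms = s->faults == 1 ? delta : ema_update(s->period_ms, delta);
	}
	s->last_crash_ms = now_ms;
	s->faults++;
	if (s->faults >= MAX_FAULTS)
		return BRUTE_SLOW_ATTACK;
	if (s->faults >= MIN_FAULTS && s->period_ms < PERIOD_THRESHOLD_MS)
		return BRUTE_FAST_ATTACK;
	return BRUTE_OK;
}
/* Drive n crashes spaced interval_ms apart through fresh statistics and
 * return the verdict for the last one. */
enum brute_verdict simulate(unsigned n, uint64_t interval_ms)
{
	struct brute_stats s = { 0 };
	enum brute_verdict v = BRUTE_OK;
	for (unsigned i = 0; i < n; i++)
		v = brute_fatal_crash(&s, (uint64_t)i * interval_ms);
	return v;
}
```

A burst of crashes one second apart trips the fast check on the fifth one, while crashes spaced well above the threshold are only flagged once the fault limit is reached.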