Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CVEHound: Audit Kernel Sources for Missing CVE ...

Denis
October 01, 2021
Programming
0
470

CVEHound: Audit Kernel Sources for Missing CVE Fixes

Video: https://www.youtube.com/watch?v=jIDnVeZNUA8

CVEHound is a tool for checking Linux kernel sources for missing CVE fixes. Usual ways to track CVE fixes are vendor security announcements and a git history of a particular kernel tree. However, many vendors provide sources as tarballs without development history and don't publish enough information about security fixes. Hence, it's not possible to check these releases automatically without manually inspecting sources. CVEHound takes into account only C source code during work. Internally, the tool uses semantic patches (coccinelle patterns) to find missing backports of CVE fixes. This allows the tool to be agnostic from the kernel version and detect a missing fix in a half-open interval starting from the first commit where a bug was introduced and ending with the fix/backport patch. Since the tool uses a source-based approach this allows also to detect partial/broken/missing backports of security fixes. The talk is a tool presentation with a corresponding approach that can be interesting to kernel developers for maintaining kernel trees, certification labs for compliance checking, system administrators, and penetration testers for security audits.

Denis

October 01, 2021
Tweet

More Decks by Denis

See All by Denis
CVEhound: check Linux sources for known CVEs
efremov
0
69
Инструменты тестирования ядра Linux
efremov
0
130
Formal verification of operating system kernels
efremov
0
30
Runtime Verification of Linux Kernel Security Module
efremov
0
86
Modifications in Frama-C framework for handling Linux kernel code
efremov
0
130
Continuous deductive verification with Frama-C
efremov
0
120
Deductive verification of unmodified Linux kernel library functions
efremov
1
47
Health Insurance Support System (Blockchain Based)
efremov
0
120
Formal Verification of a Linux Security Module
efremov
0
110

Other Decks in Programming

See All in Programming
Realtime API 入門
riofujimon
0
110
Modern Angular: Renovation for Your Applications
manfredsteyer
PRO
0
210
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.1k
Importmapを使ったJavaScriptの 読み込みとブラウザアドオンの影響
swamp09
4
1.3k
cXML という電子商取引の トランザクションを支える プロトコルと向きあっている話
phigasui
3
2.3k
PLoP 2024: The evolution of the microservice architecture pattern language
cer
PRO
0
1.7k
のびしろを広げる巻き込まれ力:偶然を活かすキャリアの作り方/oso2024
takahashiikki
1
410
【Kaigi on Rails 2024】YOUTRUST スポンサーLT
krpk1900
1
250
Golang と Erlang
taiyow
8
1.9k
Outline View in SwiftUI
1024jp
1
160
Sidekiqで実現する 長時間非同期処理の中断と再開 / Pausing and Resuming Long-Running Asynchronous Jobs with Sidekiq
hypermkt
6
2.7k
Synchronizationを支える技術
s_shimotori
1
150

Featured

See All Featured
Unsuck your backbone
ammeep
668
57k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Building Applications with DynamoDB
mza
90
6.1k
RailsConf 2023
tenderlove
29
880
Learning to Love Humans: Emotional Interface Design
aarron
272
40k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
14
1.9k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k

Transcript

  1. @efrmv CVEhound Denis Efremov / Oracle

  2. What? • CVEhound tool to detect absence of patches in

    the kernel sources – Project started in December 2020 – GPLv3 for python code, GPLv2 for CVE detection rules • Doesn’t look at kernel version • Doesn’t require .git • Doesn’t need build information

  3. What? • CVEhound tool to detect absence of patches in

    the kernel sources – Project started in December 2020 – GPLv3 for python code, GPLv2 for CVE detection rules • Doesn’t look at kernel version • Doesn’t require .git • Doesn’t need build information • 223 CVEs described

  4. What? • CVEhound tool to detect absence of patches in

    the kernel sources – Project started in December 2020 – GPLv3 for python code, GPLv2 for CVE detection rules • Doesn’t look at kernel version • Doesn’t require .git • Doesn’t need build information • 223 CVEs described • Filters – CONFIG_ options • .config analysis based on undertaker project – Files, subdirectories – CWE, exploit status, …

  5. What? • CVEhound tool to detect absence of patches in

    the kernel sources – Project started in December 2020 – GPLv3 for python code, GPLv2 for CVE detection rules • Doesn’t look at kernel version • Doesn’t require .git • Doesn’t need build information • 223 CVEs described • Filters – CONFIG_ options • .config analysis based on undertaker project – Files, subdirectories – CWE, exploit status, … • CVE metadata from linuxkernelcves.com • Reports generation for CI

  6. Why? Context • Kernel vulnerabilities – > 3000 CVE records

    on MITRE and NIST – > 1800 CVE records on linuxkernelcves.com – > 700 CVE records and ~50 BDU records on FSTEC BDU (since 2014) – > 1400 DWF/UVI records (since 2021) – …

  7. Why? Context • Kernel vulnerabilities – > 3000 CVE records

    on MITRE and NIST – > 1800 CVE records on linuxkernelcves.com – > 700 CVE records and ~50 BDU records on FSTEC BDU (since 2014) – > 1400 DWF/UVI records (since 2021) – … • Stable, LTS, XLTS, SLTS (CIP) – 4.4, 4.9, 4.19, 5.4, 5.10, 5.14 • Distributions – 3.10, 4.1, 4.18, 4.15, 5.3 … • Embedded devices, mobile phones,…

  8. Why? Context • Kernel vulnerabilities – > 3000 CVE records

    on MITRE and NIST – > 1800 CVE records on linuxkernelcves.com – > 700 CVE records and ~50 BDU records on FSTEC BDU (since 2014) – > 1400 DWF/UVI records (since 2021) – … • Stable, LTS, XLTS, SLTS (CIP) – 4.4, 4.9, 4.19, 5.4, 5.10, 5.14 • Distributions – 3.10, 4.1, 4.18, 4.15, 5.3 … • Embedded devices, mobile phones,… • Many arches and CONFIG_* options – 17452 CONFIG_ options in v5.14

  9. Why? Context • Kernel vulnerabilities – > 3000 CVE records

    on MITRE and NIST – > 1800 CVE records on linuxkernelcves.com – > 700 CVE records and ~50 BDU records on FSTEC BDU (since 2014) – > 1400 DWF/UVI records (since 2021) – … • Stable, LTS, XLTS, SLTS (CIP) – 4.4, 4.9, 4.19, 5.4, 5.10, 5.14 • Distributions – 3.10, 4.1, 4.18, 4.15, 5.3 … • Embedded devices, mobile phones,… • Many arches and CONFIG_* options – 17452 CONFIG_ options in v5.14 • .git is not always available – only 427 commits with explicit CVE mentions (v5.14) • …

  10. Why? Context • Kernel vulnerabilities – > 3000 CVE records

    on MITRE and NIST – > 1800 CVE records on linuxkernelcves.com – > 700 CVE records and ~50 BDU records on FSTEC BDU (since 2014) – > 1400 DWF/UVI records (since 2021) – … • Stable, LTS, XLTS, SLTS (CIP) – 4.4, 4.9, 4.19, 5.4, 5.10, 5.14 • Distributions – 3.10, 4.1, 4.18, 4.15, 5.3 … • Embedded devices, mobile phones,… • Many arches and CONFIG_* options – 17452 CONFIG_ options in v5.14 • .git is not always available – only 427 commits with explicit CVE mentions (v5.14) • … Tool use cases • Certification Lab/Pentest Lab – Check all CVEs fixed for certification – Find unfixed CVEs to further check how they are mitigated with hardening options • Users/System Administrators – Check kernels when you can’t update it – Check sources before enabling kernel options • Kernel developers – another tool to check yourself (reverts, wrong backports, early versions of patches)

  11. How? • Detection rules – Coccinelle patterns // $ spatch

    rule.cocci . @@ expression E; @@ * copy_from_user(E, ...) ... when != E * \(strncmp\|strcmp\)(..., E, ...)

  12. How? • Detection rules – Coccinelle patterns // drivers/remoteproc/remoteproc_cdev.c ret

    = copy_from_user(cmd, buf, len); if (ret) return -EFAULT; if (!strncmp(cmd, "start", len)) { if (rproc->state == RPROC_RUNNING || rproc->state == RPROC_ATTACHED) return -EBUSY; // drivers/staging/rtl8723bs/os_dep/ioctl_linux.c if (copy_from_user(new_ifname, wrqu->data.pointer, IFNAMSIZ)) return -EFAULT; if (0 == strcmp(rereg_priv->old_ifname, new_ifname)) return ret; // net/core/pktgen.c if (copy_from_user(f, &user_buffer[i], len)) return -EFAULT; i += len; if (strcmp(f, "start_xmit") == 0) { pkt_dev->xmit_mode = M_START_XMIT; } else if (strcmp(f, "netif_receive") == 0) { // $ spatch rule.cocci . @@ expression E; @@ * copy_from_user(E, ...) ... when != E * \(strncmp\|strcmp\)(..., E, ...) … Generic

  13. How? • Detection rules – Coccinelle patterns // drivers/remoteproc/remoteproc_cdev.c ret

    = copy_from_user(cmd, buf, len); if (ret) return -EFAULT; if (!strncmp(cmd, "start", len)) { if (rproc->state == RPROC_RUNNING || rproc->state == RPROC_ATTACHED) return -EBUSY; // drivers/staging/rtl8723bs/os_dep/ioctl_linux.c if (copy_from_user(new_ifname, wrqu->data.pointer, IFNAMSIZ)) return -EFAULT; if (0 == strcmp(rereg_priv->old_ifname, new_ifname)) return ret; // net/core/pktgen.c if (copy_from_user(f, &user_buffer[i], len)) return -EFAULT; i += len; if (strcmp(f, "start_xmit") == 0) { pkt_dev->xmit_mode = M_START_XMIT; } else if (strcmp(f, "netif_receive") == 0) { // $ spatch rule.cocci . @@ expression E; @@ * copy_from_user(E, ...) ... when != E * \(strncmp\|strcmp\)(..., E, ...) … Generic

  14. How? • Detection rules – Coccinelle patterns // drivers/remoteproc/remoteproc_cdev.c ret

    = copy_from_user(cmd, buf, len); if (ret) return -EFAULT; if (!strncmp(cmd, "start", len)) { if (rproc->state == RPROC_RUNNING || rproc->state == RPROC_ATTACHED) return -EBUSY; // drivers/staging/rtl8723bs/os_dep/ioctl_linux.c if (copy_from_user(new_ifname, wrqu->data.pointer, IFNAMSIZ)) return -EFAULT; if (0 == strcmp(rereg_priv->old_ifname, new_ifname)) return ret; // net/core/pktgen.c if (copy_from_user(f, &user_buffer[i], len)) return -EFAULT; i += len; if (strcmp(f, "start_xmit") == 0) { pkt_dev->xmit_mode = M_START_XMIT; } else if (strcmp(f, "netif_receive") == 0) { // $ spatch rule.cocci . @@ expression E; @@ * copy_from_user(E, ...) ... when != E * \(strncmp\|strcmp\)(..., E, ...) … Generic

  15. How? • Detection rules – Coccinelle patterns // net/core/pktgen.c if

    (copy_from_user(f, &user_buffer[i], len)) return -EFAULT; i += len; if (strcmp(f, "start_xmit") == 0) { pkt_dev->xmit_mode = M_START_XMIT; // $ spatch rule.cocci . @@ expression E; @@ pktgen_if_write(...) { ... when any * copy_from_user(E, ...) ... when != E * strcmp(E, "start_xmit", ...) ... } Generic

  16. How? • Detection rules – Coccinelle patterns • Stats –

    since December 2020 – 42 days with new rules – ~5 rules a day – only 8 days with >=10 rules 2 9 7 14 22 18 41 61 48 2013 2014 2015 2016 2017 2018 2019 2020 2021 NUMBER OF CVE-YYYY RULES 16 7 11 10 10 0 5 10 15 20 RULES PER DAY

  17. How? • Detection rules – Coccinelle patterns • Stats –

    since December 2020 – 42 days with new rules – ~5 rules a day – only 8 days with >=10 rules • Testing – Detects between [fixes, fix) commits – Not detects on v2.6.12-rc2, fixes^, master, stable/linux-d.dd.y, next/master 2 9 7 14 22 18 41 61 48 2013 2014 2015 2016 2017 2018 2019 2020 2021 NUMBER OF CVE-YYYY RULES 16 7 11 10 10 0 5 10 15 20 RULES PER DAY

  18. How? • Detection rules – Coccinelle patterns • Stats –

    since December 2020 – 42 days with new rules – ~5 rules a day – only 8 days with >=10 rules • Testing – Detects between [fixes, fix) commits – Not detects on v2.6.12-rc2, fixes^, master, stable/linux-d.dd.y, next/master • How to write a rule 1. Find fix commit 2. Find fixes commit (only for testing) 3. Draft the rule (5-30 mins) 4. Test the rule (7-20 mins) 5. Refine the rule (repeat to 4) 2 9 7 14 22 18 41 61 48 2013 2014 2015 2016 2017 2018 2019 2020 2021 NUMBER OF CVE-YYYY RULES 16 7 11 10 10 0 5 10 15 20 RULES PER DAY

  19. Rule patterns (removed, added) @err exists@ position p; @@ vgacon_scrollback_init@p(...)

    { ... when any CONFIG_VGACON_SOFT_SCROLLBACK_SIZE ... when any } @script:python@ p << err.p; @@ coccilib.report.print_report(p[0], 'ERROR: CVE-2020-28097') @err exists@ identifier sock; position p; @@ rawsock_create(...) { ... when != if (!\(ns_capable\|capable\) (..., CAP_NET_RAW)) return -EPERM; sock->ops =@p &rawsock_raw_ops; ... } @script:python@ p << err.p; @@ coccilib.report.print_report(p[0], "ERROR: CVE-2020-26088") CVE-2020-28097 CVE-2020-26088

  20. Rule patterns (added alt., changed) @enum_status_code@ @@ enum nl80211_attrs {

    ..., NL80211_ATTR_STATUS_CODE, ... }; @fix@ @@ struct nla_policy nl80211_policy[...] = { ..., [NL80211_ATTR_STATUS_CODE] = { ... }, ... }; @err depends on enum_status_code && !fix@ position p; @@ struct nla_policy nl80211_policy@p[...] = { ... }; @err@ position p; @@ amd_energy_is_visible(...) { return 0444;@p } CVE-2020-27068 CVE-2020-12912

  21. Rule patterns (fix != bug) @close exists@ @@ spk_ttyio_ldisc_close(...) {

    ... kfree(speakup_tty->disc_data); ... } @err depends on close exists@ @@ spk_ttyio_ldisc_open(...) { ... when != mutex_lock(...); speakup_tty = tty; ... speakup_tty->disc_data = ldisc_data; ... when != mutex_unlock(...); } @struct_fields@ @@ struct mlx5_ib_create_qp_resp { __u32 bfreg_index; ... __u32 reserved; ... }; @err depends on struct_fields exists@ @@ create_qp_common(...) { ... struct mlx5_ib_create_qp_resp resp; ... when != memset(&resp, 0, ...) create_user_qp(..., &resp, ...) ... } CVE-2020-28941 CVE-2018-20855

  22. Rule patterns (non-C ld, .S) @initialize:python@ @@ int3 = False

    with open(vmlinux_lds, 'rt') as f: if re.search(':text\s*=\s*0xcccc', f.read()): int3 = True @err exists@ expression E; @@ can_optimize(...) { ... if (E.opcode.bytes[0] == \(INT3_INSN_OPCODE\|BREAKPOINT_INSTRUCTION\)) return 0; ... } @script:python@ p << err.p; @@ if int3: coccilib.report.print_report(p[0], 'ERROR: CVE-2021-3411') // Fallback mode with regular expressions. // grep –rePoz <regex1> && grep –rePoz <regex2> tm_enabled\(struct\s+task_struct\s+\*[\w]+\)\s+\{ EXC_COMMON_BEGIN\(program_check_common\)\s+EXCEPTIO N_PROLOG_COMMON\(0x700,\s+PACA_EXGEN\) CVE-2021-3411 CVE-2017-1000255

  23. Future Work • KernelCI integration • Support #ifdefs – More

    precise CONFIG_* analysis • Add option to check only specific drivers enabled by CONFIG_* option • Lightweight mode based on .git analysis – Check for Fixes and Fix commits – Based on commits titles and commits metadata – Reverts, multiple commits fixing one CVE, … – Useful primarily for kernel developers • Infer detection rules from commits
  24. None

  25. Just patch/patch -R! • Old kernels? – Let’s try LTS

    patches • What it means if a patch doesn’t apply/revert? – Already patched kernel with new changes on top of it? – Old non-vulnerable kernel? – There is no suitable backport of a patch to test? – Multiple patches fixing one CVE? • What it means if a patch applies? – Fix != Error – Check patches that introduce errors? • …