Upgrade to Pro — share decks privately, control downloads, hide ads and more …

CVEHound: Audit Kernel Sources for Missing CVE ...

Denis
October 01, 2021
Programming
0
470

CVEHound: Audit Kernel Sources for Missing CVE Fixes

Video: https://www.youtube.com/watch?v=jIDnVeZNUA8

CVEHound is a tool for checking Linux kernel sources for missing CVE fixes. Usual ways to track CVE fixes are vendor security announcements and a git history of a particular kernel tree. However, many vendors provide sources as tarballs without development history and don't publish enough information about security fixes. Hence, it's not possible to check these releases automatically without manually inspecting sources. CVEHound takes into account only C source code during work. Internally, the tool uses semantic patches (coccinelle patterns) to find missing backports of CVE fixes. This allows the tool to be agnostic from the kernel version and detect a missing fix in a half-open interval starting from the first commit where a bug was introduced and ending with the fix/backport patch. Since the tool uses a source-based approach this allows also to detect partial/broken/missing backports of security fixes. The talk is a tool presentation with a corresponding approach that can be interesting to kernel developers for maintaining kernel trees, certification labs for compliance checking, system administrators, and penetration testers for security audits.

Denis

October 01, 2021
Tweet

More Decks by Denis

See All by Denis
CVEhound: check Linux sources for known CVEs
efremov
0
70
Инструменты тестирования ядра Linux
efremov
0
130
Formal verification of operating system kernels
efremov
0
31
Runtime Verification of Linux Kernel Security Module
efremov
0
88
Modifications in Frama-C framework for handling Linux kernel code
efremov
0
130
Continuous deductive verification with Frama-C
efremov
0
120
Deductive verification of unmodified Linux kernel library functions
efremov
1
47
Health Insurance Support System (Blockchain Based)
efremov
0
120
Formal Verification of a Linux Security Module
efremov
0
110

Other Decks in Programming

See All in Programming
Ethereum_.pdf
nekomatu
0
470
Figma Dev Modeで変わる!Flutterの開発体験
watanave
0
150
What’s New in Compose Multiplatform - A Live Tour (droidcon London 2024)
zsmb
1
480
CSC509 Lecture 13
javiergs
PRO
0
110
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
280
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
640
Tauriでネイティブアプリを作りたい
tsucchinoko
0
380
Duckdb-Wasmでローカルダッシュボードを作ってみた
nkforwork
0
130
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
flutterkaigi_2024.pdf
kyoheig3
0
160
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
200

Featured

See All Featured
The Cost Of JavaScript in 2023
addyosmani
45
6.8k
Code Review Best Practice
trishagee
64
17k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
We Have a Design System, Now What?
morganepeng
50
7.2k
For a Future-Friendly Web
brad_frost
175
9.4k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Rails Girls Zürich Keynote
gr2m
94
13k
Into the Great Unknown - MozCon
thekraken
32
1.5k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
KATA
mclloyd
29
14k
The Invisible Side of Design
smashingmag
298
50k

Transcript

  1. @efrmv CVEhound Denis Efremov / Oracle

  2. What? • CVEhound tool to detect absence of patches in

    the kernel sources – Project started in December 2020 – GPLv3 for python code, GPLv2 for CVE detection rules • Doesn’t look at kernel version • Doesn’t require .git • Doesn’t need build information

  3. What? • CVEhound tool to detect absence of patches in

    the kernel sources – Project started in December 2020 – GPLv3 for python code, GPLv2 for CVE detection rules • Doesn’t look at kernel version • Doesn’t require .git • Doesn’t need build information • 223 CVEs described

  4. What? • CVEhound tool to detect absence of patches in

    the kernel sources – Project started in December 2020 – GPLv3 for python code, GPLv2 for CVE detection rules • Doesn’t look at kernel version • Doesn’t require .git • Doesn’t need build information • 223 CVEs described • Filters – CONFIG_ options • .config analysis based on undertaker project – Files, subdirectories – CWE, exploit status, …

  5. What? • CVEhound tool to detect absence of patches in

    the kernel sources – Project started in December 2020 – GPLv3 for python code, GPLv2 for CVE detection rules • Doesn’t look at kernel version • Doesn’t require .git • Doesn’t need build information • 223 CVEs described • Filters – CONFIG_ options • .config analysis based on undertaker project – Files, subdirectories – CWE, exploit status, … • CVE metadata from linuxkernelcves.com • Reports generation for CI

  6. Why? Context • Kernel vulnerabilities – > 3000 CVE records

    on MITRE and NIST – > 1800 CVE records on linuxkernelcves.com – > 700 CVE records and ~50 BDU records on FSTEC BDU (since 2014) – > 1400 DWF/UVI records (since 2021) – …

  7. Why? Context • Kernel vulnerabilities – > 3000 CVE records

    on MITRE and NIST – > 1800 CVE records on linuxkernelcves.com – > 700 CVE records and ~50 BDU records on FSTEC BDU (since 2014) – > 1400 DWF/UVI records (since 2021) – … • Stable, LTS, XLTS, SLTS (CIP) – 4.4, 4.9, 4.19, 5.4, 5.10, 5.14 • Distributions – 3.10, 4.1, 4.18, 4.15, 5.3 … • Embedded devices, mobile phones,…

  8. Why? Context • Kernel vulnerabilities – > 3000 CVE records

    on MITRE and NIST – > 1800 CVE records on linuxkernelcves.com – > 700 CVE records and ~50 BDU records on FSTEC BDU (since 2014) – > 1400 DWF/UVI records (since 2021) – … • Stable, LTS, XLTS, SLTS (CIP) – 4.4, 4.9, 4.19, 5.4, 5.10, 5.14 • Distributions – 3.10, 4.1, 4.18, 4.15, 5.3 … • Embedded devices, mobile phones,… • Many arches and CONFIG_* options – 17452 CONFIG_ options in v5.14

  9. Why? Context • Kernel vulnerabilities – > 3000 CVE records

    on MITRE and NIST – > 1800 CVE records on linuxkernelcves.com – > 700 CVE records and ~50 BDU records on FSTEC BDU (since 2014) – > 1400 DWF/UVI records (since 2021) – … • Stable, LTS, XLTS, SLTS (CIP) – 4.4, 4.9, 4.19, 5.4, 5.10, 5.14 • Distributions – 3.10, 4.1, 4.18, 4.15, 5.3 … • Embedded devices, mobile phones,… • Many arches and CONFIG_* options – 17452 CONFIG_ options in v5.14 • .git is not always available – only 427 commits with explicit CVE mentions (v5.14) • …

  10. Why? Context • Kernel vulnerabilities – > 3000 CVE records

    on MITRE and NIST – > 1800 CVE records on linuxkernelcves.com – > 700 CVE records and ~50 BDU records on FSTEC BDU (since 2014) – > 1400 DWF/UVI records (since 2021) – … • Stable, LTS, XLTS, SLTS (CIP) – 4.4, 4.9, 4.19, 5.4, 5.10, 5.14 • Distributions – 3.10, 4.1, 4.18, 4.15, 5.3 … • Embedded devices, mobile phones,… • Many arches and CONFIG_* options – 17452 CONFIG_ options in v5.14 • .git is not always available – only 427 commits with explicit CVE mentions (v5.14) • … Tool use cases • Certification Lab/Pentest Lab – Check all CVEs fixed for certification – Find unfixed CVEs to further check how they are mitigated with hardening options • Users/System Administrators – Check kernels when you can’t update it – Check sources before enabling kernel options • Kernel developers – another tool to check yourself (reverts, wrong backports, early versions of patches)

  11. How? • Detection rules – Coccinelle patterns // $ spatch

    rule.cocci . @@ expression E; @@ * copy_from_user(E, ...) ... when != E * \(strncmp\|strcmp\)(..., E, ...)

  12. How? • Detection rules – Coccinelle patterns // drivers/remoteproc/remoteproc_cdev.c ret

    = copy_from_user(cmd, buf, len); if (ret) return -EFAULT; if (!strncmp(cmd, "start", len)) { if (rproc->state == RPROC_RUNNING || rproc->state == RPROC_ATTACHED) return -EBUSY; // drivers/staging/rtl8723bs/os_dep/ioctl_linux.c if (copy_from_user(new_ifname, wrqu->data.pointer, IFNAMSIZ)) return -EFAULT; if (0 == strcmp(rereg_priv->old_ifname, new_ifname)) return ret; // net/core/pktgen.c if (copy_from_user(f, &user_buffer[i], len)) return -EFAULT; i += len; if (strcmp(f, "start_xmit") == 0) { pkt_dev->xmit_mode = M_START_XMIT; } else if (strcmp(f, "netif_receive") == 0) { // $ spatch rule.cocci . @@ expression E; @@ * copy_from_user(E, ...) ... when != E * \(strncmp\|strcmp\)(..., E, ...) … Generic

  13. How? • Detection rules – Coccinelle patterns // drivers/remoteproc/remoteproc_cdev.c ret

    = copy_from_user(cmd, buf, len); if (ret) return -EFAULT; if (!strncmp(cmd, "start", len)) { if (rproc->state == RPROC_RUNNING || rproc->state == RPROC_ATTACHED) return -EBUSY; // drivers/staging/rtl8723bs/os_dep/ioctl_linux.c if (copy_from_user(new_ifname, wrqu->data.pointer, IFNAMSIZ)) return -EFAULT; if (0 == strcmp(rereg_priv->old_ifname, new_ifname)) return ret; // net/core/pktgen.c if (copy_from_user(f, &user_buffer[i], len)) return -EFAULT; i += len; if (strcmp(f, "start_xmit") == 0) { pkt_dev->xmit_mode = M_START_XMIT; } else if (strcmp(f, "netif_receive") == 0) { // $ spatch rule.cocci . @@ expression E; @@ * copy_from_user(E, ...) ... when != E * \(strncmp\|strcmp\)(..., E, ...) … Generic

  14. How? • Detection rules – Coccinelle patterns // drivers/remoteproc/remoteproc_cdev.c ret

    = copy_from_user(cmd, buf, len); if (ret) return -EFAULT; if (!strncmp(cmd, "start", len)) { if (rproc->state == RPROC_RUNNING || rproc->state == RPROC_ATTACHED) return -EBUSY; // drivers/staging/rtl8723bs/os_dep/ioctl_linux.c if (copy_from_user(new_ifname, wrqu->data.pointer, IFNAMSIZ)) return -EFAULT; if (0 == strcmp(rereg_priv->old_ifname, new_ifname)) return ret; // net/core/pktgen.c if (copy_from_user(f, &user_buffer[i], len)) return -EFAULT; i += len; if (strcmp(f, "start_xmit") == 0) { pkt_dev->xmit_mode = M_START_XMIT; } else if (strcmp(f, "netif_receive") == 0) { // $ spatch rule.cocci . @@ expression E; @@ * copy_from_user(E, ...) ... when != E * \(strncmp\|strcmp\)(..., E, ...) … Generic

  15. How? • Detection rules – Coccinelle patterns // net/core/pktgen.c if

    (copy_from_user(f, &user_buffer[i], len)) return -EFAULT; i += len; if (strcmp(f, "start_xmit") == 0) { pkt_dev->xmit_mode = M_START_XMIT; // $ spatch rule.cocci . @@ expression E; @@ pktgen_if_write(...) { ... when any * copy_from_user(E, ...) ... when != E * strcmp(E, "start_xmit", ...) ... } Generic

  16. How? • Detection rules – Coccinelle patterns • Stats –

    since December 2020 – 42 days with new rules – ~5 rules a day – only 8 days with >=10 rules 2 9 7 14 22 18 41 61 48 2013 2014 2015 2016 2017 2018 2019 2020 2021 NUMBER OF CVE-YYYY RULES 16 7 11 10 10 0 5 10 15 20 RULES PER DAY

  17. How? • Detection rules – Coccinelle patterns • Stats –

    since December 2020 – 42 days with new rules – ~5 rules a day – only 8 days with >=10 rules • Testing – Detects between [fixes, fix) commits – Not detects on v2.6.12-rc2, fixes^, master, stable/linux-d.dd.y, next/master 2 9 7 14 22 18 41 61 48 2013 2014 2015 2016 2017 2018 2019 2020 2021 NUMBER OF CVE-YYYY RULES 16 7 11 10 10 0 5 10 15 20 RULES PER DAY

  18. How? • Detection rules – Coccinelle patterns • Stats –

    since December 2020 – 42 days with new rules – ~5 rules a day – only 8 days with >=10 rules • Testing – Detects between [fixes, fix) commits – Not detects on v2.6.12-rc2, fixes^, master, stable/linux-d.dd.y, next/master • How to write a rule 1. Find fix commit 2. Find fixes commit (only for testing) 3. Draft the rule (5-30 mins) 4. Test the rule (7-20 mins) 5. Refine the rule (repeat to 4) 2 9 7 14 22 18 41 61 48 2013 2014 2015 2016 2017 2018 2019 2020 2021 NUMBER OF CVE-YYYY RULES 16 7 11 10 10 0 5 10 15 20 RULES PER DAY

  19. Rule patterns (removed, added) @err exists@ position p; @@ vgacon_scrollback_init@p(...)

    { ... when any CONFIG_VGACON_SOFT_SCROLLBACK_SIZE ... when any } @script:python@ p << err.p; @@ coccilib.report.print_report(p[0], 'ERROR: CVE-2020-28097') @err exists@ identifier sock; position p; @@ rawsock_create(...) { ... when != if (!\(ns_capable\|capable\) (..., CAP_NET_RAW)) return -EPERM; sock->ops =@p &rawsock_raw_ops; ... } @script:python@ p << err.p; @@ coccilib.report.print_report(p[0], "ERROR: CVE-2020-26088") CVE-2020-28097 CVE-2020-26088

  20. Rule patterns (added alt., changed) @enum_status_code@ @@ enum nl80211_attrs {

    ..., NL80211_ATTR_STATUS_CODE, ... }; @fix@ @@ struct nla_policy nl80211_policy[...] = { ..., [NL80211_ATTR_STATUS_CODE] = { ... }, ... }; @err depends on enum_status_code && !fix@ position p; @@ struct nla_policy nl80211_policy@p[...] = { ... }; @err@ position p; @@ amd_energy_is_visible(...) { return 0444;@p } CVE-2020-27068 CVE-2020-12912

  21. Rule patterns (fix != bug) @close exists@ @@ spk_ttyio_ldisc_close(...) {

    ... kfree(speakup_tty->disc_data); ... } @err depends on close exists@ @@ spk_ttyio_ldisc_open(...) { ... when != mutex_lock(...); speakup_tty = tty; ... speakup_tty->disc_data = ldisc_data; ... when != mutex_unlock(...); } @struct_fields@ @@ struct mlx5_ib_create_qp_resp { __u32 bfreg_index; ... __u32 reserved; ... }; @err depends on struct_fields exists@ @@ create_qp_common(...) { ... struct mlx5_ib_create_qp_resp resp; ... when != memset(&resp, 0, ...) create_user_qp(..., &resp, ...) ... } CVE-2020-28941 CVE-2018-20855

  22. Rule patterns (non-C ld, .S) @initialize:python@ @@ int3 = False

    with open(vmlinux_lds, 'rt') as f: if re.search(':text\s*=\s*0xcccc', f.read()): int3 = True @err exists@ expression E; @@ can_optimize(...) { ... if (E.opcode.bytes[0] == \(INT3_INSN_OPCODE\|BREAKPOINT_INSTRUCTION\)) return 0; ... } @script:python@ p << err.p; @@ if int3: coccilib.report.print_report(p[0], 'ERROR: CVE-2021-3411') // Fallback mode with regular expressions. // grep –rePoz <regex1> && grep –rePoz <regex2> tm_enabled\(struct\s+task_struct\s+\*[\w]+\)\s+\{ EXC_COMMON_BEGIN\(program_check_common\)\s+EXCEPTIO N_PROLOG_COMMON\(0x700,\s+PACA_EXGEN\) CVE-2021-3411 CVE-2017-1000255

  23. Future Work • KernelCI integration • Support #ifdefs – More

    precise CONFIG_* analysis • Add option to check only specific drivers enabled by CONFIG_* option • Lightweight mode based on .git analysis – Check for Fixes and Fix commits – Based on commits titles and commits metadata – Reverts, multiple commits fixing one CVE, … – Useful primarily for kernel developers • Infer detection rules from commits
  24. None

  25. Just patch/patch -R! • Old kernels? – Let’s try LTS

    patches • What it means if a patch doesn’t apply/revert? – Already patched kernel with new changes on top of it? – Old non-vulnerable kernel? – There is no suitable backport of a patch to test? – Multiple patches fixing one CVE? • What it means if a patch applies? – Fix != Error – Check patches that introduce errors? • …