
rule to detect successful unprivileged userfaultfd events #1675

Merged

Conversation

@leodido leodido commented Jun 11, 2021

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

/area rules

What this PR does / why we need it:

Adds a rule to alert Falco users about the delegation of page-fault handling to user space through a successful unprivileged userfaultfd call.

Which issue(s) this PR fixes:

Refs #676

Special notes for your reviewer:

To try it out you need to build Falco against this branch in libs.

Holding this PR until that branch is merged into libs.

/hold

Also, while doing this PR I took the chance to include a simple addition to the rule detecting kernel module injections from containers: it was missing the container info in the output, so I added it.

Does this PR introduce a user-facing change?:

rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall
rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule
rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls
rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule
update: bump the Falco engine version to version 9
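The following is an added illustration, not the rule code from this PR or from Falco: a small Python evaluator that applies the logic the PR description gives for the new rule (a userfaultfd syscall that succeeded, made by a non-root user, from a process not on the user_known_userfaultfd_processes list, gated by the consider_userfaultfd_activities macro) to a few constructed syscall events, and renders an alert line that carries container info. The event fields, the list entry and the sample events are assumptions made for the example; they only loosely mirror Falco's field names and are not taken from the rule file.

```python
# Added example (not Falco's rule code): evaluate the PR's rule logic over
# constructed syscall events and render alerts that include container info.
from dataclasses import dataclass
from typing import List, Optional

# Analogue of the user_known_userfaultfd_processes list from the PR.
# The entry is a constructed placeholder, not a value from the rule file.
USER_KNOWN_USERFAULTFD_PROCESSES = {"example-live-migrator"}

# Analogue of the consider_userfaultfd_activities macro: a simple on/off gate.
CONSIDER_USERFAULTFD_ACTIVITIES = True


@dataclass
class SyscallEvent:
    """Constructed syscall exit event. Field names loosely mirror Falco's
    evt.type / evt.rawres / user.uid / proc.name / container.* fields; this is
    an assumption for illustration, not Falco's real event model."""
    evt_type: str
    rawres: int            # raw return value: userfaultfd returns an fd (>= 0) on success
    uid: int
    user_name: str
    proc_name: str
    cmdline: str
    container_id: str = "host"
    container_name: str = "host"
    image: Optional[str] = None


def is_unprivileged_successful_userfaultfd(ev: SyscallEvent) -> bool:
    """Condition mirroring the rule's stated intent: gate macro enabled, syscall
    is userfaultfd, the call succeeded (returned an fd), the caller is not root,
    and the process is not on the known-users list."""
    return (
        CONSIDER_USERFAULTFD_ACTIVITIES
        and ev.evt_type == "userfaultfd"
        and ev.rawres >= 0
        and ev.uid != 0
        and ev.proc_name not in USER_KNOWN_USERFAULTFD_PROCESSES
    )


def render_alert(ev: SyscallEvent) -> str:
    """Alert line that includes container info, as the PR adds to the output."""
    return (
        "CRITICAL Unprivileged userfaultfd syscall succeeded "
        f"(user={ev.user_name} uid={ev.uid} process={ev.proc_name} "
        f"command={ev.cmdline} container_id={ev.container_id} "
        f"container_name={ev.container_name} image={ev.image or '<NA>'})"
    )


def evaluate(events: List[SyscallEvent]) -> List[str]:
    """Return one alert string for every event that matches the rule."""
    return [render_alert(ev) for ev in events if is_unprivileged_successful_userfaultfd(ev)]


# Constructed sample events (not captured data).
SAMPLE_EVENTS = [
    # 1. non-root user inside a container, call succeeded -> alert
    SyscallEvent("userfaultfd", 5, 1000, "app", "payload", "./payload",
                 "3b2c1d0e9f8a", "web-frontend", "example.org/web:1.2"),
    # 2. same call as root -> outside this rule's scope (unprivileged users only)
    SyscallEvent("userfaultfd", 5, 0, "root", "payload", "./payload",
                 "3b2c1d0e9f8a", "web-frontend", "example.org/web:1.2"),
    # 3. call failed with -EPERM (-1), e.g. vm.unprivileged_userfaultfd=0 -> no alert
    SyscallEvent("userfaultfd", -1, 1000, "app", "payload", "./payload"),
    # 4. known legitimate user from the list -> no alert
    SyscallEvent("userfaultfd", 7, 1000, "svc", "example-live-migrator",
                 "example-live-migrator --sync"),
    # 5. unrelated syscall -> no alert
    SyscallEvent("openat", 3, 1000, "app", "cat", "cat /etc/hostname"),
]


if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Only the first sample event produces an alert; the root case is deliberately left out because the PR scopes the rule to unprivileged callers, and a legitimate userfaultfd user is silenced by adding its process name to the list rather than by disabling the rule.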


leodido commented Jun 11, 2021

/milestone 0.29.0

(tentatively)

@poiana poiana added this to the 0.29.0 milestone Jun 11, 2021
@maxgio92 maxgio92 mentioned this pull request Jun 15, 2021

leogr commented Jun 15, 2021

I have updated #1669
It now includes the driver version required to support these rules.

@@ -3054,6 +3054,16 @@
priority: WARNING
tags: [container, cis, mitre_lateral_movement]

- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
condition: >
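Review bot: the desc on the new `- rule:` line in this hunk tells the reader what is detected but not how the rule is tuned, and the PR adds both a user_known_userfaultfd_processes list and a consider_userfaultfd_activities macro for exactly that; name them in the desc (or in a comment above the rule) so an operator who gets an alert from a legitimate userfaultfd user knows to extend the list rather than disable the rule, e.g. `desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs. Tune via the user_known_userfaultfd_processes list; gated by consider_userfaultfd_activities.`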
Contributor

just had another thought,

  1. Maybe we should limit the attack scenario to containers, as gaining access to the node is already highly privileged access.
  2. If we can assume the attack scenario is in a container, we may want to detect userfaultfd by all users including root, especially since people still run root containers quite commonly nowadays.

Contributor

@leodido let me know what you think

@leogr leogr modified the milestones: 0.29.0, 0.30.0 Jun 17, 2021

poiana commented Jun 17, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: leodido


@poiana poiana added size/M and removed size/S labels Jun 17, 2021
@leodido leodido requested a review from Kaizhe June 17, 2021 12:11
leodido and others added 6 commits June 17, 2021 12:58
…ting kernel module injections from containers

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
…to act as a gate

Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
…exclude processes known to use userfaultfd syscall

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
@leodido leodido force-pushed the new/detect-successful-unprivileged-userfaultfd-syscalls branch from bfbcbd3 to 3ac8122 Compare June 17, 2021 12:59

leodido commented Jun 17, 2021

Rebased to let the CI pick latest changes (needed) from the master branch

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
@poiana poiana added the lgtm label Jun 21, 2021

leogr commented Jun 23, 2021

/hold cancel

@poiana poiana merged commit d669031 into master Jun 23, 2021
12 of 13 checks passed
@poiana poiana deleted the new/detect-successful-unprivileged-userfaultfd-syscalls branch June 23, 2021 08:44

leodido commented Jun 28, 2021

/milestone 0.29.1

@poiana poiana modified the milestones: 0.30.0, 0.29.1 Jun 28, 2021
@leodido leodido mentioned this pull request Jun 29, 2021