

Revert "SystemSan: arbitrary DNS resolution detection (#8448)"
This reverts commit 98eda2b.
oliverchang authored Dec 1, 2022
1 parent 98eda2b commit e8e7280
Showing 8 changed files with 41 additions and 413 deletions.
10 changes: 3 additions & 7 deletions infra/experimental/SystemSan/Makefile
Expand Up @@ -2,9 +2,9 @@
CXX = clang++
CFLAGS = -std=c++17 -Wall -Wextra -O3 -g3

all: clean SystemSan target target_file target_dns
all: clean SystemSan target target_file

SystemSan: SystemSan.cpp inspect_dns.cpp inspect_utils.cpp
SystemSan: SystemSan.cpp
$(CXX) $(CFLAGS) -lpthread -o $@ $^

target: target.cpp
Expand All @@ -13,13 +13,9 @@ target: target.cpp
target_file: target_file.cpp
$(CXX) $(CFLAGS) -fsanitize=address,fuzzer -o $@ $^

target_dns: target_dns.cpp
$(CXX) $(CFLAGS) -fsanitize=address,fuzzer -o $@ $^

test: all vuln.dict
./SystemSan ./target -dict=vuln.dict
./SystemSan ./target_file -dict=vuln.dict
./SystemSan ./target_dns -dict=vuln.dict

pytorch-lightning-1.5.10:
cp SystemSan.cpp PoEs/pytorch-lightning-1.5.10/; \
Expand All @@ -34,4 +30,4 @@ node-shell-quote-v1.7.3:
docker run -t systemsan_node-shell-quote:latest;

clean:
rm -f SystemSan /tmp/tripwire target target_file target_dns
rm -f SystemSan /tmp/tripwire target target_file
43 changes: 38 additions & 5 deletions infra/experimental/SystemSan/SystemSan.cpp
Expand Up @@ -40,9 +40,6 @@
#include <string>
#include <vector>

#include "inspect_utils.h"
#include "inspect_dns.h"

#define DEBUG_LOGS 0

#if DEBUG_LOGS
Expand Down Expand Up @@ -165,6 +162,23 @@ pid_t run_child(char **argv) {
return pid;
}

std::vector<std::byte> read_memory(pid_t pid, unsigned long long address,
size_t size) {
std::vector<std::byte> memory;

for (size_t i = 0; i < size; i += sizeof(long)) {
long word = ptrace(PTRACE_PEEKTEXT, pid, address + i, 0);
if (word == -1) {
return memory;
}

std::byte *word_bytes = reinterpret_cast<std::byte *>(&word);
memory.insert(memory.end(), word_bytes, word_bytes + sizeof(long));
}

return memory;
}

// Construct a string with the memory specified in a register.
std::string read_string(pid_t pid, unsigned long reg, unsigned long length) {
auto memory = read_memory(pid, reg, length);
Expand All @@ -177,6 +191,27 @@ std::string read_string(pid_t pid, unsigned long reg, unsigned long length) {
return content;
}

void report_bug(std::string bug_type, pid_t tid) {
// Report the bug found based on the bug code.
std::cerr << "===BUG DETECTED: " << bug_type.c_str() << "===\n";
// Rely on sanitizers/libFuzzer to produce a stacktrace by sending SIGABRT
// to the root process.
// Note: this may not be reliable or consistent if shell injection happens
// in an async way.
// Find the thread group id, that is the pid.
pid_t pid = tid;
auto parent = root_pids[tid];
while (!parent.ran_exec) {
// Find the first parent which ran exec syscall.
if (parent.parent_tid == g_root_pid) {
break;
}
pid = parent.parent_tid;
parent = root_pids[parent.parent_tid];
}
tgkill(pid, tid, SIGABRT);
}

void inspect_for_injection(pid_t pid, const user_regs_struct &regs) {
// Inspect a PID's registers for the sign of shell injection.
std::string path = read_string(pid, regs.rdi, kTripWire.length());
Expand Down Expand Up @@ -424,8 +459,6 @@ int trace(std::map<pid_t, Tracee> pids) {
}
}

inspect_dns_syscalls(pid, regs);

if (regs.orig_rax == __NR_openat) {
inspect_for_arbitrary_file_open(pid, regs);
}
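Review bot: In the restored read_memory, a PTRACE_PEEKTEXT return of -1 is treated as a read failure, but -1 is also a perfectly valid word of tracee memory (all bytes 0xff), so such a word silently truncates the buffer and read_string then works on short data; this is a re-landed function, but the revert is the code under review. The way to tell the two apart is to clear errno before the call and test it after: `errno = 0;` before `long word = ptrace(PTRACE_PEEKTEXT, pid, address + i, 0);` and then `if (word == -1 && errno != 0) { return memory; }` — this needs `<cerrno>`, whose include is outside the hunk. The same function also appends whole words, so the vector can hold up to sizeof(long)-1 bytes past `size`; a comment such as `// May return up to sizeof(long)-1 bytes more than size; callers must trim.` would make that contract explicit for read_string and other callers. In report_bug, `root_pids[tid]` looks like a map subscript, which would default-insert an entry for an unknown tid rather than fail; if that is the case, a `find` with an early return is safer, though root_pids' type is declared outside the hunk.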
235 changes: 0 additions & 235 deletions infra/experimental/SystemSan/inspect_dns.cpp

This file was deleted.

26 changes: 0 additions & 26 deletions infra/experimental/SystemSan/inspect_dns.h

This file was deleted.


