Introduction to accurately detecting Linux kernel vulnerabilities

The usual mode of quoting open source software is to introduce the dynamic library or jar package of open source software. Therefore, the false alarm rate of vulnerabilities will be very low during vulnerability detection, but it is different for the Linux kernel. Since the Linux kernel function module is very It is rich and large, and will be tailored accordingly according to business needs during actual use. Therefore, how to achieve accurate vulnerability detection and reduce the false positive rate of vulnerability detection in this scenario is particularly prominent.

Linux kernel structure:

The Linux kernel is composed of seven parts, and each different part is composed of multiple kernel modules. The structural block diagram is as follows:

Linux cropping scene analysis:

By analyzing the Linux kernel source code, you can see that the implementation codes of different modules are stored in different directories. At the same time, you can use the information configured in config during compilation to control which modules are compiled into the final binary and which modules are trimmed. For example, taking the IPV6 module as an example, the configuration name that controls this module is CONFIG_IPV6. If the configuration item is set to y, it means that the function module has not been compiled into the final binary file, as shown below:

If the function module is cut, even if the vulnerability has not been patched, the vulnerabilities existing in the function module will not be affected in the binary. Therefore, vulnerabilities related to IPV6 will not be affected during vulnerability detection. It should be clearly marked in the report that it is not affected by this vulnerability, such as CVE-2013-0343 (the function ipv6_create_tempaddr in net/ipv6/addrconf.c in versions before Linux kernel 3.8 does not correctly handle the IPv6 temporary address generation problem. allows a remote attacker to cause a denial of service and then obtain sensitive information via ICMPv6 Router Advertisement (RA) messages.).

Analysis of the reasons why binary SCA tools in the industry cannot detect:

Why the usual binary SCA tools in the industry cannot achieve accurate detection? The reason is because the binary SCA tools in the industry associate a list of known vulnerabilities based on the name and version number of the detected open source software, and this through the tailoring function When applying the Linux kernel using the module method, the name and version number of the open source software will not change, so the tool cannot accurately detect it.

How the binary SCA tool implements this function:

To achieve accurate detection of known vulnerabilities in Linux kernel tailoring scenarios, binary SCA tools must implement updated fine-grained detection technology based on source code file granularity based on the original detection of open source software names and version numbers. , function granular detection capabilities, thereby achieving accurate detection of known vulnerabilities in tailoring scenarios, that is, you can know which codes are compiled into the final binary file and which codes are not included in the compilation. At the same time, the vulnerability library must also support fine-grained dimensions, that is, the vulnerability information must accurately locate the code fragments in which files and functions are introduced.
Taking CVE-2013-0343 as an example, by analyzing the vulnerability description information and the Linux kernel source code, we can obtain the positioning information related to the vulnerability and the following location codes:

"CVE-2013-0343": {
"net/ipv6/addrconf.c": [
“addrconf_add_ifaddr”,
“addrconf_dad_begin”,
“addrconf_dad_stop”,
“addrconf_dad_work”,
“addrconf_del_ifaddr”,
“addrconf_prefix_rcv”,
“addrconf_verify_rtnl”,
“addrconf_verify_work”,
“inet6_addr_add”,
“inet6_addr_del”,
“inet6_addr_modify”,
“inet6_rtm_deladdr”,
“inet6_rtm_newaddr”,
“inet6_set_iftoken”,
“inet6_set_link_af”,
“ipv6_create_tempaddr”,
“manage_tempaddrs”
]
}

Summarize

Based on the principle that if the source code that introduces the vulnerability does not participate in compiling the binary, then the compiled binary does not have the vulnerability; therefore, as long as the binary SCA tool can detect that the source code in the above location does not participate in compiling the final vmlinux binary file, then this vmlinux file is not affected by the CVE-2013-0343 vulnerability.

If binary SCA tools want to better assist security personnel in implementing security audits and reduce the false positive rate of vulnerability detection, they must develop to a more fine-grained detection dimension, not just at the level of open source software, but also on vulnerabilities. Library requirements also pose challenges for fine-grained accurate information.

The above is the detailed content of Introduction to accurately detecting Linux kernel vulnerabilities. For more information, please follow other related articles on the PHP Chinese website!