Abstract: To support security personnel in security audits and to reduce the false positive rate of vulnerability detection, binary SCA tools must move to a finer detection granularity instead of stopping at the level of whole open source components. At the same time, the vulnerability database must be able to supply location information at that finer granularity.

This article is shared from the Huawei Cloud community post "Accurate Detection of Linux Kernel Vulnerabilities", written by a security technology expert.

Linux kernel architecture

The Linux kernel is made up of seven subsystems, and each subsystem consists of multiple kernel modules. The structure block diagram is shown below:

(Figure: Linux kernel structure block diagram; image from blog.csdn.net/weixin_447…)

Linux kernel clipping scenario analysis

Looking at the Linux kernel source, the implementation of each module lives in its own directory, and at build time the options in the kernel configuration (.config) control which modules are compiled into the final binary and which are cut out. For example, the configuration option for the IPv6 module is CONFIG_IPV6. If it is set to y, the module is built into the final image; if it is set to m, it is built as a loadable module; and if it is set to n (which appears in .config as "# CONFIG_IPV6 is not set"), the module is not compiled into the final binary at all, as shown in the original post's .config screenshot.

If a module has been cut out of the build, vulnerabilities in that module cannot affect the resulting binary even if they were never patched. Vulnerability detection should therefore mark IPv6-related vulnerabilities accordingly in the report when IPv6 is not built. Take CVE-2013-0343 as an example: the ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages.

Why existing binary SCA tools cannot detect this

Binary SCA tools in the industry generally cannot detect this accurately because they work by identifying the name and version of an open source component in the binary and then looking up the known vulnerabilities for that name and version. Cutting functional modules out of the Linux kernel changes neither its name nor its version, so such a tool reports the same vulnerability list whether or not the vulnerable module was actually built.

How a binary SCA tool can implement this

To detect known vulnerabilities accurately in a trimmed Linux kernel, a binary SCA tool must go beyond matching open source name and version and add detection at source-file and function granularity, so that it knows which code was compiled into the final binary and which code was not. At the same time, the vulnerability database must support that granularity: each vulnerability entry must state precisely which files, and which functions or code fragments within them, introduce the vulnerability.

Take CVE-2013-0343 as an example. By analysing the vulnerability description and the Linux kernel source, the locations related to the vulnerability can be determined and recorded as follows:

```json
{
  "CVE-2013-0343": {
    "net/ipv6/addrconf.c": [
      "addrconf_add_ifaddr",
      "addrconf_dad_begin",
      "addrconf_dad_stop",
      "addrconf_dad_work",
      "addrconf_del_ifaddr",
      "addrconf_prefix_rcv",
      "addrconf_verify_rtnl",
      "addrconf_verify_work",
      "inet6_addr_add",
      "inet6_addr_del",
      "inet6_addr_modify",
      "inet6_rtm_deladdr",
      "inet6_rtm_newaddr",
      "inet6_set_iftoken",
      "inet6_set_link_af",
      "ipv6_create_tempaddr",
      "manage_tempaddrs"
    ]
  }
}
```

The principle is simple: if the source code that introduces a vulnerability did not take part in compiling the binary, the compiled binary cannot contain that vulnerability. Therefore, as long as the binary SCA tool can establish that the code at the locations listed above was not compiled into the final vmlinux, it can conclude that this vmlinux is not affected by CVE-2013-0343. One caveat: when CONFIG_IPV6=m the same code is absent from vmlinux but present in the ipv6 module object, so the check has to cover loadable modules as well as the main image.
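As an added example (illustrative code written for this article, not Huawei Cloud's SCA tool), the following Python script applies the approach described in the clipping-scenario section and in the paragraph above: it parses a kernel .config to see whether CONFIG_IPV6 is built in, built as a module or cut out, parses `nm vmlinux` / System.map style output to see which of the functions listed for CVE-2013-0343 actually ended up in vmlinux, and produces a verdict. The directory-to-CONFIG table, the .config samples and the symbol-table samples (including their addresses) are constructed assumptions, not taken from a real build.

```python
"""Added example, not the tool from the article: decide whether a file/function
granularity CVE entry can affect a given kernel build by combining the .config
(what was compiled in) with the symbol table of the produced vmlinux (what is
actually in the image). All inputs are constructed samples."""
import re
from typing import Dict, List, Set

# Vulnerability database entry at file/function granularity (from the article).
VULN_DB: Dict[str, Dict[str, List[str]]] = {"CVE-2013-0343": {"net/ipv6/addrconf.c": [
    "addrconf_add_ifaddr", "addrconf_dad_begin", "addrconf_dad_stop", "addrconf_dad_work",
    "addrconf_del_ifaddr", "addrconf_prefix_rcv", "addrconf_verify_rtnl",
    "addrconf_verify_work", "inet6_addr_add", "inet6_addr_del", "inet6_addr_modify",
    "inet6_rtm_deladdr", "inet6_rtm_newaddr", "inet6_set_iftoken", "inet6_set_link_af",
    "ipv6_create_tempaddr", "manage_tempaddrs"]}}

# Assumption: the Kconfig symbol gating each source directory. The kernel build
# takes this from Makefiles (net/Makefile: obj-$(CONFIG_IPV6) += ipv6/); a real
# tool would parse those instead of hard-coding a table.
DIR_TO_CONFIG: Dict[str, str] = {"net/ipv6/": "CONFIG_IPV6"}


def parse_kconfig(text: str) -> Dict[str, str]:
    """Parse a kernel .config into {symbol: value}; '# X is not set' becomes 'n'."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.fullmatch(r"# (CONFIG_\w+) is not set", line.strip())
        if m:
            cfg[m.group(1)] = "n"
            continue
        m = re.fullmatch(r"(CONFIG_\w+)=(.*)", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg


def parse_symbols(text: str) -> Set[str]:
    """Collect function symbols (type t/T) from `nm vmlinux` or System.map output."""
    syms: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ("t", "T"):
            syms.add(parts[2])
    return syms


def assess(cve: str, cfg: Dict[str, str], vmlinux_syms: Set[str]) -> dict:
    """affected: a vulnerable function is in vmlinux. check_module: the gating
    option is 'm', so the code is in a loadable .ko that must be inspected too.
    not_affected: none of the vulnerable code was compiled into the image."""
    present: List[str] = []
    module_gates: List[str] = []
    for path, funcs in VULN_DB[cve].items():
        present.extend(f for f in funcs if f in vmlinux_syms)
        gate = next((s for d, s in DIR_TO_CONFIG.items() if path.startswith(d)), None)
        if gate and cfg.get(gate, "n") == "m":
            module_gates.append(gate)
    if present:
        verdict = "affected"
    elif module_gates:
        verdict = "check_module"
    else:
        verdict = "not_affected"
    return {"cve": cve, "verdict": verdict, "functions_in_vmlinux": sorted(present),
            "module_config": module_gates}


# Constructed sample inputs; the symbol addresses are made up, not from a real build.
CONFIG_BUILTIN = "CONFIG_NET=y\nCONFIG_INET=y\nCONFIG_IPV6=y\n"
CONFIG_CUT = "CONFIG_NET=y\nCONFIG_INET=y\n# CONFIG_IPV6 is not set\n"
CONFIG_MODULE = "CONFIG_NET=y\nCONFIG_INET=y\nCONFIG_IPV6=m\n"
SYMS_BUILTIN = ("ffffffff81000000 T _stext\n"
                "ffffffff81a2b3c0 t addrconf_dad_work\n"
                "ffffffff81a2c100 t ipv6_create_tempaddr\n"
                "ffffffff81a2d5e0 T inet6_addr_add\n")
SYMS_NO_IPV6 = "ffffffff81000000 T _stext\nffffffff81900000 T ip_rcv\n"


def demo() -> List[str]:
    """Assess the same CVE against three builds and return the three verdicts."""
    verdicts = []
    for cfg_text, sym_text in [(CONFIG_BUILTIN, SYMS_BUILTIN),
                               (CONFIG_CUT, SYMS_NO_IPV6), (CONFIG_MODULE, SYMS_NO_IPV6)]:
        result = assess("CVE-2013-0343", parse_kconfig(cfg_text), parse_symbols(sym_text))
        print(result)
        verdicts.append(result["verdict"])
    return verdicts


if __name__ == "__main__":
    demo()
```

Two caveats matter in practice. When the gating option is `m`, the vulnerable code is absent from vmlinux but lives in the IPv6 module object, so the same symbol check must be run against the .ko files shipped with the kernel. And static functions in addrconf.c can be inlined and disappear from the symbol table even though they were compiled, so a verdict of not_affected should rest on all listed functions being absent and, where available, on DWARF debug information rather than on the symbol table alone.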

Conclusion

To support security audits and reduce the false positive rate of vulnerability detection, binary SCA tools have to move from component-level name and version matching to detection at file and function granularity, so that they know which code was actually compiled into the binary. The vulnerability database has to keep pace by carrying location information at that same granularity.
