tracee icon indicating copy to clipboard operation
tracee copied to clipboard

Published 20 hours ago verified publisher icon aquasecurity

magic_write: event doen't catch all file writes operations

Open AlonZivony opened this issue 3 years ago • 0 comments

Original Issue

The syscall sendfile which is another method for writing to files does not trigger the magic_write event.

Expanded Issue

After examining the file write operations in the kernel, it seems that there are 2 ways to write into a file:

  1. Using one of the following file operations (of the generic struct file_operations) - write, write_iter, splice_write, copy_file_range
  2. Writing to a mapped memory to a file (which created using the mmap file operation).

Our goal is to catch all cases in the event. This issue focus on the first one - unsupported file operations

Catching File Operations

To succeed catching file operations, we need to hook global-use functions which are the closest to the use of the operations. Unfortunately, even though each file operation has a envelope function (like do_splice_from for the splice_from file operation), these envelope functions are inline most of the times so they are not hookable.

One of the biggest problems of doing magic_write is that we need to extract the data written. However, all file operations except write work with files, not with buffer. To optimize their operations, they implement their logic by coping pages most of the times - not chunks of data. This means that the only interface we have with the data is through pages struct, so we need the functionality of translating page struct to its virtual address to be able to read the information. The implementation of translating struct page to its virtual address is a very complicated one, which depends on the kernel version, architecture and physical memory model. This means that we have to load the kconfig values to determine which physical memory is used. The code also need to be very flexible according to different kernel versions. Also, all algorithms use global variables in the kernel, so receiving their address is also mandatory.

Feature Implementation Roadmap

  1. Load environment values:
    • Kernel symbols #1505
    • Kconfigs #1504
    • Calculate consts/defines of the kernel (for CORE)
  2. Implement struct page to virtual address #1507
  3. Putting a hook for each file operation:
    • splice_from
      • do_splice #1551
      • direct_splice_actor #1552
    • write_iter
      • __kernel_write #1550
      • do_iter_readv_writev
    • copy_file_range
      • vfs_copy_file_range

AlonZivony avatar Jan 18 '22 12:01 AlonZivony