Rooba
/
oss-fuzz
mirror of https://github.com/google/oss-fuzz.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity
oss-fuzz/infra/experimental/sanitizers/ExecSan/README.md

34 lines
1.1 KiB
Markdown
Raw Normal View History

An attempt to detect shell injection with `ptrace` (#7757) * An attempt to detect shell injection with ptrace * Relocate sanitizer files * Add headers and file descriptions * Better cleanup * Name and analogy * TODOs * safer cleanup * More descriptive name * More descriptive README.md * More descriptive file names * One more TODOs
2022-05-26 05:37:04 +00:00
# Shell Injection Detection with `ptrace`
We use `ptrace` to instrument system calls made by the target program to detect if our `/tmp/tripwire` command in `vuln.dict` was injected into the shell of the testing target program and executed by the program to produce of a `/tmp/injected` file.
Our instrumentation verifies the existence of `/tmp/injected` after every `execve` or each process spawned via `clone`, which proves the existence of shell injection vulnerabilities.
## Quick test
### Cleanup
Note this will delete /tmp/tripwire and /tmp/injected if they exist
```shell
make clean
```
### Run test
Note this will overwrite /tmp/tripwire and /tmp/injected if they exist
```shell
make test
```
Look for the following line:
> ===BUG DETECTED: Shell injection===
which indicates the detection of shell injections
## TODOs
1. Trace the `execve` syscalls in child processes of the target, not the `clone`
and `wait4` in the target;
2. Flag syntax errors of shell commands, as they are suspicious enough even without
seeing the proof of error (i.e. `/tmp/injected`);
3. Suffix the injected file with the corresponding PID (e.g. `/tmp/injected_{PID}`).