mirror of https://github.com/google/oss-fuzz.git
e249bcc669
Commit messages:
* An attempt to detect shell injection with ptrace
* Relocate sanitizer files
* Add headers and file descriptions
* Better cleanup
* Name and analogy
* TODOs
* safer cleanup
* More descriptive name
* More descriptive README.md
* More descriptive file names
* One more TODOs

Files in this directory:
- Makefile
- README.md
- execSan.c
- target.cpp
- tripwire.cpp
- vuln.dict
README.md
Shell Injection Detection with ptrace

We use ptrace to instrument the system calls made by the target program, in order to detect whether our /tmp/tripwire command from vuln.dict was injected into a shell spawned by the target program and executed by it, producing a /tmp/injected file.

Our instrumentation checks for the existence of /tmp/injected after every execve and after each process spawned via clone; the presence of that file proves the existence of a shell injection vulnerability.
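As an added example (not the project's execSan.c, and not code from the oss-fuzz authors), the program below implements the mechanism just described in C: it runs a target under ptrace and checks for the tripwire output after each execve and each process exit, printing the same "===BUG DETECTED" line on success. It goes one step beyond the description above by following the target's forked and cloned children as well, so an execve performed by a spawned shell is observed directly instead of being inferred from the parent's clone. The path /tmp/injected_demo, the helper names (classify_stop, tripwire_fired, trace_for_injection, demo_clean, demo_injected) and the nested-shell command that stands in for the target and for /tmp/tripwire are all constructed for this demo; it assumes Linux with ptrace permitted for the current user.

```c
// Added example, not the project's execSan.c: a minimal ptrace tracer that
// follows the target and every process it forks or clones, and checks for the
// tripwire output file after each execve and each process exit.
// Assumptions: Linux with ptrace permitted; paths and commands are constructed.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum stop_kind { STOP_EXEC, STOP_SPAWN, STOP_EXIT, STOP_SIGNAL, STOP_OTHER };

/* Classify a waitpid() status into the events the detector reacts to. */
enum stop_kind classify_stop(int status) {
    if (WIFEXITED(status) || WIFSIGNALED(status)) return STOP_EXIT;
    if (!WIFSTOPPED(status)) return STOP_OTHER;
    int event = status >> 16;                 /* PTRACE_EVENT_* sits above WSTOPSIG */
    if (event == PTRACE_EVENT_EXEC) return STOP_EXEC;
    if (event == PTRACE_EVENT_FORK || event == PTRACE_EVENT_VFORK ||
        event == PTRACE_EVENT_CLONE) return STOP_SPAWN;
    return event ? STOP_OTHER : STOP_SIGNAL;  /* 0 means a plain signal-delivery stop */
}

/* 1 if the tripwire output exists, i.e. the injected command really ran. */
int tripwire_fired(const char *injected_path) {
    struct stat st;
    return stat(injected_path, &st) == 0;
}

/* Run argv under ptrace. Returns 1 if the tripwire fired, 0 if it never did,
 * -1 if tracing could not be set up (for instance, ptrace not permitted). */
int trace_for_injection(char *const argv[], const char *injected_path) {
    unlink(injected_path);                    /* start from a clean slate */
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP);                       /* let the tracer set options first */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(child, &status, __WALL) < 0 || !WIFSTOPPED(status)) return -1;
    long opts = PTRACE_O_TRACEEXEC | PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK |
                PTRACE_O_TRACECLONE | PTRACE_O_EXITKILL;  /* inherited by children */
    if (ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)opts) < 0) return -1;
    if (ptrace(PTRACE_CONT, child, NULL, NULL) < 0) return -1;

    int detected = 0;
    for (;;) {
        pid_t pid = waitpid(-1, &status, __WALL); /* any tracee, auto-attached ones too */
        if (pid < 0) {
            if (errno == ECHILD) break;       /* every tracee has gone away */
            return -1;
        }
        enum stop_kind kind = classify_stop(status);
        if (kind == STOP_EXIT) {              /* a process finished: last chance to look */
            if (tripwire_fired(injected_path)) detected = 1;
            continue;
        }
        if (kind == STOP_EXEC && tripwire_fired(injected_path)) detected = 1;
        int sig = 0;
        if (kind == STOP_SIGNAL) {
            sig = WSTOPSIG(status);
            /* SIGSTOP is our handshake and each new tracee's first stop; SIGTRAP is
             * ptrace's own notification. Neither is forwarded to the tracee. */
            if (sig == SIGSTOP || sig == SIGTRAP) sig = 0;
        }
        ptrace(PTRACE_CONT, pid, NULL, (void *)(long)sig);
    }
    return detected;
}

#define INJECTED_DEMO "/tmp/injected_demo"   /* constructed stand-in for /tmp/injected */

/* A benign target: the shell runs and exits without touching the tripwire. */
int demo_clean(void) {
    char *argv[] = {"/bin/sh", "-c", "exit 0", NULL};
    return trace_for_injection(argv, INJECTED_DEMO);
}

/* An injected target: a nested shell stands in for /tmp/tripwire and creates the file. */
int demo_injected(void) {
    char *argv[] = {"/bin/sh", "-c", "/bin/sh -c 'echo injected > " INJECTED_DEMO "'", NULL};
    return trace_for_injection(argv, INJECTED_DEMO);
}

int main(void) {
    printf("clean target   : %d\n", demo_clean());
    int r = demo_injected();
    printf("injected target: %d\n", r);
    if (r == 1) puts("===BUG DETECTED: Shell injection===");
    return 0;
}
```

Build with `cc -o tracer tracer.c` and run it as an unprivileged user; the second run prints the detection line because the nested shell, standing in for the injected /tmp/tripwire, leaves /tmp/injected_demo behind. Because the tracer uses ptrace event stops (PTRACE_O_TRACEEXEC and the fork/clone options) rather than PTRACE_SYSCALL, it does not need to decode syscall numbers or registers and so works unchanged across architectures. Note that it deliberately swallows SIGSTOP and SIGTRAP delivered to the tracee, which is acceptable for a fuzzing harness but would interfere with a target that relies on those signals.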
Quick test

Cleanup
Note this will delete /tmp/tripwire and /tmp/injected if they exist:
make clean

Run test
Note this will overwrite /tmp/tripwire and /tmp/injected if they exist:
make test

Look for the following line:
===BUG DETECTED: Shell injection===
which indicates the detection of a shell injection.
TODOs

- Trace the execve syscalls in the child processes of the target, not the clone and wait4 in the target;
- Flag syntax errors of shell commands, as they are suspicious enough even without seeing the proof of error (i.e. /tmp/injected);
- Suffix the injected file with the corresponding PID (e.g. /tmp/injected_{PID}).