liberize / ssc

Convert shell script to binary
GNU General Public License v3.0

Hardening the '-u' flag #17

Closed TJokiel closed 7 months ago

TJokiel commented 8 months ago

Unless I'm missing something, here is a simple way to bypass the '-u' flag:

#!/bin/sh

strace -vf -p $$ -s 256 -o strace.log &
exec ./ssc-script

ssc-script is the real script compiled by the SSC utility.

Can we make SSC abort execution if strace is already attached to its process?

Thank you.

TJokiel commented 8 months ago

Perhaps the SSC utility could try to attach the 'ptrace' syscall to its own process. If success then stop 'ptrace' and continue with execution.

If it fails: attach: ptrace(PTRACE_SEIZE, 11850): Operation not permitted

then abort the execution immediately as it means that some 3rd party strace utility is tracing us already.

liberize commented 8 months ago

It's exactly what ssc does currently. The problem is external strace can attach at any time point, if it attaches after we detach, it can attach successfully. Perhaps the solution is to keep it attached without detaching.
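
The check discussed above, as an added example that is not part of ssc or this thread: instead of the ptrace self-attach that liberize says ssc already does, it reads the TracerPid field from /proc/self/status (Linux only, an assumption here) and refuses to continue when a tracer is attached. The parser is split out so it can be exercised on constructed input; the status lines in main are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the TracerPid value found in the text of a /proc/<pid>/status file,
 * 0 when no tracer is attached, or -1 if the field is missing. The input may
 * be a real file's content or a constructed string. */
long tracer_pid_from_status(const char *status)
{
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            /* strtol skips the tab/space that follows the colon */
            return strtol(line + 10, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Read the calling process's own status file and extract TracerPid.
 * Returns -1 when /proc is unavailable (non-Linux or restricted mount). */
long tracer_pid_live(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Policy: abort only when a tracer is positively identified. A missing field
 * (-1) is treated as "unknown", not as "traced". */
int should_abort(long tracer_pid)
{
    return tracer_pid > 0;
}

int main(void)
{
    /* Constructed sample status texts, not captured from a real system. */
    const char *clean  = "Name:\tssc\nState:\tR (running)\nTracerPid:\t0\nPid:\t4242\n";
    const char *traced = "Name:\tssc\nState:\tt (tracing stop)\nTracerPid:\t11850\nPid:\t4242\n";

    printf("constructed clean sample  -> TracerPid %ld, abort=%d\n",
           tracer_pid_from_status(clean), should_abort(tracer_pid_from_status(clean)));
    printf("constructed traced sample -> TracerPid %ld, abort=%d\n",
           tracer_pid_from_status(traced), should_abort(tracer_pid_from_status(traced)));

    long live = tracer_pid_live();
    printf("this process             -> TracerPid %ld, abort=%d\n", live, should_abort(live));
    if (should_abort(live)) {
        fprintf(stderr, "tracer attached, refusing to continue\n");
        return 1;
    }
    return 0;
}
```

This is a snapshot check and has exactly the weakness liberize describes: a tracer that attaches after the read returns is not seen. It only helps if it runs immediately before the sensitive read/write and the window between check and use is small, or if it is repeated; a tracer that is already attached when the check runs is reported reliably.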

TJokiel commented 8 months ago

According to my tests the binary executes much slower with strace attached permanently. If this is the cost of being secure then we need to live with it I guess.

Unless we could use a parameter to tell SSC how often (in milliseconds) the 'ptrace' syscall should be checked, like:

a) '0' for attaching it permanently (default)
b) '500' for checking every 0.5 sec
c) '1000' for checking every 1 second

This way the users could measure the impact on their script and tune the ssc app accordingly.

Thanks

liberize commented 8 months ago

Actually we only need to prevent two syscalls from being traced: write to pipe and read from pipe.

TJokiel commented 8 months ago

If this is the case then I would enable this protection by default and would not bother with additional configuration flags for SSC.

TJokiel commented 8 months ago

Is it possible to implement this protection directly in SSC?

If not then perhaps I could run strace by the script. The problem is that my strace can be killed and replaced by 3rd party strace process so it is not ideal.

Thanks

liberize commented 8 months ago

It's pointless to call strace in your script, unless you mean another script which runs the generated binary. By the time the script code starts to execute, the read/write syscalls which leak the script code would already have been captured.

TJokiel commented 8 months ago

Is it possible to implement this protection directly in SSC, or is there no hope?

liberize commented 8 months ago

I'm busy now, maybe sometime later.

liberize commented 7 months ago

I tried several times, and finally decided to give up. If someone makes a pull request, I'm happy to merge it. Closing this as won't fix.