scVENUS / PeekabooAV

Peekaboo Extended Email Attachment Behavior Observation Owl
https://peekabooav.de
GNU General Public License v3.0

Original filename #140

Closed michaelweiser closed 4 years ago

michaelweiser commented 4 years ago

Submission to Cuckoo with the original filename is problematic under some circumstances. Some are purely technical and arguably bugs that should be fixed (such as encoding problems), others are operational (such as intentionally not leaking filenames into the Cuckoo environment). Either way we should give users the option to choose to work around technical problems or implement their own policy on original filenames.

When submitting the original file name to cuckoo, we should also consider the name of the file in the filesystem, not just the optional declared name to be more consistent.

Previously we would only obfuscate the original filename if we could determine an extension. This was an overly enthusiastic optimisation that undermined original filename obfuscation towards Cuckoo. Restore the previous behaviour of always using the sha256sum as basename and only leaking the file extension because that's required by Cuckoo to determine the analysis package (or is it?).

Our current bookkeeping of running Cuckoo jobs did not take into account that jobs might never finish for whatever reason. This would leave us accumulating more and more samples in the running jobs list (think memory leak) and poll endlessly an ever increasing number of jobs.

This change adds job expiry based on age to the running job list. To keep the necessary data nicely bundled together we add a class CuckooJob that uses its creation time as submission time and can be interrogated as to its age. Otherwise it just stores the sample as before.

Add some wrapper methods to the Cuckoo class to wrap all accesses to the running jobs list and necessary locking as well as the CuckooJob abstraction.

Since this expiry might leave clients starving, we also need a mechanism to tell them about our abandoning the job. To achieve this we add the concept of Cuckoo analysis failure to Sample. If we drop a job because it became too old, we mark the analysis as failed in the sample and resubmit it to the work queue. In the ruleset we check this failure marker and return the same error value as for submit errors in the first place, leading to the same error message which incidentally already reads that analysis has failed. :)

As a side-effect this finally allows us to fail analysis if we're unable to get the report of a finished analysis for whatever reason.

Add a configuration option to influence the maximum Cuckoo job age. Have an explanatory comment regarding its use in the sample configuration.
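The two mechanisms described in the PR text, the sha256-based submission name that leaks only the extension and the age-based expiry of the running-jobs list with the failure marker fed back through the ruleset, as one added example. This is illustrative code written for this page, not PeekabooAV's own implementation: the class and method names (Sample, CuckooJob, Cuckoo, cuckoo_rule), the integer job ids, the failure message wording and the in-memory sample content are all assumptions, and the clock is injectable only so the expiry can be exercised without waiting.

```python
import hashlib
import os
import queue
import threading
import time

# Hypothetical stand-ins for Peekaboo's Sample, Cuckoo and ruleset classes;
# names, signatures and the message text are assumptions for this example.

CUCKOO_FAILURE_MESSAGE = "Behavioral analysis by Cuckoo has failed"  # assumed wording


class Sample:
    """Sample content is held in memory here (constructed input); the real
    sample lives on disk, but the hashing and naming logic is the same."""

    def __init__(self, content, fs_name, declared_name=None):
        self.content = content              # bytes
        self.fs_name = fs_name              # name of the file in the filesystem
        self.declared_name = declared_name  # optional name declared by the submitter
        self.cuckoo_failed = False          # failure marker checked by the rule

    def mark_cuckoo_failed(self):
        self.cuckoo_failed = True


def obfuscated_submit_name(sample):
    """Basename is always the sha256 of the content; only the extension leaks,
    because Cuckoo derives the analysis package from it. The extension comes
    from the declared name when there is one, otherwise from the filesystem name."""
    digest = hashlib.sha256(sample.content).hexdigest()
    name = sample.declared_name or sample.fs_name
    ext = os.path.splitext(os.path.basename(name))[1]  # '' when there is no extension
    return digest + ext


class CuckooJob:
    """Bundles a sample with its submission time so its age can be queried."""

    def __init__(self, sample, now=None):
        self.sample = sample
        self.submitted_at = time.time() if now is None else now

    def age(self, now=None):
        return (time.time() if now is None else now) - self.submitted_at


class Cuckoo:
    """Every access to the running-jobs list goes through these methods and the lock."""

    def __init__(self, work_queue, max_job_age=900):
        self.work_queue = work_queue      # abandoned samples are put back here
        self.max_job_age = max_job_age    # seconds; would come from configuration
        self._running = {}                # job id -> CuckooJob
        self._lock = threading.Lock()
        self._next_id = 1

    def register_job(self, sample, now=None):
        with self._lock:
            job_id = self._next_id
            self._next_id += 1
            self._running[job_id] = CuckooJob(sample, now)
        return job_id

    def pop_job(self, job_id):
        with self._lock:
            return self._running.pop(job_id, None)

    def running_job_ids(self):
        with self._lock:
            return list(self._running)

    def expire_old_jobs(self, now=None):
        """Drop jobs older than max_job_age so the list cannot grow without bound,
        flag their samples as failed and resubmit them to the work queue so a
        waiting client gets an answer instead of starving. Returns the dropped ids."""
        with self._lock:
            expired = [(jid, job) for jid, job in self._running.items()
                       if job.age(now) > self.max_job_age]
            for jid, _ in expired:
                del self._running[jid]
        for _, job in expired:              # requeue outside the lock
            job.sample.mark_cuckoo_failed()
            self.work_queue.put(job.sample)
        return [jid for jid, _ in expired]


def cuckoo_rule(sample, submit_error=False):
    """Ruleset check: an abandoned job yields the same result as a submit error."""
    if submit_error or sample.cuckoo_failed:
        return ("failed", CUCKOO_FAILURE_MESSAGE)
    return ("pending", None)


if __name__ == "__main__":
    q = queue.Queue()
    cuckoo = Cuckoo(q, max_job_age=60)
    s = Sample(b"hello", "upload.bin", declared_name="invoice.docx")
    print(obfuscated_submit_name(s))
    jid = cuckoo.register_job(s, now=1000.0)
    print(cuckoo.expire_old_jobs(now=1070.0), cuckoo_rule(s))
```

The list of expired jobs is collected and removed under the lock, but the samples are flagged and requeued after the lock is released, so a blocking work queue can never hold the running-jobs lock. Because the rule returns the identical tuple for a submit error and for an expired job, a client sees one failure path whichever way the analysis was lost.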

michaelweiser commented 4 years ago

I opt to merge this unreviewed and deal with the fallout.