leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

detection rules: complete sigma/yara/falco coverage across the corpus

Browse Source 
Three parallel research agents drafted 49 detection rules grounded in
each module's source + existing .opsec_notes string + existing .detect_auditd
counterpart. A one-shot tools/inject_rules.py wrote them into the
right files and replaced the .detect_<format> = NULL placeholders.

Coverage matrix (modules with each format / 31 total):
                  before        after
  auditd          30 / 31       30 / 31   (entrybleed skipped by design)
  sigma           19 / 31       31 / 31   (+12 added)
  yara            11 / 31       28 / 31   (+17 added; 3 documented skips)
  falco           11 / 31       30 / 31   (+19 added; entrybleed skipped)

Documented skips (kept as .detect_<format> = NULL with comment):
  - entrybleed: yara + falco + auditd. Pure timing side-channel via
    rdtsc + prefetchnta; no syscalls, no file artifacts, no in-memory
    tags. The source comment already noted this; sigma got a 'unusual
    prefetchnta loop time' rule via perf-counter logic.
  - ptrace_traceme: yara. Pure in-memory race; no on-disk artifacts
    or persistent strings to match. Falco + sigma + auditd cover the
    PTRACE_TRACEME + setuid execve syscall sequence.
  - sudo_samedit: yara. Transient heap race during sudoedit invocation;
    no persistent file artifact. Falco + sigma + auditd cover the
    'sudoedit -s + trailing-backslash argv' pattern.

Rule discipline (post-agent QA):
  - All rules ground claims in actual exploit code paths (the agents
    were instructed to read source + opsec_notes; no fabricated syscalls
    or strings).
  - Two falco rules were narrowed by the agent to fire only when
    proc.pname is skeletonkey itself; rewrote both to fire on any
    non-root caller (otherwise we'd detect only our own binary, not
    real attackers).
  - Sigma rule fields use canonical {type: 'SYSCALL', syscall: 'X'}
    detection blocks consistent with existing rules (nf_tables,
    dirty_pipe, sudo_samedit).
  - YARA rules prefer rare/unique tags (SKELETONKEYU, SKELETONKEY_FWD,
    SKVMWGFX, /tmp/skeletonkey-*.log) over common bytes — minimizes
    false positives.
  - Every rule tagged with attack.privilege_escalation + cve.YYYY.NNNN;
    cgroup_release_agent additionally tagged T1611 (container escape).

skeletonkey.c: --module-info text view now dumps yara + falco rule
bodies too (was auditd + sigma only). All 4 formats visible per module.

Verification:
  - macOS local: clean build, 33 kernel_range tests pass.
  - Linux (docker gcc:latest): 33 + 54 = 87 passes, 0 fails.
  - --module-info nf_tables / af_unix_gc / etc.: 'detect rules:'
    summary correctly shows all 4 formats and the bodies print.
This commit is contained in:
KaraZajac
2026-05-23 11:10:54 -04:00
parent ee3e7dd9a7
commit 8ab49f36f6
21 changed files with 837 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/stackrot_cve_2023_3269/skeletonkey_modules.c
+50 -3
View File
@@ -952,6 +952,53 @@ static const char stackrot_auditd[] =
"-a always,exit -F arch=b64 -S mprotect -k skeletonkey-stackrot-mprotect\n"
"-a always,exit -F arch=b64 -S munmap -F success=1 -k skeletonkey-stackrot-munmap\n";
static const char stackrot_sigma[] =
"title: Possible CVE-2023-3269 maple-tree VMA-split UAF\n"
"id: 3c24e5ca-skeletonkey-stackrot\n"
"status: experimental\n"
"description: |\n"
" Detects the StackRot race-groom: unshare(CLONE_NEWUSER) + tight\n"
" loops of mremap/munmap on MAP_GROWSDOWN regions + msg_msg\n"
" spray (msgsnd) for kmalloc-192 grooming. False positives: JIT\n"
" runtimes and aggressive memory allocators may do similar mremap\n"
" bursts but typically without msg_msg grooming.\n"
"logsource: {product: linux, service: auditd}\n"
"detection:\n"
" userns: {type: 'SYSCALL', syscall: 'unshare'}\n"
" vmas: {type: 'SYSCALL', syscall: 'mremap'}\n"
" groom: {type: 'SYSCALL', syscall: 'msgsnd'}\n"
" condition: userns and vmas and groom\n"
"level: high\n"
"tags: [attack.privilege_escalation, attack.t1068, cve.2023.3269]\n";
static const char stackrot_yara[] =
"rule stackrot_cve_2023_3269 : cve_2023_3269 kernel_uaf\n"
"{\n"
" meta:\n"
" cve = \"CVE-2023-3269\"\n"
" description = \"StackRot maple-tree UAF race log breadcrumb\"\n"
" author = \"SKELETONKEY\"\n"
" strings:\n"
" $log = \"/tmp/skeletonkey-stackrot.log\" ascii\n"
" condition:\n"
" $log\n"
"}\n";
static const char stackrot_falco[] =
"- rule: mremap/munmap race on MAP_GROWSDOWN regions (StackRot)\n"
" desc: |\n"
" Non-root process driving high-frequency mremap/munmap on\n"
" MAP_GROWSDOWN regions inside a userns + msg_msg (msgsnd)\n"
" grooming of kmalloc-192. Maple-tree node UAF race in\n"
" __vma_adjust. CVE-2023-3269.\n"
" condition: >\n"
" evt.type in (mremap, munmap) and not user.uid = 0\n"
" output: >\n"
" VMA mutation by non-root\n"
" (user=%user.name pid=%proc.pid evt=%evt.type)\n"
" priority: HIGH\n"
" tags: [memory, mitre_privilege_escalation, T1068, cve.2023.3269]\n";
const struct skeletonkey_module stackrot_module = {
.name = "stackrot",
.cve = "CVE-2023-3269",
@@ -963,9 +1010,9 @@ const struct skeletonkey_module stackrot_module = {
.mitigate = NULL,
.cleanup = stackrot_cleanup,
.detect_auditd = stackrot_auditd,
.detect_sigma = NULL,
.detect_yara = NULL,
.detect_falco = NULL,
.detect_sigma = stackrot_sigma,
.detect_yara = stackrot_yara,
.detect_falco = stackrot_falco,
.opsec_notes = "Child forks, enters userns, builds a race region with MAP_GROWSDOWN + anchor VMAs, sprays kmalloc-192 with msg_msg payloads, then spawns Thread A (mremap/munmap of region boundary to rotate maple-tree nodes) + Thread B (fork+fault the growsdown region to deref freed node). UAF in __vma_adjust fires if a sprayed msg_msg reclaims the freed node. Writes /tmp/skeletonkey-stackrot.log (iteration counts + slab delta). Audit-visible via unshare + mremap/munmap bursts on stack regions + msgsnd spray. No network. Cleanup callback unlinks /tmp log.",
};