Audit of Falco, the open-source cloud-native runtime security

Falco's maintainers, with support from Cloud Native Computing Foundation, engaged with Quarkslab to perform an audit of Falco, an open-source cloud-native runtime security tool. The goal of the audit was to assist the Falco maintainers to increase their security posture using static and dynamic analysis (fuzzing in particular) and was organized by Open Source Technology Improvement Fund, Inc.

Introduction

Falco makes it easy to consume kernel events and enrich those events with information from Kubernetes and the rest of the cloud-native stack. It monitors system calls to secure a system, by:

  • parsing the Linux system calls from the kernel at runtime;
  • asserting the stream against a powerful rules engine;
  • alerting when a rule is violated.

The project ships with a default set of rules ready to be consumed by end-users to secure their Kubernetes clusters. However, users can write their own rules using a syntax created by the project for specific needs.

The full report of the assessment can be found in the Falco GitHub repository. All important findings were patched following the audit.

This report describes the steps and research conducted by Quarkslab’s engineers on static analysis and fuzzing. More specifically, our engineers identified in Syzkaller an interesting option for blackbox fuzzing of Falco's solution, making it possible to challenge both the driver and userland application at a high rate of events, and being able to trigger complex syscall chains. Falco showed no weakness in dealing with a large amount of unusual events, despite long fuzzing sessions. A way to improve this fuzzing solution would be to add userland process coverage to the syzkaller-based harness, to better guide the fuzzer.

Scope

The scope of this audit was mainly the userspace part of Falco, distributed in the falcosecurity/falco and falcosecurity/libs repositories on GitHub. We investigated also the kernel module, although it was not the focus of the audit. The dependencies and the plugins of Falco were left out of scope. The eBPF drivers of Falco also were not reviewed.

Findings

The table below summarizes the findings of the audit. A total of 19 vulnerabilities were found, of which 1 had medium severity and 9 had low severity.

ID Description Category Severity
MEDIUM 1 Potential buffer overflow due to not null terminated output of readlink in libscap/scap_proc_file_root Buffer overflow Medium
LOW 1 Memory leak on error structure in libscap/engine/bpf/scap_bpf.c:513 Memory Leak Low
LOW 2 Resource leak on pfile in libscap/engine/kmod/scap_kmod.c:67 Resource Leak Low
LOW 3 Memory leak on handle structure in libscap/scap.c:146 Memory Leak Low
LOW 4 Memory leak on pAdapterInfo structure in libscap/windows_hal.c:342 Memory Leak Low
LOW 5 Multiple unchecked return value from malloc, calloc and realloc Null dereference Low
LOW 6 Multiple unchecked return value from localtime, sinsp_threadinfo::get_fd_table and scap_write_proclist_begin that can return Nullptr Null dereference Low
LOW 7 Double free in libscap/scap.c function scap_open Double free Low
LOW 8 Garbage return value from stack in libsinsp/sinsp.cpp Garbage return value Low
LOW 9 Four null terminations of buffers written out of range by one in libscap/scan_fds.c Buffer overflow Low
INFO 1 Multiple bad handling of realloc return value in libsinsp/filterchecks.cpp Memory Leak Info
INFO 2 Missing va_end() after va_copy() in test file sinsp_with_test_input.h Incorrect handling of variadic macros Info
INFO 3 Returned heap allocated buffer resolved after being deallocated Return pointer on freed memory Info
INFO 4 Multiple potential Null pointer dereferences in macro HASH_ADD_INT64 Null dereference Info
INFO 5 Resource leak in libsinsp example libsinsp/examples/test.cpp Resource leak Info
INFO 6 Dangerous construct in a vforked process in libscap/engine/gvisor/runsc.cpp Incorrect use of vfork Info
INFO 7 Buffer overflow with not null terminated output of readlink in debug code in libsinsp/parsers.cpp Buffer overflow Info
INFO 8 Return value in various usage of readlink not checked which could lead to write to a different file Unchecked return value Info
INFO 9 Multiple crashes in the parsing of scap files and event buffer with malformed files Null dereference Info

Conclusion

Fuzzing the core of Falco proved to be non-trivial because of the complexity of the events parser inputs. We approached this problem with different strategies. First trying to fuzz specifically some parsers with libprotobuf-mutator and highly structured fuzzing. Then doing black box fuzzing of Falco and its driver via syzkaller. And finally trying mutational fuzzing using the scap file format. Although all of these approaches have limitations, we think the syzkaller and libprotobuf-mutator techniques could be useful to discover real bugs.

To conclude, Quarkslab provided several leads and strategies on how to implement static and dynamic security analysis of the Falco project in the limited amount of time dedicated to the project. The audit also unveiled some issues in the codebase, thanks to the automated tools and the manual investigations, but nothing critical or exploitable in the end. Overall, it was a pleasure to work with the Falco maintainers, who were very helpful and willing to make the project more secure.

Comments