《ebpf-needle-haystack.pdf》由会员分享,可在线阅读,更多相关《ebpf-needle-haystack.pdf(28页珍藏版)》请在三个皮匠报告上搜索。
1、Finding the Needles in a Haystack:identifying suspicious behaviors with eBPFJeremy CowanDeveloper Advocate,Amazon EKSWasiq MuhammadSecurity Engineer,Amazon GuardDutyThe challenges Capturing and monitoring runtime events for threat detectionwithout impacting the stability or performance of the OS Han
2、dling a high volume of events while providing actionable insightsAccurate detectionsLow false positivesDifferent approachesMethodProsConsExtend Linux KernelFlexibility Has to be broadlyapplicable to be accepted by the community Very slowWrite a Kernel moduleFlexibility Users apprehensive about insta
3、lling Kernel modules Can affect the stability and security of the systemDeploy a sidecar container(k8s)Separation of concerns Increases overhead Can be circumventedIntroducing Extended Berkeley Packet Filter(eBPF)Extremely versatileAllows you to capture system call events occurring within the kernel
4、 Run sandboxed programs in an operating system kernel Loaded and unloaded into the kernel dynamically Originally used to filter network traffic Evolved to deny user space applications from making certain syscalls(SECCOMP)How it works The operating system loads the bytecode,verifies it,JIT(just-in-ti
5、me)compiles it,and runs it Userspace program loads eBPF program and reads the output Requires CAP_BPF linux capability because it needs additional privileges on the system Additional metadata,e.g.process ID,program,etc can be included in the output Program executes within an eBPF VM that runs within
6、 the kernelLinux kernel diagramSyscallsUserspaceKernelAppAppAppFilesMemoryNetworkingProcessesHow GD is using eBPFProcessopen()User-spaceagentSyscall handlereBPF probeKernelUserspaceeBPF Capture of Open SyscallAll arguments are passedto the probeOpen(file_path,flags,mode)Getting started with eBPF eBP
7、F programs written in C Bumblebee automatically generates boiler plate code so you can concentrate on writing the kernel code Facilitates packaging and distribution of eBPF programs Learning eBPF by Liz Rice eBPF Summit 2022 sessionseBPF Advantages&DisadvantagesAdvantagesDisadvantages Offers memory
8、safety which isimportant when writing in C Great performance CORE and BTF provide systemportability Tooling is immature Debugging is hardCommon eBPF use cases Networking Security ObservabilityeBPF Amazon AWS LambdaUsing it to create pools of Geneve network tunnelsReduced VPC function cold start from
9、 150ms to 150s VPCCurrently using it to observe TCP flow level performancePlanning to use maps to tune TCP parameters automatically&transparently through eBPF SockOpsDistributed packet processing pipelines(key extractions and actions)Generating C templates(eBPF programs)to implement SGs and NACLs AW
10、S VPC CNIInvestigating it for Kubernetes network policiesWhy eBPF for GuardDuty Can be implemented quickly Considered safer and more trustworthy than kernel modules Relatively easy to install and update Provides rich information which can be used to detect anomalies Process detailsContainerPod Provi
11、de protection at runtimeSystem Call Tracing with eBPF The main objective is to collect:System call argumentsActor process detailsUser SpaceProcessKernelSystem Call HandlerInput Arguments(e.g.,pathname)Function Arguments(e.g.,file structure)Return Valueopen()Userspace AgenteBPF ProbeeBPF ProbeeBPF Pr
12、obeSyscall Enter HookSyscall Exit HookKprobeSecurity_file_openTask StructSystem Call Tracing Avoiding Race Conditions syscall_exit and syscall_exithooks are vulnerable to race conditions More details Phantom Attack Evading System Call Monitoring(Defcon)User SpaceProcessKernelSystem Call HandlerInput
13、 ArgumentsFunction Argumentsopen()eBPF ProbeeBPF ProbeSyscall Enter HookKprobeSecurity_file_openKernel Reads ArgspathnameFile StructRich Container and Process Context Customers demand container level details in detectionseBPF Agent Based DetectionCryptoCurrency:Runtime/BitcoinTool.BPodContainerProce
14、ssEC2 InstanceFlowlogs Based DetectionCryptoCurrency:EC2/BitcoinTool.BEC2 InstanceCollected MetadataKernel and UserspaceKernelUser SpaceProcess DetailsPIDExecutable PathUser IDCgroup/Container IDParent Process DetailsContainer DetailsImageImage DigestPod DetailsIDName,NamespaceMonitored EventsProces
15、s CreationFilesystem OperationsNetwork ConnectionsDNS Request/ResponseInterProcess InteractionsSome MoreContainer CreationBackendOn-Host Versus Backend ProcessingWe process events at the backendHigher flexibility AgentIngest EventsApply Threat IntelStateless RulesMachine LearningStateful RulesExampl
16、e ScenarioCommand Injection Exploitation22Kubernetes Worker NodeKubernetes PodInjects Shell CommandsDownloads a Crypto Minerwget https:/./cnrigExecutes the Crypto Minercnrig12Crypto Miner Connects to the Mining Pool3Example Scenario Detections New Binary Executed New file inside a containerDownloads
17、 a Crypto Minerwget https:/./cnrigExecutes the Crypto Minercnrig12New file executed inside a container Filesystem OperationsProcess CreationExample Scenario Detections Crypto Miner ExecutedExecutes the Crypto Minercnrig2Known crypto miner binary executedProcess CreationConnection to a known mining p
18、ool IP addressCrypto Miner Connects to the Mining Pool3Network ConnectionActionable DetectionsPod and Container DetailsKubernetes Pod DetailsContainer DetailsActionable DetectionsProcess DetailsProcess DetailsProcess LineageActionable DetectionsRuntime ContextNew Binary PathModifying Process Details
19、 eBPF can be used to capture events from the kernel Events can be enriched to provide additional context Suitable for threat detection applicationsLightweight&portableDoesnt require changes to the Linux kernel When combined with the power of the cloud,along with AI/ML,eBPF can be used to find the proverbial needle in a haystackSummaryThank YouJeremy CowanDeveloper Advocate,Amazon EKSLinkedIn:jicowanWasiq MuhammadSecurity Engineer,Amazon GuardDutyLinkedIn:muhammad-wasiq-29b37b16