cnscna23 tracee pipeline.pdf (28 pages)
© 2023 Aqua Security Software Ltd., All Rights Reserved
Itay Shakury, Jose Donizetti (itaysk, josedonizetti)
Verifiable GitHub Actions using eBPF

Slide 3: Tracee - Runtime Security and Forensics using eBPF
  - Example events: Container started, Process executed, Network called, Reverse shell, Evasive execution, Container stopped
  - Over 500 event types
  - aquasecurity/tracee

Slide 4: "just a couple of years ago"

Slide 6: First solution - Tracee in the pipeline (https:/ )

Slide 7: Signatures
  - New executable
  - Evasion techniques
  - Crypto miners
  - Spawned shell
  - Custom signatures

Slide 8: Second solution - profile (https:/ )

Slide 9: Profile attributes
  - Timestamp
  - User ID
  - Binary path
  - Process ID

Slide 10: Third solution - both

Slide 11: Signatures and profile combined
  - Signatures (Deny): Reverse shell, Code injection, Crypto miner
  - Profile (Allow): Executions, Files modified, Network activity

Slide 12: DEMO - tracee-action

Slides 13-19: Integration (workflow.yaml)
  - Job steps: git clone, go test, go build, release; later variants: git clone, go test, curl, lint, docker
  - The job steps are wrapped by "tracee start" and "tracee stop" steps
  - Requires CORE/BTF support on the runner kernel
  - "Wait for init": the traced steps must not begin before Tracee is ready
  - Narrowing the trace to the job:
      --trace event=execve uid=$(id -u runner)
      --trace event=execve tree=$(psgrep Runner)
  - Activity to cover: writes, signatures, host, docker; grouped into Scopes

Slides 20-23: Scopes
  Scope 1 (HOST):
      --trace 1:event=fileless_execution,hidden_file_created,...
  Scope 2 (HOST, writes to GitHub workspace):
      --trace 2:event=file_modification
      --trace 2:file_modification.args.pathname=$github.workspace/*
  Scope 3 (Runner):
      --trace 3:tree=$runner_pid
      --trace 3:event=sched_process_exec,net_packet_dns
  Scope 4 (Docker):
      --trace 4:tree=$docker_pid
      --trace 4:event=sched_process_exec,net_packet_dns

Slide 24: Executions
  - Triggers: execve, sched_process_exec
  - Profile: Binary path, Binary hash, Process UID, Process environment, Binary ctime, Process arguments
  - Signatures: dynamic load, code injection, cron, ld_preload, default ld, hidden exec, rcd, process_vm_writev, kernel module, /proc/mem, fileless exec
  - Ignore rules: /home/runner/work/_temp/, GITHUB_RUNNER_TRACKING_ID, SYSTEMD_EXEC_PID, INVOCATION_ID, JOURNAL_STREAM

Slide 25: Files modified (GitHub Workspace)
  - Triggers: write
  - Profile: File path
  - Signatures: Open write, ASLR inspection, Proc kcore, Core dump, System request key, Docker socket, Proc mem, sudoers, sched_debug
  - Ignore rules
  - Attributes*
  * pipelines.acN

Slide 26: Network activity
  - Triggers: network events
  - Profile: Domain name
  - Signatures: DNS resolution, Bare IP*, Crypto miner, Reverse shell, SSH*
  - Ignore rules

Slide 27: Attestation (https:/ )
  "... is the verifiable information about software artifacts describing where, when and how something was produced."
  - SLSA
  - https://tekton.dev/docs/chains/

Slide 28: Lessons learned
  - Runtime is not build time
  - Profiles are volatile
  - Signatures = deny, profile = allow
  - How to write portable eBPF programs
  - Trace tools might have blind spots
  - Avoid noise with contextual tracing
  - System call tracing is problematic
  - Process arguments are important, but add flakiness
  - Environment variables might leak secrets
  - Sometimes trace intention instead of the activity
  - Using profile as attestation?

Slide 29: Resources
  - aquasecurity/tracee
  - aquasecurity/tracee-action
13、ve blindspots Avoid noise with contextual tracing System call tracing is problema$c Process arguments are important,but adds flakiness Environment variables might leak secrets Some$mes trace inten$on instead of the ac$vity Using profile as aHesta$on?Lessons learned29Resourcesaquasecurity/traceeaquasecurity/tracee-acBonitayskjosedonize-AquaTracee 2023 Aqua Security So2ware Ltd.,All Rights Reserved Itay ShakuryJose Donize3Verfiable GitHub Ac0ons using eBPFitayskjosedonize-