Securing the Superpowers - Who loaded that eBPF program? (slide deck, 38 pages)
Securing the Superpowers - Who loaded that eBPF program?
John Fastabend, Natalia Reka Ivanko

Speakers
- Natalia Reka Ivanko, Security Product Lead, Isovalent
- John Fastabend, Tetragon Lead & Cilium Maintainer, Engineer, Isovalent

eBPF is on the rise - Motivation
- Networking: high performance, load balancing
- Observability: application tracing, performance troubleshooting, performance monitoring
- Security: detect suspicious behaviour, least privileged policies, preventative security

Security Use Cases
- Data exfiltration
- File integrity monitoring
- Capability abuse
- Namespace access

eBPF became cross platform
- Windows runtime recently
- Most Linux distributions
- Cloud providers

Since eBPF became so powerful, security teams need to answer questions like: who is watching eBPF? To remain secure it is really important to keep track of and audit:
- what BPF programs were loaded
- what BPF maps were created

Motivation - What does audit mean?
- Who loaded it?
- Which Kubernetes workload, which process, which binary, from which ancestors?
- When was it loaded?
- Should this program be expected?
- Have we seen this program or the process before?
- Should the process touch bpf() at all?

Auditing BPF programs with Tetragon - Security Observability & Runtime Enforcement

Tetragon - Auditing eBPF programs: What is a BPF program?
A running BPF program is:
- a set of BPF instructions (CO-RE)
- a set of maps
- a set of syscalls
- a BPF program type
- a BPF attach location
The BPF filesystem (lifetime management): /sys/fs/bpf/ holds the BPF program (insn, maps, syscalls, type, attached); Tetragon pins its links under /sys/fs/bpf/tetragon/link.

Diagram (modified from Gregg, BPF Internals, LISA21): a BPF application goes through the BPF compiler (BPF bytecode, BTF, BPF CO-RE, BPF loader), then the kernel's BPF verifier and BPF JIT; shared BPF maps and the BPF ringbuf / perf buffer carry per-event data, statistics and stacks between kernel and user space (program data). Attach points shown: tc, sock_addr/sk, struct_ops (core networking, congestion control, reuseport, hardening), sockmap (L7 observability & policy, IPC), XDP (& AF_XDP), sk_lookup, misc (freplace, iterators, BPF runtime, flow dissector).

Tetragon - Auditing eBPF programs: Case A
Alice (0xfoo) loads Alice.o, which uses MapA and MapB, via _sys_bpf(load). Observed events:
- bpf_load bpf-ns/alice /usr/bin/alice sha256 BPF_PROG_TYPE_KPROBE alice_func instruction count 2
- bpf_map_alloc bpf-ns/alice /usr/bin/alice sha256 BPF_MAP_TYPE_HASH MapA key size 4 value size 20 max entries 41
You and Your Security Profiles; Generating Security Policies with the Help of eBPF - John Fastabend & Natalia Reka Ivanko, Isovalent

Tetragon - Auditing eBPF programs: Case Analysis
Alice (0xfoo) loads Alice.o (MapA, MapB); Bob (0xbar) loads Bob.o (MapX, MapY); Eve (0x0bad) loads Eve.o; all through _sys_bpf(load). Observed events:
- bpf_load bpf-ns/eve /usr/bin/eve sha256 BPF_PROG_TYPE_KPROBE alice_func instruction count 2
- bpf_load bpf-ns/alice /usr/bin/eve sha256 BPF_PROG_TYPE_KPROBE alice_func instruction count 2
Both namespaces hold the capability: bpf-ns/alice: CAP_BPF; bpf-ns/eve: CAP_BPF.

Policy that kills any loader other than Alice's binary (kprobe on bpf_check, the verifier entry point):

    apiVersion: cilium.io/v1alpha1
    kind: TracingPolicy
    metadata:
      name: bpf
    spec:
      kprobes:
      - call: bpf_check
        syscall: false
        selectors:
        - matchBinaries:
          - operator: NotEqual
            values:
            - "/usr/bin/Alice"
          matchActions:
          - action: Sigkill

Policy that matches on the loader's hash instead of its path:

    apiVersion: cilium.io/v1alpha1
    kind: TracingPolicy
    metadata:
      name: bpf
    spec:
      kprobes:
      - call: bpf_check
        syscall: false
        selectors:
        - matchSha256:
          - operator: NotEqual
            values:
            - "0xf00"
          matchActions:
          - action: Sigkill

Linux mount and file systems: File Integrity Monitoring through Tetragon or otherwise.

Bob's case:
- Bob has permissions to load BPF programs (the matchBinaries NotEqual "/usr/bin/Alice" selector above would not admit him)
- Bob only reads/writes/creates maps
- Bob has FIM and BPF access to
- Bob launches with a validated SHA256
- Bob is corrupted at runtime and loads unvalidated instructions
WIP: hash of the instructions loaded (can be complicated) and/or a log of the instructions.

Summary
- Alice loads her program
- Eve loads the 0xbad program
- Eve/Bob read/write/create invalid maps
- Bob loads unknown instructions

Demo - Auditing eBPF programs with Tetragon
1. Introduce the test environment
2. Apply a security policy to observe BPF program loads and map creation
3. Audit BPF programs and collect security observability data
   a. Simple "bpf-droid" pod
   b. Real world use case - Cilium

Introduce Test Environment - Workflow:
1. Apply the policy (bpf_check, security_perf_event_alloc, security_bpf_map_alloc)
2. Observe events
   a. Simple pod
   b. Real world scenario - Cilium

Security Policy - Audit BPF progs, maps. Hooked functions:
- bpf_check: when the verifier checks the program before loading it
- security_perf_event_alloc: creating a map to transfer events between userspace and kernel
- security_bpf_map_alloc: creating a BPF map

Simple pod - seattle-bpf-droid:
1. Load the seattle_bpf_prog BPF program (kprobe)
2. Sleep 30s
3. Create the tetragon_bpf hash map
4. Sleep 30s

Real World Use Case - Cilium. Cilium startup:
1. Probe which features and maps are available on the kernel version
2. Check & remove iptables rules
3. init.sh: figure out which programs to load and which device to load them on
4. Compile those programs
5. Load BPF programs for each pod

Wrapping up
1. eBPF is on the rise
   a. Networking, observability, security
   b. Cross platform
2. Important to keep track & audit
   a. Who is watching eBPF? (programs, map creation)
3. Auditing BPF programs with Tetragon
4. Demo
   a. "Seattle-bpf-droid" test use case
   b. Cilium startup

How to contribute?
- Use the tool: report bugs, create feature requests, tell us about your user experience
- Improve the documentation (open issues)
- Add your use cases ("./crds/examples", "./contrib")
- Tell us how it doesn't work for some use cases
- Feedback on UI, CRDs, etc.
- Fix a bug, implement a feature
Lots of work across all layers of the stack: documentation, K8s, Golang, systems programming, BPF, Linux kernel, packaging.

Thank you! Q&A
cilium/tetragon, ciliumproject, cilium.io, jrfastab, sharlns
Please scan the QR code to leave feedback on this session.
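As an added example (not from the talk or the Tetragon project), this is the audit pass the Case Analysis and the demo's bpf_check / security_bpf_map_alloc policy lead to: each load or map-creation event is checked against a per-namespace profile, answering who loaded it (namespace, binary, sha256), whether the program or map is expected, and whether the process should touch bpf() at all. The event records are constructed to carry the fields the slides print (they are not Tetragon's JSON schema) and the profiles for Alice, Bob and Eve are assumed.

```python
# Per-namespace profile of who may touch bpf(): loader binary + sha256, programs it may
# load (type, instruction count), maps it may create. Values are constructed for the slides.
PROFILES = {
    "bpf-ns/alice": {
        "binary": "/usr/bin/alice", "sha256": "0xfoo",
        "programs": {"alice_func": ("BPF_PROG_TYPE_KPROBE", 2)},
        "maps": {"MapA": "BPF_MAP_TYPE_HASH", "MapB": "BPF_MAP_TYPE_HASH"},
    },
    "bpf-ns/bob": {  # Bob may only create/read/write maps, never load programs
        "binary": "/usr/bin/bob", "sha256": "0xbar", "programs": {},
        "maps": {"MapX": "BPF_MAP_TYPE_HASH", "MapY": "BPF_MAP_TYPE_HASH"},
    },
}

def audit(ev):  # findings for one bpf_check / security_bpf_map_alloc event ([] = expected)
    ns, prof = ev["ns"], PROFILES.get(ev["ns"])
    if prof is None:  # "should the process touch bpf() at all?"
        return [f"{ns}: bpf() activity from a namespace with no BPF profile"]
    out = []
    if (ev["binary"], ev["sha256"]) != (prof["binary"], prof["sha256"]):
        out.append(f"{ns}: unexpected loader {ev['binary']} sha256={ev['sha256']}")
    if ev["hook"] == "bpf_check":  # verifier entry: a program is being loaded
        want = prof["programs"].get(ev["prog_name"])
        if want is None:
            out.append(f"{ns}: unknown program {ev['prog_name']}")
        elif (ev["prog_type"], ev["insn_cnt"]) != want:
            out.append(f"{ns}: program {ev['prog_name']} deviates from its profile")
    elif ev["hook"] == "security_bpf_map_alloc":
        if prof["maps"].get(ev["map_name"]) != ev["map_type"]:
            out.append(f"{ns}: unexpected map {ev['map_name']} ({ev['map_type']})")
    return out

def load_ev(ns, binary, sha, name, cnt):  # event shape follows the slide output (constructed)
    return {"hook": "bpf_check", "ns": ns, "binary": binary, "sha256": sha,
            "prog_type": "BPF_PROG_TYPE_KPROBE", "prog_name": name, "insn_cnt": cnt}
def map_ev(ns, binary, sha, name, mtype="BPF_MAP_TYPE_HASH"):
    return {"hook": "security_bpf_map_alloc", "ns": ns, "binary": binary,
            "sha256": sha, "map_name": name, "map_type": mtype}

EVENTS = [  # constructed stream mirroring the slides' cases
    load_ev("bpf-ns/alice", "/usr/bin/alice", "0xfoo", "alice_func", 2),  # expected
    map_ev("bpf-ns/alice", "/usr/bin/alice", "0xfoo", "MapA"),            # expected
    load_ev("bpf-ns/eve", "/usr/bin/eve", "0x0bad", "alice_func", 2),     # Eve, no profile
    load_ev("bpf-ns/alice", "/usr/bin/eve", "0x0bad", "alice_func", 2),   # Eve in Alice's ns
    load_ev("bpf-ns/bob", "/usr/bin/bob", "0xbar", "bob_func", 9),        # Bob loads a program
]

def audit_stream(events=EVENTS):
    return [audit(e) for e in events]
```

The last case is the slides' "Bob is corrupted at runtime" scenario: the binary and hash still match, so only the per-program profile catches it, which is why the deck lists hashing or logging the loaded instructions as work in progress.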
27、featureLots of work across all layers of the stackLots of work across all layers of the stackDocumentation,K8s,Golang,Systems Programming,BPF,Linux Kernel,PackagingThank you!Q&Acilium/tetragonciliumprojectcilium.iojrfastabjrfastabsharlnssharlnsPlease scan the QR code to leave feedback on Please scan the QR code to leave feedback on this sessionthis session