Falco, runtime security analysis through syscalls

How to secure things by tracing signals from the Kernel up?

Falco provides runtime security using an eBPF probe or a kernel module as the driver, plus a ring buffer, to trace syscalls caused by userspace processes.

This is the deck for my talk given at BSides Athens 2020.

Google drive version: https://bit.ly/falco-talk-bsidesath-2020
ASCIINEMA: https://bit.ly/falco-isopenexec-container-cast

Leonardo Di Donato

June 20, 2020


  1. A timeline always works fine: May 2016, Falco created to parse libsinsp events! Oct 2018, Sysdig Inc. donated Falco to the CNCF. May 2019, Falco Community Calls start! Jan 2020, accepted as a CNCF incubation level hosted project.
  2. whoami: Leonardo Di Donato, Open Source Software Engineer, Falco Maintainer, @leodido. Extra points to whoever spots the meaning of this Italian hand-gesture!
  3. Contents: 1. The problem: take a look at where everything starts and everything ends. 2. The Falco approach: last line of defense, runtime security. 3. Playtime: detect them!
  4. Security. PREVENTION: use policies to change the behavior of a process by preventing syscalls from succeeding (also killing the process sometimes). DETECTION: use policies to monitor the behavior of a process and notify when its behavior steps outside the policy.
  5. Security. ENFORCEMENT (sandboxing, access control): seccomp • seccomp-bpf • SELinux • AppArmor. AUDITING (behavioral monitoring, intrusion & anomaly detection, forensics): auditd • Falco • ... • a lot still to be done in this space! Prevention is not enough: these are complementary, not mutually exclusive approaches.
  6. Runtime Security: I have locks on my doors, but if I don’t use them, or if someone breaks a window, I’m also glad I have an intruder alarm to alert me.
  7. “The system call is the fundamental interface between an application and the Linux kernel.” — syscalls(2) man page
  8. Why syscalls? Stack, top to bottom: APPLICATIONS, KUBERNETES, OS, KERNEL. The kernel is where all the interesting stuff happens. When you run a program you are making system calls. System calls are how a program enters the kernel to perform some task: processes • network • file IO • much more...
  9. Unique challenges: E_TOOMANY_SYSCALLS • millions per second • hard to manage in userspace • another syscall to know the time of an event.
  10. Still not enough... CONTEXT: timing, arguments. CONTAINERS: did the event originate in a container? What are the container name and ID? What is the container image? ORCHESTRATOR: in which cluster is it running? On which node? Which container runtime interface is in use?
  11. How to get syscalls to userspace? KERNEL MODULE. Pros: very efficient, can implement almost anything. Cons: kernel panics, not always suitable. EBPF PROBE. Pros: program the kernel without risking breaking it. Cons: requires newer kernels. PDIG. Pros: (almost) unprivileged. Cons: really hackish, ~20% slower. Other methods? Future inputs/drivers?
  12. Syscalls from Falco Kernel Module (diagram). Kernel space: kernel module, ring buffer, /dev/falco0 … /dev/falcoN. User space: libscap, libsinsp.
  13. Syscalls from Falco eBPF probe (diagram). Kernel space: eBPF probe, eBPF VM, eBPF maps. User space: libscap, libsinsp.
  14. Detect Kubernetes CVE-2020-8555. An attacker with permissions to create a pod with certain built-in volume types (GlusterFS, Quobyte, StorageFS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to make GET or POST requests from the master’s host network. Affected: kube-controller-manager < 1.15.11 / 1.16.0 - 1.16.8 / 1.17.0 - 1.17.4 / 1.18.0. How to detect? Write two Falco rules using Kubernetes audit logs as input to: 1. detect if the StorageClass object is created with one of the volume types; 2. detect if pods are created using one of the volume types.
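The two audit-log rules sketched on this slide, written out as an added example (not the deck's or the Falco project's own rule set). It assumes Falco's k8s_audit event source with its ka.* and jevt.* fields; the pod-spec volume keys (glusterfs, quobyte, storageos, scaleIO) and the kubernetes.io/* provisioner names are assumptions to check against your cluster, and the list, macro and rule names are chosen so they do not collide with upstream macros.

```yaml
# Added example, not Falco's shipped rules. Assumes the k8s_audit source.
# Volume keys and provisioner names below are assumptions, verify them.
- list: cve_2020_8555_volume_types
  items: [glusterfs, quobyte, storageos, scaleIO]

- list: cve_2020_8555_provisioners
  items: ["kubernetes.io/glusterfs", "kubernetes.io/quobyte",
          "kubernetes.io/storageos", "kubernetes.io/scaleio"]

# A create of a top-level object (no subresource such as pods/exec).
- macro: cve_2020_8555_create
  condition: ka.verb=create and not ka.target.subresource exists

# Rule 1: StorageClass whose provisioner is one of the affected plugins.
- rule: StorageClass Created With CVE-2020-8555 Volume Type
  desc: >
    Detect creation of a StorageClass pointing at one of the in-tree
    volume plugins that kube-controller-manager contacts from the
    master's host network.
  condition: >
    cve_2020_8555_create and ka.target.resource=storageclasses
    and jevt.value[/requestObject/provisioner] in (cve_2020_8555_provisioners)
  output: >
    StorageClass with CVE-2020-8555 volume type created
    (user=%ka.user.name storageclass=%ka.target.name
    provisioner=%jevt.value[/requestObject/provisioner])
  priority: WARNING
  source: k8s_audit
  tags: [k8s, cve-2020-8555]

# Rule 2: pod that declares at least one affected volume type.
- rule: Pod Created With CVE-2020-8555 Volume Type
  desc: Detect pods mounting one of the affected built-in volume types.
  condition: >
    cve_2020_8555_create and ka.target.resource=pods
    and ka.req.pod.volumes.volume_type intersects (cve_2020_8555_volume_types)
  output: >
    Pod with CVE-2020-8555 volume type created
    (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace
    volume_types=%ka.req.pod.volumes.volume_type)
  priority: WARNING
  source: k8s_audit
  tags: [k8s, cve-2020-8555]
```

Both rules fire on the audit event that creates the object, so they alert whether or not the controller-manager's outbound request later succeeds; pair them with the version ranges on the slide to decide which alerts need urgent follow-up.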
  15. Resources: eBPF and Falco - Leonardo Di Donato • Linux Observability With BPF: Advanced Programming for Performance Analysis and Networking - Fontana, Calavera • The ring buffer definition • Kernel module fillers: f_sys_execve_e, f_sys_open_x • eBPF probe fillers: f_sys_execve_e, f_sys_open_x • Falco default rule set • Kubernetes CVE 2020-8555
  16. Does anyone have any questions? Thanks! ❏ twitter.com/leodido ❏ github.com/leodido ❏ github.com/falcosecurity/falco ❏ slack.k8s.io, #falco channel