Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Falco, runtime security analysis through syscalls

Leonardo Di Donato
June 20, 2020
Technology
0
230

Falco, runtime security analysis through syscalls

How to secure things by tracing signals from the Kernel up?

Falco provides runtime security using an eBPF probe or a kernel module as the driver, plus a ring buffer, to trace syscalls caused by userspace processes.

This is the deck for my talk given at BSides Athens 2020.

Google drive version: https://bit.ly/falco-talk-bsidesath-2020
ASCIINEMA: https://bit.ly/falco-isopenexec-container-cast

Leonardo Di Donato

June 20, 2020
Tweet

More Decks by Leonardo Di Donato

See All by Leonardo Di Donato
Coverage for eBPF programs
leodido
2
300
Scheduling eBPF on K8S doesn't have to be difficult
leodido
0
220
FalcOMG That's Awesome
leodido
0
200
Bypass Falco
leodido
0
150
Falco: runtime security analysis through syscalls
leodido
2
500
Going Beyond CI/CD with Prow
leodido
0
190
Designing a gRPC Interface for Kernel Tracing with eBPF
leodido
0
470
Cloud Native eBPF Instrumentation
leodido
7
760
Go eBPF superpowers
leodido
0
340

Other Decks in Technology

See All in Technology
Fivetranでデータ移動を自動化する
hankehly
0
120
XRミーティング 20230920
1ftseabass
PRO
0
110
組織・プロセス・技術 - フロントエンドの生産性向上への複眼的アプローチ / 20230921
bengo4com
3
940
LINE 平台與開發生態系介紹
line_developers_tw
PRO
0
260
WASMを実行する自作Microkernel, mavisの紹介
riru
0
130
セキュアエレメントによるWireGuardのセキュリティ強化
kmwebnet
0
130
フィンテック養成勉強会#33
finengine
0
140
Generative UX in LLM Application
huffon
1
410
如何在 Elasticsearch 實現敏捷的資料建模與管理 @ DevOpsDays Taipei 2023
unclejoe
0
160
サーバーレスで仮想待合室を作ろう! / Serverless Virtual Waiting Room
_kensh
3
1.1k
Priorityを制するものはローディングを制す
edwardkenfox
4
300
セルフホストランナーとインターネットとの間の転送量を削減している話
defaultcf
0
110

Featured

See All Featured
Testing 201, or: Great Expectations
jmmastey
26
6k
Six Lessons from altMBA
skipperchong
17
2.6k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
50k
Web development in the modern age
philhawksworth
200
9.8k
Navigating Team Friction
lara
177
12k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
Ruby is Unlike a Banana
tanoku
93
9.9k
For a Future-Friendly Web
brad_frost
168
8.2k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
30k

Transcript

  1. Falco
    runtime security analysis through syscalls
    BSides Athens 2020

    View Slide

  2. A timeline always works fine
    Falco created to
    parse libsinsp
    events!
    May 2016
    Accepted as a
    CNCF
    incubation level
    hosted project
    Jan 2020
    Sysdig Inc.
    donated Falco
    to the CNCF
    Oct 2018
    2
    May 2019
    Falco
    Community
    Calls start!

    View Slide

  3. whoami
    Leonardo Di Donato
    Open Source Software Engineer
    Falco Maintainer
    @leodido
    3
    extra points to who spots the meaning of this Italian hand-gesture!

    View Slide

  4. Contents
    4
    The problem
    Take a look at where everything starts and
    everything ends.
    The Falco approach
    Last line of defense: runtime security.
    Detect them!
    Playtime
    1
    2
    3
    @leodido

    View Slide

  5. Security
    5
    Use policies to change the behavior
    of a process by preventing syscalls
    from succeeding (also killing the
    process sometimes).
    DETECTION
    Use policies to monitor the behavior
    of a process and notify when its
    behavior steps outside the policy.
    PREVENTION
    @leodido

    View Slide

  6. Security
    6
    sandboxing, access control
    ● seccomp
    ● seccomp-bpf
    ● SELinux
    ● AppArmor
    AUDITING
    behavioral monitoring, intrusion &
    anomaly detection, forensics
    ● auditd
    ● Falco
    ● ...
    ● a lot still to be done in this space!
    ENFORCEMENT
    PREVENTION IS NOT ENOUGH.
    COMPLEMENTARY, NOT MUTUALLY EXCLUSIVE APPROACHES
    @leodido

    View Slide

  7. I have locks on my doors but if I don’t
    use them, or if someone breaks a
    window I’m also glad I have an
    intruder alarm to alert me.
    Runtime
    Security

    View Slide

  8. “The system call is the
    fundamental interface between
    an application and the Linux
    kernel.”
    8
    — man syscalls 2
    @leodido

    View Slide

  9. Why syscalls?
    9
    KERNEL
    Here’s happening all the interesting stuff
    OS
    KUBERNETES
    APPLICATIONS
    When you run a program you
    are making system calls.
    System calls are how a program
    enters the kernel to perform
    some task.
    ● processes
    ● network
    ● file IO
    ● much more...

    View Slide

  10. Unique challenges
    ● E_TOOMANY_SYSCALLS
    ● Millions per second
    ● Hard to manage in userspace
    ● Another syscall to know the time
    of an event
    10

    View Slide

  11. Still not enough...
    11
    CONTEXT
    Timing
    Arguments
    CONTAINERS
    Did the event originated
    in a container?
    What’s the container
    name and ID?
    What’s the container
    image?
    ORCHESTRATOR
    In which cluster it is
    running?
    On which node?
    What’s the container
    runtime interface in
    use?
    @leodido

    View Slide

  12. KERNEL MODULE
    Pros: very efficient,
    implement almost anything
    Cons: kernel panics, not
    always suitable
    EBPF PROBE
    Pros: program the kernel
    without risking to break it
    Cons: newer kernels
    PDIG
    Pros: (almost) unprivileged
    Cons: really hackish, ~20%
    slower
    Other methods?
    Future inputs/drivers?
    12
    How to get
    syscalls to
    userspace?

    View Slide

  13. Syscalls from Falco Kernel Module
    13
    kernel space
    user space
    libsinsp
    libscap
    kernel
    module
    ring buffer
    /dev/falco0 … /dev/falcoN
    @leodido

    View Slide

  14. Syscalls from Falco eBPF probe
    14
    kernel space
    user space
    libsinsp
    libscap
    eBPF VM
    eBPF maps
    eBPF probe
    @leodido

    View Slide

  15. Falco is a while(true).
    @leodido

    View Slide

  16. Falco rules are YAML.
    See it in action!
    @leodido

    View Slide

  17. Detect Kubernetes CVE-2020-8555
    An attacker with permissions to create a pod with certain built-in volume types
    (GlusterFS, Quobyte, StorageFS, ScaleIO) or permissions to create a StorageClass can
    cause kube-controller-manager to make GET or POST requests from the master’s host
    network.
    kube-controller-manager < 1.15.11 / 1.16.0 - 1.16.8 / 1.17.0 - 1.17.4 / 1.18.0
    How to detect? Write two Falco rules using Kubernetes audit logs as input to:
    1. detect if the StorageClass object is created with one of the volume types
    2. detect if pods are created using one of the volume types
    @leodido

    View Slide

  18. Detect Kubernetes CVE-2020-8555
    @leodido

    View Slide

  19. Detect Kubernetes CVE-2020-8555
    @leodido

    View Slide

  20. Resources
    ● eBPF and Falco - Leonardo Di Donato
    ● Linux Observability With BPF: Advanced Programming for
    Performance Analysis and Networking - Fontana, Calavera
    ● The ring buffer definition
    ● Kernel module fillers:
    ○ f_sys_execve_e
    ○ f_sys_open_x
    ● eBPF probe fillers:
    ○ f_sys_execve_e
    ○ f_sys_open_x
    ● Falco default rule set
    ● Kubernetes CVE 2020-8555

    20
    @leodido

    View Slide

  21. Does anyone have any question?
    21
    Thanks!
    ❏ twitter.com/leodido
    ❏ github.com/leodido
    ❏ github.com/falcosecurity/falco
    ❏ slack.k8s.io, #falco channel

    View Slide