
Falco, runtime security analysis through syscalls

How to secure things by tracing signals from the Kernel up?

Falco provides runtime security using an eBPF probe or a kernel module as the driver, plus a ring buffer, to trace syscalls caused by userspace processes.

This is the deck for my talk given at BSides Athens 2020.

Google drive version: https://bit.ly/falco-talk-bsidesath-2020
ASCIINEMA: https://bit.ly/falco-isopenexec-container-cast

Leonardo Di Donato

June 20, 2020

Transcript

  1. Falco
    runtime security analysis through syscalls
    BSides Athens 2020

  2. A timeline always works fine
    May 2016: Falco created to parse libsinsp events!
    Oct 2018: Sysdig Inc. donated Falco to the CNCF
    May 2019: Falco Community Calls start!
    Jan 2020: Accepted as a CNCF incubation level hosted project

  3. whoami
    Leonardo Di Donato
    Open Source Software Engineer
    Falco Maintainer
    @leodido
    extra points to whoever spots the meaning of this Italian hand-gesture!

  4. Contents
    1. The problem: take a look at where everything starts and everything ends.
    2. The Falco approach: last line of defense, runtime security. Detect them!
    3. Playtime
    @leodido

  5. Security
    PREVENTION: use policies to change the behavior of a process by preventing syscalls from succeeding (also killing the process sometimes).
    DETECTION: use policies to monitor the behavior of a process and notify when its behavior steps outside the policy.
    @leodido

  6. Security
    ENFORCEMENT (sandboxing, access control)
    ● seccomp
    ● seccomp-bpf
    ● SELinux
    ● AppArmor
    AUDITING (behavioral monitoring, intrusion & anomaly detection, forensics)
    ● auditd
    ● Falco
    ● ...
    ● a lot still to be done in this space!
    PREVENTION IS NOT ENOUGH.
    COMPLEMENTARY, NOT MUTUALLY EXCLUSIVE APPROACHES
    @leodido

  7. Runtime Security
    I have locks on my doors but if I don’t use them, or if someone breaks a window, I’m also glad I have an intruder alarm to alert me.

  8. “The system call is the fundamental interface between an application and the Linux kernel.”
    — man syscalls 2
    @leodido

  9. Why syscalls?
    Layers: KERNEL (here’s where all the interesting stuff happens), OS, KUBERNETES, APPLICATIONS.
    When you run a program you are making system calls. System calls are how a program enters the kernel to perform some task:
    ● processes
    ● network
    ● file IO
    ● much more...

  10. Unique challenges
    ● E_TOOMANY_SYSCALLS
    ● Millions per second
    ● Hard to manage in userspace
    ● Another syscall to know the time of an event

  11. Still not enough...
    CONTEXT: timing, arguments
    CONTAINERS: Did the event originate in a container? What’s the container name and ID? What’s the container image?
    ORCHESTRATOR: In which cluster is it running? On which node? What’s the container runtime interface in use?
    @leodido

  12. How to get syscalls to userspace?
    KERNEL MODULE. Pros: very efficient, implement almost anything. Cons: kernel panics, not always suitable.
    EBPF PROBE. Pros: program the kernel without risking breaking it. Cons: newer kernels.
    PDIG. Pros: (almost) unprivileged. Cons: really hackish, ~20% slower.
    Other methods? Future inputs/drivers?

  13. Syscalls from Falco Kernel Module
    kernel space: kernel module → ring buffer (exposed as /dev/falco0 … /dev/falcoN)
    user space: libscap → libsinsp
    @leodido

  14. Syscalls from Falco eBPF probe
    kernel space: eBPF probe (running in the eBPF VM) → eBPF maps
    user space: libscap → libsinsp
    @leodido

  15. Falco is a while(true).
    @leodido

  16. Falco rules are YAML.
    See it in action!
    @leodido

  17. Detect Kubernetes CVE-2020-8555
    An attacker with permissions to create a pod with certain built-in volume types (GlusterFS, Quobyte, StorageOS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to make GET or POST requests from the master’s host network.
    Affected: kube-controller-manager < 1.15.11 / 1.16.0 - 1.16.8 / 1.17.0 - 1.17.4 / 1.18.0
    How to detect? Write two Falco rules using Kubernetes audit logs as input to:
    1. detect if the StorageClass object is created with one of the volume types
    2. detect if pods are created using one of the volume types
    @leodido

  18. Detect Kubernetes CVE-2020-8555
    @leodido

  19. Detect Kubernetes CVE-2020-8555
    @leodido
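The two audit-log checks described on slide 17, as an added Python example that is not part of the deck or of Falco itself: it applies the StorageClass rule and the Pod rule to constructed Kubernetes audit events, the same conditions a Falco rule would express in YAML over the audit log. The mapping of the four affected volume types to Pod volume-source keys and in-tree StorageClass provisioner names is this example's assumption.

```python
import json
# Volume sources named in CVE-2020-8555 (lower-cased Pod spec.volumes[] keys) and the
# matching in-tree StorageClass provisioner names; both mappings are this example's assumptions.
VULN_VOLUME_TYPES = {"glusterfs", "quobyte", "scaleio", "storageos"}
VULN_PROVISIONERS = {"kubernetes.io/" + t for t in VULN_VOLUME_TYPES}

def is_create_of(event, resource):
    return event.get("verb") == "create" and event.get("objectRef", {}).get("resource") == resource

def storageclass_rule(event):
    """Rule 1: a StorageClass is created with one of the affected provisioners."""
    if not is_create_of(event, "storageclasses"):
        return None
    provisioner = event.get("requestObject", {}).get("provisioner", "")
    return provisioner if provisioner in VULN_PROVISIONERS else None

def pod_volumes_rule(event):
    """Rule 2: a Pod is created with at least one volume of an affected type."""
    if not is_create_of(event, "pods"):
        return set()
    volumes = event.get("requestObject", {}).get("spec", {}).get("volumes", [])
    # Each volume is {"name": ..., "<volumeSource>": {...}}: the non-name key is the type.
    return {k.lower() for vol in volumes for k in vol
            if k != "name" and k.lower() in VULN_VOLUME_TYPES}

def scan(audit_lines):
    """Apply both rules to newline-delimited audit events from a RequestResponse-level policy."""
    alerts = []
    for line in audit_lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # the request body appears at more than one stage; alert once
        who, target = ev.get("user", {}).get("username", "?"), ev.get("objectRef", {}).get("name", "?")
        if prov := storageclass_rule(ev):
            alerts.append(("storageclass_cve_2020_8555", who, target, prov))
        if types := pod_volumes_rule(ev):
            alerts.append(("pod_volume_cve_2020_8555", who, target, ",".join(sorted(types))))
    return alerts

# Constructed audit events (not real cluster output): a StorageClass using an affected
# provisioner, a Pod mounting a scaleIO volume, and a benign Pod that must not alert.
SAMPLE_AUDIT_LOG = [
    json.dumps({"stage": "ResponseComplete", "verb": "create", "user": {"username": "dev"},
                "objectRef": {"resource": "storageclasses", "name": "fast"},
                "requestObject": {"provisioner": "kubernetes.io/quobyte"}}),
    json.dumps({"stage": "ResponseComplete", "verb": "create", "user": {"username": "dev"},
                "objectRef": {"resource": "pods", "name": "app-1"},
                "requestObject": {"spec": {"volumes": [{"name": "d", "scaleIO": {"system": "s"}}]}}}),
    json.dumps({"stage": "ResponseComplete", "verb": "create", "user": {"username": "dev"},
                "objectRef": {"resource": "pods", "name": "app-2"},
                "requestObject": {"spec": {"volumes": [{"name": "t", "emptyDir": {}}]}}}),
]
```

`scan(SAMPLE_AUDIT_LOG)` yields one alert per rule for the first two events and nothing for the benign Pod.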

  20. Resources
    ● eBPF and Falco - Leonardo Di Donato
    ● Linux Observability With BPF: Advanced Programming for
    Performance Analysis and Networking - Fontana, Calavera
    ● The ring buffer definition
    ● Kernel module fillers:
    ○ f_sys_execve_e
    ○ f_sys_open_x
    ● eBPF probe fillers:
    ○ f_sys_execve_e
    ○ f_sys_open_x
    ● Falco default rule set
    ● Kubernetes CVE 2020-8555

    @leodido

  21. Does anyone have any questions?
    Thanks!
    ❏ twitter.com/leodido
    ❏ github.com/leodido
    ❏ github.com/falcosecurity/falco
    ❏ slack.k8s.io, #falco channel
