Finding Security Events with eBPF - Security Minicamp in Yamanashi 2020-

Transcript

1. ৿ా
   ߒฏ
   
   (.0
   1FQBCP
   *OD
   
   ηΩϡϦςΟɾϛχΩϟϯϓ
   JO
   ࢁས F#1'
   ͰηΩϡϦςΟΠϕϯτΛ
   ௥͍͔͚Α͏

2. 
   (.0
   ϖύϘ
   γχΞΤϯδχΞ
   ηΩϡϦςΟରࡦࣨ ৿ా
   ߒฏ
   
   !NSUD IUUQTCMPHTTSGJO 
   ηΩϡϦςΟɾΩϟϯϓ
   ߨࢣ
   
   ηΩϡϦςΟɾΩϟϯϓ
   εςΞϦϯάίϛοςΟ
   
   *1"ະ౿ΫϦΤΠλʔ

3. ࠓ೔ͷΰʔϧ  CDD
   ͷπʔϧΛ࢖ͬͯΈΔ
    CQGUSBDF
   ͰεΫϦϓτΛॻ͍ͯΈΔ
    CDD
   Λ࢖ͬͯεΫϦϓτΛॻ͍ͯΈΔ
    CDD
   ͰΞϓϦέʔγϣϯͷΠϯγσϯτΛݕ஌͢Δ

4. ߨٛͰ࢖͏ίʔυ teacher01@teacher01:~$ ls -al ~/bpf-tutorial/ total 28 drwxr-xr-x 7 root

   root 4096 Sep 19 08:20 . drwxr-xr-x 21 teacher01 teacher01 4096 Sep 19 11:22 .. drwxr-xr-x 2 teacher01 teacher01 4096 Sep 18 07:22 bpftrace drwxr-xr-x 2 teacher01 teacher01 4096 Sep 14 14:02 execsnoop drwxr-xr-x 2 teacher01 teacher01 4096 Sep 18 08:07 opensnoop drwxr-xr-x 2 teacher01 teacher01 4096 Sep 14 12:27 seccomp-bpf drwxr-xr-x 2 teacher01 teacher01 4096 Sep 19 07:32 trace-app

5. F#1'

6. %&.0 root@bpf:/ # execsnoop-bpfcc PCOMM PID PPID RET ARGS ps

   1807 1478 0 /usr/bin/ps aux cat 1808 1478 0 /usr/bin/cat /etc/passwd ls 1809 1478 0 /usr/bin/ls --color=auto -al top 1810 1478 0 /usr/bin/top root@bpf:/ # tcpconnect-bpfcc Tracing connect ... Hit Ctrl-C to end PID COMM IP SADDR DADDR DPORT 1812 curl 4 192.168.64.5 93.184.216.34 443 1815 curl 4 192.168.64.5 52.205.86.27 80 1817 curl 4 192.168.64.5 35.227.220.44 80 1819 curl 4 192.168.64.5 35.227.220.44 443

7. IUUQTFCQGJP

8. F#1'
   ͱ͸ w#SFOEBO
   (SFHH
   ᐌ͘eBPF
   EPFT
   UP
   -JOVY
   XIBU
   +BWB4DSJQU
   EPFT
   UP
   )5.-
   w+BWB4DSJQU
   ͸ϒϥ΢βͷ҆શͳԾ૝Ϛγϯ্Ͱ೚ҙͷΠϕϯτʹରͯ͠ ϓϩάϥϜΛ࣮ߦͰ͖Δ
   wF#1'
   ͸
   -JOVY
   Χʔωϧͷ҆શͳԾ૝Ϛγϯ্Ͱ೚ҙͷΠϕϯτʹରͯ͠ ϓϩάϥϜΛ࣮ߦͰ͖Δ
   w೚ҙͷΧʔωϧؔ਺΍ϢʔβʔϥϯυϓϩάϥϜͷؔ਺͕ݺͼग़͞Εͨ Γɺ໭Γ஋͕ฦΔλΠϛϯάͰ೚ҙͷॲཧ͕Ͱ͖Δ

9. F#1'
   )JTUPSZ

10. #1'ͱ͸ w#FSLFMFZ
    1BDLFU
    'JMUFS
    w΋ͱ΋ͱ͸ύέοτΩϟϓνϟͷύϑΥʔϚϯεΛ޲্ͤ͞ΔͨΊʹ ։ൃ͞Εͨ΋ͷ
    wࠓͰ͸ύέοτϑΟϧλϦϯάҎ֎ʹ΋ύϑΥʔϚϯε෼ੳͳͲ༷ʑ ͳྖҬͰར༻͞Ε͍ͯΔ

11. #1'ͷྺ࢙ w#4%
    ͰύέοτϑΟϧλϦϯάػߏͱ࣮ͯ͠૷ޙɺ-JOVY
    ʹ΋Ҡ২
    wTFDDPNQ
    ʹ΋
    #1'
    ͕ར༻͞ΕΔΑ͏ʹͳΔ
    w൚༻తͳΧʔωϧ಺Ծ૝Ϛγϯͱͯ͠ར༻͢ΔͨΊʹ֦ு FYUFOEFE ͞Εͨ
    w֦ு͞Εͨ
    #1'
    Λ
    F#1' FYUFOEFE
    #1' ͱݺͼɺैདྷͷ
    #1'
    ͸
    D#1'
    

    DMBTTJD
    #1' ͱݺͿ͜ͱ͕͋Δ

12. D#1' $ sudo tcpdump -d icmp (000) ldh [12] (001)

    jeq #0x800 jt 2 jf 5 (002) ldb [23] (003) jeq #0x1 jt 4 jf 5 (004) ret #262144 (005) ret #0

13. TFDDPNQ w-JOVY
    ͰϓϩηεͷγεςϜίʔϧΛ੍ݶ͢Δٕज़
    w͍ΘΏΔ-JOVYίϯςφͰ΋ར༻͞Ε͍ͯΔ
    wNPEF
    ͱ
    NPEF
    ͕͋ΓɺNPEF
    Ͱ͸ΑΓॊೈʹ੍ޚͰ͖ΔΑ͏ ʹͳͬͨ

14. TFDDPNQ
    #1' ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ make build clang -o filter-mkdir main.c ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ ./filter-mkdir

    'mkdir /tmp/dir' mkdir: cannot create directory ‘/tmp/dir’: Operation not permitted ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ strace -f ./filter-mkdir 'mkdir /tmp/dir' execve("./filter-mkdir", ["./filter-mkdir", "mkdir /tmp/dir"], 0x7ffca47f8350 /* 21 vars */) = 0 ... [pid 2593] mkdir("/tmp/dir", 0777) = -1 EPERM (Operation not permitted)

15. D#1'
    ͔Β
    F#1'
    ΁ w֦ுͷ಺༰ͱͯ͠͸
    w໋ྩηοτͷҰ৽
    w࢖༻ՄೳͳϨδελ਺ͷ૿Ճ
    wF#1'
    .BQ
    ͱݺ͹ΕΔσʔλߏ଄͕ར༻Մೳʹ

16. F#1'
    ͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔ w$JMJVN
    
    F#1'CBTFE
    /FUXPSLJOH
    4FDVSJUZ
    BOE
    0CTFSWBCJMJUZ
    w'BMDP
    
    $MPVE
    /BUJWF
    3VOUJNF
    4FDVSJUZ
    w,BUSBO
    
    "
    IJHI
    QFSGPSNBODF
    MBZFS
    
    MPBE
    CBMBODFS
    w)VCCMF
    
    /FUXPSL
    4FSWJDF
    
    4FDVSJUZ
    0CTFSWBCJMJUZ
    GPS
    ,VCFSOFUFT
    VTJOH
    F#1'
    w (PPHMF

    
    'BDF#PPL
    /FUqJY
    $MPVEqBSF
    ͳͲͰར༻͞Ε͍ͯΔ

17. F#1'
    'FBUVSFT 4FDVSJUZ /FUXPSLJOH 0CTFSWBCJMJUZ

18. F#1'
    "SDIJUFDUVSF

19. F#1'
    "SDIJUFDUVSF IUUQTFCQGJP

20. F#1'
    ͷϑοΫͷྲྀΕ wF#1'
    ϓϩάϥϜ͸Πϕϯτ ۦಈܗͰಈ͘
    wఆٛ͞Ε͍ͯΔϑοΫϙΠ ϯτ΍ؔ਺΁ͷ
    FOUSZFYJU
    ͳͲ
    wϑοΫ͕ఆٛ͞Ε͍ͯͳ͍ ৔߹͸
    LQSPCF
    VQSPCF
    Λ ࢖͏

21. F#1'
    ϓϩάϥϜ͸ԿͰॻ͔͘ w#1'
    ϓϩάϥϜࣗମ͸ΧʔωϧͷϨδελϕʔεͷ
    7.
    ্Ͱಈ͘
    
    w7.
    Ͱಈ͔ͨ͢Ίʹ͸
    CZUFDPEF
    ͕ඞཁ
    wͨͩ͠
    CZUFDPEF
    Λ௚઀ॻ͘ͷ͸೉͍͠
    w
    ͳͷͰ
    $
    ͷํݴͰॻ͍ͨΓɺ͋Δ͍͸
    CQGUSBDF
    ͳͲͷந৅Խ͞Ε ͨ
    %4-
    ݴޠͳͲͰهड़ͯ͠
    --7.
    ͳͲͰίϯύΠϧ͢Δ

22. ॲཧͷྲྀΕ

23. 7FSJpDBUJPO w#1'ϓϩάϥϜ͸ΧʔωϧϥϯυͰಈ͘ͷͰΫϥογϡ͠ͳ͍Α͏ʹ ݕূػʹΑΔݕূ͕࣮ߦ͞ΕΔ
    wඞͣϧʔϓ͕ऴྃ͢Δ͜ͱ
    wڊେͳϓϩάϥϜ͸ϩʔυͰ͖ͳ͍
    wݕূػ͕ݕূͰ͖Δ࣮ߦ಺༰ͷൣғͰͷΈ
    WBMJE
    ͱͳΔ

24. F#1'
    .BQT wF#1'
    ϓϩάϥϜͰॲཧͨ͠σʔλΛอଘͰ͖Δ
    wͦͷσʔλ͸ϢʔβʔεϖʔεͷϓϩάϥϜ͔ΒऔಘͰ͖Δ

25. F#1'
    %FWFMPQNFOU

26. #1'
    %FWFMPQNFOU
    5PPMDIBJOT w#1'
    ϓϩάϥϜͷ։ൃΛ؆୯ʹͯ͘͠ΕΔπʔϧΩοτͨͪ
    wJPWJTPSCDD
    wJPWJTPSCQGUSBDF
    w(P
    
    $
    
    $
    ͷϥΠϒϥϦ

27. CDD
    UPPMT
    Ͱ
    F#1'
    ʹೖ໳͠Α͏ wJPWJTPSCDD
    w#1'
    ϓϩάϥϜΛ؆୯ʹॻͨ͘Ίͷϔϧύʔؔ਺΍ϥΠϒϥϦΛఏ ڙ͍ͯ͠Δ
    wCDDUPPMT
    ͱݺ͹ΕΔγεςϜύϑΥʔϚϯεͷͨΊͷπʔϧ܈͕ ͋Δ
    w(P
    3VTU
    3VCZ
    ͳͲͷ֤छݴޠͷ
    #JOEJOH
    ͕͋Δ

28. ·ͣ͸৮ͬͯΈΑ͏ wFYFDTOPPQ
    wUDQDPOOFDU
    wCJPMBUFODZ
    wCBTISFBEMJOF
    wPPNLJMM

29. FYFDTOPPQ root@bpf:/# execsnoop-bpfcc PCOMM PID PPID RET ARGS ps 1865

    1478 0 /usr/bin/ps aux cat 1866 1478 0 /usr/bin/cat /etc/passwd htop 1867 1478 0 /usr/bin/htop ping 1868 1478 0 /usr/bin/ping security-camp.or.jp

30. UDQDPOOFDU root@bpf:/# tcpconnect-bpfcc Tracing connect ... Hit Ctrl-C to end

    PID COMM IP SADDR DADDR DPORT 1812 curl 4 192.168.64.5 93.184.216.34 443 1815 curl 4 192.168.64.5 52.205.86.27 80 1817 curl 4 192.168.64.5 35.227.220.44 80 1819 curl 4 192.168.64.5 35.227.220.44 443

31. CJPMBUFODZ root@bpf:/# biolatency-bpfcc Tracing block device I/O... Hit Ctrl-C to

    end. ^C usecs : count distribution 0 -> 1 : 0 | | 2 -> 3 : 0 | | 4 -> 7 : 0 | | 8 -> 15 : 7 | | 16 -> 31 : 3 | | 32 -> 63 : 0 | | 64 -> 127 : 237 |******* | 128 -> 255 : 1251 |****************************************| 256 -> 511 : 166 |***** | 512 -> 1023 : 103 |*** |

32. CBSFBEMJOF root@bpf:/# bashreadline-bpfcc TIME PID COMMAND 22:09:03 1478 ls 22:09:07

    1478 cat /etc/passwd 22:09:10 1478 htop 22:09:12 1478 ps aux

33. PPNLJMM root@bpf:/# oomkill-bpfcc Tracing OOM kills... Ctrl-C to stop. 22:09:56

    Triggered by PID 777 ("snapd"), OOM kill of PID 2279 ("perl"), 1007686 pages, loadavg: 0.09 0.04 0.01 5/159 2280 root@bpf:/# sysctl -w vm.overcommit_memory=1 root@bpf:/# perl -e 'while (1) { $a .= "A" * 124; }'

34. CQGUSBDF wJPWJTPSCQGUSBDF
    wF#1'
    ϓϩάϥϜΛ؆୯ʹॻͨ͘Ίͷ
    %4-
    wݴޠͱͯ͠͸
    BXL
    ΍
    $
    ʹࣅ͍ͯΔ
    wCDD
    ಉ༷ʹπʔϧͱͯ͠΋༻ҙ͞Ε͍ͯΔ

35. &YBNQMF root@bpf:/# bpftrace -e \ 'tracepoint:raw_syscalls:sys_enter { @[comm] = count();

    }' Attaching 1 probe... @[irqbalance]: 12 @[systemd-network]: 22 @[systemd]: 28 @[bpftrace]: 72 @[cat]: 108 @[bash]: 191 @[sshd]: 747

36. &WFOU
    4PVSDFT wγεςϜίʔϧ΍ؔ਺ݺͼग़͠ΛτϨʔε͢ΔͨΊʹɺͦͷΠϕϯτ Λऔಘ͢Δํ๏͕͍͔ͭ͋͘Δ
    wΑ͘࢖͏ͷ͸
    LQSPCF
    VQSPCF
    USBDFQPJOUT
    64%5
    ͷͭ
    

37. ,QSPCFT w೚ҙͷΧʔωϧؔ਺ͷτϨʔεΛಈతʹߦ͏
    wର৅ͷؔ਺ͷΞυϨεʹϒϨʔΫϙΠϯτΛઃஔ͢Δ
    wϒϨʔΫϙΠϯτʹ౸ୡ͢Δͱ
    #1'
    ϓϩάϥϜʹඈͿ
    wΧʔωϧͷ໋ྩΛಈతʹมߋ͢Δͷ͸ةݥʹࢥ͑Δ͕ɺ҆શʹ࣮ߦ͞ ΕΔΑ͏ʹઃܭ͞Ε͍ͯΔ
    wͨͩ͠ɺେྔͷؔ਺ΛτϨʔε͢ΔͱͦΕ͚ͩύϑΥʔϚϯε͸མ ͪΔ

38. ,QSPCFT
    ͷΠϝʔδ

39. ,QSPCF
    ͰτϨʔεͯ͠ΈΑ͏ // جຊͷߏจ # bpftrace -e 'kprobe:<func> { Expression }'

    # bpftrace -l 'kprobe:*' // attach Ͱ͖Δؔ਺ҰཡΛग़ྗ // vfs_open ͕ݺ͹ΕͨΒϝοηʔδΛදࣔ # bpftrace -e \ 'kprobe:vfs_open { printf("called vfs_open\n"); }'

40. ,QSPCF
    ͰτϨʔεͯ͠ΈΑ͏ // ίϚϯυ໊Λදࣔ # bpftrace -e \ 'kprobe:vfs_open { printf("%s\n",

    comm); }' // cat ͚ͩΛදࣔ # bpftrace -e \ 'kprobe:vfs_open /comm == "cat"/ { printf("%s\n", comm); }'

41. ,QSPCF
    ͰτϨʔεͯ͠ΈΑ͏ // Ҿ਺ͷදࣔ # bpftrace -e \ 'kprobe:do_sys_open { printf("opening:

    %s\n", str(arg1)); }' #include <linux/path.h> #include <linux/dcache.h> kprobe:vfs_open { printf("%s %s\n", comm, str(((struct path *)arg0)->dentry->d_name.name)); }

42. 6QSPCFT wͬ͘͟Γ͍͏ͱ
    LQSPCFT
    ͷϢʔβʔεϖʔεϓϩάϥϜ൛ root@bpf:/# objdump -T /bin/bash | grep readline 0000000000124e60

    g DO .bss 0000000000000008 Base rl_readline_state 00000000000b7cd0 g DF .text 0000000000000252 Base readline_internal_char 00000000000b71a0 g DF .text 000000000000015f Base readline_internal_setup 0000000000087120 g DF .text 000000000000004c Base posix_readline_initialize 00000000000b8530 g DF .text 000000000000009a Base readline # bpftrace -e 'uprobe:/bin/bash:readline { printf("called\n"); }'

43. 6QSPCFT root@bpf:/# objdump -T /bin/bash | grep readline 0000000000124e60 g

    DO .bss 0000000000000008 Base rl_readline_state 00000000000b7cd0 g DF .text 0000000000000252 Base readline_internal_char 00000000000b71a0 g DF .text 000000000000015f Base readline_internal_setup 0000000000087120 g DF .text 000000000000004c Base posix_readline_initialize 00000000000b8530 g DF .text 000000000000009a Base readline # bpftrace -e 'uprobe:/bin/bash:0xb8530 { printf("called\n"); }'

44. 6QSPCFT root@bpf:/# nm uprobes-test| grep main 0000000000001149 T main root@bpf:/#

    bpftrace -e \ 'uprobe:./uprobes-test:main { printf("in main\n"); }' Attaching 1 probe...

45. 5SBDFQPJOUT w,FSOFM
    ʹࣄલʹఆٛ͞Ε͍ͯΔϑοΫϙΠϯτ
    wLQSPCF
    ͱൺֱ͢ΔͱτϨʔεͰ͖Δؔ਺ͳͲ͸গͳ͍͕ɺ4UBCMF
    "1*
    ͕͋ΔͷͰ҆ఆੑ͕͋Δ
    wLQSPCF
    ͸όʔδϣϯ͕มΘΔͱτϨʔε͕ػೳ͠ͳ͘ͳΔՄೳੑ ͕͋Δ
    w5SBDFQPJOUT
    ͸௨ৗ
    OPQ
    ໋ྩͳͷͰύϑΥʔϚϯεʹ΄ͱΜͲӨڹ ͕ͳ͍ͱ΋ݴ͑Δ

46. 5SBDFQPJOUT
    ͷΠϝʔδ

47. 5SBDFQPJOUT # bpftrace -e \ 'tracepoint:syscalls:sys_enter_execve { printf("%s %s\n", comm,

    str(args->filename)); }' # cat /sys/kernel/tracing/available_events | grep execve syscalls:sys_exit_execveat syscalls:sys_enter_execveat syscalls:sys_exit_execve syscalls:sys_enter_execve

48. 5SBDFQPJOUT # bpftrace -e \ 'tracepoint:syscalls:sys_enter_execve { printf("%s %s\n", comm,

    str(args->filename)); }' # bpftrace -e \ 'tracepoint:syscalls:sys_enter_execve { printf("%s %s\n", comm, str(args->filename)); }' # cat /sys/kernel/tracing/events/syscalls/sys_enter_execve/format ... field:int __syscall_nr; offset:8; size:4; signed:1; field:const char * filename; offset:16; size:8; signed:0; field:const char *const * argv; offset:24; size:8; signed:0; field:const char *const * envp; offset:32; size:8; signed:0; print fmt: "filename: 0x%08lx, argv: 0x%08lx, envp: 0x%08lx", \ ((unsigned long)(REC->filename)), ((unsigned long)(REC->argv)), ((unsigned long)(REC->envp))

49. 64%5 w6TFSMFWFM
    4UBUJDBMMZ
    %FpOFE
    5SBDJOH
    ͷུ
    w໊લͷ௨ΓɺϢʔβʔϓϩάϥϜʹࣗ෼ͰτϨʔεϙΠϯτΛઃஔͰ ͖Δ
    wͪ͜Β΋
    5SBDFQPJOUT
    ͱಉ༷ʹԿ΋͍ͯ͠ͳ͍ͱ͖͸
    OPQ
    ໋ྩͳͷ ͰύϑΥʔϚϯε΁ͷӨڹ͸ܰඍͱݴ͑Δ

50. 64%5 # bpftrace -e \ 'usdt:./usdt:test_probe { printf("got: %d\n", arg0);

    }' Attaching 1 probe... got: 3 got: 4 got: 5 got: 6 ...

51. GVODUJPO
    FOUSZ
    
    FYJU wLQSPCF
    VQSPCF
    USBDFQPJOUT
    ͸ͦΕͧΕؔ਺΁ೖͬͨ௚ޙͱؔ਺͕ ໭Γ஋Λฦͨ͠௚ޙΛϑοΫͰ͖Δ
    wྫ͑͹
    LQSPCF
    ͩͱ
    LSFUQSPCF
    ͱݺͿ
    wͦΕͧΕͰϑοΫ͢Δ͜ͱͰϨΠςϯγͷଌఆ͕Մೳ
    wHFUIPTUMBUFODZ
    wηΩϡϦςΟతͳ؍఺Ͱݴ͏ͱɺίϚϯυ͕੒ޭ͔ͨ͠ͳͲ

52. ϨΠςϯγͷଌఆ # gethostlatency-bpfcc TIME PID COMM LATms HOST 18:01:33 8892

    curl 29.99 example.com 18:01:43 8894 isc-worker0000 0.02 127.0.0.1 18:01:43 8894 isc-worker0000 0.01 ::1 18:01:55 8898 curl 43.45 security-camp.or.jp 18:02:00 8900 curl 97.16 blog.ssrf.in

53. CDD
    $IBMMFOHF

54. ϑΝΠϧͷΦʔϓϯΛτϨʔε͠Α͏ wCDD
    ͰϑΝΠϧͷΦʔϓϯΛτϨʔεͯ͠ΈΑ͏
    wTUSBDF
    ͰτϨʔε͢Δؔ਺Λ֬ೝ
    wࠓճ͸͞ΒʹΧʔωϧͷίʔυΛΈͯɺΑΓਂ͍ͱ͜ΖΛτϨʔε
    wCDD
    Ͱ࣮૷ // ͜͏͍͏ίϚϯυΛݕ஌͍ͨ͠ $ cat /etc/passwd

55. TUSBDF
    Ͱ֬ೝ $ strace -o output.txt cat /etc/passwd $ cat output.txt

    ... openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3 ...

56. PQFOBU SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int,

    flags, umode_t, mode) { if (force_o_largefile()) flags |= O_LARGEFILE; return do_sys_open(dfd, filename, flags, mode); } IUUQTFMJYJSCPPUMJODPNMJOVYWTPVSDFGTPQFOD-

57. CDD
    Λॻ͍ͯΈΑ͏ wLQSPCF
    Ͱ
    PQFOBU
    ͷ͞ΒʹԞ
    EP@TZT@PQFO
    ΛτϨʔε͠Α͏
    wIUUQTHJUIVCDPNJPWJTPSCDDCMPCNBTUFSEPDT SFGFSFODF@HVJEFNE
    wIUUQTHJTUHJUIVCDPNNSUD BEECCDEGDCB

58. CDD
    ͷجຊ wCDD
    ͷجຊ bpf_code = """ int do_sys_open(struct pt_regs *ctx, ...)

    { ... } """ # BPF ϓϩάϥϜΛΠχγϟϥΠζ b = BPF(text=bpf_code) # kprobe ʹ attach ͢Δ. # event ʹτϨʔε͢Δؔ਺Λɺfn_name ʹϑοΫ࣌ʹ࣮ߦ͢Δؔ਺Λࢦఆ b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

59. -FWFM
     wCQG@USBDF@QSJOUL
    Ͱग़ྗ bpf_code = """ int do_sys_open(struct pt_regs *ctx)

    { bpf_trace_printk("message\n"); } """ b = BPF(text=bpf_code) b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

60. -FWFM
     wग़ྗͨ͠಺༰͸
    USBDF@pFMET
    Ͱऔಘ b = BPF(text=bpf_code) b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace") while 1:

    (task, tid, _, _, ts, msg) = b.trace_fields() printb(b"%f, %s, %d, %s" % (ts, task, tid, msg))

61. PQFOTOPPQ bpf_code = """ int do_entry_trace(struct pt_regs *ctx) { bpf_trace_printk("REPLACEME\\n");

    return 0; } """ b = BPF(text=bpf_code) b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace") while 1: (task, tid, _, _, ts, msg) = b.trace_fields() printb(b"%f, %s, %d, %s" % (ts, task, tid, msg))

62. PQFOTOPPQ wCQG@HFU@DVSSFOU@DPNN
    Ͱϓϩηε໊Λऔಘ
    wCQG@QSPCF@SFBE
    Ͱ҆શʹจࣈྻΛίϐʔ
    wFWFOUTQFSG@TVCNJU
    Ͱ
    1FSG
    3JOH
    #V⒎FS
    ʹσʔλΛอଘ
    wQFSG@CV⒎FS@QPMM
    ͰσʔλΛϙʔϦϯά

63. PQFOTOPPQ wϑΝΠϧ໊Λग़ྗ͢ΔΑ͏ʹΧελϚΠζ͍ͯͩ͘͠͞ ϙΠϯτ wEP@FOUSZ@USBDF
    ͷҾ਺ʹ஫໨
    wจࣈྻΛ҆શʹίϐʔ͢Δؔ਺͸ͳΜ͚ͩͬ
    wQPMMJOH
    ॲཧͰͷจࣈྻදࣔ΋๨Εͣʹ

64. F#1'
    $IBMMFOHF
    

65. /*4541 w /*45
    41
    
    Ͱ͸࣍ͷΠϕϯτΛϞχλϦϯά͢ΔΑ͏ʹॻ͍ͯ͋Δ
    w *OWBMJE
    PS
    VOFYQFDUFE
    QSPDFTT
    FYFDVUJPO
    w *OWBMJE
    PS
    VOFYQFDUFE
    TZTUFN
    DBMMT
    w $IBOHFT
    UP
    QSPUFDUFE
    DPOpHVSBUJPO
    pMF
    BOE
    CJOBSJFT
    w

    8SJUFT
    UP
    VOFYQFDUFE
    MPDBUJPOT
    BOE
    pMF
    UZQFT
    w $SFBUJPO
    PG
    VOFYQFDUFE
    OFUXPSL
    MJTUFOFST
    w 5SB⒏D
    TFOU
    UP
    VOFYQFDUFE
    OFUXPSL
    EFTUJOBUJPOT
    w .BMXBSF
    TUPSBHF
    PS
    FYFDVUJPO

66. F#1'
    Ͱҟৗݕ஌͠Α͏ wΞϓϦέʔγϣϯ͔Β૝ఆ֎ͷΠϕϯτ͕ى͖ͳ͍͔νΣοΫ͠Α͏
    wશ෦Λ࣮૷͸େมͳͷͰɺϑΝΠϧͷॻ͖ࠐΈ PQFO ͱίϚϯυͷ ࣮ߦ FYFDWF Λݕ஌ͯ͠ΈΑ͏ # python3

    trace-app.py ... Detect unexpected file open : /etc/passwd Detect unexpected command execution : id

67. ର৅ͷΞϓϦέʔγϣϯ ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -h Usage: ./app [-ehn] -e echo message

    -h help -n display hostname ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -e hello hello ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -n bpf

68. ࣮૷खॱ w·ͣ͸
    PQFOBU
    ͱ
    FYFDWF
    ΛτϨʔεͯ͠
    "MMPXFE
    -JTU
    Λ࡞Ζ͏
    wTUSBDF
    Ͱ΋
    CQGUSBDF
    Ͱ΋
    0,
    wϗϫΠτϦετʹؚ·Εͳ͍ϑΝΠϧ໊Λ։͍ͨΓίϚϯυͷ࣮ߦ͕ ͋Ε͹ɺϝοηʔδͱͯ͠ग़ྗ͠Α͏
    wطʹେ࿮͸ॻ͍͍ͯΔͷͰ݀ຒΊ͠Α͏
    w50%0
    ͱॻ͔Ε͍ͯΔͱ͜ΖΛຒΊ͍ͯͩ͘͞

69. ςετͷํ๏ ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -i uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu) ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -p

    root:x:0:0:root:/root:/bin/bash root@bpf:~/bpf-tutorial/trace-app# python3 trace-app.py ... Detect unexpected file open : /etc/passwd Detect unexpected command execution : id

70. /FYU
    $IBMMFOHF wFYFDWF
    ͚ͩͰͳ͘
    FYFD
    ܥʹରԠ͠Α͏
    wઃఆϑΝΠϧ :".-΍+40/
    50.- ͳͲ͔ΒΞϓϦέʔγϣϯ໊ɺ "MMPXFE
    -JTU
    Λऔಘͯ͠ɺ༷ʑͳΞϓϦέʔγϣϯʹରԠͰ͖ΔΑ͏ ʹ͠Α͏

71. όΠύεํ๏ w୯७ʹจࣈྻϚονͰ͸Ͳ͏ͯ͠΋͕݀Ͱ͖ͯ͠·͍͕ͪ
    wྫͱͯ͠
    'BMDP
    ͷࣄྫΛ঺հ

72. QSPDTFMGSPPU wQSPDTFMGSPPUFUDQBTTXE
    Λ։͘͜ͱͰόΠύε - list: sensitive_file_names items: [/etc/shadow] - macro: sensitive_files

    condition: > fd.name startswith /etc and fd.name in (sensitive_file_names) - rule: Read sensitive file untrusted condition: > sensitive_files and open_read and proc_name_exists

73.  wTI
    D
    HJU
    ͷνΣοΫΛόΠύε - macro: spawned_process condition: evt.type = execve -

    rule: Spawn git process from php desc: Spawn git process from php condition: proc.pname=php and spawned_process and proc.cmdline startswith "sh -c git" $ php -r 'system("git --version")'; $ php -r 'system("$(echo \"git --version\")");'

74. 
    ίϝϯτΞ΢τ wҰ෦ͷίϚϯυ໊Λআ֎͍ͯ͠Δ৔߹ʹίϝϯτʹؚΊΔ - macro: batch_job condition: (proc.cmdline contains "run-job.sh") -

    rule: Spawn processes from php desc: Spawn processes from php condition: proc.pname=php and spawned_process and not batch_job $ php -r 'system("whoami")'; $ php -r 'system("whoami; # run-jon.sh");'

75. ·ͱΊ

76. ·ͱΊ wF#1'
    ͸ඇৗʹڧྗͰ؆୯ʹτϨʔε͕Ͱ͖ΔͷͰ
    0CTFSWBCJMJUZ
    Λ ࢧ͑Δେ͖ͳଘࡏʹͳΔ
    w͜Ε͔Βͷ։ൃɺӡ༻Ͱ΋
    F#1'
    ͷར༻͸૿͑ΔͩΖ͏
    wηΩϡϦςΟ෼໺Ͱ͸ྺ࢙͕ઙ͍͕ɺGBMDP
    ΍
    USBDFF
    ͳͲར༻͕૿ ͍͑ͯΔ IUUQTHJUIVCDPNBRVBTFDVSJUZUSBDFF IUUQTHJUIVCDPNGBMDPTFDVSJUZGBMDP

77. ΋ͬͱ
    F#1'
    Λֶͼ͍ͨͻͱ΁