
Finding Security Events with eBPF - Security Minicamp in Yamanashi 2020-

mrtc0
September 29, 2020


Transcript

  1. Kohei Morita (GMO Pepabo, Inc.)
    Security Mini Camp in Yamanashi
    Let's chase security events with eBPF

  2. GMO Pepabo
    Senior Engineer, Security Office
    Kohei Morita (@mrtc0)
    https://blog.ssrf.in
    Security Camp lecturer
    Security Camp Steering Committee
    IPA MITOU Program creator

  3. Today's goals
    - Try the bcc tools
    - Write a script with bpftrace
    - Write a script with bcc
    - Detect an application incident with bcc

  4. Code used in this lecture
    teacher01@teacher01:~$ ls -al ~/bpf-tutorial/
    total 28
    drwxr-xr-x 7 root root 4096 Sep 19 08:20 .
    drwxr-xr-x 21 teacher01 teacher01 4096 Sep 19 11:22 ..
    drwxr-xr-x 2 teacher01 teacher01 4096 Sep 18 07:22 bpftrace
    drwxr-xr-x 2 teacher01 teacher01 4096 Sep 14 14:02 execsnoop
    drwxr-xr-x 2 teacher01 teacher01 4096 Sep 18 08:07 opensnoop
    drwxr-xr-x 2 teacher01 teacher01 4096 Sep 14 12:27 seccomp-bpf
    drwxr-xr-x 2 teacher01 teacher01 4096 Sep 19 07:32 trace-app

  5. eBPF

  6. DEMO
    root@bpf:/ # execsnoop-bpfcc
    PCOMM PID PPID RET ARGS
    ps 1807 1478 0 /usr/bin/ps aux
    cat 1808 1478 0 /usr/bin/cat /etc/passwd
    ls 1809 1478 0 /usr/bin/ls --color=auto -al
    top 1810 1478 0 /usr/bin/top
    root@bpf:/ # tcpconnect-bpfcc
    Tracing connect ... Hit Ctrl-C to end
    PID COMM IP SADDR DADDR DPORT
    1812 curl 4 192.168.64.5 93.184.216.34 443
    1815 curl 4 192.168.64.5 52.205.86.27 80
    1817 curl 4 192.168.64.5 35.227.220.44 80
    1819 curl 4 192.168.64.5 35.227.220.44 443

  7. https://ebpf.io

  8. What is eBPF?
    - Brendan Gregg: "eBPF does to Linux what JavaScript does to HTML"
    - JavaScript runs a program in response to arbitrary events, on a safe virtual machine inside the browser
    - eBPF runs a program in response to arbitrary events, on a safe virtual machine inside the Linux kernel
    - You can run your own logic at the moment any kernel function or user-land program function is called, or when it returns a value

  9. eBPF History

  10. What is BPF?
    - Berkeley Packet Filter
    - Originally developed to improve packet-capture performance
    - Today it is used well beyond packet filtering, for example in performance analysis

  11. History of BPF
    - Implemented on BSD as a packet-filtering mechanism, then ported to Linux
    - seccomp started using BPF as well
    - It was then extended so it could serve as a general-purpose in-kernel virtual machine
    - The extended BPF is called eBPF (extended BPF); the original is sometimes called cBPF (classic BPF)

  12. cBPF
    $ sudo tcpdump -d icmp
    (000) ldh [12]
    (001) jeq #0x800 jt 2 jf 5
    (002) ldb [23]
    (003) jeq #0x1 jt 4 jf 5
    (004) ret #262144
    (005) ret #0

  13. seccomp
    - A Linux mechanism for restricting the system calls a process may make
    - Also used by so-called Linux containers
    - There are mode 1 (strict) and mode 2 (filter); mode 2 allows much finer-grained control

  14. seccomp-BPF
    ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ make build
    clang -o filter-mkdir main.c
    ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ ./filter-mkdir 'mkdir /tmp/dir'
    mkdir: cannot create directory ‘/tmp/dir’: Operation not permitted
    ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ strace -f ./filter-mkdir 'mkdir /tmp/dir'
    execve("./filter-mkdir", ["./filter-mkdir", "mkdir /tmp/dir"], 0x7ffca47f8350 /* 21 vars */) = 0
    ...
    [pid 2593] mkdir("/tmp/dir", 0777) = -1 EPERM (Operation not permitted)
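
    The cBPF disassembly on slide 12 and the seccomp-BPF demo on slide 14 are two uses of the same tiny instruction set. The example below is added here and is not the deck's filter-mkdir code: it interprets the ld/jeq/ret subset, runs the exact tcpdump ICMP program over a constructed Ethernet frame, and builds a seccomp filter in the same instruction set that returns EPERM for mkdir/mkdirat. The syscall numbers for x86_64 and aarch64, the AUDIT_ARCH values, the prctl constants and the constructed frame are assumptions taken from the kernel UAPI headers; installing the filter needs Linux with CONFIG_SECCOMP_FILTER and a mkdir binary.

```python
"""Classic BPF by hand: run the tcpdump ICMP filter over a constructed frame, then build and
install a seccomp-BPF filter that denies mkdir/mkdirat with EPERM. Added example, not the
deck's filter-mkdir code; syscall/arch numbers are assumed from the kernel UAPI headers."""
import ctypes
import errno
import os
import struct
import sys

# struct sock_filter { u16 code; u8 jt; u8 jf; u32 k; } and opcode bits from <linux/filter.h>
BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06
BPF_W, BPF_H, BPF_B, BPF_ABS, BPF_K, BPF_JEQ = 0x00, 0x08, 0x10, 0x20, 0x00, 0x10
LD_W, LD_H, LD_B = BPF_LD | BPF_ABS | BPF_W, BPF_LD | BPF_ABS | BPF_H, BPF_LD | BPF_ABS | BPF_B
JEQ_K, RET_K = BPF_JMP | BPF_JEQ | BPF_K, BPF_RET | BPF_K
HOST_ORDER = sys.byteorder

def insn(code, k, jt=0, jf=0):
    return (code, jt, jf, k)

def run_cbpf(prog, data, byteorder):
    """Interpret the ld/jeq/ret subset over data and return the verdict. Packet filters see the
    frame in network order ("big"); seccomp filters see struct seccomp_data in host order."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code in (LD_W, LD_H, LD_B):
            width = {LD_W: 4, LD_H: 2, LD_B: 1}[code]
            chunk = data[k:k + width]
            if len(chunk) != width:          # out-of-bounds load: the kernel returns 0 (drop)
                return 0
            acc = int.from_bytes(chunk, byteorder)
            pc += 1
        elif code == JEQ_K:                  # jt/jf are offsets from the *next* instruction
            pc += 1 + (jt if acc == k else jf)
        elif code == RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)
    raise ValueError("program fell off the end")

# The `tcpdump -d icmp` program from slide 12, absolute jump targets rewritten as relative jt/jf
ICMP_FILTER = [
    insn(LD_H, 12),              # (000) ldh [12]              ethertype
    insn(JEQ_K, 0x0800, 0, 3),   # (001) jeq #0x800 jt 2 jf 5  IPv4?
    insn(LD_B, 23),              # (002) ldb [23]              IP protocol byte
    insn(JEQ_K, 0x01, 0, 1),     # (003) jeq #0x1   jt 4 jf 5  ICMP?
    insn(RET_K, 262144),         # (004) ret #262144           accept (snaplen)
    insn(RET_K, 0),              # (005) ret #0                drop
]

def ethernet_ipv4_frame(protocol):
    """Constructed frame: zeroed MACs, ethertype 0x0800, minimal IPv4 header, no payload."""
    return b"\x00" * 12 + b"\x08\x00" + bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, protocol]) + b"\x00" * 10

# seccomp: the filter reads struct seccomp_data { int nr; u32 arch; u64 ip; u64 args[6]; }
AUDIT_ARCH = {"x86_64": 0xC000003E, "aarch64": 0xC00000B7}
DENIED = {"x86_64": {"mkdir": 83, "mkdirat": 258}, "aarch64": {"mkdirat": 34}}
SECCOMP_RET_KILL_PROCESS, SECCOMP_RET_ERRNO, SECCOMP_RET_ALLOW = 0x80000000, 0x00050000, 0x7FFF0000
EPERM_VERDICT = SECCOMP_RET_ERRNO | errno.EPERM

def seccomp_data(nr, arch):
    """Constructed struct seccomp_data, as the kernel would hand it to the filter."""
    return struct.pack("=iIQ6Q", nr, AUDIT_ARCH[arch], 0, 0, 0, 0, 0, 0, 0)

def build_deny_filter(arch):
    """Kill on a foreign arch (its syscall numbers mean something else), EPERM the denied
    numbers, allow everything else."""
    nrs = sorted(DENIED[arch].values())
    prog = [insn(LD_W, 4), insn(JEQ_K, AUDIT_ARCH[arch], 1, 0),
            insn(RET_K, SECCOMP_RET_KILL_PROCESS), insn(LD_W, 0)]
    for i, nr in enumerate(nrs):
        prog.append(insn(JEQ_K, nr, len(nrs) - i, 0))   # match: jump over ALLOW to the EPERM return
    prog += [insn(RET_K, SECCOMP_RET_ALLOW), insn(RET_K, EPERM_VERDICT)]
    return prog

def install_filter(prog):
    """prctl(PR_SET_NO_NEW_PRIVS) then prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &sock_fprog)."""
    PR_SET_SECCOMP, PR_SET_NO_NEW_PRIVS, SECCOMP_MODE_FILTER = 22, 38, 2

    class SockFprog(ctypes.Structure):
        _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]

    raw = ctypes.create_string_buffer(b"".join(struct.pack("=HBBI", *i) for i in prog))
    fprog = SockFprog(len(prog), ctypes.addressof(raw))
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    for args in ((PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0),
                 (PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.addressof(fprog), 0, 0)):
        if libc.prctl(*args) != 0:
            raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))

def run_under_filter(argv):
    """Fork, install the filter in the child and exec argv; return the child's exit status
    (mkdir exits 1 after EPERM), or 127 if the filter or the exec failed."""
    pid = os.fork()
    if pid == 0:
        try:
            install_filter(build_deny_filter(os.uname().machine))
            os.execvp(argv[0], argv)
        except Exception:
            os._exit(127)
    return os.WEXITSTATUS(os.waitpid(pid, 0)[1])

if __name__ == "__main__":
    print("icmp frame verdict:", run_cbpf(ICMP_FILTER, ethernet_ipv4_frame(1), "big"))
    print("mkdir under filter exited with", run_under_filter(["mkdir", "/tmp/seccomp-demo"]))
```

    The arch check comes first because seccomp_data.nr is only meaningful for one ABI: without it, a process could enter 32-bit compat mode and reach a different syscall with the same number. Returning SECCOMP_RET_ERRNO keeps the process alive and gives the exact "Operation not permitted" seen on slide 14; SECCOMP_RET_KILL_PROCESS is the right verdict when the call itself is evidence of compromise.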

  15. From cBPF to eBPF
    - The extension consisted of:
    - A redesigned instruction set
    - More usable registers
    - A data structure called eBPF Maps

  16. Where is eBPF used?
    - Cilium: eBPF-based Networking, Security, and Observability
    - Falco: Cloud Native Runtime Security
    - Katran: A high performance layer 4 load balancer
    - Hubble: Network, Service & Security Observability for Kubernetes using eBPF
    - In production at Google, Facebook, Netflix, Cloudflare and others

  17. eBPF Features
    Security, Networking, Observability

  18. eBPF Architecture

  19. eBPF Architecture
    https://ebpf.io

  20. How an eBPF hook fires
    - eBPF programs are event-driven
    - Events are predefined hook points, or the entry/exit of a function, etc.
    - Where no hook is defined, use a kprobe or uprobe

  21. What do you write eBPF programs in?
    - The BPF program itself runs on the kernel's register-based VM
    - The VM executes bytecode
    - Writing bytecode by hand is hard
    - So you write a restricted dialect of C, or an abstracted DSL such as bpftrace, and compile it with LLVM

  22. Processing flow

  23. Verification
    - BPF programs run in kernel land, so the verifier checks them before load so they cannot crash the kernel
    - Every loop must provably terminate
    - Very large programs cannot be loaded
    - A program is valid only within the execution paths the verifier can reason about

  24. eBPF Maps
    - Store data produced by an eBPF program
    - A user-space program can read that data back

  25. eBPF Development

  26. BPF Development Toolchains
    - Toolkits that make BPF program development easier
    - iovisor/bcc
    - iovisor/bpftrace
    - Libraries for Go and C/C++

  27. Getting started with eBPF via bcc-tools
    - iovisor/bcc
    - Provides helper functions and libraries that make BPF programs easy to write
    - Ships a collection of system-performance tools known as bcc-tools
    - Has bindings for Go, Rust, Ruby and other languages

  28. Let's try them first
    - execsnoop
    - tcpconnect
    - biolatency
    - bashreadline
    - oomkill

  29. execsnoop
    root@bpf:/# execsnoop-bpfcc
    PCOMM PID PPID RET ARGS
    ps 1865 1478 0 /usr/bin/ps aux
    cat 1866 1478 0 /usr/bin/cat /etc/passwd
    htop 1867 1478 0 /usr/bin/htop
    ping 1868 1478 0 /usr/bin/ping security-camp.or.jp

  30. tcpconnect
    root@bpf:/# tcpconnect-bpfcc
    Tracing connect ... Hit Ctrl-C to end
    PID COMM IP SADDR DADDR DPORT
    1812 curl 4 192.168.64.5 93.184.216.34 443
    1815 curl 4 192.168.64.5 52.205.86.27 80
    1817 curl 4 192.168.64.5 35.227.220.44 80
    1819 curl 4 192.168.64.5 35.227.220.44 443

  31. biolatency
    root@bpf:/# biolatency-bpfcc
    Tracing block device I/O... Hit Ctrl-C to end.
    ^C
    usecs : count distribution
    0 -> 1 : 0 | |
    2 -> 3 : 0 | |
    4 -> 7 : 0 | |
    8 -> 15 : 7 | |
    16 -> 31 : 3 | |
    32 -> 63 : 0 | |
    64 -> 127 : 237 |******* |
    128 -> 255 : 1251 |****************************************|
    256 -> 511 : 166 |***** |
    512 -> 1023 : 103 |*** |

  32. bashreadline
    root@bpf:/# bashreadline-bpfcc
    TIME PID COMMAND
    22:09:03 1478 ls
    22:09:07 1478 cat /etc/passwd
    22:09:10 1478 htop
    22:09:12 1478 ps aux

  33. oomkill
    // in a second shell, trigger an OOM kill
    root@bpf:/# sysctl -w vm.overcommit_memory=1
    root@bpf:/# perl -e 'while (1) { $a .= "A" * 124; }'
    root@bpf:/# oomkill-bpfcc
    Tracing OOM kills... Ctrl-C to stop.
    22:09:56 Triggered by PID 777 ("snapd"), OOM kill of PID 2279 ("perl"),
    1007686 pages, loadavg: 0.09 0.04 0.01 5/159 2280

  34. bpftrace
    - iovisor/bpftrace
    - A DSL for writing eBPF programs with little effort
    - The language resembles awk and C
    - Like bcc, it also ships ready-made tools

  35. Example
    root@bpf:/# bpftrace -e \
    'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
    Attaching 1 probe...
    @[irqbalance]: 12
    @[systemd-network]: 22
    @[systemd]: 28
    @[bpftrace]: 72
    @[cat]: 108
    @[bash]: 191
    @[sshd]: 747

  36. Event Sources
    - To trace system calls or function calls you need a way to obtain those events; there are several
    - The four used most often are kprobes, uprobes, tracepoints and USDT

  37. Kprobes
    - Dynamically trace any kernel function
    - A breakpoint is planted at the address of the target function
    - When the breakpoint is hit, execution jumps to the BPF program
    - Rewriting kernel instructions on the fly sounds dangerous, but the mechanism is designed to do it safely
    - Tracing a large number of functions does cost performance, though

  38. How Kprobes work

  39. Let's trace with a kprobe
    // basic syntax
    # bpftrace -e 'kprobe:<function> { Expression }'
    # bpftrace -l 'kprobe:*' // list the functions you can attach to
    // print a message whenever vfs_open is called
    # bpftrace -e \
    'kprobe:vfs_open { printf("called vfs_open\n"); }'

  40. Let's trace with a kprobe
    // print the command name
    # bpftrace -e \
    'kprobe:vfs_open { printf("%s\n", comm); }'
    // only for cat
    # bpftrace -e \
    'kprobe:vfs_open /comm == "cat"/ { printf("%s\n", comm); }'

  41. Let's trace with a kprobe
    // print an argument (arg1 of do_sys_open is the filename)
    # bpftrace -e \
    'kprobe:do_sys_open { printf("opening: %s\n", str(arg1)); }'
    // walk a struct argument: arg0 of vfs_open is a struct path *
    #include <linux/path.h>
    #include <linux/dcache.h>
    kprobe:vfs_open
    {
    printf("%s %s\n", comm,
    str(((struct path *)arg0)->dentry->d_name.name));
    }

  42. Uprobes
    - Roughly, the user-space-program counterpart of kprobes
    root@bpf:/# objdump -T /bin/bash | grep readline
    0000000000124e60 g DO .bss 0000000000000008 Base rl_readline_state
    00000000000b7cd0 g DF .text 0000000000000252 Base readline_internal_char
    00000000000b71a0 g DF .text 000000000000015f Base readline_internal_setup
    0000000000087120 g DF .text 000000000000004c Base posix_readline_initialize
    00000000000b8530 g DF .text 000000000000009a Base readline
    # bpftrace -e 'uprobe:/bin/bash:readline { printf("called\n"); }'

  43. Uprobes
    // the same probe by address: 0xb8530 is readline's offset in the objdump output above
    root@bpf:/# objdump -T /bin/bash | grep readline
    0000000000124e60 g DO .bss 0000000000000008 Base rl_readline_state
    00000000000b7cd0 g DF .text 0000000000000252 Base readline_internal_char
    00000000000b71a0 g DF .text 000000000000015f Base readline_internal_setup
    0000000000087120 g DF .text 000000000000004c Base posix_readline_initialize
    00000000000b8530 g DF .text 000000000000009a Base readline
    # bpftrace -e 'uprobe:/bin/bash:0xb8530 { printf("called\n"); }'

  44. Uprobes
    root@bpf:/# nm uprobes-test | grep main
    0000000000001149 T main
    root@bpf:/# bpftrace -e \
    'uprobe:./uprobes-test:main { printf("in main\n"); }'
    Attaching 1 probe...

  45. Tracepoints
    - Hook points defined in advance inside the kernel
    - Fewer functions can be traced than with kprobes, but they are a stable API, so scripts keep working
    - A kprobe may stop working when the kernel version changes (the function may be renamed, inlined or removed)
    - When unused, a tracepoint is normally a nop instruction, so it has almost no performance impact

  46. How Tracepoints work

  47. Tracepoints
    # bpftrace -e \
    'tracepoint:syscalls:sys_enter_execve {
    printf("%s %s\n", comm, str(args->filename));
    }'
    # cat /sys/kernel/tracing/available_events | grep execve
    syscalls:sys_exit_execveat
    syscalls:sys_enter_execveat
    syscalls:sys_exit_execve
    syscalls:sys_enter_execve

  48. Tracepoints
    # bpftrace -e \
    'tracepoint:syscalls:sys_enter_execve {
    printf("%s %s\n", comm, str(args->filename));
    }'
    // the fields available as args-> come from the tracepoint's format file
    # cat /sys/kernel/tracing/events/syscalls/sys_enter_execve/format
    ...
    field:int __syscall_nr; offset:8; size:4; signed:1;
    field:const char * filename; offset:16; size:8; signed:0;
    field:const char *const * argv; offset:24; size:8; signed:0;
    field:const char *const * envp; offset:32; size:8; signed:0;
    print fmt: "filename: 0x%08lx, argv: 0x%08lx, envp: 0x%08lx", \
    ((unsigned long)(REC->filename)), ((unsigned long)(REC->argv)), ((unsigned long)(REC->envp))

  49. USDT
    - Short for User-level Statically Defined Tracing
    - As the name says, you place trace points in your own user programs
    - Like tracepoints, an unused probe is a nop instruction, so the performance impact is negligible

  50. USDT
    # bpftrace -e \
    'usdt:./usdt:test_probe { printf("got: %d\n", arg0); }'
    Attaching 1 probe...
    got: 3
    got: 4
    got: 5
    got: 6
    ...

  51. Function entry/exit
    - kprobes, uprobes and tracepoints can each hook both the moment a function is entered and the moment it returns a value
    - For kprobes the return-side probe is called a kretprobe
    - Hooking both ends lets you measure latency
    - gethostlatency
    - From a security standpoint, the return value tells you things like whether a command succeeded

  52. Measuring latency
    # gethostlatency-bpfcc
    TIME PID COMM LATms HOST
    18:01:33 8892 curl 29.99 example.com
    18:01:43 8894 isc-worker0000 0.02 127.0.0.1
    18:01:43 8894 isc-worker0000 0.01 ::1
    18:01:55 8898 curl 43.45 security-camp.or.jp
    18:02:00 8900 curl 97.16 blog.ssrf.in

  53. bcc Challenge

  54. Let's trace file opens
    - Trace file opens with bcc
    - Use strace to find out which function to trace
    - This time, also read the kernel source and trace one level deeper
    - Implement it with bcc
    // we want to detect a command like this
    $ cat /etc/passwd

  55. Check with strace
    $ strace -o output.txt cat /etc/passwd
    $ cat output.txt
    ...
    openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
    ...

  56. openat
    SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int, flags,
    umode_t, mode)
    {
    if (force_o_largefile())
    flags |= O_LARGEFILE;
    return do_sys_open(dfd, filename, flags, mode);
    }
    https://elixir.bootlin.com/linux/v…/source/fs/open.c
    // Note: this is the 5.4-era source. From 5.6 on, openat() calls do_sys_openat2()
    // directly, so a kprobe on do_sys_open no longer sees openat(); check fs/open.c
    // for your kernel version before choosing a kprobe target.

  57. Let's write some bcc
    - Use a kprobe to trace do_sys_open, one level below openat
    - https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md
    - https://gist.github.com/mrtc0/…

  58. bcc basics
    - bcc basics
    bpf_code = """
    int do_entry_trace(struct pt_regs *ctx, ...) { ... }
    """
    # initialize the BPF program
    b = BPF(text=bpf_code)
    # attach it to a kprobe.
    # event is the kernel function to trace, fn_name the BPF function to run when it fires
    b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

  59. Level 1
    - Print with bpf_trace_printk()
    from bcc import BPF

    bpf_code = """
    int do_entry_trace(struct pt_regs *ctx) {
    bpf_trace_printk("message\\n");
    return 0;   // every BPF program must return, or the verifier rejects it
    }
    """
    b = BPF(text=bpf_code)
    b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

  60. Level 2
    - Read back what was printed with trace_fields()
    from bcc import BPF
    from bcc.utils import printb

    b = BPF(text=bpf_code)
    b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")
    while 1:
    (task, tid, _, _, ts, msg) = b.trace_fields()
    printb(b"%f, %s, %d, %s" % (ts, task, tid, msg))

  61. opensnoop
    from bcc import BPF
    from bcc.utils import printb

    bpf_code = """
    int do_entry_trace(struct pt_regs *ctx) {
    bpf_trace_printk("REPLACEME\\n");
    return 0;
    }
    """
    b = BPF(text=bpf_code)
    b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")
    while 1:
    (task, tid, _, _, ts, msg) = b.trace_fields()
    printb(b"%f, %s, %d, %s" % (ts, task, tid, msg))

  62. opensnoop
    - bpf_get_current_comm() gets the process name
    - bpf_probe_read() copies a string safely (kernels 5.5 and later split it into bpf_probe_read_user()/bpf_probe_read_kernel(), and bcc also offers the _str variants that stop at the NUL)
    - events.perf_submit() stores the data in the perf ring buffer
    - perf_buffer_poll() polls for that data in user space

  63. opensnoop
    - Customize the program so that it prints the file name
    Hints
    - Look at the arguments of do_entry_trace
    - Which function was it that copies a string safely?
    - Don't forget to print the string in the polling handler
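
    As a worked answer to the opensnoop challenge above and to the entry/exit idea from slide 51, here is an added bcc example (not the deck's or the gist's solution). It records openat() file names and pairs each execve() entry with its exit so the event carries the return value and the latency, and it uses the syscall tracepoints rather than a kprobe on do_sys_open, for the stability reason given on slide 45. The helper bpf_probe_read_user_str() and the struct layout are assumptions; running main() needs root, a kernel with tracepoints, and python3-bcc, while the decoding helpers run anywhere.

```python
"""bcc example: openat() file names plus execve() entry/exit (return value and latency),
delivered through a perf ring buffer. Added example, not code from the deck."""
import ctypes
import errno

TASK_COMM_LEN = 16          # matches linux/sched.h
FNAME_LEN = 256
EV_OPEN, EV_EXEC = 1, 2

BPF_SOURCE = r"""
#include <linux/sched.h>

#define FNAME_LEN 256
enum { EV_OPEN = 1, EV_EXEC = 2 };

struct event_t {
    u32 type;               // EV_OPEN or EV_EXEC
    u32 pid;
    u32 uid;
    s32 ret;                // execve() return value: 0 on success, -errno on failure
    u64 delta_ns;           // execve(): entry timestamp until exit, then the latency
    char comm[TASK_COMM_LEN];
    char fname[FNAME_LEN];
};

BPF_PERF_OUTPUT(events);                     // perf ring buffer read by user space
BPF_HASH(exec_start, u32, struct event_t);   // pid -> execve() captured at entry

static inline void fill_current(struct event_t *ev, const char *filename) {
    ev->pid = bpf_get_current_pid_tgid() >> 32;
    ev->uid = bpf_get_current_uid_gid() & 0xffffffff;
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    // the filename pointer is a user-space address: copy it with the user-string helper
    bpf_probe_read_user_str(&ev->fname, sizeof(ev->fname), filename);
}

TRACEPOINT_PROBE(syscalls, sys_enter_openat) {
    struct event_t ev = {};
    ev.type = EV_OPEN;
    fill_current(&ev, args->filename);
    events.perf_submit(args, &ev, sizeof(ev));
    return 0;
}

TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    struct event_t ev = {};
    ev.type = EV_EXEC;
    ev.delta_ns = bpf_ktime_get_ns();            // comm here is still the *caller* (e.g. bash)
    fill_current(&ev, args->filename);
    exec_start.update(&ev.pid, &ev);
    return 0;
}

TRACEPOINT_PROBE(syscalls, sys_exit_execve) {
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    struct event_t *start = exec_start.lookup(&pid);
    if (!start)
        return 0;
    struct event_t ev = *start;
    ev.ret = args->ret;
    ev.delta_ns = bpf_ktime_get_ns() - ev.delta_ns;
    events.perf_submit(args, &ev, sizeof(ev));
    exec_start.delete(&pid);
    return 0;
}
"""

class Event(ctypes.Structure):
    """Same layout as struct event_t above: four 32-bit fields, a u64, then the two char arrays."""
    _fields_ = [("type", ctypes.c_uint32), ("pid", ctypes.c_uint32), ("uid", ctypes.c_uint32),
                ("ret", ctypes.c_int32), ("delta_ns", ctypes.c_uint64),
                ("comm", ctypes.c_char * TASK_COMM_LEN), ("fname", ctypes.c_char * FNAME_LEN)]

def decode_event(raw):
    """Turn the bytes one perf_submit() delivered into a plain dict."""
    ev = Event.from_buffer_copy(raw)
    return {"type": ev.type, "pid": ev.pid, "uid": ev.uid, "ret": ev.ret, "delta_ns": ev.delta_ns,
            "comm": ev.comm.decode(errors="replace"), "fname": ev.fname.decode(errors="replace")}

def format_event(ev):
    if ev["type"] == EV_OPEN:
        return "OPEN pid=%d uid=%d comm=%s file=%s" % (ev["pid"], ev["uid"], ev["comm"], ev["fname"])
    # A failed execve is itself a signal: something tried to run a file that is missing or not executable
    status = "ok" if ev["ret"] == 0 else "failed(%s)" % errno.errorcode.get(-ev["ret"], str(ev["ret"]))
    return "EXEC pid=%d uid=%d comm=%s file=%s %s %.3fms" % (
        ev["pid"], ev["uid"], ev["comm"], ev["fname"], status, ev["delta_ns"] / 1e6)

def main():
    from bcc import BPF                     # imported here so the helpers above work without bcc
    b = BPF(text=BPF_SOURCE)                # TRACEPOINT_PROBE() handlers attach automatically

    def handle(cpu, data, size):
        print(format_event(decode_event(ctypes.string_at(data, size))))

    b["events"].open_perf_buffer(handle)
    print("Tracing openat() and execve() ... Ctrl-C to end")
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            return

if __name__ == "__main__":
    main()
```

    Keying the pending execve by pid in a BPF map is the general pattern for pairing an entry probe with its exit probe: the same trick gives a kretprobe-style latency for any kernel function. The comm captured at entry is the caller, which is what you want for "bash spawned X"; after a successful execve the task's comm has already changed to the new program.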

  64. eBPF Challenge

  65. NIST SP 800-190
    - NIST SP 800-190 says the following events should be monitored:
    - Invalid or unexpected process execution
    - Invalid or unexpected system calls
    - Changes to protected configuration files and binaries
    - Writes to unexpected locations and file types
    - Creation of unexpected network listeners
    - Traffic sent to unexpected network destinations
    - Malware storage or execution

  66. Anomaly detection with eBPF
    - Check whether the application produces any events it is not supposed to
    - Implementing all of the above is a lot of work, so detect two of them: file opens (open) and command execution (execve)
    # python3 trace-app.py
    ...
    Detect unexpected file open : /etc/passwd
    Detect unexpected command execution : id

  67. The target application
    ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -h
    Usage: ./app [-ehn]
    -e echo message
    -h help
    -n display hostname
    ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -e hello
    hello
    ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -n
    bpf

  68. Implementation steps
    - First trace openat and execve to build an Allowed List
    - strace or bpftrace, either is fine
    - Whenever a file not in the allowed list is opened, or a command is executed, print a message
    - The skeleton is already written; fill in the blanks
    - Fill in the places marked TODO

  69. How to test
    ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -i
    uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)
    ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -p
    root:x:0:0:root:/root:/bin/bash
    root@bpf:~/bpf-tutorial/trace-app# python3 trace-app.py
    ...
    Detect unexpected file open : /etc/passwd
    Detect unexpected command execution : id

  70. Next Challenge
    - Handle the whole exec family, not just execve
    - Read the application name and the Allowed List from a configuration file (YAML, JSON, TOML, etc.) so the tool works for many applications

  71. Bypass techniques
    - Plain string matching almost always leaves holes
    - As examples, here are some cases from Falco

  72. /proc/self/root
    - Bypass by opening /proc/self/root/etc/passwd: the rule below only matches names that start with /etc, and /proc/self/root/etc/shadow is the same file under a different name
    - list: sensitive_file_names
    items: [/etc/shadow]
    - macro: sensitive_files
    condition: >
    fd.name startswith /etc and fd.name in (sensitive_file_names)
    - rule: Read sensitive file untrusted
    condition: >
    sensitive_files and open_read and proc_name_exists
  73. Bypassing the "sh -c git" check
    - macro: spawned_process
    condition: evt.type = execve
    - rule: Spawn git process from php
    desc: Spawn git process from php
    condition: proc.pname=php and spawned_process and proc.cmdline startswith "sh -c git"
    // matched: the shell's command line starts with "sh -c git"
    $ php -r 'system("git --version")';
    // not matched: the command line starts with "sh -c $(", but git still runs
    $ php -r 'system("$(echo \"git --version\")");'

  74. Comments
    - When some command names are excluded from a rule, put the excluded name in a shell comment
    - macro: batch_job
    condition: (proc.cmdline contains "run-job.sh")
    - rule: Spawn processes from php
    desc: Spawn processes from php
    condition: proc.pname=php and spawned_process and not batch_job
    // detected
    $ php -r 'system("whoami")';
    // not detected: the command line contains "run-job.sh", only inside a comment
    $ php -r 'system("whoami; # run-job.sh");'
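
    The allowed-list detector from slide 68 and the three bypasses above share one lesson: match on what actually happens, not on the string the attacker controls. The added example below (not the deck's trace-app.py or Falco's code) runs two rule sets over constructed open/execve events of the kind the tracer emits: a naive set that mirrors the Falco conditions on the page, and a hardened set that normalizes /proc/<pid>/root paths, judges git at the execve of git itself using the ancestor chain (Falco's proc.aname idea), and parses the `sh -c` script with comments stripped instead of substring-matching the command line. The event shape, the ancestor list and the rule names are assumptions.

```python
"""Allowed-list detection over open/execve events: naive string matching (the shape of the
Falco snippets on the page) beside a hardened version. Added example; events are constructed."""
import posixpath
import re
import shlex

SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd"}
BATCH_JOB = "run-job.sh"
SHELLS = {"sh", "bash", "dash"}
PROC_ROOT = re.compile(r"^/proc/(?:self|thread-self|\d+)/root(?=/)")

# Constructed events in the shape a tracer would emit: the path handed to openat(2), or the argv
# of execve(2) plus the ancestor chain (parent first) read from the process tree.
EVENTS = [
    {"type": "open", "path": "/etc/shadow"},
    {"type": "open", "path": "/proc/self/root/etc/shadow"},                      # slide 72 bypass
    {"type": "exec", "argv": ["sh", "-c", "git --version"], "ancestors": ["php"]},
    {"type": "exec", "argv": ["git", "--version"], "ancestors": ["sh", "php"]},
    {"type": "exec", "argv": ["sh", "-c", '$(echo "git --version")'], "ancestors": ["php"]},  # slide 73
    {"type": "exec", "argv": ["git", "--version"], "ancestors": ["sh", "php"]},
    {"type": "exec", "argv": ["sh", "-c", "whoami; # run-job.sh"], "ancestors": ["php"]},     # slide 74
    {"type": "exec", "argv": ["sh", "-c", "run-job.sh nightly"], "ancestors": ["php"]},
]

def naive_rules(ev):
    """startswith/in on fd.name, startswith on proc.cmdline, substring exclusion for batch_job."""
    alerts = []
    if ev["type"] == "open":
        if ev["path"].startswith("/etc") and ev["path"] in SENSITIVE_FILES:
            alerts.append("Read sensitive file")
    elif ev["ancestors"][0] == "php":                 # proc.pname=php
        cmdline = " ".join(ev["argv"])                # proc.cmdline
        if cmdline.startswith("sh -c git"):
            alerts.append("Spawn git process from php")
        if BATCH_JOB not in cmdline:                  # not batch_job
            alerts.append("Spawn processes from php")
    return alerts

def normalize_path(path):
    """Strip /proc/<pid>/root prefixes (another name for the same root) and collapse '..' and '//'.
    This is lexical; a real tracer should take the name from the dentry (slide 41) or resolve
    symlinks, since the string passed to openat() is attacker-chosen."""
    while True:
        stripped = PROC_ROOT.sub("", path)
        if stripped == path:
            break
        path = stripped
    if path.startswith("/"):
        path = "/" + path.lstrip("/")
    return posixpath.normpath(path)

def shell_commands(script):
    """Split a `sh -c` script into simple commands with comments dropped. Returns None when the
    script uses command substitution or subshells, which cannot be classified statically."""
    tokens = list(shlex.shlex(script, posix=True, punctuation_chars=True))
    if any(t in ("$", "`", "(", ")") for t in tokens):
        return None
    cmds, cur = [], []
    for t in tokens:
        if t in (";", "&&", "||", "|", "&"):
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(t)
    if cur:
        cmds.append(cur)
    return cmds

def hardened_rules(ev):
    alerts = []
    if ev["type"] == "open":
        if normalize_path(ev["path"]) in SENSITIVE_FILES:
            alerts.append("Read sensitive file")
        return alerts
    prog = posixpath.basename(ev["argv"][0])
    # Judge git by the execve of git itself, with php anywhere in the ancestry (cf. proc.aname)
    if prog == "git" and "php" in ev["ancestors"]:
        alerts.append("Spawn git process from php")
    if ev["ancestors"][0] == "php":
        if prog in SHELLS and ev["argv"][1:2] == ["-c"]:
            cmds = shell_commands(ev["argv"][2] if len(ev["argv"]) > 2 else "")
            if cmds is None:
                alerts.append("Unclassifiable shell command from php")
            elif not all(c[0] == BATCH_JOB for c in cmds):
                alerts.append("Spawn processes from php")
        elif prog != BATCH_JOB:
            alerts.append("Spawn processes from php")
    return alerts

def run(rules, events):
    """Apply a rule set to every event; returns (event index, alert name) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in rules(ev)]

if __name__ == "__main__":
    for name, rules in (("naive", naive_rules), ("hardened", hardened_rules)):
        print(name, run(rules, EVENTS))
```

    Two of the three fixes are really about choosing the event: the sensitive-file rule wants the resolved file, not the open() string, and the git rule wants git's own execve, where argv[0] cannot be disguised by the wrapper shell. Only the comment trick needs parsing, and even there the safe answer for anything the parser cannot classify is to alert, not to allow.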

  75. Summary

  76. Summary
    - eBPF is very powerful and makes tracing easy, so it will be a major pillar of observability
    - Its use in development and operations will keep growing
    - In security it is still young, but tools such as falco and tracee are gaining adoption
    https://github.com/aquasecurity/tracee
    https://github.com/falcosecurity/falco

  77. For those who want to learn more about eBPF