Finding Security Events with eBPF - Security Minicamp in Yamanashi 2020-

৿ాߒฏ(.01FQBCP *OD ηΩϡϦςΟɾϛχΩϟϯϓJOࢁས F#1'ͰηΩϡϦςΟΠϕϯτΛ ௥͍͔͚Α͏

(.0ϖύϘ γχΞΤϯδχΞηΩϡϦςΟରࡦࣨ ৿ాߒฏ!NSUD IUUQTCMPHTTSGJO ηΩϡϦςΟɾΩϟϯϓߨࢣ ηΩϡϦςΟɾΩϟϯϓεςΞϦϯάίϛοςΟ *1"ະ౿ΫϦΤΠλʔ

ࠓ೔ͷΰʔϧ CDDͷπʔϧΛ࢖ͬͯΈΔ CQGUSBDFͰεΫϦϓτΛॻ͍ͯΈΔ CDDΛ࢖ͬͯεΫϦϓτΛॻ͍ͯΈΔ CDDͰΞϓϦέʔγϣϯͷΠϯγσϯτΛݕ஌͢Δ

ߨٛͰ࢖͏ίʔυ teacher01@teacher01:~$ ls -al ~/bpf-tutorial/ total 28 drwxr-xr-x 7 root
root 4096 Sep 19 08:20 . drwxr-xr-x 21 teacher01 teacher01 4096 Sep 19 11:22 .. drwxr-xr-x 2 teacher01 teacher01 4096 Sep 18 07:22 bpftrace drwxr-xr-x 2 teacher01 teacher01 4096 Sep 14 14:02 execsnoop drwxr-xr-x 2 teacher01 teacher01 4096 Sep 18 08:07 opensnoop drwxr-xr-x 2 teacher01 teacher01 4096 Sep 14 12:27 seccomp-bpf drwxr-xr-x 2 teacher01 teacher01 4096 Sep 19 07:32 trace-app

%&.0 root@bpf:/ # execsnoop-bpfcc PCOMM PID PPID RET ARGS ps
1807 1478 0 /usr/bin/ps aux cat 1808 1478 0 /usr/bin/cat /etc/passwd ls 1809 1478 0 /usr/bin/ls --color=auto -al top 1810 1478 0 /usr/bin/top root@bpf:/ # tcpconnect-bpfcc Tracing connect ... Hit Ctrl-C to end PID COMM IP SADDR DADDR DPORT 1812 curl 4 192.168.64.5 93.184.216.34 443 1815 curl 4 192.168.64.5 52.205.86.27 80 1817 curl 4 192.168.64.5 35.227.220.44 80 1819 curl 4 192.168.64.5 35.227.220.44 443

IUUQTFCQGJP

F#1'ͱ͸ w#SFOEBO(SFHHᐌ͘eBPFEPFTUP-JOVYXIBU+BWB4DSJQUEPFTUP )5.- w+BWB4DSJQU͸ϒϥ΢βͷ҆શͳԾ૝Ϛγϯ্Ͱ೚ҙͷΠϕϯτʹରͯ͠ ϓϩάϥϜΛ࣮ߦͰ͖Δ wF#1'͸-JOVYΧʔωϧͷ҆શͳԾ૝Ϛγϯ্Ͱ೚ҙͷΠϕϯτʹରͯ͠ ϓϩάϥϜΛ࣮ߦͰ͖Δ w೚ҙͷΧʔωϧؔ਺΍ϢʔβʔϥϯυϓϩάϥϜͷؔ਺͕ݺͼग़͞Εͨ Γɺ໭Γ஋͕ฦΔλΠϛϯάͰ೚ҙͷॲཧ͕Ͱ͖Δ

F#1')JTUPSZ

#1'ͱ͸ w#FSLFMFZ1BDLFU'JMUFS w΋ͱ΋ͱ͸ύέοτΩϟϓνϟͷύϑΥʔϚϯεΛ޲্ͤ͞ΔͨΊʹ ։ൃ͞Εͨ΋ͷ wࠓͰ͸ύέοτϑΟϧλϦϯάҎ֎ʹ΋ύϑΥʔϚϯε෼ੳͳͲ༷ʑ ͳྖҬͰར༻͞Ε͍ͯΔ

#1'ͷྺ࢙ w#4%ͰύέοτϑΟϧλϦϯάػߏͱ࣮ͯ͠૷ޙɺ-JOVYʹ΋Ҡ২ wTFDDPNQʹ΋#1'͕ར༻͞ΕΔΑ͏ʹͳΔ w൚༻తͳΧʔωϧ಺Ծ૝Ϛγϯͱͯ͠ར༻͢ΔͨΊʹ֦ு FYUFOEFE ͞Εͨ w֦ு͞Εͨ#1'ΛF#1' FYUFOEFE#1' ͱݺͼɺैདྷͷ#1'͸ D#1'
DMBTTJD#1' ͱݺͿ͜ͱ͕͋Δ

D#1' $ sudo tcpdump -d icmp (000) ldh [12] (001)
jeq #0x800 jt 2 jf 5 (002) ldb [23] (003) jeq #0x1 jt 4 jf 5 (004) ret #262144 (005) ret #0

TFDDPNQ w-JOVYͰϓϩηεͷγεςϜίʔϧΛ੍ݶ͢Δٕज़ w͍ΘΏΔ-JOVYίϯςφͰ΋ར༻͞Ε͍ͯΔ wNPEFͱNPEF͕͋ΓɺNPEFͰ͸ΑΓॊೈʹ੍ޚͰ͖ΔΑ͏ ʹͳͬͨ

TFDDPNQ#1' ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ make build clang -o filter-mkdir main.c ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ ./filter-mkdir
'mkdir /tmp/dir' mkdir: cannot create directory ‘/tmp/dir’: Operation not permitted ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ strace -f ./filter-mkdir 'mkdir /tmp/dir' execve("./filter-mkdir", ["./filter-mkdir", "mkdir /tmp/dir"], 0x7ffca47f8350 /* 21 vars */) = 0 ... [pid 2593] mkdir("/tmp/dir", 0777) = -1 EPERM (Operation not permitted)

D#1'͔ΒF#1'΁ w֦ுͷ಺༰ͱͯ͠͸ w໋ྩηοτͷҰ৽ w࢖༻ՄೳͳϨδελ਺ͷ૿Ճ wF#1'.BQͱݺ͹ΕΔσʔλߏ଄͕ར༻Մೳʹ

F#1'͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔ w$JMJVNF#1'CBTFE/FUXPSLJOH 4FDVSJUZ BOE0CTFSWBCJMJUZ w'BMDP$MPVE/BUJWF3VOUJNF4FDVSJUZ w,BUSBO"IJHIQFSGPSNBODFMBZFSMPBECBMBODFS w)VCCMF/FUXPSL 4FSWJDF4FDVSJUZ0CTFSWBCJMJUZGPS,VCFSOFUFTVTJOHF#1' w (PPHMF
'BDF#PPL /FUqJY $MPVEqBSFͳͲͰར༻͞Ε͍ͯΔ

F#1''FBUVSFT 4FDVSJUZ /FUXPSLJOH 0CTFSWBCJMJUZ

F#1'"SDIJUFDUVSF

F#1'"SDIJUFDUVSF IUUQTFCQGJP

F#1'ͷϑοΫͷྲྀΕ wF#1'ϓϩάϥϜ͸Πϕϯτ ۦಈܗͰಈ͘ wఆٛ͞Ε͍ͯΔϑοΫϙΠ ϯτ΍ؔ਺΁ͷFOUSZFYJU ͳͲ wϑοΫ͕ఆٛ͞Ε͍ͯͳ͍ ৔߹͸LQSPCF VQSPCFΛ ࢖͏

F#1'ϓϩάϥϜ͸ԿͰॻ͔͘ w#1'ϓϩάϥϜࣗମ͸ΧʔωϧͷϨδελϕʔεͷ7.্Ͱಈ͘ w7.Ͱಈ͔ͨ͢Ίʹ͸CZUFDPEF͕ඞཁ wͨͩ͠CZUFDPEFΛ௚઀ॻ͘ͷ͸೉͍͠ wͳͷͰ$ͷํݴͰॻ͍ͨΓɺ͋Δ͍͸CQGUSBDFͳͲͷந৅Խ͞Ε ͨ%4-ݴޠͳͲͰهड़ͯ͠--7.ͳͲͰίϯύΠϧ͢Δ

ॲཧͷྲྀΕ

7FSJpDBUJPO w#1'ϓϩάϥϜ͸ΧʔωϧϥϯυͰಈ͘ͷͰΫϥογϡ͠ͳ͍Α͏ʹ ݕূػʹΑΔݕূ͕࣮ߦ͞ΕΔ wඞͣϧʔϓ͕ऴྃ͢Δ͜ͱ wڊେͳϓϩάϥϜ͸ϩʔυͰ͖ͳ͍ wݕূػ͕ݕূͰ͖Δ࣮ߦ಺༰ͷൣғͰͷΈWBMJEͱͳΔ

F#1'.BQT wF#1'ϓϩάϥϜͰॲཧͨ͠σʔλΛอଘͰ͖Δ wͦͷσʔλ͸ϢʔβʔεϖʔεͷϓϩάϥϜ͔ΒऔಘͰ͖Δ

F#1'%FWFMPQNFOU

#1'%FWFMPQNFOU5PPMDIBJOT w#1'ϓϩάϥϜͷ։ൃΛ؆୯ʹͯ͘͠ΕΔπʔϧΩοτͨͪ wJPWJTPSCDD wJPWJTPSCQGUSBDF w(P$$ ͷϥΠϒϥϦ

CDDUPPMTͰF#1'ʹೖ໳͠Α͏ wJPWJTPSCDD w#1'ϓϩάϥϜΛ؆୯ʹॻͨ͘Ίͷϔϧύʔؔ਺΍ϥΠϒϥϦΛఏ ڙ͍ͯ͠Δ wCDDUPPMTͱݺ͹ΕΔγεςϜύϑΥʔϚϯεͷͨΊͷπʔϧ܈͕ ͋Δ w(P 3VTU 3VCZͳͲͷ֤छݴޠͷ#JOEJOH͕͋Δ

·ͣ͸৮ͬͯΈΑ͏ wFYFDTOPPQ wUDQDPOOFDU wCJPMBUFODZ wCBTISFBEMJOF wPPNLJMM

FYFDTOPPQ root@bpf:/# execsnoop-bpfcc PCOMM PID PPID RET ARGS ps 1865
1478 0 /usr/bin/ps aux cat 1866 1478 0 /usr/bin/cat /etc/passwd htop 1867 1478 0 /usr/bin/htop ping 1868 1478 0 /usr/bin/ping security-camp.or.jp

UDQDPOOFDU root@bpf:/# tcpconnect-bpfcc Tracing connect ... Hit Ctrl-C to end
PID COMM IP SADDR DADDR DPORT 1812 curl 4 192.168.64.5 93.184.216.34 443 1815 curl 4 192.168.64.5 52.205.86.27 80 1817 curl 4 192.168.64.5 35.227.220.44 80 1819 curl 4 192.168.64.5 35.227.220.44 443

CJPMBUFODZ root@bpf:/# biolatency-bpfcc Tracing block device I/O... Hit Ctrl-C to
end. ^C usecs : count distribution 0 -> 1 : 0 | | 2 -> 3 : 0 | | 4 -> 7 : 0 | | 8 -> 15 : 7 | | 16 -> 31 : 3 | | 32 -> 63 : 0 | | 64 -> 127 : 237 |******* | 128 -> 255 : 1251 |****************************************| 256 -> 511 : 166 |***** | 512 -> 1023 : 103 |*** |

CBSFBEMJOF root@bpf:/# bashreadline-bpfcc TIME PID COMMAND 22:09:03 1478 ls 22:09:07
1478 cat /etc/passwd 22:09:10 1478 htop 22:09:12 1478 ps aux

PPNLJMM root@bpf:/# oomkill-bpfcc Tracing OOM kills... Ctrl-C to stop. 22:09:56
Triggered by PID 777 ("snapd"), OOM kill of PID 2279 ("perl"), 1007686 pages, loadavg: 0.09 0.04 0.01 5/159 2280 root@bpf:/# sysctl -w vm.overcommit_memory=1 root@bpf:/# perl -e 'while (1) { $a .= "A" * 124; }'

CQGUSBDF wJPWJTPSCQGUSBDF wF#1'ϓϩάϥϜΛ؆୯ʹॻͨ͘Ίͷ%4- wݴޠͱͯ͠͸BXL΍$ʹࣅ͍ͯΔ wCDDಉ༷ʹπʔϧͱͯ͠΋༻ҙ͞Ε͍ͯΔ

&YBNQMF root@bpf:/# bpftrace -e \ 'tracepoint:raw_syscalls:sys_enter { @[comm] = count();
}' Attaching 1 probe... @[irqbalance]: 12 @[systemd-network]: 22 @[systemd]: 28 @[bpftrace]: 72 @[cat]: 108 @[bash]: 191 @[sshd]: 747

&WFOU4PVSDFT wγεςϜίʔϧ΍ؔ਺ݺͼग़͠ΛτϨʔε͢ΔͨΊʹɺͦͷΠϕϯτ Λऔಘ͢Δํ๏͕͍͔ͭ͋͘Δ wΑ͘࢖͏ͷ͸LQSPCF VQSPCF USBDFQPJOUT 64%5ͷͭ

,QSPCFT w೚ҙͷΧʔωϧؔ਺ͷτϨʔεΛಈతʹߦ͏ wର৅ͷؔ਺ͷΞυϨεʹϒϨʔΫϙΠϯτΛઃஔ͢Δ wϒϨʔΫϙΠϯτʹ౸ୡ͢Δͱ#1'ϓϩάϥϜʹඈͿ wΧʔωϧͷ໋ྩΛಈతʹมߋ͢Δͷ͸ةݥʹࢥ͑Δ͕ɺ҆શʹ࣮ߦ͞ ΕΔΑ͏ʹઃܭ͞Ε͍ͯΔ wͨͩ͠ɺେྔͷؔ਺ΛτϨʔε͢ΔͱͦΕ͚ͩύϑΥʔϚϯε͸མ ͪΔ

,QSPCFTͷΠϝʔδ

,QSPCFͰτϨʔεͯ͠ΈΑ͏ // جຊͷߏจ # bpftrace -e 'kprobe:<func> { Expression }'
# bpftrace -l 'kprobe:*' // attach Ͱ͖Δؔ਺ҰཡΛग़ྗ // vfs_open ͕ݺ͹ΕͨΒϝοηʔδΛදࣔ # bpftrace -e \ 'kprobe:vfs_open { printf("called vfs_open\n"); }'

,QSPCFͰτϨʔεͯ͠ΈΑ͏ // ίϚϯυ໊Λදࣔ # bpftrace -e \ 'kprobe:vfs_open { printf("%s\n",
comm); }' // cat ͚ͩΛදࣔ # bpftrace -e \ 'kprobe:vfs_open /comm == "cat"/ { printf("%s\n", comm); }'

,QSPCFͰτϨʔεͯ͠ΈΑ͏ // Ҿ਺ͷදࣔ # bpftrace -e \ 'kprobe:do_sys_open { printf("opening:
%s\n", str(arg1)); }' #include <linux/path.h> #include <linux/dcache.h> kprobe:vfs_open { printf("%s %s\n", comm, str(((struct path *)arg0)->dentry->d_name.name)); }

6QSPCFT wͬ͘͟Γ͍͏ͱLQSPCFTͷϢʔβʔεϖʔεϓϩάϥϜ൛ root@bpf:/# objdump -T /bin/bash | grep readline 0000000000124e60
g DO .bss 0000000000000008 Base rl_readline_state 00000000000b7cd0 g DF .text 0000000000000252 Base readline_internal_char 00000000000b71a0 g DF .text 000000000000015f Base readline_internal_setup 0000000000087120 g DF .text 000000000000004c Base posix_readline_initialize 00000000000b8530 g DF .text 000000000000009a Base readline # bpftrace -e 'uprobe:/bin/bash:readline { printf("called\n"); }'

6QSPCFT root@bpf:/# objdump -T /bin/bash | grep readline 0000000000124e60 g
DO .bss 0000000000000008 Base rl_readline_state 00000000000b7cd0 g DF .text 0000000000000252 Base readline_internal_char 00000000000b71a0 g DF .text 000000000000015f Base readline_internal_setup 0000000000087120 g DF .text 000000000000004c Base posix_readline_initialize 00000000000b8530 g DF .text 000000000000009a Base readline # bpftrace -e 'uprobe:/bin/bash:0xb8530 { printf("called\n"); }'

6QSPCFT root@bpf:/# nm uprobes-test| grep main 0000000000001149 T main root@bpf:/#
bpftrace -e \ 'uprobe:./uprobes-test:main { printf("in main\n"); }' Attaching 1 probe...

5SBDFQPJOUT w,FSOFMʹࣄલʹఆٛ͞Ε͍ͯΔϑοΫϙΠϯτ wLQSPCFͱൺֱ͢ΔͱτϨʔεͰ͖Δؔ਺ͳͲ͸গͳ͍͕ɺ4UBCMF "1*͕͋ΔͷͰ҆ఆੑ͕͋Δ wLQSPCF͸όʔδϣϯ͕มΘΔͱτϨʔε͕ػೳ͠ͳ͘ͳΔՄೳੑ ͕͋Δ w5SBDFQPJOUT͸௨ৗOPQ໋ྩͳͷͰύϑΥʔϚϯεʹ΄ͱΜͲӨڹ ͕ͳ͍ͱ΋ݴ͑Δ

5SBDFQPJOUTͷΠϝʔδ

5SBDFQPJOUT # bpftrace -e \ 'tracepoint:syscalls:sys_enter_execve { printf("%s %s\n", comm,
str(args->filename)); }' # cat /sys/kernel/tracing/available_events | grep execve syscalls:sys_exit_execveat syscalls:sys_enter_execveat syscalls:sys_exit_execve syscalls:sys_enter_execve

5SBDFQPJOUT # bpftrace -e \ 'tracepoint:syscalls:sys_enter_execve { printf("%s %s\n", comm,
str(args->filename)); }' # bpftrace -e \ 'tracepoint:syscalls:sys_enter_execve { printf("%s %s\n", comm, str(args->filename)); }' # cat /sys/kernel/tracing/events/syscalls/sys_enter_execve/format ... field:int __syscall_nr; offset:8; size:4; signed:1; field:const char * filename; offset:16; size:8; signed:0; field:const char *const * argv; offset:24; size:8; signed:0; field:const char *const * envp; offset:32; size:8; signed:0; print fmt: "filename: 0x%08lx, argv: 0x%08lx, envp: 0x%08lx", \ ((unsigned long)(REC->filename)), ((unsigned long)(REC->argv)), ((unsigned long)(REC->envp))

64%5 w6TFSMFWFM4UBUJDBMMZ%FpOFE5SBDJOHͷུ w໊લͷ௨ΓɺϢʔβʔϓϩάϥϜʹࣗ෼ͰτϨʔεϙΠϯτΛઃஔͰ ͖Δ wͪ͜Β΋5SBDFQPJOUTͱಉ༷ʹԿ΋͍ͯ͠ͳ͍ͱ͖͸OPQ໋ྩͳͷ ͰύϑΥʔϚϯε΁ͷӨڹ͸ܰඍͱݴ͑Δ

64%5 # bpftrace -e \ 'usdt:./usdt:test_probe { printf("got: %d\n", arg0);
}' Attaching 1 probe... got: 3 got: 4 got: 5 got: 6 ...

GVODUJPOFOUSZFYJU wLQSPCF VQSPCF USBDFQPJOUT͸ͦΕͧΕؔ਺΁ೖͬͨ௚ޙͱؔ਺͕ ໭Γ஋Λฦͨ͠௚ޙΛϑοΫͰ͖Δ wྫ͑͹LQSPCFͩͱLSFUQSPCFͱݺͿ wͦΕͧΕͰϑοΫ͢Δ͜ͱͰϨΠςϯγͷଌఆ͕Մೳ wHFUIPTUMBUFODZ wηΩϡϦςΟతͳ؍఺Ͱݴ͏ͱɺίϚϯυ͕੒ޭ͔ͨ͠ͳͲ

ϨΠςϯγͷଌఆ # gethostlatency-bpfcc TIME PID COMM LATms HOST 18:01:33 8892
curl 29.99 example.com 18:01:43 8894 isc-worker0000 0.02 127.0.0.1 18:01:43 8894 isc-worker0000 0.01 ::1 18:01:55 8898 curl 43.45 security-camp.or.jp 18:02:00 8900 curl 97.16 blog.ssrf.in

CDD$IBMMFOHF

ϑΝΠϧͷΦʔϓϯΛτϨʔε͠Α͏ wCDDͰϑΝΠϧͷΦʔϓϯΛτϨʔεͯ͠ΈΑ͏ wTUSBDFͰτϨʔε͢Δؔ਺Λ֬ೝ wࠓճ͸͞ΒʹΧʔωϧͷίʔυΛΈͯɺΑΓਂ͍ͱ͜ΖΛτϨʔε wCDDͰ࣮૷ // ͜͏͍͏ίϚϯυΛݕ஌͍ͨ͠ $ cat /etc/passwd

TUSBDFͰ֬ೝ $ strace -o output.txt cat /etc/passwd $ cat output.txt
... openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3 ...

PQFOBU SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int,
flags, umode_t, mode) { if (force_o_largefile()) flags |= O_LARGEFILE; return do_sys_open(dfd, filename, flags, mode); } IUUQTFMJYJSCPPUMJODPNMJOVYWTPVSDFGTPQFOD-

CDDΛॻ͍ͯΈΑ͏ wLQSPCFͰPQFOBUͷ͞ΒʹԞEP@TZT@PQFOΛτϨʔε͠Α͏ wIUUQTHJUIVCDPNJPWJTPSCDDCMPCNBTUFSEPDT SFGFSFODF@HVJEFNE wIUUQTHJTUHJUIVCDPNNSUD BEECCDEGDCB

CDDͷجຊ wCDDͷجຊ bpf_code = """ int do_sys_open(struct pt_regs *ctx, ...)
{ ... } """ # BPF ϓϩάϥϜΛΠχγϟϥΠζ b = BPF(text=bpf_code) # kprobe ʹ attach ͢Δ. # event ʹτϨʔε͢Δؔ਺Λɺfn_name ʹϑοΫ࣌ʹ࣮ߦ͢Δؔ਺Λࢦఆ b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

-FWFM wCQG@USBDF@QSJOUL Ͱग़ྗ bpf_code = """ int do_sys_open(struct pt_regs *ctx)
{ bpf_trace_printk("message\n"); } """ b = BPF(text=bpf_code) b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

-FWFM wग़ྗͨ͠಺༰͸USBDF@pFMET Ͱऔಘ b = BPF(text=bpf_code) b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace") while 1:
(task, tid, _, _, ts, msg) = b.trace_fields() printb(b"%f, %s, %d, %s" % (ts, task, tid, msg))

PQFOTOPPQ bpf_code = """ int do_entry_trace(struct pt_regs *ctx) { bpf_trace_printk("REPLACEME\\n");
return 0; } """ b = BPF(text=bpf_code) b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace") while 1: (task, tid, _, _, ts, msg) = b.trace_fields() printb(b"%f, %s, %d, %s" % (ts, task, tid, msg))

PQFOTOPPQ wCQG@HFU@DVSSFOU@DPNN Ͱϓϩηε໊Λऔಘ wCQG@QSPCF@SFBE Ͱ҆શʹจࣈྻΛίϐʔ wFWFOUTQFSG@TVCNJU Ͱ1FSG3JOH#V⒎FSʹσʔλΛอଘ wQFSG@CV⒎FS@QPMM ͰσʔλΛϙʔϦϯά

PQFOTOPPQ wϑΝΠϧ໊Λग़ྗ͢ΔΑ͏ʹΧελϚΠζ͍ͯͩ͘͠͞ ϙΠϯτ wEP@FOUSZ@USBDFͷҾ਺ʹ஫໨ wจࣈྻΛ҆શʹίϐʔ͢Δؔ਺͸ͳΜ͚ͩͬ wQPMMJOHॲཧͰͷจࣈྻදࣔ΋๨Εͣʹ

F#1'$IBMMFOHF

/*4541 w /*4541Ͱ͸࣍ͷΠϕϯτΛϞχλϦϯά͢ΔΑ͏ʹॻ͍ͯ͋Δ w *OWBMJEPSVOFYQFDUFEQSPDFTTFYFDVUJPO w *OWBMJEPSVOFYQFDUFETZTUFNDBMMT w $IBOHFTUPQSPUFDUFEDPOpHVSBUJPOpMFBOECJOBSJFT w
8SJUFTUPVOFYQFDUFEMPDBUJPOTBOEpMFUZQFT w $SFBUJPOPGVOFYQFDUFEOFUXPSLMJTUFOFST w 5SB⒏DTFOUUPVOFYQFDUFEOFUXPSLEFTUJOBUJPOT w .BMXBSFTUPSBHFPSFYFDVUJPO

F#1'Ͱҟৗݕ஌͠Α͏ wΞϓϦέʔγϣϯ͔Β૝ఆ֎ͷΠϕϯτ͕ى͖ͳ͍͔νΣοΫ͠Α͏ wશ෦Λ࣮૷͸େมͳͷͰɺϑΝΠϧͷॻ͖ࠐΈ PQFO ͱίϚϯυͷ ࣮ߦ FYFDWF Λݕ஌ͯ͠ΈΑ͏ # python3
trace-app.py ... Detect unexpected file open : /etc/passwd Detect unexpected command execution : id

ର৅ͷΞϓϦέʔγϣϯ ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -h Usage: ./app [-ehn] -e echo message
-h help -n display hostname ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -e hello hello ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -n bpf

࣮૷खॱ w·ͣ͸PQFOBUͱFYFDWFΛτϨʔεͯ͠"MMPXFE-JTUΛ࡞Ζ͏ wTUSBDFͰ΋CQGUSBDFͰ΋0, wϗϫΠτϦετʹؚ·Εͳ͍ϑΝΠϧ໊Λ։͍ͨΓίϚϯυͷ࣮ߦ͕ ͋Ε͹ɺϝοηʔδͱͯ͠ग़ྗ͠Α͏ wطʹେ࿮͸ॻ͍͍ͯΔͷͰ݀ຒΊ͠Α͏ w50%0ͱॻ͔Ε͍ͯΔͱ͜ΖΛຒΊ͍ͯͩ͘͞

ςετͷํ๏ ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -i uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu) ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -p
root:x:0:0:root:/root:/bin/bash root@bpf:~/bpf-tutorial/trace-app# python3 trace-app.py ... Detect unexpected file open : /etc/passwd Detect unexpected command execution : id

/FYU$IBMMFOHF wFYFDWF͚ͩͰͳ͘FYFD ܥʹରԠ͠Α͏ wઃఆϑΝΠϧ :".-΍+40/ 50.- ͳͲ͔ΒΞϓϦέʔγϣϯ໊ɺ "MMPXFE-JTUΛऔಘͯ͠ɺ༷ʑͳΞϓϦέʔγϣϯʹରԠͰ͖ΔΑ͏ ʹ͠Α͏

όΠύεํ๏ w୯७ʹจࣈྻϚονͰ͸Ͳ͏ͯ͠΋͕݀Ͱ͖ͯ͠·͍͕ͪ wྫͱͯ͠'BMDPͷࣄྫΛ঺հ

QSPDTFMGSPPU wQSPDTFMGSPPUFUDQBTTXEΛ։͘͜ͱͰόΠύε - list: sensitive_file_names items: [/etc/shadow] - macro: sensitive_files
condition: > fd.name startswith /etc and fd.name in (sensitive_file_names) - rule: Read sensitive file untrusted condition: > sensitive_files and open_read and proc_name_exists

wTIDHJUͷνΣοΫΛόΠύε - macro: spawned_process condition: evt.type = execve -
rule: Spawn git process from php desc: Spawn git process from php condition: proc.pname=php and spawned_process and proc.cmdline startswith "sh -c git" $ php -r 'system("git --version")'; $ php -r 'system("$(echo \"git --version\")");'

ίϝϯτΞ΢τ wҰ෦ͷίϚϯυ໊Λআ֎͍ͯ͠Δ৔߹ʹίϝϯτʹؚΊΔ - macro: batch_job condition: (proc.cmdline contains "run-job.sh") -
rule: Spawn processes from php desc: Spawn processes from php condition: proc.pname=php and spawned_process and not batch_job $ php -r 'system("whoami")'; $ php -r 'system("whoami; # run-jon.sh");'

·ͱΊ

·ͱΊ wF#1'͸ඇৗʹڧྗͰ؆୯ʹτϨʔε͕Ͱ͖ΔͷͰ0CTFSWBCJMJUZΛ ࢧ͑Δେ͖ͳଘࡏʹͳΔ w͜Ε͔Βͷ։ൃɺӡ༻Ͱ΋F#1'ͷར༻͸૿͑ΔͩΖ͏ wηΩϡϦςΟ෼໺Ͱ͸ྺ࢙͕ઙ͍͕ɺGBMDP΍USBDFFͳͲར༻͕૿ ͍͑ͯΔ IUUQTHJUIVCDPNBRVBTFDVSJUZUSBDFF IUUQTHJUIVCDPNGBMDPTFDVSJUZGBMDP

΋ͬͱF#1'Λֶͼ͍ͨͻͱ΁

Finding Security Events with eBPF - Security Minicamp in Yamanashi 2020-

Finding Security Events with eBPF - Security Minicamp in Yamanashi 2020-

More Decks by mrtc0

Other Decks in Technology

Featured

Transcript