Finding Security Events with eBPF - Security Minicamp in Yamanashi 2020-

৿ాߒฏ(.01FQBCP *OD
ηΩϡϦςΟɾϛχΩϟϯϓJOࢁས
F#1'ͰηΩϡϦςΟΠϕϯτΛ
௥͍͔͚Α͏

View Slide

(.0ϖύϘ
γχΞΤϯδχΞηΩϡϦςΟରࡦࣨ
৿ాߒฏ!NSUD
IUUQTCMPHTTSGJO
ηΩϡϦςΟɾΩϟϯϓߨࢣ
ηΩϡϦςΟɾΩϟϯϓεςΞϦϯάίϛοςΟ
*1"ະ౿ΫϦΤΠλʔ

View Slide

ࠓ೔ͷΰʔϧ
CDDͷπʔϧΛ࢖ͬͯΈΔ
CQGUSBDFͰεΫϦϓτΛॻ͍ͯΈΔ
CDDΛ࢖ͬͯεΫϦϓτΛॻ͍ͯΈΔ
CDDͰΞϓϦέʔγϣϯͷΠϯγσϯτΛݕ஌͢Δ

View Slide

ߨٛͰ࢖͏ίʔυ
teacher01@teacher01:~$ ls -al ~/bpf-tutorial/
total 28
drwxr-xr-x 7 root root 4096 Sep 19 08:20 .
drwxr-xr-x 21 teacher01 teacher01 4096 Sep 19 11:22 ..
drwxr-xr-x 2 teacher01 teacher01 4096 Sep 18 07:22 bpftrace
drwxr-xr-x 2 teacher01 teacher01 4096 Sep 14 14:02 execsnoop
drwxr-xr-x 2 teacher01 teacher01 4096 Sep 18 08:07 opensnoop
drwxr-xr-x 2 teacher01 teacher01 4096 Sep 14 12:27 seccomp-bpf
drwxr-xr-x 2 teacher01 teacher01 4096 Sep 19 07:32 trace-app

View Slide

F#1'

View Slide

%&.0
root@bpf:/ # execsnoop-bpfcc
PCOMM PID PPID RET ARGS
ps 1807 1478 0 /usr/bin/ps aux
cat 1808 1478 0 /usr/bin/cat /etc/passwd
ls 1809 1478 0 /usr/bin/ls --color=auto -al
top 1810 1478 0 /usr/bin/top
root@bpf:/ # tcpconnect-bpfcc
Tracing connect ... Hit Ctrl-C to end
PID COMM IP SADDR DADDR DPORT
1812 curl 4 192.168.64.5 93.184.216.34 443
1815 curl 4 192.168.64.5 52.205.86.27 80
1817 curl 4 192.168.64.5 35.227.220.44 80
1819 curl 4 192.168.64.5 35.227.220.44 443

View Slide

IUUQTFCQGJP

View Slide

F#1'ͱ͸
w#SFOEBO(SFHHᐌ͘eBPFEPFTUP-JOVYXIBU+BWB4DSJQUEPFTUP
)5.-
w+BWB4DSJQU͸ϒϥ΢βͷ҆શͳԾ૝Ϛγϯ্Ͱ೚ҙͷΠϕϯτʹରͯ͠
ϓϩάϥϜΛ࣮ߦͰ͖Δ
wF#1'͸-JOVYΧʔωϧͷ҆શͳԾ૝Ϛγϯ্Ͱ೚ҙͷΠϕϯτʹରͯ͠
ϓϩάϥϜΛ࣮ߦͰ͖Δ
w೚ҙͷΧʔωϧؔ਺΍ϢʔβʔϥϯυϓϩάϥϜͷؔ਺͕ݺͼग़͞Εͨ
Γɺ໭Γ஋͕ฦΔλΠϛϯάͰ೚ҙͷॲཧ͕Ͱ͖Δ

View Slide

F#1')JTUPSZ

View Slide

#1'ͱ͸
w#FSLFMFZ1BDLFU'JMUFS
w΋ͱ΋ͱ͸ύέοτΩϟϓνϟͷύϑΥʔϚϯεΛ޲্ͤ͞ΔͨΊʹ
։ൃ͞Εͨ΋ͷ
wࠓͰ͸ύέοτϑΟϧλϦϯάҎ֎ʹ΋ύϑΥʔϚϯε෼ੳͳͲ༷ʑ
ͳྖҬͰར༻͞Ε͍ͯΔ

View Slide

#1'ͷྺ࢙
w#4%ͰύέοτϑΟϧλϦϯάػߏͱ࣮ͯ͠૷ޙɺ-JOVYʹ΋Ҡ২
wTFDDPNQʹ΋#1'͕ར༻͞ΕΔΑ͏ʹͳΔ
w൚༻తͳΧʔωϧ಺Ծ૝Ϛγϯͱͯ͠ར༻͢ΔͨΊʹ֦ு FYUFOEFE

͞Εͨ
w֦ு͞Εͨ#1'ΛF#1' FYUFOEFE#1'
ͱݺͼɺैདྷͷ#1'͸
D#1' DMBTTJD#1'
ͱݺͿ͜ͱ͕͋Δ

View Slide

D#1'
$ sudo tcpdump -d icmp
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 5
(002) ldb [23]
(003) jeq #0x1 jt 4 jf 5
(004) ret #262144
(005) ret #0

View Slide

TFDDPNQ
w-JOVYͰϓϩηεͷγεςϜίʔϧΛ੍ݶ͢Δٕज़
w͍ΘΏΔ-JOVYίϯςφͰ΋ར༻͞Ε͍ͯΔ
wNPEFͱNPEF͕͋ΓɺNPEFͰ͸ΑΓॊೈʹ੍ޚͰ͖ΔΑ͏
ʹͳͬͨ

View Slide

TFDDPNQ#1'
ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ make build
clang -o filter-mkdir main.c
ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ ./filter-mkdir 'mkdir /tmp/dir'
mkdir: cannot create directory ‘/tmp/dir’: Operation not permitted
ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ strace -f ./filter-mkdir 'mkdir /tmp/dir'
execve("./filter-mkdir", ["./filter-mkdir", "mkdir /tmp/dir"], 0x7ffca47f8350 /* 21 vars */) = 0
...
[pid 2593] mkdir("/tmp/dir", 0777) = -1 EPERM (Operation not permitted)

View Slide

D#1'͔ΒF#1'΁
w֦ுͷ಺༰ͱͯ͠͸
w໋ྩηοτͷҰ৽
w࢖༻ՄೳͳϨδελ਺ͷ૿Ճ
wF#1'.BQͱݺ͹ΕΔσʔλߏ଄͕ར༻Մೳʹ

View Slide

F#1'͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔
w$JMJVNF#1'CBTFE/FUXPSLJOH 4FDVSJUZ BOE0CTFSWBCJMJUZ
w'BMDP$MPVE/BUJWF3VOUJNF4FDVSJUZ
w,BUSBO"IJHIQFSGPSNBODFMBZFSMPBECBMBODFS
w)VCCMF/FUXPSL 4FSWJDF4FDVSJUZ0CTFSWBCJMJUZGPS,VCFSOFUFTVTJOHF#1'
w (PPHMF 'BDF#PPL /FUqJY $MPVEqBSFͳͲͰར༻͞Ε͍ͯΔ

View Slide

F#1''FBUVSFT
4FDVSJUZ /FUXPSLJOH 0CTFSWBCJMJUZ

View Slide

F#1'"SDIJUFDUVSF

View Slide

F#1'"SDIJUFDUVSF
IUUQTFCQGJP

View Slide

F#1'ͷϑοΫͷྲྀΕ
wF#1'ϓϩάϥϜ͸Πϕϯτ
ۦಈܗͰಈ͘
wఆٛ͞Ε͍ͯΔϑοΫϙΠ
ϯτ΍ؔ਺΁ͷFOUSZFYJU
ͳͲ
wϑοΫ͕ఆٛ͞Ε͍ͯͳ͍
৔߹͸LQSPCF VQSPCFΛ
࢖͏

View Slide

F#1'ϓϩάϥϜ͸ԿͰॻ͔͘
w#1'ϓϩάϥϜࣗମ͸ΧʔωϧͷϨδελϕʔεͷ7.্Ͱಈ͘
w7.Ͱಈ͔ͨ͢Ίʹ͸CZUFDPEF͕ඞཁ
wͨͩ͠CZUFDPEFΛ௚઀ॻ͘ͷ͸೉͍͠
wͳͷͰ$ͷํݴͰॻ͍ͨΓɺ͋Δ͍͸CQGUSBDFͳͲͷந৅Խ͞Ε
ͨ%4-ݴޠͳͲͰهड़ͯ͠--7.ͳͲͰίϯύΠϧ͢Δ

View Slide

ॲཧͷྲྀΕ

View Slide

7FSJpDBUJPO
w#1'ϓϩάϥϜ͸ΧʔωϧϥϯυͰಈ͘ͷͰΫϥογϡ͠ͳ͍Α͏ʹ
ݕূػʹΑΔݕূ͕࣮ߦ͞ΕΔ
wඞͣϧʔϓ͕ऴྃ͢Δ͜ͱ
wڊେͳϓϩάϥϜ͸ϩʔυͰ͖ͳ͍
wݕূػ͕ݕূͰ͖Δ࣮ߦ಺༰ͷൣғͰͷΈWBMJEͱͳΔ

View Slide

F#1'.BQT
wF#1'ϓϩάϥϜͰॲཧͨ͠σʔλΛอଘͰ͖Δ
wͦͷσʔλ͸ϢʔβʔεϖʔεͷϓϩάϥϜ͔ΒऔಘͰ͖Δ

View Slide

F#1'%FWFMPQNFOU

View Slide

#1'%FWFMPQNFOU5PPMDIBJOT
w#1'ϓϩάϥϜͷ։ൃΛ؆୯ʹͯ͘͠ΕΔπʔϧΩοτͨͪ
wJPWJTPSCDD
wJPWJTPSCQGUSBDF
w(P$$ͷϥΠϒϥϦ

View Slide

CDDUPPMTͰF#1'ʹೖ໳͠Α͏
wJPWJTPSCDD
w#1'ϓϩάϥϜΛ؆୯ʹॻͨ͘Ίͷϔϧύʔؔ਺΍ϥΠϒϥϦΛఏ
ڙ͍ͯ͠Δ
wCDDUPPMTͱݺ͹ΕΔγεςϜύϑΥʔϚϯεͷͨΊͷπʔϧ܈͕
͋Δ
w(P 3VTU 3VCZͳͲͷ֤छݴޠͷ#JOEJOH͕͋Δ

View Slide

·ͣ͸৮ͬͯΈΑ͏
wFYFDTOPPQ
wUDQDPOOFDU
wCJPMBUFODZ
wCBTISFBEMJOF
wPPNLJMM

View Slide

FYFDTOPPQ
root@bpf:/# execsnoop-bpfcc
PCOMM PID PPID RET ARGS
ps 1865 1478 0 /usr/bin/ps aux
cat 1866 1478 0 /usr/bin/cat /etc/passwd
htop 1867 1478 0 /usr/bin/htop
ping 1868 1478 0 /usr/bin/ping security-camp.or.jp

View Slide

UDQDPOOFDU
root@bpf:/# tcpconnect-bpfcc
Tracing connect ... Hit Ctrl-C to end
PID COMM IP SADDR DADDR DPORT
1812 curl 4 192.168.64.5 93.184.216.34 443
1815 curl 4 192.168.64.5 52.205.86.27 80
1817 curl 4 192.168.64.5 35.227.220.44 80
1819 curl 4 192.168.64.5 35.227.220.44 443

View Slide

CJPMBUFODZ
root@bpf:/# biolatency-bpfcc
Tracing block device I/O... Hit Ctrl-C to end.
^C
usecs : count distribution
0 -> 1 : 0 | |
2 -> 3 : 0 | |
4 -> 7 : 0 | |
8 -> 15 : 7 | |
16 -> 31 : 3 | |
32 -> 63 : 0 | |
64 -> 127 : 237 |******* |
128 -> 255 : 1251 |****************************************|
256 -> 511 : 166 |***** |
512 -> 1023 : 103 |*** |

View Slide

CBSFBEMJOF
root@bpf:/# bashreadline-bpfcc
TIME PID COMMAND
22:09:03 1478 ls
22:09:07 1478 cat /etc/passwd
22:09:10 1478 htop
22:09:12 1478 ps aux

View Slide

PPNLJMM
root@bpf:/# oomkill-bpfcc
Tracing OOM kills... Ctrl-C to stop.
22:09:56 Triggered by PID 777 ("snapd"), OOM kill of PID 2279 ("perl"),
1007686 pages, loadavg: 0.09 0.04 0.01 5/159 2280
root@bpf:/# sysctl -w vm.overcommit_memory=1
root@bpf:/# perl -e 'while (1) { $a .= "A" * 124; }'

View Slide

CQGUSBDF
wJPWJTPSCQGUSBDF
wF#1'ϓϩάϥϜΛ؆୯ʹॻͨ͘Ίͷ%4-
wݴޠͱͯ͠͸BXL΍$ʹࣅ͍ͯΔ
wCDDಉ༷ʹπʔϧͱͯ͠΋༻ҙ͞Ε͍ͯΔ

View Slide

&YBNQMF
root@bpf:/# bpftrace -e \
'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
Attaching 1 probe...
@[irqbalance]: 12
@[systemd-network]: 22
@[systemd]: 28
@[bpftrace]: 72
@[cat]: 108
@[bash]: 191
@[sshd]: 747

View Slide

&WFOU4PVSDFT
wγεςϜίʔϧ΍ؔ਺ݺͼग़͠ΛτϨʔε͢ΔͨΊʹɺͦͷΠϕϯτ
Λऔಘ͢Δํ๏͕͍͔ͭ͋͘Δ
wΑ͘࢖͏ͷ͸LQSPCF VQSPCF USBDFQPJOUT 64%5ͷͭ

View Slide

,QSPCFT
w೚ҙͷΧʔωϧؔ਺ͷτϨʔεΛಈతʹߦ͏
wର৅ͷؔ਺ͷΞυϨεʹϒϨʔΫϙΠϯτΛઃஔ͢Δ
wϒϨʔΫϙΠϯτʹ౸ୡ͢Δͱ#1'ϓϩάϥϜʹඈͿ
wΧʔωϧͷ໋ྩΛಈతʹมߋ͢Δͷ͸ةݥʹࢥ͑Δ͕ɺ҆શʹ࣮ߦ͞
ΕΔΑ͏ʹઃܭ͞Ε͍ͯΔ
wͨͩ͠ɺେྔͷؔ਺ΛτϨʔε͢ΔͱͦΕ͚ͩύϑΥʔϚϯε͸མ
ͪΔ

View Slide

,QSPCFTͷΠϝʔδ

View Slide

,QSPCFͰτϨʔεͯ͠ΈΑ͏
// جຊͷߏจ
# bpftrace -e 'kprobe: { Expression }'
# bpftrace -l 'kprobe:*' // attach Ͱ͖Δؔ਺ҰཡΛग़ྗ
// vfs_open ͕ݺ͹ΕͨΒϝοηʔδΛදࣔ
# bpftrace -e \
'kprobe:vfs_open { printf("called vfs_open\n"); }'

View Slide

// ίϚϯυ໊Λදࣔ
# bpftrace -e \
'kprobe:vfs_open { printf("%s\n", comm); }'
// cat ͚ͩΛදࣔ
# bpftrace -e \
'kprobe:vfs_open /comm == "cat"/ { printf("%s\n", comm); }'

View Slide

// Ҿ਺ͷදࣔ
# bpftrace -e \
'kprobe:do_sys_open { printf("opening: %s\n", str(arg1)); }'
#include
#include
kprobe:vfs_open
{
printf("%s %s\n", comm,
str(((struct path *)arg0)->dentry->d_name.name));
}

View Slide

6QSPCFT
wͬ͘͟Γ͍͏ͱLQSPCFTͷϢʔβʔεϖʔεϓϩάϥϜ൛
root@bpf:/# objdump -T /bin/bash | grep readline
0000000000124e60 g DO .bss 0000000000000008 Base rl_readline_state
00000000000b7cd0 g DF .text 0000000000000252 Base readline_internal_char
00000000000b71a0 g DF .text 000000000000015f Base readline_internal_setup
0000000000087120 g DF .text 000000000000004c Base posix_readline_initialize
00000000000b8530 g DF .text 000000000000009a Base readline
# bpftrace -e 'uprobe:/bin/bash:readline { printf("called\n"); }'

View Slide

6QSPCFT
root@bpf:/# objdump -T /bin/bash | grep readline
0000000000124e60 g DO .bss 0000000000000008 Base rl_readline_state
00000000000b7cd0 g DF .text 0000000000000252 Base readline_internal_char
00000000000b71a0 g DF .text 000000000000015f Base readline_internal_setup
0000000000087120 g DF .text 000000000000004c Base posix_readline_initialize
00000000000b8530 g DF .text 000000000000009a Base readline
# bpftrace -e 'uprobe:/bin/bash:0xb8530 { printf("called\n"); }'

View Slide

6QSPCFT
root@bpf:/# nm uprobes-test| grep main
0000000000001149 T main
root@bpf:/# bpftrace -e \
'uprobe:./uprobes-test:main { printf("in main\n"); }'

View Slide

5SBDFQPJOUT
w,FSOFMʹࣄલʹఆٛ͞Ε͍ͯΔϑοΫϙΠϯτ
wLQSPCFͱൺֱ͢ΔͱτϨʔεͰ͖Δؔ਺ͳͲ͸গͳ͍͕ɺ4UBCMF
"1*͕͋ΔͷͰ҆ఆੑ͕͋Δ
wLQSPCF͸όʔδϣϯ͕มΘΔͱτϨʔε͕ػೳ͠ͳ͘ͳΔՄೳੑ
͕͋Δ
w5SBDFQPJOUT͸௨ৗOPQ໋ྩͳͷͰύϑΥʔϚϯεʹ΄ͱΜͲӨڹ
͕ͳ͍ͱ΋ݴ͑Δ

View Slide

5SBDFQPJOUTͷΠϝʔδ

View Slide

5SBDFQPJOUT
# bpftrace -e \
'tracepoint:syscalls:sys_enter_execve {
printf("%s %s\n", comm, str(args->filename));
}'
# cat /sys/kernel/tracing/available_events | grep execve
syscalls:sys_exit_execveat
syscalls:sys_enter_execveat
syscalls:sys_exit_execve
syscalls:sys_enter_execve

View Slide

5SBDFQPJOUT
# bpftrace -e \
}'
# bpftrace -e \
}'
# cat /sys/kernel/tracing/events/syscalls/sys_enter_execve/format
...
field:int __syscall_nr; offset:8; size:4; signed:1;
field:const char * filename; offset:16; size:8; signed:0;
field:const char *const * argv; offset:24; size:8; signed:0;
field:const char *const * envp; offset:32; size:8; signed:0;
print fmt: "filename: 0x%08lx, argv: 0x%08lx, envp: 0x%08lx", \
((unsigned long)(REC->filename)), ((unsigned long)(REC->argv)), ((unsigned long)(REC->envp))

View Slide

64%5
w6TFSMFWFM4UBUJDBMMZ%FpOFE5SBDJOHͷུ
w໊લͷ௨ΓɺϢʔβʔϓϩάϥϜʹࣗ෼ͰτϨʔεϙΠϯτΛઃஔͰ
͖Δ
wͪ͜Β΋5SBDFQPJOUTͱಉ༷ʹԿ΋͍ͯ͠ͳ͍ͱ͖͸OPQ໋ྩͳͷ
ͰύϑΥʔϚϯε΁ͷӨڹ͸ܰඍͱݴ͑Δ

View Slide

64%5
# bpftrace -e \
'usdt:./usdt:test_probe { printf("got: %d\n", arg0); }'
got: 3
got: 4
got: 5
got: 6
...

View Slide

GVODUJPOFOUSZFYJU
wLQSPCF VQSPCF USBDFQPJOUT͸ͦΕͧΕؔ਺΁ೖͬͨ௚ޙͱؔ਺͕
໭Γ஋Λฦͨ͠௚ޙΛϑοΫͰ͖Δ
wྫ͑͹LQSPCFͩͱLSFUQSPCFͱݺͿ
wͦΕͧΕͰϑοΫ͢Δ͜ͱͰϨΠςϯγͷଌఆ͕Մೳ
wHFUIPTUMBUFODZ
wηΩϡϦςΟతͳ؍఺Ͱݴ͏ͱɺίϚϯυ͕੒ޭ͔ͨ͠ͳͲ

View Slide

ϨΠςϯγͷଌఆ
# gethostlatency-bpfcc
TIME PID COMM LATms HOST
18:01:33 8892 curl 29.99 example.com
18:01:43 8894 isc-worker0000 0.02 127.0.0.1
18:01:43 8894 isc-worker0000 0.01 ::1
18:01:55 8898 curl 43.45 security-camp.or.jp
18:02:00 8900 curl 97.16 blog.ssrf.in

View Slide

CDD$IBMMFOHF

View Slide

ϑΝΠϧͷΦʔϓϯΛτϨʔε͠Α͏
wCDDͰϑΝΠϧͷΦʔϓϯΛτϨʔεͯ͠ΈΑ͏
wTUSBDFͰτϨʔε͢Δؔ਺Λ֬ೝ
wࠓճ͸͞ΒʹΧʔωϧͷίʔυΛΈͯɺΑΓਂ͍ͱ͜ΖΛτϨʔε
wCDDͰ࣮૷
// ͜͏͍͏ίϚϯυΛݕ஌͍ͨ͠
$ cat /etc/passwd

View Slide

TUSBDFͰ֬ೝ
$ strace -o output.txt cat /etc/passwd
$ cat output.txt
...
openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
...

View Slide

PQFOBU
SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int, flags,
umode_t, mode)
{
if (force_o_largefile())
flags |= O_LARGEFILE;
return do_sys_open(dfd, filename, flags, mode);
}
IUUQTFMJYJSCPPUMJODPNMJOVYWTPVSDFGTPQFOD-

View Slide

CDDΛॻ͍ͯΈΑ͏
wLQSPCFͰPQFOBUͷ͞ΒʹԞEP@TZT@PQFOΛτϨʔε͠Α͏
wIUUQTHJUIVCDPNJPWJTPSCDDCMPCNBTUFSEPDT
SFGFSFODF@HVJEFNE
wIUUQTHJTUHJUIVCDPNNSUD
BEECCDEGDCB

View Slide

CDDͷجຊ
wCDDͷجຊ
bpf_code = """
int do_sys_open(struct pt_regs *ctx, ...) { ... }
"""
# BPF ϓϩάϥϜΛΠχγϟϥΠζ
b = BPF(text=bpf_code)
# kprobe ʹ attach ͢Δ.
# event ʹτϨʔε͢Δؔ਺Λɺfn_name ʹϑοΫ࣌ʹ࣮ߦ͢Δؔ਺Λࢦఆ
b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

View Slide

-FWFM
wCQG@USBDF@QSJOUL
Ͱग़ྗ
bpf_code = """
int do_sys_open(struct pt_regs *ctx) {
bpf_trace_printk("message\n");
}
"""

View Slide

-FWFM
wग़ྗͨ͠಺༰͸USBDF@pFMET
Ͱऔಘ
while 1:
(task, tid, _, _, ts, msg) = b.trace_fields()
printb(b"%f, %s, %d, %s" % (ts, task, tid, msg))

View Slide

PQFOTOPPQ
bpf_code = """
int do_entry_trace(struct pt_regs *ctx) {
bpf_trace_printk("REPLACEME\\n");
return 0;
}
"""
while 1:
(task, tid, _, _, ts, msg) = b.trace_fields()
printb(b"%f, %s, %d, %s" % (ts, task, tid, msg))

View Slide

PQFOTOPPQ
wCQG@HFU@DVSSFOU@DPNN
Ͱϓϩηε໊Λऔಘ
wCQG@QSPCF@SFBE
Ͱ҆શʹจࣈྻΛίϐʔ
wFWFOUTQFSG@TVCNJU
Ͱ1FSG3JOH#V⒎FSʹσʔλΛอଘ
wQFSG@CV⒎FS@QPMM
ͰσʔλΛϙʔϦϯά

View Slide

PQFOTOPPQ
wϑΝΠϧ໊Λग़ྗ͢ΔΑ͏ʹΧελϚΠζ͍ͯͩ͘͠͞
ϙΠϯτ
wEP@FOUSZ@USBDFͷҾ਺ʹ஫໨
wจࣈྻΛ҆શʹίϐʔ͢Δؔ਺͸ͳΜ͚ͩͬ
wQPMMJOHॲཧͰͷจࣈྻදࣔ΋๨Εͣʹ

View Slide

F#1'$IBMMFOHF

View Slide

/*4541
w /*4541Ͱ͸࣍ͷΠϕϯτΛϞχλϦϯά͢ΔΑ͏ʹॻ͍ͯ͋Δ
w *OWBMJEPSVOFYQFDUFEQSPDFTTFYFDVUJPO
w *OWBMJEPSVOFYQFDUFETZTUFNDBMMT
w $IBOHFTUPQSPUFDUFEDPOpHVSBUJPOpMFBOECJOBSJFT
w 8SJUFTUPVOFYQFDUFEMPDBUJPOTBOEpMFUZQFT
w $SFBUJPOPGVOFYQFDUFEOFUXPSLMJTUFOFST
w 5SB⒏DTFOUUPVOFYQFDUFEOFUXPSLEFTUJOBUJPOT
w .BMXBSFTUPSBHFPSFYFDVUJPO

View Slide

F#1'Ͱҟৗݕ஌͠Α͏
wΞϓϦέʔγϣϯ͔Β૝ఆ֎ͷΠϕϯτ͕ى͖ͳ͍͔νΣοΫ͠Α͏
wશ෦Λ࣮૷͸େมͳͷͰɺϑΝΠϧͷॻ͖ࠐΈ PQFO
ͱίϚϯυͷ
࣮ߦ FYFDWF
Λݕ஌ͯ͠ΈΑ͏
# python3 trace-app.py
...
Detect unexpected file open : /etc/passwd
Detect unexpected command execution : id

View Slide

ର৅ͷΞϓϦέʔγϣϯ
ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -h
Usage: ./app [-ehn]
-e echo message
-h help
-n display hostname
ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -e hello
hello
ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -n
bpf

View Slide

࣮૷खॱ
w·ͣ͸PQFOBUͱFYFDWFΛτϨʔεͯ͠"MMPXFE-JTUΛ࡞Ζ͏
wTUSBDFͰ΋CQGUSBDFͰ΋0,
wϗϫΠτϦετʹؚ·Εͳ͍ϑΝΠϧ໊Λ։͍ͨΓίϚϯυͷ࣮ߦ͕
͋Ε͹ɺϝοηʔδͱͯ͠ग़ྗ͠Α͏
wطʹେ࿮͸ॻ͍͍ͯΔͷͰ݀ຒΊ͠Α͏
w50%0ͱॻ͔Ε͍ͯΔͱ͜ΖΛຒΊ͍ͯͩ͘͞

View Slide

ςετͷํ๏
ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -i
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)
ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -p
root:x:0:0:root:/root:/bin/bash
root@bpf:~/bpf-tutorial/trace-app# python3 trace-app.py
...
Detect unexpected file open : /etc/passwd
Detect unexpected command execution : id

View Slide

/FYU$IBMMFOHF
wFYFDWF͚ͩͰͳ͘FYFDܥʹରԠ͠Α͏
wઃఆϑΝΠϧ :".-΍+40/ 50.-
ͳͲ͔ΒΞϓϦέʔγϣϯ໊ɺ
"MMPXFE-JTUΛऔಘͯ͠ɺ༷ʑͳΞϓϦέʔγϣϯʹରԠͰ͖ΔΑ͏
ʹ͠Α͏

View Slide

όΠύεํ๏
w୯७ʹจࣈྻϚονͰ͸Ͳ͏ͯ͠΋͕݀Ͱ͖ͯ͠·͍͕ͪ
wྫͱͯ͠'BMDPͷࣄྫΛ঺հ

View Slide

QSPDTFMGSPPU
wQSPDTFMGSPPUFUDQBTTXEΛ։͘͜ͱͰόΠύε
- list: sensitive_file_names
items: [/etc/shadow]
- macro: sensitive_files
condition: >
fd.name startswith /etc and fd.name in (sensitive_file_names)
- rule: Read sensitive file untrusted
condition: >
sensitive_files and open_read and proc_name_exists

View Slide

wTIDHJUͷνΣοΫΛόΠύε
- macro: spawned_process
condition: evt.type = execve
- rule: Spawn git process from php
desc: Spawn git process from php
condition: proc.pname=php and spawned_process and proc.cmdline startswith "sh -c git"
$ php -r 'system("git --version")';
$ php -r 'system("$(echo \"git --version\")");'

View Slide

ίϝϯτΞ΢τ
wҰ෦ͷίϚϯυ໊Λআ֎͍ͯ͠Δ৔߹ʹίϝϯτʹؚΊΔ
- macro: batch_job
condition: (proc.cmdline contains "run-job.sh")
- rule: Spawn processes from php
desc: Spawn processes from php
condition: proc.pname=php and spawned_process and not batch_job
$ php -r 'system("whoami")';
$ php -r 'system("whoami; # run-jon.sh");'

View Slide

·ͱΊ

View Slide

·ͱΊ
wF#1'͸ඇৗʹڧྗͰ؆୯ʹτϨʔε͕Ͱ͖ΔͷͰ0CTFSWBCJMJUZΛ
ࢧ͑Δେ͖ͳଘࡏʹͳΔ
w͜Ε͔Βͷ։ൃɺӡ༻Ͱ΋F#1'ͷར༻͸૿͑ΔͩΖ͏
wηΩϡϦςΟ෼໺Ͱ͸ྺ࢙͕ઙ͍͕ɺGBMDP΍USBDFFͳͲར༻͕૿
͍͑ͯΔ
IUUQTHJUIVCDPNBRVBTFDVSJUZUSBDFF
IUUQTHJUIVCDPNGBMDPTFDVSJUZGBMDP

View Slide

΋ͬͱF#1'Λֶͼ͍ͨͻͱ΁

View Slide

Finding Security Events with eBPF - Security Minicamp in Yamanashi 2020-

Finding Security Events with eBPF - Security Minicamp in Yamanashi 2020-

mrtc0

More Decks by mrtc0

Other Decks in Technology

Featured

Transcript