Slide 1

Kohei Morita (森田浩平), GMO Pepabo, Inc.
Security Mini Camp in Yamanashi
Chasing security events with eBPF

Slide 2

Kohei Morita (森田浩平)
GMO Pepabo, Senior Engineer, Security Office
@mrtc0 / https://blog.ssrf.in
Security Camp lecturer; Security Camp steering committee; IPA MITOU creator

Slide 3

Today's goals
- Try the bcc tools
- Write a script with bpftrace
- Write a script using bcc
- Detect an application incident with bcc

Slide 4

Code used in the lecture

teacher01@teacher01:~$ ls -al ~/bpf-tutorial/
total 28
drwxr-xr-x  7 root      root      4096 Sep 19 08:20 .
drwxr-xr-x 21 teacher01 teacher01 4096 Sep 19 11:22 ..
drwxr-xr-x  2 teacher01 teacher01 4096 Sep 18 07:22 bpftrace
drwxr-xr-x  2 teacher01 teacher01 4096 Sep 14 14:02 execsnoop
drwxr-xr-x  2 teacher01 teacher01 4096 Sep 18 08:07 opensnoop
drwxr-xr-x  2 teacher01 teacher01 4096 Sep 14 12:27 seccomp-bpf
drwxr-xr-x  2 teacher01 teacher01 4096 Sep 19 07:32 trace-app

Slide 5

eBPF

Slide 6

DEMO

root@bpf:/# execsnoop-bpfcc
PCOMM            PID    PPID   RET ARGS
ps               1807   1478     0 /usr/bin/ps aux
cat              1808   1478     0 /usr/bin/cat /etc/passwd
ls               1809   1478     0 /usr/bin/ls --color=auto -al
top              1810   1478     0 /usr/bin/top

root@bpf:/# tcpconnect-bpfcc
Tracing connect ... Hit Ctrl-C to end
PID    COMM         IP SADDR            DADDR            DPORT
1812   curl         4  192.168.64.5     93.184.216.34    443
1815   curl         4  192.168.64.5     52.205.86.27     80
1817   curl         4  192.168.64.5     35.227.220.44    80
1819   curl         4  192.168.64.5     35.227.220.44    443

Slide 7

https://ebpf.io

Slide 8

What is eBPF?
- Brendan Gregg: "eBPF does to Linux what JavaScript does to HTML"
- JavaScript can run a program in response to any event, on a safe virtual machine inside the browser
- eBPF can run a program in response to any event, on a safe virtual machine inside the Linux kernel
- Arbitrary processing can be run at the moment any kernel function or userland program function is called, or when it returns a value

Slide 9

eBPF History

Slide 10

What is BPF?
- Berkeley Packet Filter
- Originally developed to improve the performance of packet capture
- Now used beyond packet filtering, in areas such as performance analysis

Slide 11

History of BPF
- Implemented on BSD as a packet-filtering mechanism, then ported to Linux
- BPF also came to be used by seccomp
- Extended so it could serve as a general-purpose in-kernel virtual machine
- The extended BPF is called eBPF (extended BPF); the original is sometimes called cBPF (classic BPF)

Slide 12

cBPF

$ sudo tcpdump -d icmp
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 5
(002) ldb      [23]
(003) jeq      #0x1             jt 4    jf 5
(004) ret      #262144
(005) ret      #0

Slide 13

seccomp
- A Linux mechanism for restricting the system calls a process may make
- Also used by so-called Linux containers
- There are mode 1 and mode 2; mode 2 allows much more flexible control

Slide 14

seccomp-BPF

ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ make build
clang -o filter-mkdir main.c
ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ ./filter-mkdir 'mkdir /tmp/dir'
mkdir: cannot create directory ‘/tmp/dir’: Operation not permitted
ubuntu@sandbox:~/bpf-tutorial/seccomp-bpf$ strace -f ./filter-mkdir 'mkdir /tmp/dir'
execve("./filter-mkdir", ["./filter-mkdir", "mkdir /tmp/dir"], 0x7ffca47f8350 /* 21 vars */) = 0
...
[pid  2593] mkdir("/tmp/dir", 0777)     = -1 EPERM (Operation not permitted)

Slide 15

From cBPF to eBPF
- What the extension consists of:
  - A completely new instruction set
  - More usable registers
  - A data structure called an eBPF Map becomes available

Slide 16

Where is eBPF used?
- Cilium: eBPF-based Networking, Security, and Observability
- Falco: Cloud Native Runtime Security
- Katran: A high performance layer 4 load balancer
- Hubble: Network, Service & Security Observability for Kubernetes using eBPF
- In use at Google, Facebook, Netflix, Cloudflare and others

Slide 17

eBPF Features: Security, Networking, Observability

Slide 18

eBPF Architecture

Slide 19

eBPF Architecture (diagram from https://ebpf.io)

Slide 20

How eBPF hooks flow
- eBPF programs are event-driven
- Events are predefined hook points, function entry/exit, and so on
- Where no hook is defined, use a kprobe or uprobe

Slide 21

What are eBPF programs written in?
- The BPF program itself runs on the kernel's register-based VM
- To run on the VM it has to be bytecode
- Writing bytecode by hand is hard, though
- So you write it in a dialect of C, or in an abstracted DSL such as bpftrace, and compile it with LLVM or similar

Slide 22

Processing flow (diagram)

Slide 23

Verification
- BPF programs run in kernel land, so a verifier checks them to make sure they cannot crash the kernel
- Every loop must be guaranteed to terminate
- Huge programs cannot be loaded
- A program is valid only within the range of execution the verifier is able to check

Slide 24

eBPF Maps
- Data processed by an eBPF program can be stored in them
- That data can then be read from a user-space program

Slide 25

eBPF Development

Slide 26

BPF Development Toolchains
- Toolkits that make developing BPF programs easy
- iovisor/bcc
- iovisor/bpftrace
- Libraries for Go and C/C++

Slide 27

Getting started with eBPF through bcc-tools
- iovisor/bcc
- Provides helper functions and libraries that make BPF programs easy to write
- Ships a set of system-performance tools known as bcc-tools
- Has bindings for Go, Rust, Ruby and other languages

Slide 28

Let's try some tools first
- execsnoop
- tcpconnect
- biolatency
- bashreadline
- oomkill

Slide 29

execsnoop

root@bpf:/# execsnoop-bpfcc
PCOMM            PID    PPID   RET ARGS
ps               1865   1478     0 /usr/bin/ps aux
cat              1866   1478     0 /usr/bin/cat /etc/passwd
htop             1867   1478     0 /usr/bin/htop
ping             1868   1478     0 /usr/bin/ping security-camp.or.jp

Slide 30

tcpconnect

root@bpf:/# tcpconnect-bpfcc
Tracing connect ... Hit Ctrl-C to end
PID    COMM         IP SADDR            DADDR            DPORT
1812   curl         4  192.168.64.5     93.184.216.34    443
1815   curl         4  192.168.64.5     52.205.86.27     80
1817   curl         4  192.168.64.5     35.227.220.44    80
1819   curl         4  192.168.64.5     35.227.220.44    443

Slide 31

biolatency

root@bpf:/# biolatency-bpfcc
Tracing block device I/O... Hit Ctrl-C to end.
^C
     usecs               : count     distribution
         0 -> 1          : 0        |                                        |
         2 -> 3          : 0        |                                        |
         4 -> 7          : 0        |                                        |
         8 -> 15         : 7        |                                        |
        16 -> 31         : 3        |                                        |
        32 -> 63         : 0        |                                        |
        64 -> 127        : 237      |*******                                 |
       128 -> 255        : 1251     |****************************************|
       256 -> 511        : 166      |*****                                   |
       512 -> 1023       : 103      |***                                     |

Slide 32

bashreadline

root@bpf:/# bashreadline-bpfcc
TIME      PID    COMMAND
22:09:03  1478   ls
22:09:07  1478   cat /etc/passwd
22:09:10  1478   htop
22:09:12  1478   ps aux

Slide 33

oomkill

root@bpf:/# oomkill-bpfcc
Tracing OOM kills... Ctrl-C to stop.
22:09:56 Triggered by PID 777 ("snapd"), OOM kill of PID 2279 ("perl"), 1007686 pages, loadavg: 0.09 0.04 0.01 5/159 2280

(what was run in another terminal to trigger it)
root@bpf:/# sysctl -w vm.overcommit_memory=1
root@bpf:/# perl -e 'while (1) { $a .= "A" * 124; }'

Slide 34

bpftrace
- iovisor/bpftrace
- A DSL for writing eBPF programs easily
- As a language it resembles awk and C
- Like bcc, it also ships ready-made tools

Slide 35

Example

root@bpf:/# bpftrace -e \
  'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
Attaching 1 probe...
@[irqbalance]: 12
@[systemd-network]: 22
@[systemd]: 28
@[bpftrace]: 72
@[cat]: 108
@[bash]: 191
@[sshd]: 747

Slide 36

Event Sources
- To trace system calls and function calls there are several ways of obtaining the events
- The four used most often are kprobe, uprobe, tracepoints and USDT

Slide 37

Kprobes
- Dynamically trace any kernel function
- A breakpoint is placed at the address of the target function
- When the breakpoint is hit, execution jumps to the BPF program
- Rewriting kernel instructions on the fly sounds dangerous, but it is designed to be done safely
- Tracing a large number of functions does, however, cost correspondingly more performance

Slide 38

Kprobes (diagram)

Slide 39

Let's trace with a kprobe

// basic syntax
# bpftrace -e 'kprobe:<function> { Expression }'

// list the functions that can be attached
# bpftrace -l 'kprobe:*'

// print a message whenever vfs_open is called
# bpftrace -e \
  'kprobe:vfs_open { printf("called vfs_open\n"); }'

Slide 40

Let's trace with a kprobe

// print the command name
# bpftrace -e \
  'kprobe:vfs_open { printf("%s\n", comm); }'

// show only cat
# bpftrace -e \
  'kprobe:vfs_open /comm == "cat"/ { printf("%s\n", comm); }'

Slide 41

Let's trace with a kprobe

// print an argument
# bpftrace -e \
  'kprobe:do_sys_open { printf("opening: %s\n", str(arg1)); }'

// cast arg0 to the kernel's struct path to reach the file name
// (the headers below define struct path and struct dentry)
#include <linux/path.h>
#include <linux/dcache.h>

kprobe:vfs_open
{
  printf("%s %s\n", comm, str(((struct path *)arg0)->dentry->d_name.name));
}

Slide 42

Uprobes
- Roughly speaking, the user-space program version of kprobes

root@bpf:/# objdump -T /bin/bash | grep readline
0000000000124e60 g    DO .bss   0000000000000008  Base        rl_readline_state
00000000000b7cd0 g    DF .text  0000000000000252  Base        readline_internal_char
00000000000b71a0 g    DF .text  000000000000015f  Base        readline_internal_setup
0000000000087120 g    DF .text  000000000000004c  Base        posix_readline_initialize
00000000000b8530 g    DF .text  000000000000009a  Base        readline

# bpftrace -e 'uprobe:/bin/bash:readline { printf("called\n"); }'

Slide 43

Uprobes (attaching by address instead of symbol)

root@bpf:/# objdump -T /bin/bash | grep readline
0000000000124e60 g    DO .bss   0000000000000008  Base        rl_readline_state
00000000000b7cd0 g    DF .text  0000000000000252  Base        readline_internal_char
00000000000b71a0 g    DF .text  000000000000015f  Base        readline_internal_setup
0000000000087120 g    DF .text  000000000000004c  Base        posix_readline_initialize
00000000000b8530 g    DF .text  000000000000009a  Base        readline

# bpftrace -e 'uprobe:/bin/bash:0xb8530 { printf("called\n"); }'

Slide 44

Uprobes (on your own binary)

root@bpf:/# nm uprobes-test | grep main
0000000000001149 T main
root@bpf:/# bpftrace -e \
  'uprobe:./uprobes-test:main { printf("in main\n"); }'
Attaching 1 probe...

Slide 45

Tracepoints
- Hook points predefined in the kernel
- Fewer functions can be traced than with kprobes, but they have a stable API, so they are stable
- A kprobe may stop working when the kernel version changes
- Tracepoints are normally nop instructions, so they can be said to have almost no performance impact

Slide 46

Tracepoints (diagram)

Slide 47

Tracepoints

# bpftrace -e \
  'tracepoint:syscalls:sys_enter_execve { printf("%s %s\n", comm, str(args->filename)); }'

# cat /sys/kernel/tracing/available_events | grep execve
syscalls:sys_exit_execveat
syscalls:sys_enter_execveat
syscalls:sys_exit_execve
syscalls:sys_enter_execve

Slide 48

Tracepoints

# bpftrace -e \
  'tracepoint:syscalls:sys_enter_execve { printf("%s %s\n", comm, str(args->filename)); }'

# cat /sys/kernel/tracing/events/syscalls/sys_enter_execve/format
...
	field:int __syscall_nr;	offset:8;	size:4;	signed:1;
	field:const char * filename;	offset:16;	size:8;	signed:0;
	field:const char *const * argv;	offset:24;	size:8;	signed:0;
	field:const char *const * envp;	offset:32;	size:8;	signed:0;

print fmt: "filename: 0x%08lx, argv: 0x%08lx, envp: 0x%08lx", ((unsigned long)(REC->filename)), ((unsigned long)(REC->argv)), ((unsigned long)(REC->envp))

Slide 49

USDT
- Short for User-level Statically Defined Tracing
- As the name says, you can place trace points in your own user program
- Like tracepoints, these are nop instructions while nothing is attached, so the performance impact is slight

Slide 50

USDT

# bpftrace -e \
  'usdt:./usdt:test_probe { printf("got: %d\n", arg0); }'
Attaching 1 probe...
got: 3
got: 4
got: 5
got: 6
...

Slide 51

function entry/exit
- kprobe, uprobe and tracepoints can each hook both the moment a function is entered and the moment it returns its value
- For a kprobe, for example, the return-side hook is called a kretprobe
- Hooking both lets you measure latency
- gethostlatency
- From a security viewpoint: whether a command succeeded, and so on

Slide 52

Measuring latency

# gethostlatency-bpfcc
TIME      PID    COMM            LATms HOST
18:01:33  8892   curl            29.99 example.com
18:01:43  8894   isc-worker0000   0.02 127.0.0.1
18:01:43  8894   isc-worker0000   0.01 ::1
18:01:55  8898   curl            43.45 security-camp.or.jp
18:02:00  8900   curl            97.16 blog.ssrf.in
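The entry/exit pairing from the previous slide, written with bcc's Python API as an added example (not the lecture's code and not the bcc gethostlatency tool): a kprobe on do_sys_open keeps the path and a timestamp in an eBPF hash map, and the matching kretprobe reads the return value, so each open is reported with its latency and whether it succeeded, was denied, or failed otherwise. The names trace_entry, trace_return and outcome are assumptions; bpf_probe_read_user_str and bpf_probe_read_kernel need kernel 5.5 or newer (older kernels use bpf_probe_read_str and bpf_probe_read).

```python
import errno
BPF_SRC = r"""
#include <uapi/linux/ptrace.h>
struct start_t { u64 ts; char path[256]; };
struct event_t { u32 pid; int ret; u64 delta_ns; char comm[16]; char path[256]; };
BPF_HASH(inflight, u64, struct start_t);   /* eBPF map: entry state keyed by pid_tgid */
BPF_PERF_OUTPUT(events);
int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename) {
    struct start_t s = {};
    u64 id = bpf_get_current_pid_tgid();
    s.ts = bpf_ktime_get_ns();
    bpf_probe_read_user_str(&s.path, sizeof(s.path), filename);
    inflight.update(&id, &s);                /* remember until the function returns */
    return 0;
}
int trace_return(struct pt_regs *ctx) {      /* kretprobe: return value is PT_REGS_RC */
    u64 id = bpf_get_current_pid_tgid();
    struct start_t *s = inflight.lookup(&id);
    if (!s) return 0;                        /* entry not seen (attached mid-call) */
    struct event_t e = {};
    e.pid = id >> 32; e.ret = PT_REGS_RC(ctx); e.delta_ns = bpf_ktime_get_ns() - s->ts;
    bpf_get_current_comm(&e.comm, sizeof(e.comm));
    bpf_probe_read_kernel(&e.path, sizeof(e.path), s->path);
    events.perf_submit(ctx, &e, sizeof(e));
    inflight.delete(&id);
    return 0;
}
"""

def outcome(ret):
    # do_sys_open returns a file descriptor (>= 0) or a negative errno
    if ret >= 0:
        return "opened (fd %d)" % ret
    name = errno.errorcode.get(-ret, "errno %d" % -ret)
    denied = -ret in (errno.EACCES, errno.EPERM)    # the security-relevant failures
    return ("denied (%s)" if denied else "failed (%s)") % name

def main():
    from bcc import BPF  # imported here so outcome() stays importable without bcc
    b = BPF(text=BPF_SRC)
    b.attach_kprobe(event="do_sys_open", fn_name="trace_entry")
    b.attach_kretprobe(event="do_sys_open", fn_name="trace_return")
    def handle(cpu, data, size):
        e = b["events"].event(data)
        print("%-16s pid=%d %s: %s in %.1f us" % (e.comm.decode(errors="replace"), e.pid,
              e.path.decode(errors="replace"), outcome(e.ret), e.delta_ns / 1000.0))
    b["events"].open_perf_buffer(handle)
    while True:
        b.perf_buffer_poll()
if __name__ == "__main__":
    main()
```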

Slide 53

bcc Challenge

Slide 54

Let's trace file opens
- Trace file opens with bcc
- Use strace to find the function to trace
- This time, also read the kernel code and trace a deeper point
- Implement it with bcc

// the kind of command we want to detect
$ cat /etc/passwd

Slide 55

Check with strace

$ strace -o output.txt cat /etc/passwd
$ cat output.txt
...
openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
...

Slide 56

openat

SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int, flags,
		umode_t, mode)
{
	if (force_o_largefile())
		flags |= O_LARGEFILE;

	return do_sys_open(dfd, filename, flags, mode);
}

https://elixir.bootlin.com/linux/v…/source/fs/open.c#L…

Slide 57

Let's write bcc
- Use a kprobe to trace do_sys_open, one level below openat
- https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md
- https://gist.github.com/mrtc0/…

Slide 58

bcc basics

from bcc import BPF

bpf_code = """
int do_entry_trace(struct pt_regs *ctx, ...) {
    ...
}
"""

# initialize the BPF program
b = BPF(text=bpf_code)

# attach to a kprobe:
# event is the function to trace, fn_name is the BPF function run when the hook fires
b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

Slide 59

Level 1
- Print with bpf_trace_printk()

from bcc import BPF

bpf_code = """
int do_entry_trace(struct pt_regs *ctx) {
    bpf_trace_printk("message\\n");  /* doubled backslash: the Python string must hand C a literal \n */
    return 0;
}
"""
b = BPF(text=bpf_code)
b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

Slide 60

Level 2
- Read what was printed with trace_fields()

from bcc import BPF
from bcc.utils import printb

b = BPF(text=bpf_code)
b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

while 1:
    (task, tid, _, _, ts, msg) = b.trace_fields()
    printb(b"%f, %s, %d, %s" % (ts, task, tid, msg))

Slide 61

opensnoop

from bcc import BPF
from bcc.utils import printb

bpf_code = """
int do_entry_trace(struct pt_regs *ctx) {
    bpf_trace_printk("REPLACEME\\n");
    return 0;
}
"""

b = BPF(text=bpf_code)
b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")

while 1:
    (task, tid, _, _, ts, msg) = b.trace_fields()
    printb(b"%f, %s, %d, %s" % (ts, task, tid, msg))

Slide 62

opensnoop
- bpf_get_current_comm() gets the process name
- bpf_probe_read() copies a string safely
- events.perf_submit() stores data in the perf ring buffer
- perf_buffer_poll() polls for that data

Slide 63

opensnoop
- Customize it so that it prints the file name

Hints:
- Look at the arguments of do_entry_trace
- Which function was it that copies a string safely?
- Don't forget to print the string in the polling loop as well

Slide 64

eBPF Challenge

Slide 65

NIST SP 800-190
- NIST SP 800-190 says to monitor the following events:
  - Invalid or unexpected process execution
  - Invalid or unexpected system calls
  - Changes to protected configuration files and binaries
  - Writes to unexpected locations and file types
  - Creation of unexpected network listeners
  - Traffic sent to unexpected network destinations
  - Malware storage or execution

Slide 66

Anomaly detection with eBPF
- Check whether unexpected events occur from the application
- Implementing all of it is a lot of work, so let's detect file writes (open) and command execution (execve)

# python3 trace-app.py
...
Detect unexpected file open : /etc/passwd
Detect unexpected command execution : id

Slide 67

The target application

ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -h
Usage: ./app [-ehn]
  -e  echo message
  -h  help
  -n  display hostname
ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -e hello
hello
ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -n
bpf

Slide 68

Implementation steps
- First, trace openat and execve to build an Allowed List
- strace or bpftrace, either is fine
- If a file not on the whitelist is opened, or a command is executed, print a message
- The skeleton is already written, so fill in the blanks
- Fill in the places marked TODO

Slide 69

How to test

ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -i
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)
ubuntu@bpf:~/bpf-tutorial/trace-app$ ./app -p
root:x:0:0:root:/root:/bin/bash

root@bpf:~/bpf-tutorial/trace-app# python3 trace-app.py
...
Detect unexpected file open : /etc/passwd
Detect unexpected command execution : id
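A compact version of the trace-app.py exercise from the previous slides, added here as an illustration rather than the lecture's own solution: the bcc program hooks do_sys_open with a kprobe and execve with its syscall tracepoint, builds each event with bpf_get_current_comm and bpf_probe_read_user_str, hands it to user space through a perf ring buffer (perf_submit / perf_buffer_poll), and the Python side compares it against an allow-list. ALLOWED_OPENS, ALLOWED_EXECS, WATCHED and classify() are assumptions, as is the guess that the app runs its commands through sh; bpf_probe_read_user_str needs kernel 5.5 or newer.

```python
import os
ALLOWED_OPENS = {"/etc/ld.so.cache", "/lib/x86_64-linux-gnu/libc.so.6", "/etc/hostname"}
ALLOWED_EXECS = {"hostname"}     # compared by basename, as the lecture's output shows ("id")
WATCHED = {"app", "sh"}          # the app plus the shell it is assumed to spawn commands through

BPF_SRC = r"""
#include <uapi/linux/ptrace.h>
struct event_t { u32 pid; u32 kind; char comm[16]; char path[256]; };  /* kind: 0 open, 1 exec */
BPF_PERF_OUTPUT(events);                  /* perf ring buffer, drained by perf_buffer_poll() */
int do_entry_trace(struct pt_regs *ctx, int dfd, const char __user *filename) {
    struct event_t e = {};
    e.pid = bpf_get_current_pid_tgid() >> 32; e.kind = 0;
    bpf_get_current_comm(&e.comm, sizeof(e.comm));               /* process name */
    bpf_probe_read_user_str(&e.path, sizeof(e.path), filename);  /* safe copy of the path */
    events.perf_submit(ctx, &e, sizeof(e));
    return 0;
}
TRACEPOINT_PROBE(syscalls, sys_enter_execve) {    /* stable tracepoint; bcc attaches it itself */
    struct event_t e = {};
    e.pid = bpf_get_current_pid_tgid() >> 32; e.kind = 1;
    bpf_get_current_comm(&e.comm, sizeof(e.comm));
    bpf_probe_read_user_str(&e.path, sizeof(e.path), args->filename);
    events.perf_submit(args, &e, sizeof(e));
    return 0;
}
"""

def classify(kind, comm, path):
    # returns the alert line for an unexpected event from a watched process, else None
    if comm not in WATCHED:
        return None
    if kind == 0 and path not in ALLOWED_OPENS:
        return "Detect unexpected file open : %s" % path
    if kind == 1 and os.path.basename(path) not in ALLOWED_EXECS:
        return "Detect unexpected command execution : %s" % os.path.basename(path)
    return None

def main():
    from bcc import BPF  # imported here so classify() stays importable without bcc
    b = BPF(text=BPF_SRC)
    b.attach_kprobe(event="do_sys_open", fn_name="do_entry_trace")
    def handle(cpu, data, size):
        e = b["events"].event(data)
        msg = classify(e.kind, e.comm.decode(errors="replace"), e.path.decode(errors="replace"))
        if msg:
            print("[pid %d] %s" % (e.pid, msg))
    b["events"].open_perf_buffer(handle)
    while True:
        b.perf_buffer_poll()
if __name__ == "__main__":
    main()
```

Matching on the raw path string is exactly the weakness the bypass slides that follow discuss, so the allow-list check is the part to harden (for example by resolving the path against the opened inode) once the basic detector works.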

Slide 70

Next Challenge
- Handle the whole exec family, not just execve
- Read the application name and the Allowed List from a configuration file (YAML, JSON, TOML, ...) so the detector works for many applications

Slide 71

Bypass techniques
- Plain string matching tends to leave holes no matter what
- Some Falco cases as examples

Slide 72

/proc/self/root
- Bypassed by opening /proc/self/root/etc/passwd

- list: sensitive_file_names
  items: [/etc/shadow]

- macro: sensitive_files
  condition: >
    fd.name startswith /etc and fd.name in (sensitive_file_names)

- rule: Read sensitive file untrusted
  condition: >
    sensitive_files and open_read and proc_name_exists

Slide 73

- Bypassing the "sh -c git" check

- macro: spawned_process
  condition: evt.type = execve

- rule: Spawn git process from php
  desc: Spawn git process from php
  condition: proc.pname=php and spawned_process and proc.cmdline startswith "sh -c git"

$ php -r 'system("git --version");'
$ php -r 'system("$(echo \"git --version\")");'

Slide 74

Commenting out
- When certain command names are excluded from a rule, they can be placed in a comment

- macro: batch_job
  condition: (proc.cmdline contains "run-job.sh")

- rule: Spawn processes from php
  desc: Spawn processes from php
  condition: proc.pname=php and spawned_process and not batch_job

$ php -r 'system("whoami");'
$ php -r 'system("whoami; # run-job.sh");'

Slide 75

Summary

Slide 76

Summary
- eBPF is very powerful and makes tracing easy, so it will be a major pillar of observability
- Its use in development and operations will keep growing
- In security its history is short, but tools such as falco and tracee are seeing growing use
  https://github.com/aquasecurity/tracee
  https://github.com/falcosecurity/falco

Slide 77

For those who want to learn more about eBPF