Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement with Cilium Tetragon.pdf

Transcript

1. eBPF-based Security Observability & Runtime Enforcement with Cilium Tetragon Raphaël

   Pinson | @raphink — 🧪 Cilium Alchemist

2. with Cilium Tetragon eBPF-based Security Observability & Runtime Enforcement ⬢

   Security Observability ⬢ eBPF ⬢ Cloud Native Metadata ⬢ Runtime Enforcement

3. with Cilium Tetragon eBPF-based Security Observability & Runtime Enforcement ⬢

   Security Observability

4. Who am I Raphaël Pinson Cilium Alchemist @ Isovalent

5. Runtime Security - Security in Real Time Active protection while

   your workload is running → Detecting malicious activity in real time → Reporting when malicious events occur -> Even better, preventing them
6. None

7. What activity do we care about? • Network traffic •

   File & I/O activity • Running executables • System call activity • Changing privileges & namespace boundaries • …

8. How could we spot this activity? • LD_PRELOAD • ptrace

   • seccomp • LSM • eBPF

9. LD_PRELOAD • Standard C library, dynamically linked • System call

   API • Replace the “standard” library

10. LD_PRELOAD • Standard C library, dynamically linked • System call

    API • Replace the “standard” library • Bypassed by statically linked executables

11. Syscall checks within the kernel ptrace, seccomp, eBPF kprobes on

    syscall entry

12. TOCTTOU with syscalls For more details • Leo Di Donato

    & KP Singh at CN eBPF Day 2021 • Rex Guo & Junyuan Zeng at DEFCON 29 on Phantom attacks ptrace, seccomp, eBPF kprobes on syscall entry

13. Need to make the check at the right place

14. Linux Security Modules • Stable interface • Safe places to

    make checks

15. with Cilium Tetragon eBPF-based Security Observability & Runtime Enforcement ⬢

    Security Observability ⬢ eBPF
16. None

17. Process Scheduler execve() Linux Kernel Syscall

18. How does it work? @raphink | @[email protected]

19. How does it work? @raphink | @[email protected]

20. How does it work? @raphink | @[email protected]

21. How does it work? @raphink | @[email protected]

22. How does it work? @raphink | @[email protected]

23. How does it work? @raphink | @[email protected]

24. How does it work? @raphink | @[email protected]

25. How does it work? @raphink | @[email protected]

26. None

27. BPF LSM • Stable interface • Safe places to make

    checks • eBPF makes it dynamic • Protect pre-existing processes

28. BPF LSM • Stable interface • Safe places to make

    checks • eBPF makes it dynamic • Protect pre-existing processes • Needs kernel 5.7+

29. Cilium Tetragon • eBPF makes it dynamic • Protect pre-existing

    processes • Uses kernel knowledge to hook into sufficiently stable functions

30. Cilium Tetragon • eBPF makes it dynamic • Protect pre-existing

    processes • Uses kernel knowledge to hook into sufficiently stable functions • Multiple co-ordinated eBPF programs

31. Cilium Tetragon • eBPF makes it dynamic • Protect pre-existing

    processes • Uses kernel knowledge to hook into sufficiently stable functions • Multiple co-ordinated eBPF programs • In-kernel event filtering

32. Observability • Deep Visibility ◦ System, network, protocols, filesystem, applications,

    … • Transparent ◦ App agonistic ◦ No changes to applications • Low-Overhead ◦ Minimal overhead ◦ Extensive filtering & aggregation • Integrations ◦ Prometheus, Grafana, SIEM, fluentd, OpenTelemetry, elasticsearch

33. with Cilium Tetragon eBPF-based Security Observability & Runtime Enforcement ⬢

    Security Observability ⬢ eBPF ⬢ Cloud Native Metadata

34. Context is everything

35. Cloud Native Metadata

36. YAML Config Example

37. YAML/Kubernetes as Control Plane

38. Network Interface Metrics

39. TCP Latency (sRTT)

40. Traffic Accounting

41. TLS/SSL Visibility

42. Detecting weak/vulnerable TLS Versions

43. Observing DNS, HTTP, TCP, …

44. Audit Listening Ports

45. Detect DNS bypass attempts

46. Detecting Nmap Scans

47. Monitoring Process Execution & Syscalls

48. Combined Network & Runtime Visibility

49. Detect Late Process Execution

50. Monitoring File Access

51. Network Policy Compliance

52. Observing HTTP & gRPC

53. with Cilium Tetragon eBPF-based Security Observability & Runtime Enforcement ⬢

    Security Observability ⬢ eBPF ⬢ Cloud Native Metadata ⬢ Runtime Enforcement

54. Runtime Enforcement • Preventive Security ◦ System, network, filesystem, and

    applications • Synchronous enforcement • Integrations ◦ Kubernetes CRD, JSON, OPA, … ◦ Convert from existing rule sets (Falco, PodSecurity Policies, …)

55. Preventative actions from user space

56. Preventative actions from kernel

57. Preventing Sensitive File Access

58. Detecting re-mount of root filesystem

59. Monitoring & Preventing Capabilities Abuse

60. Security Observability & Runtime Enforcement github.com/cilium/tetragon

61. Tetragon Tetragon Enterprise Advanced Visibility • Extended Network Visibility •

    DNS, HTTP, HTTPS, TLS • SIEM Integration • Process Ancestry Information • High-performance Protocol Parsers, Aggregation, & Filtering • File Integrity Monitoring (Digest SHA256) Advanced Enforcement • Extended Runtime Enforcement Capabilities • Threat Detection • Baseline Policies Visibility • Process & Syscall Visibility • L3-L4 Network Visibility • File Access Monitoring • Capabilities & Namespacing Enforcement • System call-based enforcement (kprobes, tracepoints)

62. Which eBee are you? @raphink | @[email protected] Cloud Network Engineer

    Platform Engineer Platform Ops (Service Mesh) Security Professional Cloud Architect
63. None

64. Practical Labs … to become a Cilium & eBPF Jedi

    🌐 https://labs-map.isovalent.com Get badges 🏅 @raphink | @[email protected]

65. eBPF resources eCHO eBPF YouTube podcast: https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYB WvuQ eBPF &

    Cilium Slack http://slack.cilium.io/ eCHO News Bi-weekly eBPF newsletter: https://cilium.io/newsletter/ @raphink | @[email protected]

66. Thank you!