Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/leodido/demo-cloud-native-ebpf-day
Various eBPF programs for tracing network connections
https://github.com/leodido/demo-cloud-native-ebpf-day
attack auditing bpf defense demo ebpf enforcement experimentation kernel lsm lsm-hooks prevention security talk tracepoints tracing
Last synced: about 2 months ago
JSON representation
Various eBPF programs for tracing network connections
- Host: GitHub
- URL: https://github.com/leodido/demo-cloud-native-ebpf-day
- Owner: leodido
- License: gpl-3.0
- Created: 2021-09-11T16:35:31.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2021-10-26T23:54:02.000Z (about 3 years ago)
- Last Synced: 2024-10-14T20:44:15.688Z (2 months ago)
- Topics: attack, auditing, bpf, defense, demo, ebpf, enforcement, experimentation, kernel, lsm, lsm-hooks, prevention, security, talk, tracepoints, tracing
- Language: C
- Homepage:
- Size: 74.2 KB
- Stars: 29
- Watchers: 4
- Forks: 7
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# LSM BPF Changes Everything
This repository contains the code I used for the demo during my [talk](https://sched.co/mFTQ) @ [Cloud Native eBPF Day NA 2021](https://events.linuxfoundation.org/cloud-native-ebpf-day-north-america/).
Here you'll find the following eBPF programs:
- restrict_connect
- BPF LSM program (on
socket_connect
hook) that prevents any connection towards 1.1.1.1 to happen - audit_connect
- program that shows BPF LSM for auditing (on
socket_connect
hook) - kprobe_connect
- program that instruments a kprobe on the Kernel function (
security_socket_connect
) installing thesocket_connect
hook - trace_net
- eBPF program for the
net/net_dev_queue
tracepoint - trace_connect
- eBPF program tracing the entering of the
connect
syscall
## Usage
First thing you'd need to clone this repository, isn't it?
```console
git clone --recurse-submodules -j8 https://github.com/leodido/demo-cloud-native-ebpf-day.git
```
I guess you wanna now build this machinery. Cool!
### Prerequisites
Wait a sec, here are some preconditions to get all of this demo working...
You need a BTF capable Kernel (Linux Kernel 4.18+).
To check whether you have a BTF enabled kernel run:
```console
$ zcat /proc/config.gz | grep CONFIG_DEBUG_INFO_BTF=
```
Otherwise, you need to recompile you kernel with `CONFIG_DEBUG_INFO_BTF=y`: it's size will increase of ~1.5MB, not a big deal.
You need to install bpftool
and clang
.
On ArchLinux this is as easy as running:
```console
$ sudo pacman -S bpf clang
```
If you also wanna try the BPF LSM programs, you need a Linux Kernel 5.7+ with BPF LSM on.
To check whether you have it enabled or not:
```console
$ zcat /proc/config.gz | grep CONFIG_LSM=
```
Check if BPF hooks are enabled for LSM by looking at the output to contain them:
```console
CONFIG_LSM="...,bpf"
```
Remember that BPF hooks for LSM can also be enabled via the `lsm` Kernel boot parameters, so take a look there too.
Also check your Kernel supports [BPF LSM instrumentation](https://github.com/torvalds/linux/blob/5d6ab0bb408ffdaac585982faa9ec8c7d5cc349f/kernel/bpf/Kconfig#L77) with:
```console
$ zcat /proc/config.gz | grep CONFIG_BPF_LSM=
```
### Building
Ok, now you can move to the `src` directory. Here you'll find a nice [Makefile](./src/Makefile) to build all the things at once:
```console
$ make
```
Or, one by one. For example:
```console
$ make trace_net
$ make V=1 restrict_connect # in case you like to be verbose
```
### Running
Now it's time to run 🏃
Wanna try to restrict connections towards 1.1.1.1? Try this:
```console
$ sudo ./restrict_connect
```
Then, in another terminal:
```console
$ curl https://1.1.1.1
$ ping 1.1.1.1
```
And observe the output!
Notice that all the other eBPF programs in this repo (so, except `restrict_connect` at the moment)
work only against connections coming from executables which name is `attack_connect`.
This means they'll ignore connections generating from `curl`, etc.
## Evaluation
One of the reasons because this repository (and its talk) exist was because I wanted to test an attack ([CVE-2021-33505](https://nvd.nist.gov/vuln/detail/CVE-2021-33505))
that in some circumstances (ie., `userfaultfd` syscall enabled) is able to bypass security auditing tools
based on tracepoints (that were not exactly made to accomplish this goal, but still...).
So, I wanted to verify which tracing implementations for the security context
are vulnerable to this attack... And here we are. 🙃
Wanna know more about this attack? Watch this [DEFCON talk](https://youtu.be/yaAdM8pWKG8) by my friend Xiaofei Rex Guo.
Now, let's say that you wanna try the attack yourself targeting one of the eBPF programs here.
First, you'll need to verify whether you have the `userfaultfd` syscall...
```console
$ zcat /proc/config.gz | grep CONFIG_USERFAULTFD
```
You'll also need to verify if it is enabled for unprivileged users
(surprisingly, it is enabled for unprivileged users in many distro kernels).
```console
$ cat /proc/sys/vm/unprivileged_userfaultfd
```
If `/proc/sys/vm/unprivileged_userfaultfd` is set to `0`, for the sake of this experimentation set it to `1`, like so:
```console
$ sudo sysctl -w vm.unprivileged_userfaultfd=1
```
Now you should be able to doo you experimentations!
First, start an eBPF program of your choice...
Then, it's attack time:
```console
$ pushd phantom-attack/phantom_v1/
$ make
$ popd
$ ./phantom-attack/phantom_v1/attack_connect
```
I also wrote a bash script to make these experimentations more straightforward.
Maybe, one day, I'll publish the results of such experimentations among different kernel releases, eBPF programs, etc.
Anyways, you can find it at [experiment.sh](./experiment.sh) in this repo and you can execute it by providing the number of times you want the attack to run (let's say 10?) and the eBPF program to target (let's say `trace_connect`?).
```console
$ ./experiment.sh -i 100 -p trace_connect
```
Have fun!
~
Leo
---
[![Analytics](https://ga-beacon.appspot.com/UA-49657176-1/demo-cloud-native-ebpf-day?flat)](https://github.com/igrigorik/ga-beacon)