Kernel Proc Connector and Containers

Elad Wexler talks about the Proc Connector with regard to containers, shows that it isn't supported inside a Docker container, and shows how it can be supported.

Slide 1: Security Technologies, Feb 2018. Nadav Markus, Elad Wexler

Slide 2: Kernel Proc Connector and Containers

Slide 3: Agenda
• How to get process events? Such as fork(), exec(), exit(), setuid(), ptrace()? From user space, in nearly real time, seamlessly?
• Can we do that inside a Docker container?
3 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Slide 4: Options
• Polling the /proc file-system: not efficient (wasteful CPU cycles), not deterministic
• Inotify? Can't monitor the /proc file-system by design
• strace? A possibility, but for each process in the system?
• Audit framework: a good possibility, but reserved for auditd

Slide 5: Another Option
• Use the process-connector kernel primitive
• Provides: a flexible socket-based API; real, valid kernel data delivered to user space
• Can be used for: monitoring system activity, resource management, security

Slide 6: Kernel Connector
(Diagram: netlink -> Connector -> its users: Process Connector, Dallas 1-wire bus, Microsoft Hyper-V client driver, VBE 2.0 video cards)

Slide 7: Process Connector: System Architecture
(Diagram: USER side: user listener -> socket API (AF_NETLINK). KERNEL side: /net/socket.c -> /net/netlink/af_netlink.c -> /drivers/connector/connector.c (CONNECTOR) -> /drivers/connector/cn_proc.c (PROCESS CONNECTOR), fed by sys_fork(), sys_exec(), sys_exit(), sys_setuid(), sys_ptrace(), ...)

Slide 8: Connector
• Built on the netlink infrastructure, as an easy kernel <-> user-space IPC
• Added netlink protocol: NETLINK_CONNECTOR
• The netlink connector callback is called on recv from a netlink socket
• Driver API

Slide 9: Process Connector
• Initially added by IBM in kernel 2.6.14 (CONFIG_PROC_EVENTS)
• Built on the connector driver
• Registers an mcast callback and connector identifiers
• Sends process events via the netlink connector socket
• Example

Slide 10: Netlink
• Kernel <-> user space IPC (a flexible ioctl replacement)
• Kernel <-> kernel
• (User space <-> user space)
• Address: the users' PIDs
• Socket family AF_NETLINK: connectionless service

Slide 11: Demo – Host namespaces

Slide 12: Demo – Host namespaces
(Diagram: user-space send message definition: struct nlmsghdr (netlink layer) -> struct cn_msg (connector) -> user data: enum proc_cn_mcast_op)

Slide 13: Demo – Host namespaces
(Diagram: user-space recv message: struct nlmsghdr (netlink layer) -> struct cn_msg (connector) -> user data: struct proc_event)

Slide 14: Demo in Container
• Flow of ECONNREFUSED

Slide 15: [PATCH]: Supporting proc-connector in a container

Slide 16: Demo

Slide 17: More Issues
• Mcast design is broken: PROC_CN_MCAST_IGNORE
• Host namespace information disclosure

Slide 18: Questions?
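The message layouts on slides 12 and 13, as an added example that is not code from the deck or from the authors: it builds the PROC_CN_MCAST_LISTEN subscribe message (nlmsghdr -> cn_msg -> enum proc_cn_mcast_op), builds a constructed sample fork event in the shape the kernel delivers, and parses a received buffer back into struct proc_event after validating both headers. The function names are mine; the structures, constants and macros come from the kernel UAPI headers.

```c
#include <string.h>
#include <sys/types.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>

/* Slides 12/13 layout: nlmsghdr -> cn_msg -> user data. Returns total bytes, 0 if buf is too small. */
static size_t build_cn_msg(unsigned char *buf, size_t buflen, const void *data, size_t dlen)
{
    size_t total = NLMSG_SPACE(sizeof(struct cn_msg) + dlen);
    if (buflen < total) return 0;
    memset(buf, 0, total);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct cn_msg) + dlen);
    nlh->nlmsg_type = NLMSG_DONE;
    struct cn_msg *cn = (struct cn_msg *)NLMSG_DATA(nlh);
    cn->id.idx = CN_IDX_PROC;   /* identifiers registered by drivers/connector/cn_proc.c */
    cn->id.val = CN_VAL_PROC;
    cn->len = (__u16)dlen;
    memcpy(cn->data, data, dlen);
    return total;
}

/* Slide 12: the subscribe/unsubscribe request; its user data is one enum proc_cn_mcast_op. */
size_t build_mcast_msg(unsigned char *buf, size_t buflen, enum proc_cn_mcast_op op)
{
    return build_cn_msg(buf, buflen, &op, sizeof(op));
}

/* Constructed sample (not a captured kernel message) of the fork event a listener receives. */
size_t build_sample_fork_event(unsigned char *buf, size_t buflen, pid_t parent, pid_t child)
{
    struct proc_event ev = { .what = PROC_EVENT_FORK };
    ev.event_data.fork.parent_pid = ev.event_data.fork.parent_tgid = parent;
    ev.event_data.fork.child_pid = ev.event_data.fork.child_tgid = child;
    return build_cn_msg(buf, buflen, &ev, sizeof(ev));
}

/* Slide 13: check both headers before trusting the payload; memcpy because proc_event's 8-byte timestamp is misaligned here. */
int parse_proc_event(const unsigned char *buf, size_t len, struct proc_event *out)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    if (!NLMSG_OK(nlh, (int)len) || NLMSG_PAYLOAD(nlh, 0) < sizeof(struct cn_msg)) return -1;
    const struct cn_msg *cn = (const struct cn_msg *)((const unsigned char *)nlh + NLMSG_HDRLEN);
    if (cn->id.idx != CN_IDX_PROC || cn->id.val != CN_VAL_PROC) return -1;
    if (cn->len < sizeof(*out) || NLMSG_PAYLOAD(nlh, sizeof(struct cn_msg)) < cn->len) return -1;
    memcpy(out, cn->data, sizeof(*out));
    return 0;
}
```

On a live system the listener opens socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR), binds with nl_groups = CN_IDX_PROC, sends the listen message (CAP_NET_ADMIN is required) and feeds each recv() buffer to parse_proc_event. The connector's kernel socket is created in the initial network namespace, which is why a container with its own network namespace sees the ECONNREFUSED flow of slide 14.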
