eBPF is used in several cloud native security tools. In this talk we’ll dive into demos and code to explore how eBPF can be used for the next generation of security enforcement tooling. This talk will cover:
- Why enforcing NetworkPolicy with eBPF has been in place for years, but preventive security for applications has taken longer.
- How Phantom attacks can compromise the use of basic system call hooks.
- How other eBPF attachment points, such as BPF LSM, can be used for preventive security.
5. Runtime Security - Security in Real Time
Active protection while your workload is running
→ Detecting malicious activity in real time
→ Reporting when malicious events occur
→ Even better, preventing them
7. What activity do we care about?
● Network traffic
● File & I/O activity
● Running executables
● System call activity
● Changing privileges & namespace boundaries
● …
8. How could we spot this activity?
● LD_PRELOAD
● ptrace
● seccomp
● LSM
● eBPF
9. LD_PRELOAD
● Standard C library, dynamically linked
● libc wrappers are how most programs reach the system call API
● Replace (interpose on) the “standard” library functions to observe or block calls
● Bypassed by statically linked executables, and by code that issues system calls directly instead of going through libc
12. TOCTTOU with syscalls
● A hook at syscall entry reads the arguments from user memory, but the kernel copies them again later when it acts on them
● Another thread sharing that memory can change the arguments in between, so the hook checks one value and the kernel uses another
● Affects ptrace, seccomp, and eBPF kprobes on syscall entry
For more details
● Leo Di Donato & KP Singh at CN eBPF Day 2021
● Rex Guo & Junyuan Zeng at DEFCON 29 on Phantom attacks
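The race on this slide, as an added example that is not from the talk or from any of the referenced work: a single-file C model in which the "entry hook", the kernel's later copy of the argument, and the attacker thread are all simulated in user space. Semaphores force the ordering that a real attacker has to win by timing, so the outcome is deterministic. The names run_phantom_race, entry_hook_check and lsm_style_check are mine; the last one stands in for a hook that, like an LSM hook, decides on the copy the kernel is actually about to use rather than on the user pointer.

```c
// Added example (not from the talk): user-space model of the TOCTTOU window
// between a syscall-entry hook and the kernel's own copy of the argument.
#include <pthread.h>
#include <semaphore.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_DEMO 64

/* Shared state for one simulated syscall. */
struct race {
    char user_buf[PATH_MAX_DEMO];       /* "user memory" holding the pathname argument */
    char seen_by_hook[PATH_MAX_DEMO];   /* what an entry hook (ptrace/seccomp/kprobe) recorded */
    char seen_by_kernel[PATH_MAX_DEMO]; /* what the kernel actually copied and acted on */
    sem_t hook_done;                    /* signalled once the entry hook has read the argument */
    sem_t attacker_done;                /* signalled once the attacker has overwritten it */
};

/* Simulates a hook at syscall entry: it dereferences the user pointer and
 * records the pathname it sees. Any decision taken here rests on this copy. */
static void entry_hook(struct race *r)
{
    strncpy(r->seen_by_hook, r->user_buf, PATH_MAX_DEMO - 1);
    r->seen_by_hook[PATH_MAX_DEMO - 1] = '\0';
}

/* Simulates the kernel doing its own copy_from_user() on the same pointer later. */
static void kernel_copy(struct race *r)
{
    strncpy(r->seen_by_kernel, r->user_buf, PATH_MAX_DEMO - 1);
    r->seen_by_kernel[PATH_MAX_DEMO - 1] = '\0';
}

/* Victim thread: issues the "syscall". The semaphore wait stands in for the
 * narrow window a real attacker has to hit between hook and kernel copy. */
static void *victim_thread(void *arg)
{
    struct race *r = arg;
    entry_hook(r);
    sem_post(&r->hook_done);
    sem_wait(&r->attacker_done);
    kernel_copy(r);
    return NULL;
}

/* Attacker thread: shares the address space and rewrites the argument after
 * the hook has read it but before the kernel has. */
static void *attacker_thread(void *arg)
{
    struct race *r = arg;
    sem_wait(&r->hook_done);
    strcpy(r->user_buf, "/etc/shadow");   /* the object really being opened */
    sem_post(&r->attacker_done);
    return NULL;
}

/* Runs one race. Returns 1 if hook and kernel disagreed about the pathname
 * (the hook was fooled), 0 if they agreed, -1 on thread-creation failure. */
int run_phantom_race(struct race *r)
{
    memset(r, 0, sizeof *r);
    strcpy(r->user_buf, "/tmp/harmless");  /* what the hook is meant to see */
    sem_init(&r->hook_done, 0, 0);
    sem_init(&r->attacker_done, 0, 0);

    pthread_t v, a;
    if (pthread_create(&a, NULL, attacker_thread, r) != 0)
        return -1;
    if (pthread_create(&v, NULL, victim_thread, r) != 0) {
        sem_post(&r->hook_done);           /* let the attacker thread exit */
        pthread_join(a, NULL);
        return -1;
    }
    pthread_join(v, NULL);
    pthread_join(a, NULL);

    sem_destroy(&r->hook_done);
    sem_destroy(&r->attacker_done);
    return strcmp(r->seen_by_hook, r->seen_by_kernel) != 0;
}

/* Policy applied where an entry hook would apply it: on the user-memory copy.
 * Returns 0 to allow, -1 to deny. */
int entry_hook_check(const struct race *r)
{
    return strcmp(r->seen_by_hook, "/etc/shadow") == 0 ? -1 : 0;
}

/* Same policy applied where an LSM hook would apply it: on the copy the kernel
 * is actually about to use. Returns 0 to allow, -1 to deny. */
int lsm_style_check(const struct race *r)
{
    return strcmp(r->seen_by_kernel, "/etc/shadow") == 0 ? -1 : 0;
}

int main(void)
{
    struct race r;
    int fooled = run_phantom_race(&r);
    printf("hook saw %s, kernel used %s -> hook %s\n",
           r.seen_by_hook, r.seen_by_kernel, fooled ? "fooled" : "correct");
    printf("entry-hook policy: %s, LSM-style policy: %s\n",
           entry_hook_check(&r) ? "deny" : "allow",
           lsm_style_check(&r) ? "deny" : "allow");
    return 0;
}
```

The point of the two check functions is the placement, not the policy: the same string comparison allows the access when it runs on the entry hook's copy and denies it when it runs on the data the kernel is about to act on, which is why attachment points that fire after the kernel has resolved the object are the ones the talk proposes for preventive enforcement.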