The document discusses eBPF-based security observability and runtime enforcement using Cilium Tetragon, focusing on real-time detection and prevention of malicious activities in cloud-native environments. It outlines various technical techniques and integrations for monitoring system calls, network traffic, and file access while ensuring minimal overhead and high visibility. Additionally, it emphasizes the dynamic and preventive nature of security measures that can be implemented using Cilium Tetragon in Kubernetes and other platforms.

1. eBPF-based Security
Observability & Runtime
Enforcement
with Cilium Tetragon
Raphaël Pinson | @raphink — 🧪 Cilium Alchemist

2. with Cilium Tetragon
eBPF-based Security
Observability & Runtime
Enforcement
⬢ Security Observability
⬢ eBPF
⬢ Cloud Native Metadata
⬢ Runtime Enforcement

3. with Cilium Tetragon
eBPF-based Security
Observability & Runtime
Enforcement
⬢ Security Observability

4. Who am I
Raphaël Pinson
Cilium Alchemist @ Isovalent

5. Runtime Security - Security in Real Time
Active protection while your workload is running
→ Detecting malicious activity in real time
→ Reporting when malicious events occur
-> Even better, preventing them

7. What activity do we care about?
● Network traffic
● File & I/O activity
● Running executables
● System call activity
● Changing privileges & namespace boundaries
● …

8. How could we spot this activity?
● LD_PRELOAD
● ptrace
● seccomp
● LSM
● eBPF

9. LD_PRELOAD
● Standard C library, dynamically linked
● System call API
● Replace the “standard” library

10. LD_PRELOAD
● Standard C library, dynamically linked
● System call API
● Replace the “standard” library
● Bypassed by statically linked executables

11. Syscall checks within the kernel
ptrace,
seccomp,
eBPF kprobes on syscall entry

12. TOCTTOU with syscalls
For more details
● Leo Di Donato & KP Singh at CN eBPF Day 2021
● Rex Guo & Junyuan Zeng at DEFCON 29 on Phantom attacks
ptrace,
seccomp,
eBPF kprobes on syscall entry

13. Need to make the check at the right place

14. Linux Security Modules
● Stable interface
● Safe places to make checks

15. with Cilium Tetragon
eBPF-based Security
Observability & Runtime
Enforcement
⬢ Security Observability
⬢ eBPF

17. Process
Scheduler
execve()
Linux
Kernel
Syscall

18. How does it work?
@raphink | @raphink@mastodon.social

19. How does it work?
@raphink | @raphink@mastodon.social

20. How does it work?
@raphink | @raphink@mastodon.social

21. How does it work?
@raphink | @raphink@mastodon.social

22. How does it work?
@raphink | @raphink@mastodon.social

23. How does it work?
@raphink | @raphink@mastodon.social

24. How does it work?
@raphink | @raphink@mastodon.social

25. How does it work?
@raphink | @raphink@mastodon.social

27. BPF LSM
● Stable interface
● Safe places to make checks
● eBPF makes it dynamic
● Protect pre-existing processes

28. BPF LSM
● Stable interface
● Safe places to make checks
● eBPF makes it dynamic
● Protect pre-existing processes
● Needs kernel 5.7+

29. Cilium Tetragon
● eBPF makes it dynamic
● Protect pre-existing processes
● Uses kernel knowledge to hook into
sufficiently stable functions

30. Cilium Tetragon
● eBPF makes it dynamic
● Protect pre-existing processes
● Uses kernel knowledge to hook into
sufficiently stable functions
● Multiple co-ordinated eBPF programs

31. Cilium Tetragon
● eBPF makes it dynamic
● Protect pre-existing processes
● Uses kernel knowledge to hook into
sufficiently stable functions
● Multiple co-ordinated eBPF programs
● In-kernel event filtering

32. Observability
● Deep Visibility
○ System, network, protocols,
filesystem, applications, …
● Transparent
○ App agonistic
○ No changes to applications
● Low-Overhead
○ Minimal overhead
○ Extensive filtering & aggregation
● Integrations
○ Prometheus, Grafana, SIEM, fluentd,
OpenTelemetry, elasticsearch

33. with Cilium Tetragon
eBPF-based Security
Observability & Runtime
Enforcement
⬢ Security Observability
⬢ eBPF
⬢ Cloud Native Metadata

34. Context is everything

35. Cloud Native Metadata

36. YAML Config Example

37. YAML/Kubernetes as Control Plane

38. Network Interface Metrics

39. TCP Latency (sRTT)

40. Traffic Accounting

41. TLS/SSL Visibility

42. Detecting weak/vulnerable TLS Versions

43. Observing DNS, HTTP, TCP, …

44. Audit Listening Ports

45. Detect DNS bypass attempts

46. Detecting Nmap Scans

47. Monitoring Process Execution & Syscalls

48. Combined Network & Runtime Visibility

49. Detect Late Process Execution

50. Monitoring File Access

51. Network Policy Compliance

52. Observing HTTP & gRPC

53. with Cilium Tetragon
eBPF-based Security
Observability & Runtime
Enforcement
⬢ Security Observability
⬢ eBPF
⬢ Cloud Native Metadata
⬢ Runtime Enforcement

54. Runtime Enforcement
● Preventive Security
○ System, network, filesystem, and
applications
● Synchronous enforcement
● Integrations
○ Kubernetes CRD, JSON, OPA, …
○ Convert from existing rule sets
(Falco, PodSecurity Policies, …)

55. Preventative actions from user space

56. Preventative actions from kernel

57. Preventing Sensitive File Access

58. Detecting re-mount of root filesystem

59. Monitoring & Preventing Capabilities Abuse

60. Security Observability &
Runtime Enforcement
github.com/cilium/tetragon

61. Tetragon Tetragon Enterprise
Advanced Visibility
● Extended Network Visibility
● DNS, HTTP, HTTPS, TLS
● SIEM Integration
● Process Ancestry Information
● High-performance Protocol Parsers,
Aggregation, & Filtering
● File Integrity Monitoring (Digest SHA256)
Advanced Enforcement
● Extended Runtime Enforcement Capabilities
● Threat Detection
● Baseline Policies
Visibility
● Process & Syscall Visibility
● L3-L4 Network Visibility
● File Access Monitoring
● Capabilities & Namespacing
Enforcement
● System call-based enforcement
(kprobes, tracepoints)

62. Which eBee are you?
@raphink | @raphink@mastodon.social
Cloud Network
Engineer
Platform
Engineer
Platform Ops
(Service Mesh)
Security
Professional
Cloud Architect

64. Practical Labs
… to become a Cilium & eBPF Jedi
🌐 https://labs-map.isovalent.com
Get badges 🏅
@raphink | @raphink@mastodon.social

65. eBPF resources
eCHO
eBPF YouTube podcast:
https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYB
WvuQ
eBPF & Cilium Slack
http://slack.cilium.io/
eCHO News
Bi-weekly eBPF newsletter:
https://cilium.io/newsletter/
@raphink | @raphink@mastodon.social

66. Thank you!