ebpf-needle-haystack.pdf

1、Finding the Needles in a Haystack:identifying suspicious behaviors with eBPFJeremy CowanDeveloper Advocate,Amazon EKSWasiq MuhammadSecurity Engineer,Amazon GuardDutyThe challenges Capturing and monitoring runtime events for threat detectionwithout impacting the stability or performance of the OS Han

2、dling a high volume of events while providing actionable insightsAccurate detectionsLow false positivesDifferent approachesMethodProsConsExtend Linux KernelFlexibility Has to be broadlyapplicable to be accepted by the community Very slowWrite a Kernel moduleFlexibility Users apprehensive about insta

3、lling Kernel modules Can affect the stability and security of the systemDeploy a sidecar container(k8s)Separation of concerns Increases overhead Can be circumventedIntroducing Extended Berkeley Packet Filter(eBPF)Extremely versatileAllows you to capture system call events occurring within the kernel

4、 Run sandboxed programs in an operating system kernel Loaded and unloaded into the kernel dynamically Originally used to filter network traffic Evolved to deny user space applications from making certain syscalls(SECCOMP)How it works The operating system loads the bytecode,verifies it,JIT(just-in-ti

5、me)compiles it,and runs it Userspace program loads eBPF program and reads the output Requires CAP_BPF linux capability because it needs additional privileges on the system Additional metadata,e.g.process ID,program,etc can be included in the output Program executes within an eBPF VM that runs within

6、 the kernelLinux kernel diagramSyscallsUserspaceKernelAppAppAppFilesMemoryNetworkingProcessesHow GD is using eBPFProcessopen()User-spaceagentSyscall handlereBPF probeKernelUserspaceeBPF Capture of Open SyscallAll arguments are passedto the probeOpen(file_path,flags,mode)Getting started with eBPF eBP