#SECTORCA SecTorCA

How Manifest Files Are Lying to You, and Why eBPF Is Your Best Lie Detector?
Aleksandr Krasnov

sectorcan:$ whoami
Introduction
- Security Engineer
- Independent Researcher
- DevSecOps & “The Office” geek

sectorcan:$ less Threat Landscape
Why: Threat Landscape
SolarWinds Orion Attack - 2020
  a. $1B lost in market value, $18M lost in additional costs like legal fees + settlements
  b. https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm
PyPI Typosquatting Attack - 2019
  a. Unknown loss in value due to affecting numerous customers
  b. https:/
NPM Library Hack - 2021
  a. Over $20M lost in audits, system remediation, and security patching
  b. https:/

sectorcan:$ grep -ri “shift left”
Well, of course there is Shift Left

sectorcan:$ ls /opt/my-app
The What: SDLC
Design, Develop, Build, Deploy
Manifest File:
- Metadata
- Dependencies
- Configuration Information
- Entry Points

sectorcan:$ bpftool prog show
Short Intro: eBPF
Source: ebpf.io/what-is-ebpf

sectorcan:$ cd /opt/my-app & eval $stage
Short Intro: Build Process
npm init -y
npm run build
npm update
Sounds easy? Nope.

sectorcan:$ nc -lvnp 8080
Attacker's Perspective
- Identify Package Name
- Register a malicious package on public repository
- Dependency Resolution + Code Execution

sectorcan:$ cat risk_classification
Risk Classification
- Stale
- Sketchy
- Hijacked
- Inconclusive

sectorcan:$ more architecture.txt
Architectural Weaknesses
Diagram labels: Environment, Code, Library, 3rd party server, Malicious C2, Legit

sectorcan:$ find / -type f -name “*attack*”
Example of eBPF control: Scenario
Diagram labels: Environment, Code, Libraries, Malicious C2 57.129.63.131:8080, Everything Else

sectorcan:$ vim /cilium/program.c
Examp
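The "lie detector" idea behind the scenario above, as an added example that is not code from the talk or from Cilium: exec and connect events in the shape an eBPF probe would emit (constructed here, as are the PIDs and the stand-in registry address) are attributed to the `npm run build` process tree, and any destination the manifest never implied, such as the deck's 57.129.63.131:8080, is reported together with the command chain that produced it.

```python
# Added example, not from the talk: join eBPF-style exec and connect events
# so a connection is judged by which build step made it, not by the manifest.
from dataclasses import dataclass


@dataclass(frozen=True)
class Exec:          # shape of a sched_process_exec / execve tracepoint event
    pid: int
    ppid: int
    argv: str


@dataclass(frozen=True)
class Connect:       # shape of a tcp_connect / inet_sock_set_state event
    pid: int
    daddr: str
    dport: int


# Destinations the manifest legitimately implies (registry only). Constructed:
# 203.0.113.10 is a TEST-NET stand-in for the declared npm registry.
MANIFEST_ALLOWLIST = {("203.0.113.10", 443)}


def command_chain(execs, pid, root_pid):
    """Walk ppid links from pid up to root_pid. Returns the argv list root-first,
    or None when pid is not a descendant of the build root."""
    by_pid = {e.pid: e for e in execs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].argv)
        if pid == root_pid:
            return chain[::-1]
        pid = by_pid[pid].ppid
    return None


def unexpected_connects(execs, connects, root_pid):
    """Connections made from inside the build tree to destinations outside the
    manifest allowlist, each paired with the command chain that opened them."""
    findings = []
    for c in connects:
        chain = command_chain(execs, c.pid, root_pid)
        if chain is None or (c.daddr, c.dport) in MANIFEST_ALLOWLIST:
            continue
        findings.append((f"{c.daddr}:{c.dport}", " -> ".join(chain)))
    return findings


EXECS = [  # constructed build tree: npm spawns a lifecycle script via sh
    Exec(1000, 900, "npm run build"),
    Exec(1001, 1000, "sh -c node scripts/prepare.js"),
    Exec(1002, 1001, "node scripts/prepare.js"),
    Exec(2000, 1, "curl https://example.invalid"),  # unrelated process
]
CONNECTS = [  # constructed socket events
    Connect(1000, "203.0.113.10", 443),      # registry fetch, declared
    Connect(1002, "57.129.63.131", 8080),    # the deck's C2 address, undeclared
    Connect(2000, "198.51.100.7", 443),      # outside the build tree, ignored
]

if __name__ == "__main__":
    for dst, chain in unexpected_connects(EXECS, CONNECTS, root_pid=1000):
        print(f"UNDECLARED {dst} via {chain}")
```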