John Fastabend, Natalia Reka Ivanko
Securing the Superpowers - Who loaded that eBPF program?

Speakers
- Natalia Reka Ivanko, Security Product Lead, Isovalent
- John Fastabend, Tetragon Lead & Cilium Maintainer, Engineer, Isovalent

eBPF is on the rise

Motivation
Networking
- High Performance
- Load Balancing
Observability
- Application tracing
- Performance troubleshooting
- Performance monitoring
Security
- Detect suspicious behaviour
- Least privileged policies
- Preventative Security

Security Use Cases
- Data Exfiltration
- File Integrity Monitoring

Security Use Cases
- Capability Abuse
- Namespace Access

eBPF became cross platform
- Windows Runtime recently
- Most Linux distributions
- Cloud providers

Since eBPF became so powerful, Security Teams need to answer questions like:
Who is watching eBPF?
To remain secure it's really important to keep track and audit:
- what BPF programs were loaded
- what BPF maps were created

Motivation
What does audit mean?
- Who loaded it?
- Which Kubernetes workload, which process, which binary, from which ancestors?
- When was it loaded?
- Should this program be expected?
- Have we seen this program or the process before?
- Should the process touch bpf() at all?

Auditing BPF programs

Auditing BPF programs with Tetragon
Security Observability & Runtime Enforcement

Tetragon - Auditing eBPF programs
What is a BPF Program
A Running BPF Program:
- Set of BPF instructions (CO-RE)
- Set of Maps
- Set of Syscalls
- BPF program Type
- BPF Attach location
The BPF Filesystem (Lifetime management): /sys/fs/bpf/
BPF Program: insn, maps, syscalls, type, attached
/sys/fs/bpf/tetragon/link

Tetragon - Auditing eBPF programs
(diagram modified from Gregg, BPF Internals, LISA21; only the labels survive extraction)
Diagram labels: BPF bytecode, Per-event data, Statistics, stacks, Shared BPF maps, BPF compiler, BPF verifier, BPF JIT, BPF ringbuf, perf buffer, Kernel, User, program data, BPF application, tc, sock_addr/sk, struct_ops, Core networking, Congestion control, reusep
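The "What does audit mean?" slide is a checklist: who loaded the program (binary, ancestors, Kubernetes workload), what was loaded (type, attach point), when, whether it was expected, and whether the program or the loader has been seen before. The following is an added example, not code from the talk and not Tetragon's own implementation or event schema: it runs that checklist over a constructed, simplified list of "BPF program loaded" audit records against a small allowlist of expected loader binaries. The POLICY mapping, the record fields, the program tags and the pod names are all assumptions made up for the example.

```python
"""Audit "BPF program loaded" events against an expected-loader policy.

Added example (not from the talk, not Tetragon's code or event format).
The event shape and all sample values are constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumed policy: which binaries are expected to call bpf() and which
# program types each of them normally loads. Anything else is a finding.
POLICY = {
    "/usr/bin/tetragon": {"kprobe", "tracepoint", "lsm"},
    "/usr/bin/cilium-agent": {"sched_cls", "xdp", "cgroup_sock_addr"},
}

# Findings that should page someone; the rest are "first seen" notices.
ALERTING = {"loader_not_allowlisted", "unexpected_prog_type",
            "interactive_shell_ancestor"}

# Constructed sample records (NOT Tetragon's real JSON). Each answers the
# slide's questions: who (binary, ancestors, pod), what (type, name, tag),
# when (time). The tag stands in for the kernel's program hash.
SAMPLE_EVENTS = [
    {"time": "2023-10-10T09:00:01Z", "binary": "/usr/bin/tetragon",
     "ancestors": ["/usr/bin/containerd-shim-runc-v2", "/sbin/init"],
     "pod": "kube-system/tetragon-7x9kq", "prog_type": "kprobe",
     "prog_name": "generic_kprobe_event", "tag": "a1b2c3d4e5f60718"},
    {"time": "2023-10-10T09:00:05Z", "binary": "/usr/bin/cilium-agent",
     "ancestors": ["/usr/bin/containerd-shim-runc-v2", "/sbin/init"],
     "pod": "kube-system/cilium-q2w3e", "prog_type": "sched_cls",
     "prog_name": "cil_from_container", "tag": "1122334455667788"},
    # Same program as the first record, reloaded after a restart.
    {"time": "2023-10-10T09:30:00Z", "binary": "/usr/bin/tetragon",
     "ancestors": ["/usr/bin/containerd-shim-runc-v2", "/sbin/init"],
     "pod": "kube-system/tetragon-7x9kq", "prog_type": "kprobe",
     "prog_name": "generic_kprobe_event", "tag": "a1b2c3d4e5f60718"},
    # Known loader, but a program type it is not expected to load.
    {"time": "2023-10-10T10:12:44Z", "binary": "/usr/bin/cilium-agent",
     "ancestors": ["/usr/bin/containerd-shim-runc-v2", "/sbin/init"],
     "pod": "kube-system/cilium-q2w3e", "prog_type": "kprobe",
     "prog_name": "unexpected_probe", "tag": "99aabbccddeeff00"},
    # Unknown binary, launched from a shell inside an application pod.
    {"time": "2023-10-10T11:05:09Z", "binary": "/tmp/.hidden/loader",
     "ancestors": ["/bin/bash", "/usr/bin/containerd-shim-runc-v2"],
     "pod": "default/web-frontend-5h8jd", "prog_type": "tracepoint",
     "prog_name": "tp_sys_enter", "tag": "deadbeefcafef00d"},
]


@dataclass
class AuditState:
    """What we have seen so far, so 'first seen' can be answered."""
    seen_tags: set = field(default_factory=set)
    seen_loaders: set = field(default_factory=set)


def audit_event(ev, state):
    """Return the list of findings for one load event, updating state."""
    findings = []
    loader, ptype = ev["binary"], ev["prog_type"]
    allowed = POLICY.get(loader)
    if allowed is None:
        findings.append("loader_not_allowlisted")   # should it touch bpf() at all?
    elif ptype not in allowed:
        findings.append("unexpected_prog_type")     # should this program be expected?
    if loader not in state.seen_loaders:
        findings.append("first_seen_loader")        # have we seen the process before?
        state.seen_loaders.add(loader)
    if ev["tag"] not in state.seen_tags:
        findings.append("first_seen_program")       # have we seen the program before?
        state.seen_tags.add(ev["tag"])
    if any(a.endswith(("/bash", "/sh")) for a in ev["ancestors"]):
        findings.append("interactive_shell_ancestor")  # from which ancestors?
    return findings


def severity(findings):
    if ALERTING & set(findings):
        return "alert"
    return "notice" if findings else "ok"


def audit(events, state=None):
    """Run the checklist over a batch of events; state persists across calls."""
    if state is None:
        state = AuditState()
    out = []
    for ev in events:
        f = audit_event(ev, state)
        out.append({"time": ev["time"], "pod": ev["pod"], "binary": ev["binary"],
                    "prog_name": ev["prog_name"], "findings": f,
                    "severity": severity(f)})
    return out


if __name__ == "__main__":
    for r in audit(SAMPLE_EVENTS):
        print(f'{r["time"]} {r["severity"]:6} {r["pod"]:28} {r["binary"]} '
              f'{r["prog_name"]} {r["findings"]}')
```

The state object is the part that makes "have we seen this before?" answerable: a restart of a known loader reloading an already-seen program produces no findings, while a known loader that starts loading a program type outside its usual set is still flagged even though the binary itself is allowlisted.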