Description

Many security tools need to record system calls like execve. Using the Linux audit system for this can have a detrimental performance impact in some cases.

Goals

The goal is to investigate eBPF as an alternative and do some benchmarking to see the impact and how it compares to using the audit subsystem.

Progress

BPF done - traceexec

Benchmark report

Resources

eBPF doc

libbpf

libMicro benchmark tool

Looking for hackers with the skills:

bpf ebpf

This project is part of:

Hack Week 24

Activity

  • about 1 month ago: alessio.biancalana liked this project.
  • about 1 month ago: doreilly started this project.
  • about 1 month ago: janvhs liked this project.
  • about 1 month ago: doreilly added keyword "ebpf" to this project.
  • about 1 month ago: doreilly added keyword "bpf" to this project.
  • about 1 month ago: bmwiedemann liked this project.
  • about 1 month ago: doreilly originated this project.

  • Comments

    • jiriwiesner
      about 1 month ago by jiriwiesner | Reply

      If I were to do this task the syscount script from bcc-tools would be my starting point: https://github.com/iovisor/bcc/blob/master/tools/syscount.py

    Similar Projects

    Model checking the BPF verifier by shunghsiyu

    Project Description

    BPF verifier plays a crucial role in securing the system (though less so now that unprivileged BPF is disabled by default in both upstream and SLES), and bugs in the verifier has lead to privilege escalation vulnerabilities in the past (e.g. CVE-2021-3490).

    One way to check whether the verifer has bugs to use model checking (a formal verification technique), in other words, build a abstract model of how the verifier operates, and then see if certain condition can occur (e.g. incorrect calculation during value tracking of registers) by giving both the model and condition to a solver.

    For the solver I will be using the Z3 SMT solver to do the checking since it provide a Python binding that's relatively easy to use.

    Goal for this Hackweek

    Learn how to use the Z3 Python binding (i.e. Z3Py) to build a model of (part of) the BPF verifier, probably the part that's related to value tracking using tristate numbers (aka tnum), and then check that the algorithm work as intended.

    Resources


    Model checking the BPF verifier by shunghsiyu

    Project Description

    BPF verifier plays a crucial role in securing the system (though less so now that unprivileged BPF is disabled by default in both upstream and SLES), and bugs in the verifier has lead to privilege escalation vulnerabilities in the past (e.g. CVE-2021-3490).

    One way to check whether the verifer has bugs to use model checking (a formal verification technique), in other words, build a abstract model of how the verifier operates, and then see if certain condition can occur (e.g. incorrect calculation during value tracking of registers) by giving both the model and condition to a solver.

    For the solver I will be using the Z3 SMT solver to do the checking since it provide a Python binding that's relatively easy to use.

    Goal for this Hackweek

    Learn how to use the Z3 Python binding (i.e. Z3Py) to build a model of (part of) the BPF verifier, probably the part that's related to value tracking using tristate numbers (aka tnum), and then check that the algorithm work as intended.

    Resources