Now Reading
Introducing eBPFGuard: A Library for Inline Mitigation of Threats

Introducing eBPFGuard: A Library for Inline Mitigation of Threats

2023-06-03 09:25:24

Shyam Krishnaswamy, Thomas Legris, Tomasz Jonak & Michal Rostecki

Hey, Deepfence neighborhood! We have now some thrilling information to share. We’re thrilled to announce that eBPFGuard, our groundbreaking open-source Rust library, is changing into an integral a part of our cutting-edge business answer for menace detection and mitigation, ThreatStryker!

What does this imply for you? In a cybersecurity panorama that is changing into more and more complicated and complicated, you want an answer that’s equally superior and sturdy. That is the place eBPFGuard steps in. By integrating eBPFGuard into ThreatStryker, we’re taking a large leap ahead in our exploitation detection capabilities. This dynamic duo will present alerts and make mitigation selections, making use of essentially the most appropriate options straight on the host kernel degree, proper the place you want it essentially the most.

eBPFGuard is a product of our ardour for securing digital landscapes. If you wish to learn extra about how we make the most of eBPF extra typically inside our safety instruments, learn our weblog put up, “Aya: your tRusty eBPF Companion.” Developed by the good minds at Deepfence, it protects purposes from exploitation by selectively blocking particular kernel perform calls based mostly on user-defined insurance policies. The very best half? It does this with out having you take care of the kernel straight, lowering complexity whereas maximizing effectivity.

However there’s extra! eBPFGuard also comes packed with impressive features designed to make your life easier, like managing the lifecycle of eBPF programs, ensuring kernel version independence, and alerting you with contextual data whenever a policy is enforced. One of many standout options of eBPFGuard is its utilization of eBPF packages connected to LSM hooks. This characteristic lets you create customized insurance policies utilizing code, thereby considerably lowering your assault floor. Furthermore, now we have fastidiously designed eBPFGuard to work throughout a variety of eventualities, from single-machine enforcement to enforcement in pods on the identical cluster node. Let’s dig into two of those highly effective options rapidly. 

Execution Management: Harnessing LSM Hook Factors with eBPFGuard

The Linux Security Modules (LSM) framework is a strong device that empowers builders to sculpt the safety logic working on the Linux kernel. For a complete understanding of this framework, be happy to delve into the Linux kernel documentation for LSM.

In essence, the Linux kernel reaches out to particular LSM hooks to make a name on whether or not or to not proceed with a given code execution. These hooks perform as decision-making checkpoints, receiving a variety of arguments that present the context required for implementing knowledgeable coverage selections. The main points of those arguments are neatly outlined within the lsm_hook_defs.h header.

Coverage Selections By eBPF Hook Applications

The sport modified with Linux 5.7 when the kernel started permitting eBPF objects to be tethered to LSM hook factors. This transformation uncorked the potential to craft customized insurance policies utilizing code. eBPFGuard capitalizes on this functionality by shaping and attaching the hooks to the LSM hook factors as dictated by consumer necessities. As soon as this setup is full, customers can sculpt insurance policies that will likely be dropped at bear throughout hook execution.

Because it stands, eBPFGuard paves the best way for customers to append insurance policies to a set of hooks:

  • file_open – Providing you with the facility to restrict entry to any file you select.
  • sb_mount/sb_remount/sb_umount – Offering management over operations regarding filesystem administration.
  • task_fix_setuid – Providing the flexibility to constrain modifications to consumer id, as an illustration, stopping a shift to root.
  • socket_bind – Enabling you to manage the ports that purposes can faucet into.
  • socket_connect – Permitting you to manage outbound connections.

So, step into a brand new world of safety management with eBPFGuard, harnessing the facility of LSM hook factors to guard your system in a extra granular and customised manner.

However don’t simply take our phrase for it! We have a hands-on demo ready for you to explore. On this demo, we stroll you thru the method of establishing a coverage to dam attackers from establishing an SSH server on a compromised machine.


On this demonstration, each the eBPFGuard software and its enforcement mechanisms run on the identical native machine. We’re absolutely cognizant of the truth that our clients have a spectrum of deployment fashions to contemplate. As an example, when an software is deployed throughout a set of containers managed by orchestration platforms like Docker or Kubernetes, single-machine enforcement won’t be enough.

The great thing about eBPFGuard is that for the reason that hooks function on the kernel degree, it might probably carry out coverage matching and enforcement on all processes managed by a single kernel occasion. This permits a broad scope of enforcement that transcends particular person machines or containers. We have put eBPFGuard to the check and confirmed its effectiveness in numerous eventualities:

  • eBPFGuard working on a bunch machine, performing matching and enforcement on each the host and deployed containers
  • eBPFGuard housed inside a container on a bunch, conducting matching and enforcement on different containers on the identical host, and the host itself
  • eBPFGuard deployed as a Kubernetes DaemonSet, with enforcement carried out in pods on the identical cluster node

Code Breakdown

Now, let’s take a step-by-step stroll by the key components of the demonstration source code and delve into the eBPFGuard APIs. We’ll be analyzing barely simplified variations of the samples in comparison with the executed demo code for readability.

It is vital to notice that every one instance code needs to be seen as if encapsulated inside the following block.

eBPFGuard embrace line must be current in Cargo.toml. The next snippet incorporates all dependencies utilized by our instance code.

First, we’d like a prime degree object referred to as PolicyManager. It’ll allow us to choose hook factors we wish to connect to.

Instance is centered round blocking processes from listening on port 22. Processes normally do that by binding to some socket. We will use socket_bind hook to intercept and restrict this operation.

After this operation now we have an object representing a hook connected to socket_bind name. It isn’t implementing any insurance policies for now. Default motion for hooks is to permit all calls.

Earlier than we outline any insurance policies for this hook, we must always arrange alerts channel. It’s a manner for the hook to ship us details about denied bind calls.

Insurance policies are hook scoped, so are notifications. Granularity of coverage definition depends on hook level. In case of bind we will presently scope ourselves to both all processes or course of executing a specific binary through PolicySubject and units of layer 4 protocol ports through permit and deny lists.

Demo coverage applies to all processes and permits all ports however 22.

See Also

Lastly we will add an outlined coverage to socket_bind hook.

When add_policy name succeeds, the socket_bind hook begins implementing our coverage. At this level we will begin listening for alerts.

Placing this all collectively:

Roadmap and Trying Forward

eBPFGuard is in early phases of growth and we’re simply beginning. We have now a roadmap chalked out for eBPFGuard with thrilling options and enhancements on the horizon, together with assist for added hooks, improved per-hook coverage filtering granularity, and enhanced API documentation.

eBPFGuard is a testomony to Deepfence’s dedication to staying forward of the curve within the cybersecurity world. We imagine will probably be a major asset in your protection arsenal, serving to you fight and mitigate threats like by no means earlier than.

Get able to expertise a brand new period of cybersecurity with eBPFGuard and ThreatStryker. Let’s redefine safety collectively!

For extra info, check out the project page on GitHub or be part of the dialog within the Deepfence Slack workspace. We’re at all times right here to reply your questions and listen to your suggestions. Keep secure and safe with Deepfence!

Source Link

What's Your Reaction?
In Love
Not Sure
View Comments (0)

Leave a Reply

Your email address will not be published.

2022 Blinking Robots.
WordPress by Doejo

Scroll To Top