Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

Kernel Proc Connector and Containers

798 vues

Publié le

Elad Wexler talks about the Proc Connector with regards to containers, shows it isn't supported inside a docker container and how it can be supported.

Publié dans : Logiciels
  • Soyez le premier à commenter

Kernel Proc Connector and Containers

  1. 1. 1 Security Technologies Feb 2018 Nadav Markus, Elad Wexler
  2. 2. Kernel Proc Connector and Containers 2
  3. 3. Agenda • How to get process events? Such as: fork(), exec(), exit(), setuid(), ptrace()? From user space in nearly real time? seamlessly? • Can we do that inside a docker container? 3 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  4. 4. Options: • Polling /proc file-system • Not efficient, wasteful CPU cycles • Not deterministic • Inotify? – can’t monitor /proc file-system by design • strace? – possibility - but for each process in the system? • Audit framework – Good possibility, but reserved for auditd 4 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  5. 5. Another Option: • Use: process-connector kernel primitive • Provides: • Flexible socket based API • Get real, valid kernel data to user-space • Can be used for: • Monitoring system activity • Resource Management • Security 5 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  6. 6. Kernel Connector 6 | © 2015, Palo Alto Networks. Confidential and Proprietary. netlink Connector Process Connector Dallas 1-wire bus Microsoft Hyper-V Client driver VBE 2.0 Video Cards
  7. 7. 7 | © 2015, Palo Alto Networks. Confidential and Proprietary. PROCESS CONNECTOR CONNECTOR AF_NETLINK Socket API sys_fork() sys_exec() sys_exit() sys_setuid() sys_ptrace() ….. Socket API User Listener KERNEL USER /drivers/connector/cn_proc.c /drivers/connector/connector.c /net/netlink/af_netlink.c /net/socket.c Process Connector: System Architecture
  8. 8. Connector • Built on netlink infra, as easy kernel  user-space IPC • Added netlink protocol – NETLINK_CONNECTOR • Netlink Connector callback will be called on recv from a netlink socket • Driver API 8 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  9. 9. Process Connector • Initially added by IBM kernel 2.6.14 (CONFIG_PROC_EVENTS) • Built on the connector driver • Register mcast callback & connector identifiers • Send process events via the netlink connector socket Example 9 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  10. 10. Netlink • Kernel User space IPC (A flexible ioctl replacement) • Kernel Kernel • (User space User space) • Address Users PIDs • Socket Family AF_NETLINK – Connectionless Service 10 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  11. 11. Demo – Host namespaces 11 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  12. 12. Demo – Host namespaces 12 | © 2015, Palo Alto Networks. Confidential and Proprietary. struct nlmsghdr struct cn_msg User Data enum proc_cn_mcst_op Netlink layer Connector User space Send message definition
  13. 13. Demo – Host namespaces 13 | © 2015, Palo Alto Networks. Confidential and Proprietary. struct proc_event User space Recv message struct nlmsghdr struct cn_msg User DataNetlink layer Connector
  14. 14. Demo in Container • Flow of ECONNREFUSED 14 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  15. 15. [PATCH]: Supporting proc-connector in a container 15 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  16. 16. Demo 16 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  17. 17. More Issues • Mcast design is broken PROC_CN_MCAST_IGNORE • Host namespace information disclosure 17 | © 2015, Palo Alto Networks. Confidential and Proprietary.
  18. 18. Questions? 18

×