Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add check_syscall_source event #3953

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add check_syscall_source event #3953

wants to merge 1 commit into from

Conversation

oshaked1
Copy link
Contributor

@oshaked1 oshaked1 commented Apr 3, 2024
edited
Loading

1. Explain what the PR does

Add a new event, check_syscall_source, which reports invocations of syscalls from unusual code locations (stack, heap and anonymous VMAs).
It is implemented using generic syscall kprobes, which trigger the analysis only for syscalls that were selected using event parameters, e.g. tracee -e check_syscall_source.args.syscall=open,openat.
Closes #4002

2. Explain how to test it

The easiest way to test the event is using the included tester program, which executes a small shellcode that invokes the exit syscall from the stack/heap/anonymous VMA according to the command line argument. Note that it must be compiled with -z execstack to be able to run the shellcode from the stack.

Another way of testing the event (for arbitrary syscalls) is by packing a program:

# compile statically, so libc syscall wrappers are not loaded to separate (legitimate) code areas
gcc -o my_program -static my_program.c

# pack the program
upx -o my_program_upx my_program

# run it
./my_program_upx

@oshaked1
Copy link
Contributor Author

oshaked1 commented Apr 3, 2024
edited
Loading

The ebpf code for this event contains a call to the bpf_find_vma helper if it exists (an alternative logic is implemented for older kernels where the helper doesn't exist).

Because this helper uses a callback function or in verifier terms a "bpf-to-bpf call", this program cannot be combined with tail calls (which it uses) on some older kernels, even though the helper call would not be called on those kernels.

As a result, this event must be split into 2 separate programs that will be loaded conditionally based on kernel version. Currently no such mechanism exists, but is in the works. When such a mechanism will be implemented this event will be split into 2 programs so it can be merged.

EDIT

The logic for newer kernels which uses the bpf_find_vma call was removed, so the event will now only work on kernel version < 6.1. When conditional program loading will be implemented, the logic for newer kernels will be added as a separate program.

@oshaked1 oshaked1 mentioned this pull request Apr 3, 2024
Merged
@oshaked1 oshaked1 force-pushed the syscall_checker branch 3 times, most recently from c45b5fc to a6c4e35 Compare April 4, 2024 15:17
@oshaked1 oshaked1 marked this pull request as ready for review April 7, 2024 11:22
@oshaked1 oshaked1 force-pushed the syscall_checker branch 4 times, most recently from d90fe4e to 3a29a8c Compare May 12, 2024 18:53
@oshaked1 oshaked1 force-pushed the syscall_checker branch 5 times, most recently from daec435 to 03d7be9 Compare June 5, 2024 11:35
@oshaked1 oshaked1 force-pushed the syscall_checker branch 4 times, most recently from abd31e6 to eb312fe Compare June 25, 2024 15:56
@geyslan
Copy link
Member

geyslan commented Aug 23, 2024

@oshaked1 I'm converting this to draft since we're tackling the release and filtering in ready PRs, ok? Please be welcome to set status again the later.

@geyslan geyslan marked this pull request as draft August 23, 2024 13:00
@oshaked1 oshaked1 force-pushed the syscall_checker branch 9 times, most recently from 6fc9f61 to 4c70e9e Compare October 14, 2024 11:29
@oshaked1 oshaked1 force-pushed the syscall_checker branch 7 times, most recently from 82bc699 to 49499c2 Compare October 27, 2024 12:04
@oshaked1 oshaked1 marked this pull request as ready for review October 27, 2024 12:58
@oshaked1 oshaked1 force-pushed the syscall_checker branch 3 times, most recently from 0d4d80e to 6e8e468 Compare October 28, 2024 12:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@oshaked1 oshaked1

Labels
area/build area/ebpf area/events area/filtering area/testing kind/documentation milestone/v0.23.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add check_syscall_source event
3 participants
@oshaked1 @geyslan @yanivagman