Runtime enforcement of software supply chain capabilities in Go
chains-project/goleash

Runnable example

Run a Go program invoking some denied capability, with goleash runtime enforcement attached.

cd examples/example_unrestrict

First, generate the hashes for allowed invocations of capabilities, for the trusted initial version of the program.

make all-hash

Execute the trusted version of the program.

make all

Then, add a new denied capability invocation to the program.

sed -i '27,31s/^[[:space:]]*\/\/[[:space:]]*TestReadFile()/TestReadFile()/' dependencyC/dep.go

Execute the compromised version of the program, with the same previously generated hashes.

make all

Syscall tracing

This tool allows you to track syscalls for a specified binary using eBPF.

Prerequisites

Building the Tracer

  1. Navigate to the track_syscalls folder and build the tracer:
cd track_syscalls
make

Testing with CoreDNS

To demonstrate the syscall tracking capabilities, we'll use CoreDNS as an example.

Compiling CoreDNS

  1. Navigate to the CoreDNS folder and compile CoreDNS using the provided script:
./build.sh

This will generate the CoreDNS binary to run later.

Generate an allowlist for the CoreDNS Syscalls

  1. Navigate back to the track_syscalls folder and run the syscall tracker (with root privileges), pointing it to the CoreDNS binary:
sudo ./bpf_loader -binary /binary_path -mod-manifest /go.mod -mode build

Replace /binary_path and /go.mod with the actual path to the binary and go manifest of the application you want to monitor.

Start CoreDNS and send a test request

  1. In a new terminal window, run CoreDNS:
./coredns/run.sh

CoreDNS will start with a default configuration.

  2. To trigger some operations to track, send a request to CoreDNS:
./make_request.sh

This script will send a DNS query to the running CoreDNS instance.

  3. Observe the syscall tracking output in the terminal where you ran bpf_loader.

You should now see the syscalls triggered by CoreDNS in response to the DNS query. When you close the tracker with CTRL+C, the allowlist is saved.
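A minimal model of the build-then-enforce flow behind both procedures above (the hashed allowlist of allowed capability invocations in the Runnable example, and the build-mode syscall allowlist here), as an added Go example that is not goleash's own code or its on-disk format: the module paths, the Invocation type and the hashing scheme are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Invocation is one observed use of a capability (here a syscall name)
// attributed to the Go module that issued it. Field names are this
// example's own, not goleash's.
type Invocation struct {
	Module     string // module path as it would appear in go.mod
	Capability string // e.g. "write", "openat", "connect"
}

// Key hashes the (module, capability) pair so the allowlist holds opaque
// digests instead of readable pairs (constructed scheme, not goleash's).
func Key(inv Invocation) string {
	sum := sha256.Sum256([]byte(inv.Module + "\x00" + inv.Capability))
	return hex.EncodeToString(sum[:])
}

// BuildAllowlist is "build" mode: every invocation observed while running
// the trusted version becomes an allowlist entry.
func BuildAllowlist(trace []Invocation) map[string]bool {
	allow := make(map[string]bool, len(trace))
	for _, inv := range trace {
		allow[Key(inv)] = true
	}
	return allow
}

// Enforce is "enforce" mode: it returns the invocations the allowlist
// does not cover, i.e. the ones a runtime monitor would deny.
func Enforce(allow map[string]bool, trace []Invocation) []Invocation {
	var denied []Invocation
	for _, inv := range trace {
		if !allow[Key(inv)] {
			denied = append(denied, inv)
		}
	}
	return denied
}

func main() {
	// Constructed trace of the trusted build: dependencyC only writes output.
	trusted := []Invocation{{"example.com/dependencyC", "write"}}
	allow := BuildAllowlist(trusted)
	// Constructed trace after the modification: dependencyC now opens a file.
	modified := append(trusted, Invocation{"example.com/dependencyC", "openat"})
	for _, d := range Enforce(allow, modified) {
		fmt.Printf("denied: %s invoked %s\n", d.Module, d.Capability)
	}
}
```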
