-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathTODO
70 lines (45 loc) · 2.19 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Objective:
We want to generate allowlists for dependencies we import, and enforce these allowlists of capabilities at runtime.
e.g.
depA -> [CAP_NETWORK, CAP_FILE]
depB -> [CAP_ENV_VARIABLE]
Monitor the capabilities at runtime, and block the execution if a dependency
trigger a capability out of its allowlist.
---------------------------
First prototype: Monkey Patching
Monkey patching allow to hook the execution of specific function calls
(e.g., the Go standard library). During the hook of these function calls:
1. We use the call stack trace to infer which dependency have invoked the function
^ file_open(...)
^ file_library_function(...)
^ DEP_A/some_file/wrapper_file_open()
2. We add validation checks against the allowlist
Advantages: potential low overhead since only a subset of functions
(standard libary function implementing capabilities are tracked and hooked)
and not all the syscalls
Limitations: we can only hook and enforce capabilities invoked through Go code
(e.g., standard library functions) since we need to know the address of the
function to track, at compile time.
We cannot track capabilities invoked "dynamically" through
- CGO
- inline assembly code
- pre-built Go plugins
- external binaries invoked through syscalls like exec(), or spawning childs
--------------------------
Second prototype: eBPF syscall tracing
We hook and enforce all the syscalls invoked by the Go application we
want to trace.
1. We first run the application with an eBPF tracer enabled. This allow us
to dynamically collect a subset of trusted capabilities (in terms of syscalls)
2. We can further enhance this allowlist with the callgraph analysis provided
by Capslock
3. We use the generated allowlist to enforce the capabilities invoked
at runtime by tracing each syscall.
Advantages: we can cover capabilities invoked "dynamically
Limitations: potentially we have high overhead due to the hooking of all the
syscalls invoked by the traced application.
-----------
TODO
1. Create a MAP of capabilities/syscalls and track capabilities instead of syscalls
2. Integrate Capslock in the allowlist generation phase
3. Design a inheritance model for handling imported capabilities