refactoring

README.md

@@ -48,47 +48,43 @@ make
 
 To demonstrate the syscall tracking capabilities, we'll use CoreDNS as an example.
 
-### Compiling and Running CoreDNS
+### Compiling CoreDNS
 
-1. Navigate to the CoreDNS folder. Compile and run CoreDNS using the provided script:
+1. Navigate to the CoreDNS folder and compile CoreDNS using the provided script:
 ```bash
-./build_and_run.sh
+./build.sh
 ```
+This will generate the coreDNS binary to run later.
 
-This script will build CoreDNS and start it with a default configuration.
+### Generate an allowlist for the CoreDNS Syscalls
 
-### Tracking CoreDNS Syscalls
-
-1. In a new terminal window, navigate back to the `track_syscalls` folder.
-2. Run the syscall tracker (with root privileges), pointing it to the CoreDNS binary:
+2. Navigate back to the `track_syscalls` folder and run the syscall tracker (with root privileges), pointing it to the CoreDNS binary:
 ```bash
-sudo ./bpf_loader -binary /binary_path -allowlist /allowlist_path
+sudo ./bpf_loader -binary /binary_path -mod-manifest /go.mod -mode build
 ```
 
-Replace `/binary_path` with the actual path to the binary you want to monitor.
-Replace `/allowlist_path` with the actual path to the allowlist.
-
-3. The program will start tracking syscalls for the specified binary. You'll see output in the termi>
-
-4. To stop the tracking, press Ctrl+C.
+Replace `/binary_path` and `/go.mod` with the actual path to the binary and go manifest of the application you want to monitor.
 
 
-### Sending a Test Request to CoreDNS
+### Start CoreDNS and send a test request
+3.  In a new terminal window run coreDNS
+```bash
+./coredns/run.sh
+```
 
-To generate some DNS activity and observe the syscalls:
+CoreDNS will start with a default configuration.
 
-1. Open another terminal window.
+4. To trigger some operations to track, you can send a request to coreDNS
 
-2. Execute the test request script:
 ```bash
 ./make_request.sh
 ```
 
 This script will send a DNS query to the running CoreDNS instance.
 
-3. Observe the syscall tracking output in the terminal where you ran `bpf_loader`.
+4. Observe the syscall tracking output in the terminal where you ran `bpf_loader`.
 
-You should now see the syscalls triggered by CoreDNS in response to the DNS query, allowing you to analyze its behavior at the system call level.
+You should now see the syscalls triggered by CoreDNS in response to the DNS query. Closing the tracker with CTRL+C, the allowlist will be saved. 
 
 
 

TODO

@@ -0,0 +1,70 @@
+Objective:
+We want to generate allowlists for dependencies we import, and enforce these allowlists of capabilities at runtime. 
+
+e.g.
+depA -> [CAP_NETWORK, CAP_FILE]
+depB -> [CAP_ENV_VARIABLE]
+
+Monitor the capabilities at runtime, and block the execution if a dependency
+trigger a capability out of its allowlist.
+
+---------------------------
+
+First prototype: Monkey Patching
+
+Monkey patching allow to hook the execution of specific function calls 
+(e.g., the Go standard library). During the hook of these function calls:
+1. We use the call stack trace to infer which dependency have invoked the function
+
+   ^ file_open(...)
+   ^ file_library_function(...)
+   ^ DEP_A/some_file/wrapper_file_open()
+
+2. We add validation checks against the allowlist
+
+Advantages: potential low overhead since only a subset of functions 
+(standard libary function implementing capabilities are tracked and hooked) 
+and not all the syscalls
+
+Limitations: we can only hook and enforce capabilities invoked through Go code
+(e.g., standard library functions) since we need to know the address of the 
+function to track, at compile time. 
+We cannot track capabilities invoked "dynamically" through
+- CGO
+- inline assembly code
+- pre-built Go plugins
+- external binaries invoked through syscalls like exec(), or spawning childs  
+
+--------------------------
+
+Second prototype: eBPF syscall tracing
+
+We hook and enforce all the syscalls invoked by the Go application we 
+want to trace. 
+
+1. We first run the application with an eBPF tracer enabled. This allow us
+to dynamically collect a subset of trusted capabilities (in terms of syscalls)
+2. We can further enhance this allowlist with the callgraph analysis provided
+by Capslock
+3. We use the generated allowlist to enforce the capabilities invoked 
+at runtime by tracing each syscall.
+
+Advantages: we can cover capabilities invoked "dynamically
+
+Limitations: potentially we have high overhead due to the hooking of all the 
+syscalls invoked by the traced application. 
+
+
+
+-----------
+
+TODO
+
+1. Create a MAP of capabilities/syscalls and track capabilities instead of syscalls
+2. Integrate Capslock in the allowlist generation phase
+3. Design a inheritance model for handling imported capabilities
+
+
+
+
+

track_syscalls/backend.c

@@ -8,7 +8,7 @@
 
 char __license[] SEC("license") = "Dual MIT/GPL";
 
-static char target_comm[10] = "basiccgo";
+static char target_comm[10] = "coredns";
 
 struct event {
     u32 pid;