Detector
The detector currently uses BCC (BPF Compiler Collection) and consists of 2 parts:
- kernel space: eBPF program written in C and attached to various hooks, see detection methods
  - tracepoints on the open/openat and unlink/unlinkat syscalls
  - uprobe on libcrypto.so functions (EVP_EncryptInit_ex, EVP_CipherInit_ex and EVP_SealInit)
- user space: python program that reads data from the eBPF ring buffer output map
This data can then be post-processed in python by a machine learning algorithm such as k-NN, SVM, RNN and others (e.g. with scikit-learn or tensorflow).
Note: as an exercise these programs could also be implemented with:
- libbpf-bootstrap: both kernel & user space written in C
- or libbpfgo: only for the user-space program (replacing python)
# generate vmlinux.h when using libbpf
$ bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
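The two parts described above, as an added example that is not the project's own code: the eBPF C program (embedded as a string, as BCC expects) hooks the openat and unlinkat tracepoints and exposes a `probe_encrypt_init` function that the Python side attaches as a uprobe on libcrypto's EVP_EncryptInit_ex; events go through a ring buffer map to Python. The struct layout, the event type numbering (3 for a crypto event), the map name `events` and the `format_event` helper are assumptions of this example. Loading it needs root and the bcc Python bindings; `format_event` and the C source are plain Python and can be inspected without them.

```python
"""File-access and libcrypto tracer on BCC: eBPF C in kernel space, Python
reading the ring buffer. Added example, not the project's own code."""
import sys

TYPE_NAMES = {0: "Open", 1: "Crea", 2: "Del", 3: "Enc"}
CRYPTO_FUNCS = {3: "EVP_EncryptInit_ex"}   # event type -> probed libcrypto symbol (assumed numbering)

BPF_SOURCE = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>
#include <linux/fcntl.h>

#define NAME_LEN 128

struct event_t {
    u32 pid;
    u32 type;                 /* 0=open, 1=create, 2=delete, 3=encrypt */
    char comm[TASK_COMM_LEN];
    char name[NAME_LEN];
};

BPF_RINGBUF_OUTPUT(events, 8);   /* 8 pages, shared with user space */

static __always_inline struct event_t *new_event(u32 type)
{
    struct event_t *e = events.ringbuf_reserve(sizeof(struct event_t));
    if (!e)
        return NULL;                      /* buffer full: drop the event */
    e->pid = bpf_get_current_pid_tgid() >> 32;
    e->type = type;
    bpf_get_current_comm(&e->comm, sizeof(e->comm));
    e->name[0] = 0;
    return e;
}

TRACEPOINT_PROBE(syscalls, sys_enter_openat)
{
    /* O_CREAT in the flags distinguishes a create (1) from a plain open (0) */
    struct event_t *e = new_event((args->flags & O_CREAT) ? 1 : 0);
    if (!e)
        return 0;
    bpf_probe_read_user_str(&e->name, sizeof(e->name), args->filename);
    events.ringbuf_submit(e, 0);
    return 0;
}

TRACEPOINT_PROBE(syscalls, sys_enter_unlinkat)
{
    struct event_t *e = new_event(2);
    if (!e)
        return 0;
    bpf_probe_read_user_str(&e->name, sizeof(e->name), args->pathname);
    events.ringbuf_submit(e, 0);
    return 0;
}

/* attached from user space as a uprobe on libcrypto's EVP_EncryptInit_ex */
int probe_encrypt_init(struct pt_regs *ctx)
{
    struct event_t *e = new_event(3);
    if (!e)
        return 0;
    events.ringbuf_submit(e, 0);
    return 0;
}
"""


def format_event(pid: int, ev_type: int, name: str) -> str:
    """Render one event as 'PID TYPE FILENAME'; a crypto event shows the
    probed symbol instead of a path (the kernel side sends no name for it)."""
    label = TYPE_NAMES.get(ev_type, "?")
    shown = name if ev_type in (0, 1, 2) else CRYPTO_FUNCS.get(ev_type, "?")
    return f"{pid} {label} {shown}"


def main():
    from bcc import BPF        # imported here: needs root and the bcc bindings
    b = BPF(text=BPF_SOURCE)
    # BCC resolves name="crypto" to the system libcrypto.so
    b.attach_uprobe(name="crypto", sym="EVP_EncryptInit_ex", fn_name="probe_encrypt_init")

    def on_event(ctx, data, size):
        e = b["events"].event(data)       # ctypes struct generated from event_t
        print(format_event(e.pid, e.type, e.name.decode(errors="replace")))

    b["events"].open_ring_buffer(on_event)
    print("Printing file & crypto events, ctrl-c to exit.")
    try:
        while True:
            b.ring_buffer_poll()
    except KeyboardInterrupt:
        sys.exit(0)


if __name__ == "__main__":
    main()
```

The ring buffer reservation can fail when user space does not drain fast enough; the example drops the event in that case, which is the usual choice for a tracer, so the consumer loop should be kept light and the buffer sized for the expected burst of file operations.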
BCC (BPF Compiler Collection)
BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.
See explanations, sample programs, available hooks and format in bcc.
See also BCC reference guide.
Install BCC
Follow: https://github.com/iovisor/bcc
# example for debian
$ echo deb http://cloudfront.debian.net/debian sid main >> /etc/apt/sources.list
$ sudo apt-get install -y bpfcc-tools libbpfcc libbpfcc-dev linux-headers-$(uname -r)
Running the detector
Sample output
Displays file access events with:
- PID: process ID
- TYPE: type of event (0=open, 1=create, 2=delete)
- FLAG: indicates the event severity
- PATT: indicates a pattern match (for example a sequence of open, create, delete)
- TRESH: indicates which types of event exceed the threshold (number of events > 50)
- FILENAME: file name or crypto function in question
Printing file & crypto events, ctrl-c to exit.
PID TYPE FLAG PATT TRESH FILENAME
26858 Enc MIN - ---E EVP_EncryptInit_ex
26858 Enc MIN - ---E EVP_EncryptInit_ex
26858 Enc MIN - ---E EVP_EncryptInit_ex
26858 Enc MIN - ---E EVP_EncryptInit_ex
28178 Del MAJ Match OCD- /tmp/tmp8imczwuu/Asia/Shanghai
28178 Open MIN - OCD- /tmp/tmp8imczwuu/Asia/Jayapura
28178 Crea MIN - OCD- /tmp/tmp8imczwuu/Asia/Jayapura.aes
28178 Del MAJ Match OCD- /tmp/tmp8imczwuu/Asia/Jayapura
28178 Open MIN - OCD- /tmp/tmp8imczwuu/Asia/Harbin
28178 Crea MIN - OCD- /tmp/tmp8imczwuu/Asia/Harbin.aes
28178 Del MAJ Match OCD- /tmp/tmp8imczwuu/Asia/Harbin
28178 Open MIN - OCD- /tmp/tmp8imczwuu/Asia/Irkutsk
28178 Crea MIN - OCD- /tmp/tmp8imczwuu/Asia/Irkutsk.aes
28178 Del MAJ Match OCD- /tmp/tmp8imczwuu/Asia/Irkutsk
28178 Open MIN - OCD- /tmp/tmp8imczwuu/Asia/Bangkok
28178 Crea MIN - OCD- /tmp/tmp8imczwuu/Asia/Bangkok.aes
28178 Del MAJ Match OCD- /tmp/tmp8imczwuu/Asia/Bangkok
28178 Open MIN - OCD- /tmp/tmp8imczwuu/Asia/Sakhalin
28178 Crea MIN - OCD- /tmp/tmp8imczwuu/Asia/Sakhalin.aes
28178 Del MAJ Match OCD- /tmp/tmp8imczwuu/Asia/Sakhalin
28178 Open MIN - OCD- /tmp/tmp8imczwuu/Asia/Ust-Nera
28178 Crea MIN - OCD- /tmp/tmp8imczwuu/Asia/Ust-Nera.aes
28178 Del MAJ Match OCD- /tmp/tmp8imczwuu/Asia/Ust-Nera
28178 Open MIN - OCD- /tmp/tmp8imczwuu/Asia/Macao
28178 Crea MIN - OCD- /tmp/tmp8imczwuu/Asia/Macao.aes
28178 Del MAJ Match OCD- /tmp/tmp8imczwuu/Asia/Macao
28178 Open MIN - OCD- /tmp/tmp8imczwuu/Asia/Magadan
28178 Crea MIN - OCD- /tmp/tmp8imczwuu/Asia/Magadan.aes
28178 Del MAJ Match OCD- /tmp/tmp8imczwuu/Asia/Magadan
868 Open OK - ---- /etc/fstab
868 Open OK - ---- /proc/self/mountinfo
868 Open OK - ---- /proc/self/mountinfo
221 Open OK - ---- /proc/525/comm
221 Open OK - ---- /proc/525/cmdline
221 Open OK - ---- /proc/525/status
221 Open OK - ---- /proc/525/attr/current
221 Open OK - ---- /proc/525/sessionid
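The FLAG, PATT and TRESH columns above are produced in user space from the raw event stream. The following added example (not the project's code) shows one way to compute them; the exact rules are assumptions read off the sample output: PATT is "Match" when a process opens X, creates X.<ext> and then deletes X; TRESH shows one letter per event type (O, C, D, E) once that process has produced more than 50 events of that type; FLAG is MAJ on a pattern match, MIN when any threshold is exceeded and OK otherwise. The `Event`, `Scorer` and `demo_rows` names and the constructed sample events are part of this example only.

```python
"""Turn raw detector events into the PID TYPE FLAG PATT TRESH FILENAME rows.
Added example, not the project's own code; scoring rules are inferred from
the sample output and are an assumption."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import os

THRESHOLD = 50                          # events of one type per PID
TYPE_NAMES = {0: "Open", 1: "Crea", 2: "Del", 3: "Enc"}
TRESH_LETTERS = "OCDE"                  # one column per event type, in type order
CRYPTO_NAME = {3: "EVP_EncryptInit_ex"}  # crypto events carry no path


@dataclass
class Event:
    pid: int
    type: int        # 0=open, 1=create, 2=delete, 3=encrypt
    name: str        # path, or empty for crypto events


class PidState:
    """Per-process counters plus the partial open -> create -> delete chains."""
    def __init__(self):
        self.counts = Counter()
        self.opened = set()     # basenames seen in an open event
        self.pending = set()    # basenames whose .<ext> copy was created afterwards


def _stem(basename: str) -> str:
    """'Shanghai.aes' -> 'Shanghai'; a name without extension is unchanged."""
    stem, _ext = os.path.splitext(basename)
    return stem


class Scorer:
    def __init__(self, threshold: int = THRESHOLD):
        self.threshold = threshold
        self.state = defaultdict(PidState)

    def feed(self, ev: Event) -> str:
        """Consume one event and return its output row."""
        st = self.state[ev.pid]
        st.counts[ev.type] += 1
        base = os.path.basename(ev.name)
        match = False
        if ev.type == 0:
            st.opened.add(base)
        elif ev.type == 1 and _stem(base) in st.opened:
            st.pending.add(_stem(base))          # X.aes created after X was opened
        elif ev.type == 2 and base in st.pending:
            match = True                         # original X deleted: chain complete
            st.pending.discard(base)
            st.opened.discard(base)
        tresh = "".join(TRESH_LETTERS[t] if st.counts[t] > self.threshold else "-"
                        for t in range(len(TRESH_LETTERS)))
        if match:
            flag = "MAJ"
        elif tresh != "----":
            flag = "MIN"
        else:
            flag = "OK"
        name = ev.name or CRYPTO_NAME.get(ev.type, "?")
        patt = "Match" if match else "-"
        return f"{ev.pid} {TYPE_NAMES[ev.type]} {flag} {patt} {tresh} {name}"


def demo_rows():
    """Constructed sample stream: a process calling EVP_EncryptInit_ex 51 times,
    a process running the open/create/delete chain on two files, a benign read."""
    s = Scorer()
    rows = []
    for _ in range(51):                      # the 51st call crosses the threshold
        rows.append(s.feed(Event(26858, 3, "")))
    for p in ("/tmp/x/Asia/Shanghai", "/tmp/x/Asia/Jayapura"):
        rows.append(s.feed(Event(28178, 0, p)))
        rows.append(s.feed(Event(28178, 1, p + ".aes")))
        rows.append(s.feed(Event(28178, 2, p)))
    rows.append(s.feed(Event(868, 0, "/etc/fstab")))
    return rows


if __name__ == "__main__":
    print("PID TYPE FLAG PATT TRESH FILENAME")
    for row in demo_rows():
        print(row)
```

A delete without a preceding open and create on the same process never matches, and each chain matches only once, so a process that merely removes files (a cleanup job) is not flagged by the pattern rule; the per-type counters still raise TRESH for it once it passes the 50-event line.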