基于eBPF的云上威胁观测系统

doi:10.3969/j.issn.1671-1122.2024.04.004

摘要/Abstract

摘要：

随着云上威胁的种类和攻击路径更加多样化，单一维度的威胁数据难以准确刻画复杂多变的威胁行为。文章提出一种基于扩展伯克利数据包过滤器（extended Berkeley Packet Filter，eBPF）的威胁观测系统ETOS（eBPF-Based Threat Observability System），首先，通过评估威胁行为中各动作的危险程度，对关键动作分层分类设置观测点位，从而在目标机器上实现按需动态激活eBPF探针，获取多维结构化威胁行为数据，能够有效表达云环境中的威胁行为，降低数据分析的预处理成本；然后，设计一种通用eBPF探针模板，实现探针库的自动化扩展；最后，文章在容器云平台上复现了18个容器逃逸通用漏洞披露（Common Vulnerabilities and Exposures，CVE），并利用ETOS观测威胁行为。实验结果表明，ETOS能够在多个层次观测威胁行为，输出多维结构化威胁数据，引入系统和网络的总体开销均低于2%，满足云平台运行要求。

关键词: 威胁观测, eBPF可观测性, 云计算安全, 数据采集

Abstract:

As the types of threats in the cloud and the diversity of attack vectors increase, single-dimensional threat data struggles to accurately portray complex and ever-changing threat behaviors. This paper proposed ETOS (eBPF-based threat observability system), a multi-level threat observation system tailored for cloud environments. By assessing the risk of each action within threat behaviors, ETOS strategically setd up observation points for hierarchical classification of critical actions, dynamically activates eBPF probes as needed on the target machines, and thus acquiring multi-dimensional structured threat behavior data. This approach effectively represents threat behaviors in cloud environments, significantly reduces the preprocessing cost for data analysis. We also designed a generic eBPF threat probe template to automate the expansion of the probe library. ETOS was examined on a container cloud platform by reproducing 18 container escape CVE and observing their threat behaviors. The experimental results show that ETOS is capable of observing threat behaviors on multiple levels, collecting multi-dimensional structured threat data. The introduced overhead on the system and network remains below 2%, meeting the operational requirements of cloud platforms.

Key words: threat observability, eBPF observability, cloud computing security, data acquisition

中图分类号:

TP309

刘斯诺, 阮树骅, 陈兴蜀, 郑涛. 基于eBPF的云上威胁观测系统[J]. 信息网络安全, 2024, 24(4): 534-544.

LIU Sinuo, RUAN Shuhua, CHEN Xingshu, ZHENG Tao. An eBPF-Based Threat Observability System for Cloud-Oriented Environment[J]. Netinfo Security, 2024, 24(4): 534-544.

图/表 17

图1

图2

图3

表1

表2

图4

表3

表4

表5

表6

图5

图6

图7

表7

表8

图8

图9

参考文献 28

[1]	CHAYKOVSKY V. STRACE[EB/OL]. [2024-01-23]. https://strace.io/.
[2]	SYSSTAT. Sysstat Home Page[EB/OL]. (2023-12-17)[2024-01-23]. https://sysstat.github.io/.
[3]	MCCANNE S, JACOBSON V. TCPDUMP & LiBPCAP[EB/OL]. [2024-01-23]. https://www.tcpdump.org/.
[4]	WIKIPEDIA. Observability[EB/OL]. (2023-12-21)[2024-01-23]. https://en.wikipedia.org/w/index.php?title=Observability&oldid=1191145038.
[5]	CALAVERA D, FONTANA L. Linux Observability with BPF: Advanced Programming for Performance Analysis and Networking[M]. Boston: O’Reilly Media, 2019.
[6]	WIKIPEDIA. eBPF[EB/OL]. (2024-01-05)[2024-01-23]. https://en.wikipedia.org/w/index.php?title=EBPF&oldid=1193818980.
[7]	Tencent Cloud Computing (Beijing) Co., Ltd. Tencent Cloud Container Security White Paper[EB/OL]. (2021-11-09)[2024-01-23]. https://cloud.tencent.com/developer/article/1898557.
	腾讯云计算北京有限公司. 腾讯云容器安全白皮书[EB/OL]. (2021-11-09)[2024-01-23]. https://cloud.tencent.com/developer/article/1898557.
[8]	The/proc Filesystem. The Linux Kernel Documentation[EB/OL]. [2024-01-23]. https://www.kernel.org/doc/html/next/filesystems/proc.html.
[9]	SYED H J, GANI A, NASARUDDIN F H, et al. CloudProcMon: A Non-Intrusive Cloud Monitoring Framework[J]. IEEE Access, 2018, 6: 44591-44606.
[10]	LAI C A, KIMBALL J, ZHU Tao, et al. MilliScope: A Fine-Grained Monitoring Framework for Performance Debugging of N-Tier Web Services[C]// IEEE. 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS). New York: IEEE, 2017: 92-102.
[11]	CORDINGLY R, YU Hanfei, HOANG V, et al. The Serverless Application Analytics Framework: Enabling Design Trade-off Evaluation for Serverless Software[C]// ACM. The 2020 Sixth International Workshop on Serverless Computing. New York: ACM, 2021: 67-72.
[12]	DATTA P, KUMAR P, MORRIS T, et al. Valve: Securing Function Workflows on Serverless Computing Platforms[C]// ACM. The Web Conference 2020. New York: ACM, 2020: 939-950.
[13]	DATTA P, POLINSKY I, INAM M A, et al. {ALASTOR}: Reconstructing the Provenance of Serverless Intrusions[C]// USENIX. 31st USENIX Security Symposium (USENIX Security 22). Berkeley: USENIX, 2022: 2443-2460.
[14]	CHEN Pengfei, QI Yong, HOU Di. CauseInfer: Automated End-to-End Performance Diagnosis with Hierarchical Causality Graph in Cloud Environment[J]. IEEE Transactions on Services Computing, 2019, 12(2): 214-230.
[15]	WANG Yulong, WANG Qixu, CHEN Xingshu, et al. ContainerGuard: A Real-Time Attack Detection System in Container-Based Big Data Platform[J]. IEEE Transactions on Industrial Informatics, 2022, 18(5): 3327-3336.
[16]	ZHAN Mengqi, LI Yang, YANG Huiran, et al. Coda: Runtime Detection of Application-Layer CPU-Exhaustion DoS Attacks in Containers[J]. IEEE Transactions on Services Computing, 2022, 16(3): 1-12.
[17]	ZOU Zhuping, XIE Yulai, HUANG Kai, et al. A Docker Container Anomaly Monitoring System Based on Optimized Isolation Forest[J]. IEEE Transactions on Cloud Computing, 2022, 10(1): 134-145.
[18]	SAKURABA M, KAWASAKI J, MIYASAKA T, et al. An Anomaly Detection Approach by Aiml in Ip Networks with eBPF-Based Observability[C]// IEEE. 2023 24st Asia-Pacific Network Operations and Management Symposium (APNOMS). New York, 2023: 171-176.
[19]	WU Shenglin, LIU Wanggen, YAN Ming, et al. A Real-Time Anomaly Detection System for Container Clouds Based on Unsupervised System Call Rule Generation[J]. Netinfo Security, 2023, 23(12): 91-102.
	吴圣麟, 刘汪根, 严明, 等. 基于无监督系统调用规则生成的容器云实时异常检测系统[J]. 信息网络安全, 2023, 23(12): 91-102.
[20]	LIU Chang, CAI Zhengong, WANG Bingshen, et al. A Protocol-Independent Container Network Observability Analysis System Based on eBPF[C]// IEEE. 2020 IEEE 26th International Conference on Parallel and Distributed Systems (ICPADS). New York: IEEE, 2020: 697-702.
[21]	LIU Chang. Methodology and Practice of Container Network Observability Based on eBPF[D]. Hangzhou: Zhejiang University, 2021.
	刘畅. 基于eBPF的容器网络可观测性方法与实践[D]. 杭州: 浙江大学, 2021.
[22]	LEVIN J, BENSON T A. ViperProbe: Rethinking Microservice Observability with eBPF[C]// IEEE. 2020 IEEE 9th International Conference on Cloud Networking (CloudNet). New York: IEEE, 2020: 1-8.
[23]	WANG Zhe, MA Teng, KONG Linghe, et al. Zero Overhead Monitoring for Cloud-Native Infrastructure Using {RDMA}[C]// USENIX. 2022 USENIX Annual Technical Conference (USENIX ATC 22). Berkeley: USENIX, 2022: 639-654.
[24]	LIN Xin, LEI Lingguang, WANG Yuewu, et al. A Measurement Study on Linux Container Security: Attacks and Countermeasures[C]// ACM. The 34th Annual Computer Security Applications Conference. New York: ACM, 2018: 418-429.
[25]	DAS-SECURITY Co., Ltd. Docker Port 2375 Vulnerability Network-Wide Security Risk Report[EB/OL]. (2017-02-22)[2024-01-22]. https://cloud.tencent.com/developer/article/1090829.
	杭州安恒信息技术股份有限公司. Docker 2375端口漏洞全网安全风险报告[EB/OL]. (2017-02-22)[2024-01-22]. https://cloud.tencent.com/developer/article/1090829.
[26]	IOVISOR/BCC[EB/OL]. IO Visor Project, 2024[2024-01-23]. https://github.com/iovisor/bcc.
[27]	WIKIPEDIA. Ftrace[EB/OL]. (2023-11-29)[2024-01-23]. .
[28]	DAMATO J. ltrace[EB/OL]. (2023-11-29)[2024-01-23]. https://github.com/ice799/ltrace.

威胁动作	风险等级
S0.获取并保存当前容器init进程命名空间	UA
S1.暴露内核基址并绕过KASLR、SMEP和SMAP	NA
S2.调用switch_task_namespaces()切换容器init进程的命名空间	CD
S3.调用commit_creds(prepare_kernel_cred(0))获取全部Capabilities	CD
S4.调用setns切换当前进程命名空间至root	CD
S5.还原容器init进程的原始命名空间	UA

威胁动作	风险等级
N0.检查宿主机2375端口状态	UA
N1.远程请求创建恶意容器镜像	CND
N2.远程请求创建并启动恶意容器	CD
N3.远程停止恶意容器并删除容器镜像	UA

观测点位	探针名称
nsSwtich(sys-kernel-kfunc, new_ns)	sys/kernel/kfunc/nsSwtich(new_ns)
preKCred(sys-kernel-kfunc, daemon)	sys/kernel/kfunc/preKCred(daemon)
commitCred(sys-kernel-kfunc, cred->uid, cred->gid)	sys/kernel/kfunc/commitCred(cred->uid, cred->gid)
setns(sys-si-syscall, fd, nstype)	sys/si/syscall/setns(fd, nstype)
socket(net, src_ip, src_pot, dst_ip, dst_port, fd)	net/socket(sip, sp, dip, sp, fd)
tcp(net-L4, src_ip, src_port, dst_ip, dst_port)	net/L4/tcpconn(sip, sp, dip, sp)
http(net-L7, src_ip, src_port, dst_ip, dst_port, paylaod)	net/L7/http(sip, sp, dip, sp, payload)

字段	类型	说明
pid	long	进程号
comm	string	进程名称
obType	string	威胁事件类型
uid	long	用户号
ppid	long	父进程号
cid	string	容器号

字段	类型	说明
proto	string	协议类型
obType	string	威胁事件类型
src_ip	string	源IP地址
src_ port	int	源端口号
dst_ip	string	目的IP地址
dst_ port	int	目的端口号