Tracee Demolab at DEF CON 29

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Tracee Demolab at DEF CON 29

    Tool or Project Name: Tracee

    Short Abstract:
    Linux Runtime Security and Forensics using eBPF

    Short Developer Bio:
    Yaniv Agman is a Security Researcher at Aqua Security. He specializes in low-level Linux instrumentation technologies to perform dynamic analysis on Linux containers and systems. He is currently completing his Master's thesis in cyber security at BGU on detecting Android malware with eBPF technology. While not in front of a computer screen, he likes watching Sci-Fi movies and playing with his kids.

    Roi is a Security Researcher at Aqua Security. His work focuses on researching threats in the cloud native world. When not at work, Roi is a B.A. student in Computer Science at the Open University. He also enjoys going out into nature and spending time with family and friends.

    URL to any additional information:
    https://aquasecurity.github.io/tracee/dev

    Detailed Explanation of Tool:
    Tracee is a Runtime Security and forensics tool for Linux.
    It uses Linux eBPF technology to trace your system and applications at runtime, analyze the collected events to detect suspicious behavioral patterns, and capture forensic artifacts.
    It is delivered as a Docker image that monitors the OS and detects suspicious behavior based on a predefined set of behavioral patterns.

    Here is more detailed information about the tool:
    Tracee is a runtime security and forensics tool for Linux. It is composed of tracee-ebpf, which collects OS events based on some given filters, and tracee-rules, which is the runtime security detection engine.

    Tracee-ebpf is capable of tracing all processes in the system, or a group of processes selected by the given filters (newly created processes, processes in a container, uid, command name, pid, tid, mount namespace id, process namespace id, uts name).

    The user can select the set of events to trace, and also filter by their arguments.

    The events which can be traced include the following:
    • System calls and their arguments
    • LSM hooks (e.g. security_file_open, security_bprm_check, cap_capable)
    • Internal kernel functions (e.g. vfs_write and commit_creds)
    • Special events and alerts (magic_write and mem_prot_alert)
    Besides tracing, Tracee-ebpf can also capture files written to disk or to memory (e.g. "fileless" malware), and extract binaries that are dynamically loaded into an application's memory (e.g. when malware uses a packer). Using these capabilities, it is possible to automatically collect forensic artifacts for later investigation. For more detailed information about these capabilities, see: https://blog.aquasec.com/ebpf-contai...ware-detection

    Tracee-Rules is a rule engine that helps you detect suspicious behavioral patterns in streams of events. It is primarily made to turn the events collected with Tracee-eBPF into a runtime security solution. Tracee supports authoring rules in Golang or in Rego.

    Following are some of the currently available rules:
    • Code injection - Possible code injection into another process
    • Dynamic Code Loading - Writing to executable allocated memory region
    • Fileless Execution - Executing a process from memory, without a file in the disk
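    To show how the two halves fit together (an event source feeding a rule engine that selects events by name, matches on their arguments, and optionally restricts itself to container processes), here is a small self-contained Go program added for this page. It is not Tracee's own signature code, and the JSON field names it reads (eventName, processId, containerId, args with name/value pairs) and the sample event lines are assumptions constructed for the example, not real tracee-ebpf output. The two rules approximate the "Fileless Execution" and "Code injection" patterns listed above: an execve of a memfd: or /dev/shm path, and a PTRACE_POKETEXT or a process_vm_writev aimed at another process's pid.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event: the fields this example reads from one JSON event line; the field names are an assumption, not Tracee's schema.
type Event struct {
	EventName   string `json:"eventName"`
	ProcessID   int    `json:"processId"`
	ContainerID string `json:"containerId"` // "" marks a host (non-container) process
	Args        []Arg  `json:"args"`
}
type Arg struct {
	Name  string          `json:"name"`
	Value json.RawMessage `json:"value"`
}

// arg decodes the named argument into dst; false if absent or of the wrong type.
func (e Event) arg(name string, dst interface{}) bool {
	for _, a := range e.Args {
		if a.Name == name {
			return json.Unmarshal(a.Value, dst) == nil
		}
	}
	return false
}
type Finding struct {
	Rule, Detail string
	PID          int
}
// Rule pairs the event names it selects with a matcher over one event (a selected-events / match split).
type Rule struct {
	ID     string
	Events map[string]bool
	Match  func(Event) (string, bool)
}

var rules = []Rule{
	{ID: "Fileless Execution", Events: map[string]bool{"execve": true}, Match: func(e Event) (string, bool) {
		var p string // memfd: and /dev/shm paths are backed by memory, not by a file on disk
		if e.arg("pathname", &p) && (strings.HasPrefix(p, "memfd:") || strings.HasPrefix(p, "/dev/shm/")) {
			return "exec of " + p, true
		}
		return "", false
	}},
	{ID: "Code injection", Events: map[string]bool{"ptrace": true, "process_vm_writev": true}, Match: func(e Event) (string, bool) {
		var target int
		var req string
		// PTRACE_POKETEXT writes into the traced process's text; process_vm_writev
		// aimed at a pid other than the caller's own is a cross-process memory write.
		switch {
		case !e.arg("pid", &target):
			return "", false
		case e.EventName == "ptrace" && e.arg("request", &req) && req == "PTRACE_POKETEXT":
			return fmt.Sprintf("PTRACE_POKETEXT into pid %d", target), true
		case e.EventName == "process_vm_writev" && target != e.ProcessID:
			return fmt.Sprintf("process_vm_writev into pid %d", target), true
		}
		return "", false
	}},
}

// Run parses one JSON event per line, applies the container-only filter and hands each event only to rules that select it.
func Run(lines []string, containersOnly bool) ([]Finding, error) {
	var out []Finding
	for i, line := range lines {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if containersOnly && e.ContainerID == "" {
			continue
		}
		for _, r := range rules {
			if !r.Events[e.EventName] {
				continue
			}
			if d, ok := r.Match(e); ok {
				out = append(out, Finding{Rule: r.ID, Detail: d, PID: e.ProcessID})
			}
		}
	}
	return out, nil
}

// sampleEvents are constructed for this example; they are not real Tracee output.
var sampleEvents = []string{
	`{"eventName":"execve","processId":1203,"containerId":"","args":[{"name":"pathname","value":"memfd:payload (deleted)"}]}`,
	`{"eventName":"ptrace","processId":1310,"containerId":"","args":[{"name":"request","value":"PTRACE_ATTACH"},{"name":"pid","value":4242}]}`,
	`{"eventName":"ptrace","processId":1310,"containerId":"","args":[{"name":"request","value":"PTRACE_POKETEXT"},{"name":"pid","value":4242}]}`,
	`{"eventName":"process_vm_writev","processId":1500,"containerId":"","args":[{"name":"pid","value":1500}]}`,
	`{"eventName":"execve","processId":9,"containerId":"3f2a9c1e0b7d","args":[{"name":"pathname","value":"/dev/shm/.x"}]}`,
}

func main() {
	findings, _ := Run(sampleEvents, false)
	for _, f := range findings {
		fmt.Printf("[%s] pid=%d %s\n", f.Rule, f.PID, f.Detail)
	}
}
```

    Run over the sample stream, the engine reports three findings (the memfd exec, the PTRACE_POKETEXT, and the /dev/shm exec) while ignoring the PTRACE_ATTACH and the process writing its own memory; with the container-only filter on, only the /dev/shm exec from the container remains. The point of the selector/match split is that a rule never sees events it did not ask for, which is also what keeps the per-event cost of a large rule set manageable.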

    Supporting Files, Code, etc:
    https://github.com/aquasecurity/tracee

    Target Audience: Defense
    We believe Tracee is a valuable tool for anyone who wants to perform runtime protection on Linux systems.
    In the demo we will introduce the tool, and see how it helped us find real threats, along with other possible uses.