Tool or Project Name: Tracee

Short Abstract:
Linux Runtime Security and Forensics using eBPF

Short Developer Bio:
Yaniv Agman is a Security Researcher at Aqua Security. He specializes in low-level Linux instrumentation technologies to perform dynamic analysis on Linux containers and systems. He is currently completing his Master's thesis in cyber security at BGU on detecting Android malware with eBPF technology. While not in front of a computer screen, he likes watching Sci-Fi movies and playing with his kids.

Roi is a Security Researcher at Aqua Security. His work focuses on researching threats in the cloud native world. When not at work, Roi is a B.A. student in Computer Science at the Open University. He also enjoys going out into nature and spending time with family and friends.

URL to any additional information:

Detailed Explanation of Tool:
Tracee is a runtime security and forensics tool for Linux.
It uses Linux eBPF technology to trace your system and applications at runtime, analyze the collected events to detect suspicious behavioral patterns, and capture forensic artifacts.
It is delivered as a Docker image that monitors the OS and detects suspicious behavior based on a predefined set of behavioral patterns.

Here is more detailed information about the tool:
Tracee is composed of two parts: tracee-ebpf, which collects OS events according to the given filters, and tracee-rules, which is the runtime security detection engine.

Tracee-ebpf can trace all processes in the system, or only a group of processes selected by filters (newly created processes, processes in a container, uid, command name, pid, tid, mount namespace id, pid namespace id, uts name).

The user can also select which events to trace and filter them by their arguments.

The events which can be traced include the following:
  • System calls and their arguments
  • LSM hooks (e.g. security_file_open, security_bprm_check, cap_capable)
  • Internal kernel functions: (e.g. vfs_write and commit_creds)
  • Special events and alerts (magic_write and mem_prot_alert)
Beyond tracing, tracee-ebpf can also capture files written to disk or to memory (e.g. "fileless" malware) and extract binaries that are dynamically loaded into an application's memory (e.g. when malware uses a packer). With these capabilities, forensic artifacts can be collected automatically for later investigation. For more detailed information about these capabilities, see:

Tracee-rules is a rule engine that helps you detect suspicious behavioral patterns in streams of events. It is primarily made to turn the events collected by tracee-ebpf into a runtime security solution. Rules can be authored in Go or in Rego.

Following are some of the currently available rules:
  • Code injection - Possible code injection into another process
  • Dynamic Code Loading - Writing to executable allocated memory region
  • Fileless Execution - Executing a process from memory, without a file on disk
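
As an added illustration (not code from the Tracee project), the following Go program shows the shape of what a rule engine like tracee-rules does: it reads newline-delimited JSON events in the form tracee-ebpf prints, runs each event through a list of rules, and collects findings. The field names (eventName, processName, processId, args with name/value) are assumed from tracee-ebpf's JSON output and may differ between versions; the three rules are simplified stand-ins for the ones listed above (ptrace POKE requests or process_vm_writev for code injection, a mem_prot_alert whose alert text mentions an executable mapping for dynamic code loading, an exec of a memfd: or /dev/shm path for fileless execution), not Tracee's actual signatures; and the sample event stream is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the tracee-ebpf JSON fields used here (field names are an assumption).
type Event struct {
	ProcessName string `json:"processName"`
	ProcessID   int    `json:"processId"`
	EventName   string `json:"eventName"`
	Args        []struct {
		Name  string          `json:"name"`
		Value json.RawMessage `json:"value"` // kept raw: may be a string, number or array
	} `json:"args"`
}

// argString returns the named argument if it is a JSON string, else "".
func (e Event) argString(name string) string {
	for _, a := range e.Args {
		var s string
		if a.Name == name && json.Unmarshal(a.Value, &s) == nil {
			return s
		}
	}
	return ""
}

// Finding is what a rule emits when an event matches it.
type Finding struct {
	Rule, Process, Detail string
	PID                   int
}

// codeInjection: ptrace POKE* into another process, or process_vm_writev (illustrative, not Tracee's signature).
func codeInjection(e Event) (Finding, bool) {
	req := e.argString("request")
	if (e.EventName == "ptrace" && (req == "PTRACE_POKETEXT" || req == "PTRACE_POKEDATA")) || e.EventName == "process_vm_writev" {
		return Finding{"Code injection", e.ProcessName, strings.TrimSpace(e.EventName + " " + req), e.ProcessID}, true
	}
	return Finding{}, false
}

// dynamicCodeLoading: a mem_prot_alert saying a mapping became executable (alert wording is an assumption).
func dynamicCodeLoading(e Event) (Finding, bool) {
	if alert := e.argString("alert"); e.EventName == "mem_prot_alert" && strings.Contains(alert, "Executable") {
		return Finding{"Dynamic Code Loading", e.ProcessName, alert, e.ProcessID}, true
	}
	return Finding{}, false
}

// filelessExecution: exec of a binary with no backing file on disk (memfd, or tmpfs under /dev/shm).
func filelessExecution(e Event) (Finding, bool) {
	if p := e.argString("pathname"); e.EventName == "sched_process_exec" && (strings.HasPrefix(p, "memfd:") || strings.HasPrefix(p, "/dev/shm/")) {
		return Finding{"Fileless Execution", e.ProcessName, p, e.ProcessID}, true
	}
	return Finding{}, false
}

var rules = []func(Event) (Finding, bool){codeInjection, dynamicCodeLoading, filelessExecution}

// Evaluate runs every rule over newline-delimited JSON events in stream order; a malformed line is an error, not skipped.
func Evaluate(ndjson string) ([]Finding, error) {
	var findings []Finding
	for _, line := range strings.Split(ndjson, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("malformed event %q: %w", line, err)
		}
		for _, r := range rules {
			if f, ok := r(e); ok {
				findings = append(findings, f)
			}
		}
	}
	return findings, nil
}

// SampleEvents is a constructed stream (not real tracee-ebpf output): one benign exec, then four suspicious events.
const SampleEvents = `{"processName":"bash","processId":1001,"eventName":"sched_process_exec","args":[{"name":"pathname","value":"/usr/bin/ls"},{"name":"argv","value":["ls","-l"]}]}
{"processName":"injector","processId":1003,"eventName":"ptrace","args":[{"name":"request","value":"PTRACE_POKETEXT"},{"name":"pid","value":1001}]}
{"processName":"loader","processId":1004,"eventName":"mem_prot_alert","args":[{"name":"alert","value":"Protection changed to Executable!"}]}
{"processName":"dropper","processId":1005,"eventName":"sched_process_exec","args":[{"name":"pathname","value":"memfd:payload (deleted)"}]}
{"processName":"injector","processId":1003,"eventName":"process_vm_writev","args":[{"name":"pid","value":1001}]}`

func main() {
	findings, err := Evaluate(SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] pid=%d comm=%s: %s\n", f.Rule, f.PID, f.Process, f.Detail)
	}
}
```

Running it with `go run` prints four findings for the sample stream (the benign /usr/bin/ls exec matches nothing). Two points worth keeping when writing real rules: argument values are kept raw and only decoded where a rule needs them, because tracee-ebpf arguments can be strings, integers or arrays depending on the event; and a line that fails to parse is surfaced as an error rather than dropped, so a mismatch between the rule engine and the collector's output format shows up instead of silently blinding the detection.
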
Supporting Files, Code, etc:

Target Audience: Defense
We believe Tracee is a valuable tool for anyone who wants to perform runtime protection on Linux systems.
In the demo we will introduce the tool and show how it helped us find real threats, as well as other possible uses.