aurae icon indicating copy to clipboard operation
aurae copied to clipboard

Published 20 hours ago verified publisher icon aurae-runtime

Execution Authentication

Open krisnova opened this issue 1 year ago • 1 comments

Recently we discussed eBPF architecture in https://github.com/aurae-runtime/aurae/issues/394.

This conversation called out a potential need for the project to intercept syscall__execve functionality at runtime such that Aurae can instrument any new processes that might be created by a user's workload.

While the original discussion was intended to serve as a potential path to ensure there aren't rogue processes on an Aurae deployment, this begs a set of critical questions for the project.

Should Aurae authenticate all new spawned process to ensure they are anticipated by the runtime?

If it is possible to authenticate every process on a host at runtime, what are the security and supply chain implications of this feature?

I assumed I should kick off the discussion two fold.

  1. How exactly would we pull this off? What can we learn from packet level authentication in other parts of the kernel?
  2. Do we actually care about this? If so... why? Specifically? What specific security features does this unlock?

krisnova avatar Feb 13 '23 05:02 krisnova