ehids-agent
ehids-agent copied to clipboard
A Linux Host-based Intrusion Detection System based on eBPF.
English | 中文介绍
Introduction to eHIDS
HIDS demo implemented by eBPF kernel technology.
Implementations & Functionalities:
- TCP network data capture
- UDP network data capture
- DNS information capture in uprobe mode
- Process data capture
- Uprobe way to achieve JAVA RASP command execution scene event capture
- Go framework implementation of eBPF, abstract implementation of multi-type events for the kprobe\uprobe mounting method.
- Developers only need to implement three files:
- The kernel-mode C file.
- The user-mode go file.
- The user-mode event message structure, and the framework will automatically load and execute.
- Users can implement data reporting and processing according to the logger interface, such as reporting to ES\kafka and other log centers.
Principle
Reference : eBPF Official Website
- In the kernel mode, eBPF code is written in C, and llvm is compiled into eBPF bytecode.
- User mode is written in golang, cilium/ebpf pure go class library, kernel loading of eBPF bytecode, kprobe/uprobe HOOK corresponding function.
- User mode uses golang for event reading, decoding, and processing.
Planning
Scheduling
The author is analyzing the runtime security protection products implemented by cloud-native eBPF technologies such as cilium, datadog, tracee, falco, and kubeArmor from the perspective of source code. After the analysis is completed, I will continue to share the design, ideas, and functions of this product.
Current progress & Changes
- 【DONE】2021-12-09 Source code analysis of Cilium eBPF implementation mechanism
- 【DONE】2021-12-19 Analysis of datadog's eBPF security detection mechanism
- 【DONE】2021-12-30 Kernel state eBPF program to implement container escape and hide account rootkit
- 【DING】2022-1-31 tracee Source code analysis of eBPF implementation mechanism
- ...
Prodcut Features
- Complete functions (network, process, file, event)
- Monitoring
- Alert
- Fusing
- Statistics
- Reconciliation
- Unified management and control
Instructions
- The kernel mode part is the ebpf programming code implemented by the linux native class library, and uses clang (llvm) for bytecode compilation.
- The user mode part is written for golang's cilium/ebpf class library, which implements functions such as loading eBPF bytecodes to the kernel, mounting to hook points, and event reading.
- This project uses kprobe and uprobe respectively to realize the network event capture of TCP and UDP.
Development Environment
- UBUNTU 21.04 server
- go version go1.17.2 linux/amd64
- Ubuntu clang version 12.0.0-3ubuntu1~21.04.2
- openjdk version "1.8.0_292"
Environment installation steps
See also : CFC4N's eBPF development environment
- sudo apt-get install -y make gcc libssl-dev bc libelf-dev libcap-dev clang gcc-multilib llvm libncurses5-dev git pkg-config libmnl-dev bison flex graphviz
- sudo apt-get install -y make gcc clang llvm git pkg-config dpkg-dev gcc-multilib
- cd ~/download/
- sudo apt update
- sudo apt-get source linux-image-$(uname -r)
- sudo apt-get source linux-image-unsigned-$(uname -r)
- sudo apt install libbfd-dev libcap-dev zlib1g-dev libelf-dev libssl-dev
Compiling and running
Compilation
git clone https://github.com/ehids/ehids-agent.git
cd ehids
make
./bin/ehids-agent
Runnig
Open another shell, execute network commands, and trigger network behavior
wget www.cnxct.com
Or compile and run the java command execution example to test the function of java RASP. Uprobe mounts the JDK_execvpe function of libjava.so, and the corresponding offset address offset is 0x19C30. For other versions, please locate the offset address by yourself.
cd examples
javac Main.java
java Main
JAVA JDK version information
~$java -version
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1-b10)
OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)
Results
root@vmubuntu:/home/cfc4n/project/ehids# ./bin/ehids
2021/12/01 19:27:08 start to run EBPFProbeUJavaRASP probe
2021/12/01 19:27:08 start to run EBPFProbeKTCP probe
2021/12/01 19:27:08 start to run EBPFProbeKTCPSec probe
2021/12/01 19:27:08 start to run EBPFProbeKUDP probe
2021/12/01 19:27:08 start to run EBPFProbeUDNS probe
2021/12/01 19:27:08 probeName:EBPFProbeKTCPSec, probeTpye:kprobe, start time:07:23:49, PID:864, UID:101, AF:2, TASK:5systemd-resolv
2021/12/01 19:27:08 probeName:EBPFProbeKUDP, probeTpye:kprobe, PID:0, comm:systemd-resolve, qname:57.22.91.101.in-addr.arpa, qclass:1, qtype:12.
2021/12/01 19:27:09 probeName:EBPFProbeKTCP, probeTpye:kprobe, start time:19:31:19, family:AF_INET, PID:409744, command:curl, UID:0, rx:67408, tx:79, dest:118.31.44.218:20480, source:172.16.71.4, type:OUT, result:True
2021/12/01 19:27:10 probeName:EBPFProbeUJavaRASP, probeTpye:uprobe, JAVA RASP exec and fork. PID:409049, command:ifconfig, mode:MODE_VFORK
References
- https://ebpf.io
- https://github.com/trichimtrich/dns-tcp-ebpf
- https://github.com/p-/socket-connect-bpf
Malicious exploitation and detection mechanism of eBPF
The article on malicious exploitation and detection mechanism based on eBPF has been shared on the WeChat public account of Meituan Security Emergency Response Center
,Malicious utilization and detection mechanism of eBPF
Wechat Group
Notes
It is not the official warehouse of Meituan, and is only contributed by engineers.
The repository does not contain the full HIDS version in use by Meituan, for the streamlined demo, if you need to see the full source code in detail, please click:https://www.cnxct.com/jobs/