seccomp — Your Next Layer of Defense
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 49 | |
| Author | ||
| License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/51781 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
00:00
Point cloudExt functorInformation securityMultiplication signCartesian coordinate systemAdditionComputer animationXMLUML
00:37
FlagElasticity (physics)Instance (computer science)Exploit (computer security)Figurate numberPoint (geometry)Data miningWordCAN busSingle-precision floating-point formatPanel paintingXMLUMLComputer animation
01:13
Elasticity (physics)Physical systemSystem callKernel (computing)AdditionSet (mathematics)WritingControl flowProcess (computing)Cartesian coordinate systemResource allocationConnected spaceComplete metric spacePhysical systemComputer fileProfil (magazine)Asynchronous Transfer ModeSystem callGame controllerKernel (computing)Control flowSoftwareGroup actionCodeVulnerability (computing)Remote procedure callSemiconductor memoryConfiguration spaceReal numberMountain passSuite (music)AngleOpen setSystem identificationRevision control2 (number)Uniform resource locatorForcing (mathematics)MassPhysical lawPole (complex analysis)XMLComputer animation
04:43
SineKernel (computing)System callPhysical systemWeb pageLine (geometry)CloningFlock (web browser)Physical systemForm (programming)Different (Kate Ryan album)Order (biology)System callNumberComputing platformInterface (computing)Bit
05:18
Metropolitan area networkMilitary operationPhysical systemSystem callProcess (computing)Thread (computing)CodeAsynchronous Transfer ModeNetwork socketBlock (periodic table)Sign (mathematics)Reading (process)Web pageLine (geometry)Pointer (computer programming)Digital filterNamespaceParameter (computer programming)CloningProfil (magazine)Execution unitRight angleAsynchronous Transfer ModeRoutingHypermediaCore dumpSoftwareComputer animationSource code
06:17
Digital filterFingerprintSystem callPhysical systemKernel (computing)AdditionNewton's law of universal gravitationCAN busGoogle ChromeComputer-integrated manufacturingSineCloningMilitary operationUser profileSpherical capMathematical singularityComputer architectureFilter <Stochastik>Cartesian coordinate systemRootkitLevel (video gaming)Default (computer science)System callNeuroinformatikPhysical systemProfil (magazine)EmailMultiplication signKernel (computing)Error messageElectronic mailing listRight angleBasis <Mathematik>SpacetimeBitGraphical user interfaceProcess (computing)Java appletNamespaceTerm (mathematics)Shared memoryThread (computing)Information securityComputer programmingOnline chatSimilarity (geometry)WindowResultantParameter (computer programming)AdditionVideo game consolePhysical lawArmGraph coloringReal numberMathematicsColor confinementView (database)Dimensional analysisSet (mathematics)Goodness of fitReduction of orderMessage passing2 (number)VotingProduct (business)PerimeterFigurate numberReading (process)Uniform resource locatorComputer animation
13:20
State of matterSystem callArithmetic mean2 (number)Physical systemProcess (computing)Point (geometry)Physical lawProduct (business)Different (Kate Ryan album)Multiplication signGame theoryPersonal digital assistantSampling (statistics)Beat (acoustics)Filter <Stochastik>Asynchronous Transfer ModeLoginComputer animation
14:38
State of matterSoftware developerSlide rulePhysical systemBeat (acoustics)Software developerSoftwareFilter <Stochastik>Phase transitionProduct (business)2 (number)Computer animation
15:13
FlagBeat (acoustics)Product (business)Open setConnectivity (graph theory)Profil (magazine)Insertion lossPoint (geometry)2 (number)Computer animation
16:04
Beat (acoustics)Electronic data interchangeSingle-board computerJava appletLogical constantSimilarity (geometry)Different (Kate Ryan album)System programmingOperations researchFingerprintHydraulic jumpLibrary (computing)Group actionString (computer science)Electronic mailing listTelnetDemo (music)Beat (acoustics)CodeProjective planeLibrary (computing)Binary codeMoving averageSource codeProcess (computing)BitImplementationMoment (mathematics)Remote procedure callMetric systemProfil (magazine)Group actionWindowFilter <Stochastik>Multiplication signComputing platformJava appletSoftwareDefault (computer science)Operating systemOpen sourceDrop (liquid)Physical systemRule of inferenceLoginRun time (program lifecycle phase)Event horizonData storage deviceInformation securityKeyboard shortcutElectronic mailing listCartesian coordinate systemRootkitComputer architectureRevision controlServer (computing)Exception handlingLatent heatFerry CorstenSystem callOctahedronGoodness of fitVideo gameSineSet (mathematics)MathematicsLimit (category theory)Physical lawProof theoryDigital electronicsFamilyWater vaporCASE <Informatik>Staff (military)Insertion lossTelecommunicationCategory of beingKey (cryptography)Source codeComputer animation
22:17
Gastropod shellLoginCartesian coordinate systemMessage passingKeyboard shortcutDifferent (Kate Ryan album)TelecommunicationProduct (business)Video gameInstance (computer science)WeightComputer animation
23:19
Demo (music)System callStatisticsSpeicherschutzTotal S.A.Network socketMultiplication signBinary codeKeyboard shortcutElectronic mailing listPhysical systemQuantum state1 (number)CASE <Informatik>Spectrum (functional analysis)Computer programmingArmRow (database)Error messageSystem callProfil (magazine)Right angleCartesian coordinate systemFerry CorstenInteractive televisionComputer animation
25:24
System callWeightNamespaceDemo (music)Computer programmingPhysical systemData storage deviceLibrary (computing)Process (computing)CuboidProfil (magazine)System callCodeKeyboard shortcutBoolean algebraTraffic reportingCartesian coordinate systemProjective planeXMLUMLComputer animation
26:22
Total S.A.SpeicherschutzNetwork socketInformationBinary codeKeyboard shortcutPhysical systemMixed realityProfil (magazine)System callProcess (computing)Electronic mailing listCartesian coordinate systemProcedural programmingOrder (biology)Quantum stateSource codeComputer animation
27:16
MathematicsServer (computing)Digital filterFlagBeat (acoustics)Filter <Stochastik>Run time (program lifecycle phase)Proof theoryRemote procedure callKeyboard shortcutSystem callCodeMultiplication signProfil (magazine)MathematicsData structurePoint (geometry)Number1 (number)Rule of inferenceBeat (acoustics)Cartesian coordinate systemPhysical systemBitBinary code2 (number)WordOrder (biology)DemosceneTape driveRight angleRepetitionMoving averageComputer animation
29:39
FlagLibrary (computing)Limit (category theory)DemonBinary codeFunction (mathematics)Open sourceLibrary (computing)Cartesian coordinate systemFile formatBeat (acoustics)Order (biology)Form (programming)Computer animation
30:47
Meta elementEvent horizonPoint cloudNetwork topologyFingerprintComputer reservations systemField (computer science)FlagProcess (computing)Group actionComputer-generated imageryDigital filterOpen setPrice indexACIDRevision controlComputer networkCountingTable (information)Mach's principleSystem callTime zoneMessage passingModule (mathematics)Service (economics)Kernel (computing)Local area networkHaar measureInformationArchitectureSoftware bugAuthenticationOperations researchPhysical systemPlastikkarteSource codeMusical ensembleDrop (liquid)AdditionTimestampStructural loadWeb browserWindowFamilyInformation securityTouchscreenComputer programmingPhysical systemProfil (magazine)Event horizonInstance (computer science)Binary codeInformationOperating systemLoginCloud computingAddress spaceProcess (computing)Type theoryMedical imagingMessage passingReal numberBitGroup action1 (number)Latent heatBefehlsprozessorOrder (biology)RoutingOffice suiteData managementRoundness (object)Goodness of fitInternet service providerHuman migrationCrash (computing)Software testingPole (complex analysis)Service (economics)Beat (acoustics)Wave packetComa BerenicesAliasingBit rateSurgeryComputer animation
34:52
Similarity (geometry)Elasticity (physics)ZugriffskontrolleInterface (computing)Independence (probability theory)System callKernel (computing)CAN busPhysical systemInformation securityCartesian coordinate systemProcess (computing)BitCoefficient of determinationPhysical systemCore dumpRule of inferenceCross-platformKernel (computing)Slide ruleProjective planeLevel (video gaming)Profil (magazine)Set (mathematics)Mobile appWindowAuthorizationSensitivity analysisOnline helpSystem callBinary codeArmVideo game2 (number)Web browserXMLComputer animation
37:27
Digital filterProcess (computing)Event horizonMessage passingGroup actionTimestampStructural loadElasticity (physics)Observational studyBinary codeHypermediaPhysical law2 (number)Process (computing)Profil (magazine)Reading (process)Information securityRight angleRule of inferenceTwitterArithmetic meanMereologyCollaborationismVideo gameCASE <Informatik>Data managementSelf-organizationQuicksortLevel (video gaming)BitProgramming languageMultiplication signModel checkingWeb applicationInterface (computing)Configuration spaceCartesian coordinate systemJava appletSlide ruleMultiplicationMobile appSoftware bugShared memoryGraphical user interfaceServer (computing)RootkitDirectory serviceComputer fileGeneric programmingProjective planeSimilarity (geometry)WritingControl flowMiniDiscLatent heatComputer animationXMLUML
44:17
Point cloudJSONXMLUML
Transcript: English(auto-generated)
00:06
Hi everyone, I'm Philipp. I'm from Austria, Vienna. That's why I'm sticking to English so you don't have to deal with my Austrian accent. But otherwise, if you have any questions in chat, if you're asking German, that's fine as well.
00:21
I will try to keep an eye on everything. Asking English, asking German, I'll try to respond to whatever is going on. So, let's dive into SecComp, the next layer, or maybe an additional layer of security for your applications. So, security is oftentimes this approach where we say everything is fine.
00:41
Maybe we know in the back of our hat that not everything is perfectly fine, but we'll just assume that everything is fine until something happens. And something might be some bad exploit, or somebody starts mining Bitcoin on your AWS instances, or whatever bad happens. And at that point, you then realize that, well, nothing is fine anymore.
01:02
Everything is on fire and terrible. And we don't want to get to this terrible point. So, we want to figure out how we can avoid getting to this bad place, basically. So, obviously, there are no silver bullets. Unless somebody is trying to sell you something, then they probably have some silver bullets. But there's this saying that you should be like a werewolf.
01:23
You should be very afraid of those. So, don't let anybody tell you that there is a single solution to fix all of your problems. But there are many different things you can do to improve your situation. And that improvement is what I want to cover today. So, the main principle that we follow here, and hopefully we follow all in many other places,
01:44
is the principle of the least privileges. So, why have some privileges if you don't really need those? And seccomp is very much playing into that area or that thing. So, seccomp in general is preventing the execution of certain system calls by an application.
02:03
So, let's assume you have a remote code execution vulnerability in your code. But you're using seccomp and you're not allowing certain actions. So, even if somebody can't exploit your application, if your application cannot do certain things, like fork another process, or maybe your system never needs to do a network call,
02:22
then if you have dropped those permissions or privileges, then even if somebody can break into your application, they still cannot do these things because your application can just never reach those. So, it's just one more layer to protect against things that you never need to have or do. And it can either abort the system call or it can kill the entire process.
02:42
So, if somebody breaks into your application and tries to exploit something, it might just kill the process. And then you might see that something is wrong and can't react to that. So, seccomp in general is like an application set box. It's really on the application layer. So, the application registers its seccomp profile to then limit or drop the privileges that it doesn't need, basically.
03:06
And this is really the gist or the idea of it. It was initially added in the Linux kernel in a very, very old version in like, well, 15 years ago or so. But it was only the first step of what we had back then.
03:21
So, you could, in the process of seccomp, you could set that one and put an application into strict mode. And strict mode is really strict, as the name implies. So, it would only allow read, write, exit, or seek return commands. So, you cannot open a network connection.
03:40
You couldn't even dynamically allocate memory with malloc, for example, because all of those system calls would not be allowed. Which makes this very secure, but pretty much useless for most real-world applications. Or you couldn't even open a new file if the file handle wasn't already accessible yet to read or write to a file.
04:01
So, all of that didn't make it very popular because, well, it was very tightly confined, but probably too tightly confined for a real-world application. It was more like, okay, this is possible and we need to evolve this further. Which then happened in 2012 when it was properly added for system call control in the kernel.
04:22
And then a little later on, it actually got the name seccomp for easier configuration of the seccomp profiles. So, this is kind of the history of how we got to where we are today. So, if you want to see the system calls that you have in your system, and I assume everybody has seen those just for the sake of completeness.
04:45
So, in memsys calls, and I will need to scroll a bit further down here, you have all these different system calls. So, whatever you can do here, or which you might require, all of these could be allowed or dropped.
05:01
So, just to get the idea that there are a lot of them by now. There, by the way, are platform-dependent, so you might need to do a platform check because the system call number might be different on different platforms. And this is what you can then allow or drop as you go along. And then you can use seccomp as the easy interface to actually interact with those system calls and allow or deny them.
05:26
So, if you run memsys seccomp, this shows you the right headers, how to interact with the seccomp profile. And then you can either set the strict mode or you can actually set the filter mode, which uses Berkeley Packet Filter BPF.
05:45
Are you already using BPF or where might you already be using BPF? Because probably, I'll try to keep an eye on the chat, probably you are using BPF already somewhere to filter something.
06:00
Probably when you use TCP dump to, well, see what is happening on your network. Yes, those are normally the desperate days when you need to reach for TCP dump. But this is also where you write in BPF to actually find the relevant traffic. So, this is how you can use seccomp.
06:20
And you just need to register that BPF filter, the strict mode, like I said, is probably overly strict for a real-world application. So, you will write in BPF what is allowed and what is not allowed in your application. And just to show you like what the minimal setup would be, you need to include the right headers. And then the BPF proc that contains the filters to your system calls that will be allowed or denied then.
06:47
And then what we are doing here is first, I'm validating the architecture. So, I'm, because if you have like a 32 or 64-bit architecture, those might be different. And we don't want to emulate one or the other.
07:01
We want to make sure that we check for the right architecture. Then we check the system calls. And then we have a list of system calls that we will allow. And everything else will be denied. So, only what is on the allow list will pass through and everything else will be removed.
07:20
The approach with the allow list probably makes more sense because new system calls are being added over time. So, you don't want to be caught off guard by having new capabilities that you accidentally then allow. Rather, you would want to wipe list or allow list what you want to have in your system. And everything that you don't know, you also stop to be on the safe side.
07:42
Which, of course, will need much more maintenance. But that is the trade-off here. The kind of like simpler approach would be just to disallow some calls that you know that you don't need. But of course, it is never as complete in terms of protection as with the allow approach.
08:04
What you need to keep in mind is when you register the profile, every system call of that application actually gets checked against that seccomp filter then. Which sounds very expensive, but it's not that expensive because all of that is running in kernel space.
08:21
So, you don't have to reach over to user space for every call. But all of that is being just done in kernel space. And maybe I should have mentioned that earlier. Obviously, I'm only talking about Linux here. Mac has a kind of similar concept that, from what I've heard, is a bit buckier and not as widely used.
08:40
Windows has something remotely similar, though I haven't touched Windows in many years. So, I cannot tell you too much about that. So, we will be focusing on Linux and the Linux kernel here. And there the seccomp filter is running in kernel space. And the filter results that you can get are a call can be allowed,
09:02
the process of the thread can be killed, or an error is returned to the caller and it is being logged. And we will see later on the being logged of how you can actually see seccomp violations in your applications or on your hosts. So, is anybody using seccomp already?
09:21
And actually, quite a lot of applications do. This is not a complete list, but probably you're using those on a pretty daily basis. So, from Chrome to Firefox, OpenSSH, Docker, which we'll look a bit into, systemd, Firecracker, many other systems use seccomp filters for additional security.
09:46
On the other hand, unfortunately, many other programs don't. But those who are more security aware, many of those are already shipping seccomp profiles with their application because it's always the application sandbox driven by the application itself. So, how you could add your application to that list is
10:02
you would need to ship a seccomp profile filter with your application. And I'll show you some examples how you could do that then, for example, from your own Java application or from a Go application. So, Docker, since I assume many of you are using Docker, it's trying to have some same defaults for what makes sense security wise,
10:24
what is allowed and what is not allowed. And it does disable around 44 system calls out of the 300 plus that are available. And you can actually find that here in the default JSON, you will find what is allowed.
10:41
And if I'm not mistaken, they also use an allow list where they have all the system calls that they do allow are listed in that JSON file. Some of the system calls that Docker is blocking is clock set time, for example, because the time of your computer is not namespaced.
11:00
So, if the container would try to change it, it would change the time on the host as well, which you probably don't want. You cannot clone a namespace. You cannot reboot the host. You cannot share or change a namespace. All of those are things that you normally don't need or don't want to have.
11:20
And that's why they are forbidden with system calls or seccomp filters. You can run Docker without the default seccomp profile, but this is definitely not recommended. Like, do that at your own risk. But, for example, if you pass the parameter security opt seccomp unconfined,
11:43
it would skip all the default seccomp filters. And then, for example, you could just run something as root directly here. Whereas with the default seccomp profile filters, running the whoami on the map user root
12:00
would fail because you would not have the capability to unshare this command. So, this is where seccomp is coming into play here. By the way, if you're using that capability add, for example, if you add whatever capability for networking, for example, to your Docker container, that adds both the capability
12:21
and what is not really explicit in the name, it also allows the right system call if it would be blocked otherwise. So, you don't need to manually change anything with the system calls, but that capability add will take care of that for you transparently as well. Just when you might be confused why some calls are allowed or not allowed,
12:41
that capability add takes care of the seccomp filter for you as well. Yes, I see firejail mentioned in the chat. We'll get to firejail a little later. Firejail is very handy to actually try out seccomp filters. This is like the hello world of seccomp filters
13:02
and firejail is definitely the right tool for that in there. Is any of your applications using seccomp filters already? To figure that out, what you want to do is... Let me change to my console again.
13:22
We want to grab for seccomp in all the processes that we have running. And then you can see zero means, well, it's not using seccomp. One would be the strict mode and two is it's using the BPF filter for a seccomp profile. So, for example, we could just take a look. I don't know.
13:41
Let's take a look at this process here, have proc status. Okay, this seems to be system B that is using seccomp or let's take a look at something else. It's always a surprise for me as well which process we're getting here. Okay, this is another system D login.
14:00
Let's see, maybe we're lucky here to see something other than system D but that's also a starting point to see that this is using seccomp filters. Okay, heartbeat. Heartbeat is the elastic heartbeat which is basically like a pinger to check if the system is up or down. For example, I work for elastic. I'll get into depth in a moment. Our products all use seccomp.
14:21
That's also why I'm talking about that because we have invested quite some time to make seccomp available on most of our products. And well, the beats that we have, those all use seccomp filters like heartbeat or the other beats. Okay, so this is what we've just seen. This would be one example for, okay, I had system D network here as well.
14:44
So, you have all the examples in the slides but you can just check on your system what is actually using seccomp filters and what isn't. Okay, so why am I talking about all of that? As I mentioned, I work for Elastic, the company behind Elasticsearch, Logstash, Kibana, Beats.
15:01
I'm officially a developer advocate so I mostly talk about the good stuff that we do or I try to understand how stuff works and why it breaks so I can help out others to see why their systems might not be behaving the way they do. This is what we normally do and most people probably know that. Does anybody know which of our products use seccomp profiles and which don't?
15:24
So, Elasticsearch does. Logstash and Kibana so far don't. I think Kibana has an open issue for seccomp profiles with Node which seems to be slightly trickier. Logstash is JRuby and is not using that
15:42
and we added another component more recently or it's been a couple of years by now as well called Beats for lightweight agents or shippers which also has the reason that since we have now a bee in elk and there is no bee in elk so far we tried to come up with something new and it looks something like this so you can see.
16:00
At first it was an elk and then it developed into this which we call the elk or elkbee. As you can see it has horns and is a bee. And Beats is also using seccomp profiles which basically leaves us in our stack here. We have Elasticsearch that stores the data so this is secured by seccomp profiles
16:21
and Beats which are the agents that you roll out on many of or all of your hosts to collect logs or get metrics or check if systems are up or collect security events. Those are also protected by seccomp which kind of makes sense. The thing that keeps your data should be well protected and the agents that you roll out across your hosts
16:42
also are well protected. Kibana and Logstash are still on the to-do list to add seccomp profiles. So how are you doing that with seccomp profiles in a Java process? Because Elasticsearch is a Java process. So what you're using in Java is JNA, the Java Native Access
17:01
and with that Java Native Access you can actually influence or change what is being allowed down to the seccomp profiles. And I've linked the right piece in the current release in the source code here so I'll show you some pieces of source code but I've also always linked to the right pieces so if you have a Java application and want to do something similar
17:21
this is where you can just copy the code from. So I hope that it's not too small for you to see. It might be slightly small, not sure. I'll try to explain what is going on here. So the first thing that we are doing here is we have a check running as root.
17:40
This is not seccomp specific, I'm just mentioning this here because it's another kind of brick or layer in that wall of protection is if you try to run Elasticsearch as root on Linux because Windows doesn't have the same concept then the process will throw a runtime exception and system exit because you should not run any server processes as root
18:03
and the process will just fail. This is not seccomp but this is just another layer here. And after that, if we are not running as root then we actually install the system called filters. And those then look like this. And if this is too small, this just shows that
18:23
if you're on Linux, then you're calling the Linux seccomp profile implementation. If we're on a Mac, we're calling that one. We have a check for SunOS and FreeBSD even though they are not officially supported anymore and we also have some check for that on Windows.
18:41
And if the operating system is anything else that we don't support it would also fail immediately. And then, like I said, on other operating systems like on Mac or on Windows, there are similar concepts but I would just focus on seccomp profiles here. So we'll skip over the other operating systems.
19:01
So here on Linux, we check the architecture and then, for example, we limit that you cannot fork the process so even if we had a remote code execution in Elasticsearch which I hope we don't even if you could run arbitrary code
19:21
you could not fork out another process or you could not execute another binary because we never do that so we drop the capabilities for that since we never need those permissions we'll just not allow the process and drop those. Heading over to Beats
19:40
which are written in Go we have written our own seccomp BPF DSL or nicer syntax in Go which is an open source project which you can use in your own Go binaries. What that looks like here you can define your rules in YAML. If that is a good or bad idea
20:01
depends a bit on your taste around YAML some people will say this is the only right way to do stuff probably those who use a lot of Kubernetes many others will say well, if I could have it in code, I would rather do it in code the library that we have built here is doing it in YAML so it is what it is. You can set a default action
20:21
which here is allow so by default it will allow everything by the way, these are not the actual rules that we have in Beats because in Beats the default action would be denied so there we also need to add the capabilities that we actually need because it is the more secure approach this is just an example of how you could use that library
20:42
but this is not what the Beats do. And here what we allow is what we drop here is these permissions connect, accept, send all of those are dropped
21:01
which again for Beats it's a shipper over the network doesn't make much sense if it cannot connect to anything then it's probably not going to be a very useful shipper but this is just an example for the actual rules you can see those in this piece of code here and you can see this is platform specific
21:22
so on Linux on the 64-bit platform we have a very long list of what is allowed so what is allowed is accept and access and bind etc so lots of things that are allowed here generally like I've said two times
21:42
I think already allow over deny so since new system calls might be added over time you don't want to be caught off guard by the new Linux version it allows something that you don't want to have in your application so if you only allow what you explicitly need you will never be in
22:01
or have that problem so we get to fire jail in a moment and how to do that so just to give you a bit of an idea of how or what we could do here again this is like the hello world application of everything
22:21
I'm using Netcat I'm listening on port 1025 and I can chat with myself so I'm just using CalNet this is a live instance if you're quick you might be able to send me a message as well please behave so if I say hello
22:41
then I'm receiving the hello that I have sent here and you can see I am here using the Austrian telecom and this is from where this message has originated and we use Netcat not because Netcat is a great application that anybody would be using in production but because Netcat is very nice to see
23:00
we will focus on the bind here that Netcat is binding to this port and then able to receive something and we want to dive into different things that we can deny here and how you could even figure out what permissions or what capabilities it is needing so we have started the chat
23:20
if you run STrace you could then check the bind that it's using and then just run the general binary again so if I run that just one more time here
23:42
am I in the right process? here we go so I'm only interested in the bind because otherwise you would see a lot of system calls happening here and okay somebody tried to just connect which is not me anymore
24:02
so here this was the bind command that we have tried and you can see we have had the bind so if we take away the bind this system would not run afterwards one other thing that is by the way pretty interesting is if you run STrace with the dash C command and let it run
24:20
and then for example interact with it it will at the end show you a collection of all the system calls it has been using because then once you try to add your own seccomp filter you will have the question of which system calls do I even need to allow here? this might be one of the ways to do this here so once I
24:40
exit that it shows me which system calls have been used and you can see how many times they were used if there were any errors or not and then to write the right seccomp profile filter you would just need to parse out this list of calls let's assume those are all the valid ones
25:01
that you want to allow and you just put all of those on the allow list and then your application should be able to run if you have kind of covered the full application spectrum and features and of course if you add new features that will need new capabilities you will need to run this again to complete your list or extend your list of things that should be allowed
25:21
you can also do that programmatically by the way so if you want to have that programmatically there are two projects that I've found one is just some C code that will run a syscall reporter that you can add to your C program and list those out at the end and then there is another
25:41
program or library that will help you figure out which system calls your application has been doing so you can actually see what you need ok now getting to firejail that somebody already mentioned in chat it can add seccomp vpf sendboxes
26:01
so we can take away capabilities from the process so what we basically want to do is I'm running firejail I don't have specified any profile so this you can just run and I'm dropping the capability to bind so if I run this it will obviously fail to actually start the process
26:21
because well it didn't have the capability and I just exited the process here you can throw strace in the mix again by the way so if you run that it will show you these are all the system calls that have happened and then you can see ok here the bind is being called and then you have the system call
26:40
or the binary is killed immediately as soon as you try to use that bind which you have forbidden so this is how you can simulate like either you create a profile for your binary or you just list out the capabilities that you want to add or drop you can try to run it
27:00
and then you can figure out is this working or is this too strict or maybe it's still too lenient and with strace you can actually see these are all the system calls that happened before and what is happening right around when the application is then exiting for example so this is just a nice overview to see what is going on here ok
27:20
one question that comes up sometimes is how do you stop permission changes because let's assume you have a binary you have a remote code execution somebody runs whatever code you want inside your application you have dropped some capability could they not just use the remote code execution to re-add the capability so basically extend
27:42
the privileges of the application again which would totally circumvent the point of seccomp filters right so what would be the solution there are probably multiple solutions to that or there are possible solutions how seccomp could be doing that either can you never change seccomp profiles after you have
28:02
set them up initially could you limit the changes to seccomp profile filters or more the YOLO approach don't care if somebody is smart enough to do that it's tough luck no it's actually the second one so you can set and you should set that the no new privileges basically
28:22
that means when you set this any privilege that you have dropped you cannot take back again so once you have disabled bind even if you have no remote code execution your binary could not add the capability to bind anymore because we have taken this no new privileges you could further tighten
28:42
down the rules afterwards so at run time you could always add more kind of or disallow more system calls over time but you could not re-add what the ones that you have already removed we're doing that in Elasticsearch as well so that's a bit better hidden in the system call filter but
29:02
there the system call set no new privileges is number 38 which has been around since Linux 3.5 and we actually set that at the very beginning so generally you set that at the beginning that whatever you drop after this point you can never take back again
29:21
same goes for beats where you just have since it has like this nice structure and it you just set no new proofs to true and then you can never retake the privileges that you don't need anymore so we can limit down all the things and hopefully
29:41
protect against that which leaves us with one thing how do we figure out what has gone wrong like if we have any seccomp violations in our applications and for that we can use another tool in the Linux toolchain which is auditd the Linux auditing daemon which can also
30:01
react to certain activities that your applications are doing and for that we have wrapped that in one of the beats which is called auditbeat which auditd auditbeat kind of makes sense we basically wrap the output of auditd because the format of that is a pain in the ass to parse and we've wrapped
30:21
that in a beat so that can ship it directly to Elasticsearch that is by the way wrapped again in a Go binary so we have go-lib-audit which wraps auditd so we can use it in auditbeat again
30:40
this is an open source library that you could then use in your own applications and what this looks like let me try to find my browser my browser sorry my browser is on the other window what we have here let me quickly refresh
31:00
so here I have auditbeat running and it's collecting all kinds of things on my system that might be security violations so you can see in the last 30 minutes we had a couple of thousand hits of things that were possible or were happening
31:21
what I want to do now is I have this event action violated seccomp policy and let's filter down to that event action violated seccomp policy that sounds good and you can see in the last 30 minutes those were my two fire jail calls where we had two seccomp
31:42
violations let me add one to show you what we have actually collected here so you can see auditbeat has collected the data you can also see where this is running so this is my instance on AWS where this is running you can see the message type
32:02
is it's coming from seccomp you can see which binary we were using so it was netcat that we tried to run you can see which was the primary actor so the ubuntu user is the user that I was using that one here I've enriched those events with some additional information so for example you can see
32:20
that this is running on my cloud provider which is AWS and you can see details about the host like the operating system maybe this is operating system specific that you had some security issue you can see the process name and well the user name and user id so with this information you could
32:40
figure out that okay there was a seccomp profile violation which binary was affected from which user has this been started maybe which instance on Amazon this is using or which ip address is affected or which base image is affected and then you could figure out is this a real problem or don't I care that much about it
33:02
by the way we have also a bit of a nicer interview for that which is called SIEM the where you can see I have here all my host which is a single host and we have logins and whatever what I'm interested in
33:20
now is events which will probably have quite a few events in here and with all the screen sharing my CPU is struggling a bit but you can see here you can see what is happening on that host since it this is all based on elastic search which is
33:40
pretty good with search I'm just searching for seccomp because that's what I'm interested in and now it's showing me violated seccomp policy so this is just a full text search over everything and now I could say for example oh I'm interested just in that binary or just in that host or just in that user let's say I'm interested in that user so I'm taking that user dragging and dropping it
34:01
here and then I could just see in the timeline what has that specific user been up to and then you can see okay here with S trace program crashed program crashed here we have seccomp process violation so this user is up to something weird or you can
34:21
see here I was executing netcat this was when it was actually successful when I just was opening port 1025 and we could check with it so that one was actually successful whereas the other ones were not so successful on the accuracy crashed or seccomp violation so this way you could see this is what the user is up to and then we could either
34:41
isolate the user or take down the host that is affected or whatever so this is just building on top all around what seccomp profiles can already provide to you we've seen that so to wrap up I'm always comparing this a bit to one of the many bricks in the wall of your security
35:01
setup and seccomp is one very handy tool so if your application doesn't need specific permissions why give it to the application in the first place just drop them and you're good to go and you don't need to worry that somebody will execute the binary or fork your process because you know that you will never do that
35:21
one question that I see that comes up every now and then is seccomp versus se Linux or app armor both of them are similar that they are doing kernel level filtering or inception of system cores where they are different is that seccomp is actively set by the process itself whereas se Linux or app
35:41
armor are mandated by well the system on the whole system level and is run before the process runs whereas for seccomp the binary sets or brings its own rules and enforces them which is nice if the application author provides those
36:01
but if they don't that's kind of like problematic because you would need to add them yourself seccomp is pretty widely available so your browser, docker firecracker, firej lots of other systems can use it and it should be used more widely I think so if you can and have some application
36:21
that has some security sensitivity it might be an interesting project to add seccomp profiles to your application so that those can then be installed when you run your binary if you want to have a platform independent way to interface with the Linux kernel system cores there is libseccomp that might make
36:41
writing those rules a bit easier for you which is I think the final tip I have in my slides to work with seccomp oh yeah windows that's quite a mouthful so process mitigation system called disable policy is I think the thing that is pretty close to seccomp
37:00
on windows because it also has restrictions on what system calls the process can invoke but it seems to behave quite differently than what you have in seccomp and Linux but like I said I haven't touched windows in a couple of years so I haven't tried that one out and I will
37:20
try to avoid it if I can't help it and with that are there any questions let me try to find my chat again
37:42
can you share that notes in the share tab which share tabs wait the one thing that I wanted to drop just in case once there are the slides give me one second
38:03
this is it so if anybody wants to have the slides, these are the slides any other questions
38:28
sure cool the Jedi mind trick seems to be working today any other questions we should have plenty of time though I don't think anybody wants to hear me ramble for 55
38:40
minutes so I think 40 was good any other questions seccomp elastic related auditd whatever you want if not I wish
39:11
everybody seccomp seccomp I haven't stumbled over any GUIs for
39:21
seccomp to be honest but since BPF and everything seems pretty low level maybe this is your chance to write a nice project on github or wherever I haven't stumbled over anything but to be honest I have never looked for a GUI explicitly for seccomp writing seccomp profiles
39:44
the question does the app centric approach still force you to trust the application yes I mean of course it does but I mean if you run somebody's binary I guess you trust that the binary is doing the right thing so seccomp is not
40:01
going to save you from anything seccomp is just like if they have a security issue in their application that they can add a layer of protection against that it will not protect you against malicious binaries so yeah I mean you can compile it yourself and add your own seccomp profile
40:20
as another layer of protection but generally the seccomp profiles I would see as a security feature that somebody who writes an application is security sensitive adds as a benefit it doesn't protect you against bad binaries does it make sense to use for web apps
40:43
hmm I mean web app is it depends a bit like what you define as web app so Elasticsearch is also like has an HTTP interface and just you send it JSON and send it to JSON back and you still want to protect it by
41:01
seccomp it's probably getting a lot trickier if you have a general purpose programming language and run that in an application server where you register those but maybe so for example what you might want to add are other features so for example what we have in
41:20
in Elasticsearch we have like there are multiple checks of security things that we do so seccomp is one so you cannot fork the process or you cannot call another binary because we don't do that then we check that you're not running as root and for example we're also using the Java security manager and with the Java security manager that's like
41:40
Java security concept there you could limit that you can only read files from a specific directory for example from this package so you could with the Java security manager you could say like only this one package here is allowed to access these configuration files because no other part of my application
42:00
needs to read or write anything or for example only the thing or there is like a package that writes to the disk out only this one package can write to the disk so if you have a bug or problem in another package it would not be allowed to actually write to your data directory but that's another layer here I don't think
42:20
seccomp is like vanilla seccomp will not be the solution for a generic web application but it's one of the many pieces that you want to have in there for example I would need to check if for example nginx uses seccomp maybe somebody has it running and can quickly check that the command was a bit earlier
42:40
to see if for example nginx could fork out another process or if that doesn't care because that's I think where seccomp will come into play yeah to be honest I have not compared it to sandbox init and
43:01
pledge I'm not really sure if anybody has any experiences with those I would also be curious I'm not I once had a discussion that somebody said like MacOS has a similar concept as seccomp but it was less mature from what I know I'm not sure if that is sandbox init or if that is also called
43:22
seccomp on Mac I have been very Linux focused here to be honest
43:42
any final questions? or is everybody happy to head over to their Sunday afternoon the next talk or break well if you have any other questions this is Twitter so just ping me if you have anything
44:03
thanks a lot for joining on a Sunday which is a tough day especially Sunday afternoon enjoy the rest of your day thanks for having me and let me know if you have anything else on Twitter thanks everyone bye