LUP Student Papers

LUND UNIVERSITY LIBRARIES

Leveraging eBPF to Produce Container Audit Data for the Purpose of AppArmor Profile Generation

Beck, Evelyn LU (2023) EITM01 20232
Department of Electrical and Information Technology
Abstract
This thesis investigates the possibility of leveraging eBPF to audit containerized workloads to produce data equivalent to AppArmor auditing, with the goal of later using that data to automatically generate AppArmor profiles to protect those workloads. The report presents several challenges posed by the restrictive nature of eBPF as well as how these challenges were addressed in the implementation of a prototype titled bpfsnoop. The prototype is then evaluated and we find that the performance overhead of this approach is slightly worse than the existing AppArmor-based auditing solution. Despite this, a potential use case is identified by considering availability; several top Linux distributions do not support the existing solution but do support bpfsnoop. In other words, bpfsnoop could provide value by enabling AppArmor-equivalent auditing in environments where it would not otherwise be possible.
Popular Abstract
Cloud services are a critical component of modern society. Everything from how we consume media and play games to how we pay our bills and do our work relies on cloud services, and the sheer scale of the customer base served by these services requires that cloud applications are constructed in a scalable fashion. The industry's answer to this problem is microservice architectures; instead of building a large monolithic web application that handles all business logic, you build many small services. For example, if you're building a web store, you might build one service for user registration and login, one that keeps track of which products are available, one that handles orders and payments, and a frontend service. These services all talk to each other, but keeping them separate makes it easy to change one component without affecting others, and perhaps more importantly, makes scaling up components that are under heavy load easier.

A key piece of technology enabling the scalability of microservices is containerization. Essentially, developers can package a service and all its dependencies into an image. Identical copies of the service can then be deployed as containers on servers across the world. From inside the container, the service can only see data included in the image and nothing more. This, however, is a trick - in fact, many containers may be running on the same server, but the operating system gives each container its own view of what files exist.

While containers have allowed tech to scale to levels previously not possible, those levels of scaling bring new security challenges. When companies like Netflix and Tinder may have millions of containers deployed at any given time, you may ask yourself, how do they keep them secure? The answer to this, clearly, is automation.

Enter Bifrost Security: They offer companies the ability to monitor everything their microservices do using AppArmor, a Linux security technology, and analyze their behavior. Based on this, they can generate an AppArmor security profile which only allows behavior which has been previously observed. Because hackers often try to trick services into doing something they're not supposed to, this can prevent breaches of security before they even happen and alert operators to attempts in progress.

However, the entire Bifrost value proposition relies on their customers' servers having AppArmor available, and unfortunately, this is not always the case. The work presented in this thesis begins to address this by developing bpfsnoop, a new tool for auditing microservices. The goal is to produce audit data equivalent to what AppArmor produces, but using eBPF instead. eBPF is an emerging technology that allows us to write small programs and tell the Linux kernel to run them whenever a specific event occurs; for example, when a process opens a file or sends data over the network. By attaching eBPF programs to the same events AppArmor observes, we can export the same data, achieving our goal.
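As an added example (not code from the thesis, from bpfsnoop, or from Bifrost Security), the following Python script shows the second half of the pipeline described in the two paragraphs above: it reads AppArmor-style audit records and emits a profile that permits only the behaviour that was observed. The audit lines embedded below are constructed for this example; the profile names, paths, pids and timestamps are invented. Audit data produced by an eBPF-based tool in the same key="value" layout could be fed to it unchanged, which is the equivalence the thesis aims for. The choice of `ix` as the exec transition mode and the use of literal paths are this example's own simplifications.

```python
"""Generate a minimal AppArmor profile from audit records of observed behaviour.

Added example, not code from the thesis, bpfsnoop or Bifrost Security.
"""
import re
from collections import defaultdict

# Constructed sample records in the key="value" layout AppArmor writes to the
# audit log. Profile names, paths, pids and timestamps are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:1): apparmor="AUDIT" operation="open" profile="example-web" name="/etc/ssl/certs/ca-certificates.crt" pid=4242 comm="web" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.102:2): apparmor="AUDIT" operation="open" profile="example-web" name="/var/log/web/access.log" pid=4242 comm="web" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.103:3): apparmor="AUDIT" operation="open" profile="example-web" name="/var/log/web/access.log" pid=4242 comm="web" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.104:4): apparmor="AUDIT" operation="exec" profile="example-web" name="/usr/bin/curl" pid=4243 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.105:5): apparmor="AUDIT" operation="create" profile="example-web" pid=4242 comm="web" family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1700000000.106:6): apparmor="AUDIT" operation="open" profile="example-db" name="/var/lib/db/data.db" pid=5000 comm="db" requested_mask="rw" denied_mask="rw" fsuid=999 ouid=999
some unrelated line that is not an apparmor record
"""

# A record is a run of key=value or key="quoted value" tokens.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Canonical order of file permission letters in a rule, and the audit-mask
# letters that collapse onto them (c = create and d = delete both need write).
_PERM_ORDER = "rwalkm"
_MASK_ALIASES = {"c": "w", "d": "w"}


def parse_audit_line(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor record."""
    fields = {key: (bare if bare else quoted) for key, quoted, bare in _KV_RE.findall(line)}
    if "apparmor" not in fields or "profile" not in fields:
        return None
    return fields


def normalize_mask(mask):
    """Map audit-log mask letters onto profile permission letters; 'x' stays separate."""
    return {_MASK_ALIASES.get(ch, ch) for ch in mask}


def collect_observations(audit_text):
    """Group observed file accesses and socket creations per profile name."""
    observed = defaultdict(lambda: {"files": defaultdict(set), "network": set()})
    for line in audit_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue  # skip lines that are not AppArmor records
        entry = observed[rec["profile"]]
        if "name" in rec and "requested_mask" in rec:
            entry["files"][rec["name"]] |= normalize_mask(rec["requested_mask"])
        elif "family" in rec and "sock_type" in rec:
            entry["network"].add((rec["family"], rec["sock_type"]))
    return observed


def file_permissions(letters):
    """Render a set of permission letters as an AppArmor permission string."""
    perms = "".join(ch for ch in _PERM_ORDER if ch in letters)
    if "x" in letters:
        # Exec needs a transition mode. 'ix' (inherit the current profile) is
        # an assumption of this example, not something the audit data states.
        perms += "ix"
    return perms


def render_profile(name, entry):
    """Emit a profile that allows exactly the observed behaviour."""
    lines = [f"profile {name} {{"]
    for family, sock_type in sorted(entry["network"]):
        lines.append(f"  network {family} {sock_type},")
    if entry["network"] and entry["files"]:
        lines.append("")
    for path, letters in sorted(entry["files"].items()):
        lines.append(f"  {path} {file_permissions(letters)},")
    lines.append("}")
    return "\n".join(lines)


def generate_profiles(audit_text):
    """Return {profile name: profile text} for every profile seen in the audit data."""
    return {name: render_profile(name, entry)
            for name, entry in collect_observations(audit_text).items()}


if __name__ == "__main__":
    for text in generate_profiles(SAMPLE_AUDIT_LOG).values():
        print(text, end="\n\n")
```

Two caveats a practitioner would add. First, a profile built this way denies whatever the auditing window did not exercise, so rarely taken code paths (error handlers, log rotation, periodic jobs) must be driven during collection or the profile will break them in enforce mode. Second, literal paths are brittle; the upstream `aa-logprof` tool, which performs this same log-to-profile step interactively, offers globbing and abstractions for exactly that reason.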

In the evaluation phase of our work, we compare several aspects of bpfsnoop against the existing solution. We find that while our eBPF-based approach yields worse performance, the goal of achieving better availability is very much accomplished; the features required to support bpfsnoop are available on all popular Linux distributions where AppArmor is not. This indicates a possible niche for bpfsnoop as a fallback solution where AppArmor is not available.
author
Beck, Evelyn LU
organization
Department of Electrical and Information Technology
course
EITM01 20232
year
2023
type
H1 - Master's Degree (One Year)
keywords
ebpf, container security, apparmor, kubernetes, auditing
report number
LU/LTH-EIT 2024-961
language
English
id
9153874
date added to LUP
2024-06-03 13:49:16
date last changed
2024-06-03 13:49:16
@misc{9153874,
  abstract     = {{This thesis investigates the possibility of leveraging eBPF to audit containerized workloads to produce data equivalent to AppArmor auditing, with the goal of later using that data to automatically generate AppArmor profiles to protect those workloads. The report presents several challenges posed by the restrictive nature of eBPF as well as how these challenges were addressed in the implementation of a prototype titled bpfsnoop. The prototype is then evaluated and we find that the performance overhead of this approach is slightly worse than the existing AppArmor-based auditing solution. Despite this, a potential use case is identified by considering availability; several top Linux distributions do not support the existing solution but do support bpfsnoop. In other words, bpfsnoop could provide value by enabling AppArmor-equivalent auditing in environments where it would not otherwise be possible.}},
  author       = {{Beck, Evelyn}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Leveraging eBPF to Produce Container Audit Data for the Purpose of AppArmor Profile Generation}},
  year         = {{2023}},
}