Abstract: How to secure things by tracing signals from the kernel up?

Our daily job, as software engineers, is commonly to build software, that is, abstractions. While doing so we hide some complexity, but at the same time we also increase the entropy and, often, the attack surface. It turns out that to secure things we need to dig deeper into the abstraction layers, uncovering all the complexity we carefully tried to avoid by putting those abstractions in place. For example, to securely run our applications on our Kubernetes clusters we first need to understand how all the Kubernetes layers interface with the Linux kernel. To understand that, we need full visibility from the kernel up. A way to get broad and deep visibility into our systems when doing security analysis is to look directly at what is happening in the Linux kernel. This is what Falco does. Falco provides runtime security using an eBPF probe or a kernel module as the driver, plus a ring buffer, to trace the syscalls made by userspace processes. Every Linux system exposes the syscall interface, so we can trace what userspace processes are doing at the upper level and eventually take action. This is easier said than done, though, because tracing and processing every system call in userspace results in a very particular set of challenges. Join this talk to discover exactly what those challenges are and how Falco approaches them using eBPF or a kernel module!

Bio: Leo is an Open Source Software Engineer at Sysdig in the Office of the CTO, where he is in charge of the open source methodologies and projects. He is a core maintainer of Falco, a cloud native tool for runtime security incubated by the CNCF. He is also involved in the Linux Foundation's eBPF project (IO Visor) as a maintainer of the kubectl-trace project.
He is also the creator of go-syslog, a blazingly fast Go parser for syslog formats and transports, and of kubectl-dig, a tool for deep visibility into Kubernetes directly from kubectl. He has also been involved in the CNCF SIG-Security since its early days.

Security BSides Athens 2020

Security BSides is a community-driven framework for building events by and for information security community members. These events are already happening in major cities all over the world! We are responsible for organizing an independent Security BSides-Approved event for Athens, Greece. More: https://www.bsidesath.gr Follow on Twitter: @BSidesAth
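As an added example (not part of the talk and not the Falco project's own ruleset), the following constructed Falco rule file shows how the syscall events the abstract describes the driver capturing (execve for process creation, open/openat for file access) are turned into detections by Falco's userspace rule engine; the list and macro names are defined inline here and are assumptions, not Falco's default definitions.

```yaml
# Constructed example ruleset for illustration; not Falco's default rules.
# Each event arrives from the driver (eBPF probe or kernel module) through the
# ring buffer and is matched against these conditions in userspace.

# Helper definitions (assumed names; defined here so the file is self-contained).
- list: shell_binaries
  items: [bash, sh, zsh, dash, ksh]

- macro: in_container
  condition: container.id != host

- macro: spawned_process
  # evt.dir=< selects the exit side of the syscall, where the new image is known
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: open_write
  condition: evt.type in (open, openat) and evt.is_open_write=true

# Detection 1: an interactive shell started inside a container.
- rule: Shell spawned in container (example)
  desc: A shell binary was executed inside a container
  condition: spawned_process and in_container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.id image=%container.image.repository
    proc=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, shell, example]

# Detection 2: a write below /etc, excluding the usual package managers.
- rule: Write below /etc (example)
  desc: A process opened a file under /etc for writing
  condition: open_write and fd.name startswith /etc and not proc.name in (apt, dpkg, yum, rpm)
  output: >
    File below /etc opened for writing
    (user=%user.name file=%fd.name proc=%proc.cmdline container=%container.id)
  priority: ERROR
  tags: [filesystem, example]
```

Falco loads such a file with its -r option; the abstract's point is that every one of these conditions has to be evaluated against the full syscall stream in userspace, which is where the challenges the talk describes arise.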