Closed avilum closed 1 year ago
I installed bpftrace on an Ubuntu 20 image in a py3.8 venv and got the following when attempting to import os:
(secimport-py3.8) $ python3
Python 3.8.10 (default, Jun 22 2022, 20:18:18)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from secimport import secure_import
>>> os = secure_import('os', allow_shells=False)
(running bpftrace supervisor): sudo /tmp/.secimport/bpftrace_sandbox_os.bt --unsafe -p 3025714 -o /tmp/.secimport/bpftrace_sandbox_os.log &2>/dev/null
/tmp/.secimport/bpftrace_sandbox_os.bt:729:5-6: ERROR: syntax error, unexpected {, expecting }
END {
~
>>>
>>>
>>> os.system("ps")
PID TTY TIME CMD
3024915 pts/1 00:00:00 bash
3025714 pts/1 00:00:00 python3
3025772 pts/1 00:00:00 sh
3025773 pts/1 00:00:00 ps
0
I looked at the script and the code that generates it and I don't see a simple solution at first glance.
I fixed the issue above by placing a newline at the end of the following file to keep the closing } from ending up in a comment.
$ git diff src/secimport/templates/bpftrace/actions/kill_on_processing.bt
diff --git a/src/secimport/templates/bpftrace/actions/kill_on_processing.bt b/src/secimport/templates/bpftrace/actions/kill_on_processing.bt
index b03d0f6..328eb7c 100644
--- a/src/secimport/templates/bpftrace/actions/kill_on_processing.bt
+++ b/src/secimport/templates/bpftrace/actions/kill_on_processing.bt
@@ -2,4 +2,5 @@
printf("\t\tKILLING...\r\n");
system("pkill -9 python"); // optional
printf("\t\tKILLED.\r\n");
- exit(); // optional
\ No newline at end of file
+ exit(); // optional
+
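Review bot: the fix depends on kill_on_processing.bt keeping its trailing newline, which is one editor setting (or one copy of the template) away from regressing, because the `}` the generator emits after the action still lands on the `exit(); // optional` line the moment the newline is lost; the generator that concatenates action templates should normalise each fragment to end in a newline itself, or emit the closing brace on its own line, instead of relying on the template file. In the same hunk, the unchanged `system("pkill -9 python"); // optional` kills every process whose name matches `python` on the host, not only the process the supervisor was attached to with `-p`; since the script already runs with `--unsafe`, restrict it to the traced process, e.g. `system("kill -9 %d", pid);`.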
However, now I'm getting this:
$ python3
Python 3.8.10 (default, Jun 22 2022, 20:18:18)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from secimport import secure_import
>>> os = secure_import('os', allow_shells=False)
(running bpftrace supervisor): sudo /tmp/.secimport/bpftrace_sandbox_os.bt --unsafe -p 3027379 -o /tmp/.secimport/bpftrace_sandbox_os.log &2>/dev/null
/tmp/.secimport/bpftrace_sandbox_os.bt:686:1-53: ERROR: usdt target file '/workspace/Python-3.10.0/python' does not exist or is not executable
usdt:/workspace/Python-3.10.0/python:function__entry {
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/tmp/.secimport/bpftrace_sandbox_os.bt:695:1-54: ERROR: usdt target file '/workspace/Python-3.10.0/python' does not exist or is not executable
usdt:/workspace/Python-3.10.0/python:function__return {
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> exit()
So it seems the bpftrace_sandbox_os.bt is somehow getting confused about which python3 binary to wrap on my system?
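The brace-swallowing failure described above, reproduced and hardened as an added example (this is not secimport's code; the action fragment, the probe header and the function names are constructed for illustration). It joins a probe header with an action template that has no newline at end of file, shows the closing brace ending up inside the `// optional` comment, and adds a brace-balance check that ignores comments and string literals so a generated script can be rejected before it is handed to bpftrace.

```python
# Added example (not secimport's own code): reproduce how an action template with no
# trailing newline swallows the closing brace of a bpftrace probe, and the hardened join.

# Constructed copy of kill_on_processing.bt as it was before the diff: no newline at EOF.
KILL_ACTION_NO_NEWLINE = (
    '\t\tprintf("\\t\\tKILLING...\\r\\n");\n'
    '\t\tsystem("pkill -9 python"); // optional\n'
    '\t\tprintf("\\t\\tKILLED.\\r\\n");\n'
    '\t\texit(); // optional'
)


def strip_comment(line: str) -> str:
    """Return the code part of a bpftrace line: string literals removed, `//` comment dropped."""
    out = []
    in_str = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_str:
            if c == "\\":          # skip the escaped character inside a string literal
                i += 2
                continue
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif line.startswith("//", i):
            break                  # rest of the line is a comment
        else:
            out.append(c)
        i += 1
    return "".join(out)


def brace_balance(script: str) -> int:
    """Opening minus closing braces, ignoring braces inside comments and strings."""
    depth = 0
    for line in script.splitlines():
        code = strip_comment(line)
        depth += code.count("{") - code.count("}")
    return depth


def render_naive(probe_header: str, action: str) -> str:
    """The failing join: '}' is glued to whatever the action fragment ends with."""
    return f"{probe_header} {{\n{action}}}\n"


def render_safe(probe_header: str, action: str) -> str:
    """Hardened join: normalise the fragment to end in a newline so '}' gets its own line."""
    body = action if action.endswith("\n") else action + "\n"
    return f"{probe_header} {{\n{body}}}\n"


def check_script(script: str) -> None:
    """Fail fast before handing a generated script to bpftrace."""
    bal = brace_balance(script)
    if bal != 0:
        raise ValueError(
            f"unbalanced braces in generated script ({bal:+d}); a '}}' probably ended up in a comment"
        )


if __name__ == "__main__":
    header = "tracepoint:syscalls:sys_enter_execve"   # constructed probe, not the project's
    bad = render_naive(header, KILL_ACTION_NO_NEWLINE)
    print(bad.splitlines()[-1])    # exit(); // optional}   <- the brace is commented out
    print(brace_balance(bad))      # 1
    good = render_safe(header, KILL_ACTION_NO_NEWLINE)
    check_script(good)             # passes: balance is 0
    print(good)
```

`check_script` is deliberately a syntactic check only; it catches the class of bug in this report (a brace lost to a comment) but does not replace running the generated file through bpftrace itself.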
I now understand what you did to PoC execution in a docker container. I made slight changes you can review by comparing this branch to resolve the above issue. You don't need to include these changes but dynamically determining the python executable path may be good for flexibility.
I attempted to use the docker scripts to test on an Apple M1 chip and it failed because of Apple M1 compatibility issues. I then attempted to run the docker script on an older Intel-based Mac I have and I got the following:
>>> from secimport import secure_import
>>> os = secure_import('os', allow_shells=False)
(running bpftrace supervisor): sudo /tmp/.secimport/bpftrace_sandbox_os.bt --unsafe -p 17 -o /tmp/.secimport/bpftrace_sandbox_os.log &2>/dev/null
sh: 1: sudo: not found
>>> os.system('ps')
PID TTY TIME CMD
1 pts/0 00:00:00 sh
10 pts/0 00:00:00 bash
17 pts/0 00:00:00 python3
20 pts/0 00:00:00 sh
21 pts/0 00:00:00 ps
0
>>>
I think it's failing only because sudo is not installed in the docker container.
I'm excited about this, let me have some more time to tune up what you have on this branch to work in the specific type of docker container my use case calls for.
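The two environment problems raised in this thread, the hard-coded usdt target path and the missing sudo, as an added example (not secimport's code; `resolve_usdt_target`, `supervisor_argv` and the other names are assumptions for illustration). The usdt target is derived from the running interpreter: in a venv `sys.executable` is normally a symlink into the venv, while the USDT notes live in the ELF it points at, so the link is resolved and the result is checked for exactly the condition bpftrace reported ("does not exist or is not executable"). The supervisor command is built as an argv list with no shell, and when the caller is not root and sudo is absent it fails loudly instead of leaving the process unsupervised. It does not verify that the interpreter was built with `--with-dtrace`, which is what makes `function__entry`/`function__return` exist at all.

```python
# Added example (not secimport's own code): choose the usdt target at run time and build
# the supervisor argv without a shell. Names below are illustrative assumptions.
import os
import shutil
import sys
import tempfile
from typing import List, Optional, Tuple


def resolve_usdt_target(executable: Optional[str] = None) -> str:
    """Real path of the interpreter to put in usdt:<path>:<probe> headers.

    Resolves venv symlinks and enforces the same condition bpftrace checks:
    the target must be an existing, executable regular file.
    """
    real = os.path.realpath(executable or sys.executable)
    if not os.path.isfile(real) or not os.access(real, os.X_OK):
        raise FileNotFoundError(f"usdt target file {real!r} does not exist or is not executable")
    return real


def usdt_probe_header(target: str, probe: str) -> str:
    """Probe header for a CPython USDT probe such as function__entry."""
    return f"usdt:{target}:{probe} {{"


def supervisor_argv(script: str, pid: int, log: str,
                    euid: Optional[int] = None, sudo: Optional[str] = None) -> List[str]:
    """argv for the bpftrace supervisor, run via subprocess with shell=False.

    euid/sudo default to the real values; they are parameters so the logic is testable.
    sudo="" models the 'sh: 1: sudo: not found' container.
    """
    euid = os.geteuid() if euid is None else euid
    argv: List[str] = []
    if euid != 0:
        sudo = shutil.which("sudo") if sudo is None else sudo
        if not sudo:
            raise RuntimeError("not root and sudo is not installed: the sandbox would not be enforced")
        argv.append(sudo)
    argv += ["bpftrace", "--unsafe", "-p", str(pid), "-o", log, script]
    return argv


def make_venv_style_link(directory: str) -> str:
    """Create bin/python3 -> real interpreter, mirroring how venv lays out its interpreter."""
    bindir = os.path.join(directory, "bin")
    os.makedirs(bindir, exist_ok=True)
    link = os.path.join(bindir, "python3")
    os.symlink(os.path.realpath(sys.executable), link)
    return link


def demo_venv_link() -> Tuple[str, str, str]:
    """Constructed venv-style symlink in a temp dir; returns (link, resolved, expected)."""
    with tempfile.TemporaryDirectory() as d:
        link = make_venv_style_link(d)
        resolved = resolve_usdt_target(link)
    return link, resolved, os.path.realpath(sys.executable)


if __name__ == "__main__":
    link, target, _ = demo_venv_link()
    print(link, "->", target)
    print(usdt_probe_header(target, "function__entry"))
    try:
        print(supervisor_argv("/tmp/.secimport/bpftrace_sandbox_os.bt", os.getpid(),
                              "/tmp/.secimport/bpftrace_sandbox_os.log"))
    except RuntimeError as exc:
        print("refusing to start:", exc)
```

One more caveat on the transcript's command line: in sh, `cmd &2>/dev/null` parses as `cmd &` followed by a bare `2>/dev/null`, so the supervisor's stderr is never redirected (which is why the bpftrace errors reach the terminal); passing an argv list to `subprocess` with explicit `stdout`/`stderr` arguments sidesteps that class of mistake entirely.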
Thank you very much for your time and feedback! I have fixed the following notes in the codebase and implemented tests for bpftrace. I also updated the
Next - I'm implementing the YAML template feature for bpftrace, just like we have for dtrace. https://github.com/avilum/secimport/blob/master/docs/YAML_PROFILES.md