鳩小屋

Scratchpad

Tracee: a container tracer

This time the topic is tracee, a container tracer led by Aqua Security.
Since it uses eBPF to hook system calls, I think Sysdig's Falco is a similar tool.
aquasecurity.github.io

Installation

# Build the eBPF module
$ git clone --recursive https://github.com/aquasecurity/tracee.git
$ cd tracee
$ make bpf
$ ls
tracee.bpf.5_11_0-25-generic.v0_6_0-7-g26a9eb2.o  tracee.bpf.core.o

Mount the eBPF module into the tracee container and start it.

# docker run --privileged -it -v /path/in/host/tracee.bpf.5_11_0-25-generic.v0_6_0-7-g26a9eb2.o:/path/in/container/tracee.bpf.o -e TRACEE_BPF_FILE=/path/in/container/tracee.bpf.o aquasec/tracee
Loaded signature(s):  [TRC-1 TRC-2 TRC-3 TRC-4 TRC-5 TRC-6 TRC-7]

Seven signatures appear to have been loaded, but nothing in particular is printed.

Trying it out

The signature feature is said to be under active development.
The current signatures list malware-like behaviours such as anti-debugging and code injection.

Signature feature

We are currently working on creating a library of behavioral signature detections. Currently, the following are available:

Name                                Description
Standard Input/Output Over Socket   Redirection of process's standard input/output to socket
Anti-Debugging                      Process uses anti-debugging technique to block debugger
Code injection                      Possible code injection into another process
Dynamic Code Loading                Writing to executable allocated memory region
Fileless Execution                  Executing a process from memory, without a file in the disk
kernel module loading               Attempt to load a kernel module detection
LD_PRELOAD                          Usage of LD_PRELOAD to allow hooks on process

This time I'll check the anti-debugging detection.

# Start an arbitrary container.
$ sudo docker run --rm -it ubuntu
root@d23f0851e601:/#

# Prepare the debugger-detection program
$ nano antidebug.c
#include <stdio.h>
#include <sys/ptrace.h>

int main()
{
        /* PTRACE_TRACEME fails when a tracer (debugger) is already attached */
        if (ptrace(PTRACE_TRACEME, 0, 1, 0) < 0) {
                printf("Debugging Detected , Fuck You !\n");
                return 1;
        }
        printf("Normal Execution\n");
        return 0;
}

$ gcc antidebug.c

# Copy the debugger-detection program into the container
$ docker cp a.out d23f0851e601:/a.out

# Run the debugger-detection program in the container
root@d23f0851e601:/# ./a.out
Normal Execution

When the debugger-detection program was run in the container, an Anti-Debugging alert was printed on the tracee container's console.
Oh, it works.

# docker run --privileged -it -v /path/in/host/tracee.bpf.5_11_0-25-generic.v0_6_0-7-g26a9eb2.o:/path/in/container/tracee.bpf.o -e TRACEE_BPF_FILE=/path/in/container/tracee.bpf.o aquasec/tracee
Loaded signature(s):  [TRC-1 TRC-2 TRC-3 TRC-4 TRC-5 TRC-6 TRC-7]

Detection
Time: 2021-08-08T12:52:30Z
Signature ID: TRC-2
Signature: Anti-Debugging
Data: map[]
Command: a.out
Hostname: d23f0851e601

The signatures seem to be written in the Rego language.
Since there is also a MITRE ATT&CK entry, perhaps the implementation approach is similar to falco's.

package tracee.TRC_2

__rego_metadoc__ := {
    "id": "TRC-2",
    "version": "0.1.0",
    "name": "Anti-Debugging",
    "description": "Process uses anti-debugging technique to block debugger",
    "tags": ["linux", "container"],
    "properties": {
        "Severity": 3,
        "MITRE ATT&CK": "Defense Evasion: Execution Guardrails",
    }
}

tracee_selected_events[eventSelector] {
    eventSelector := {
        "source": "tracee",
        "name": "ptrace"
    }
}

tracee_match {
    input.eventName == "ptrace"
    arg := input.args[_]
    arg.name == "request"
    arg.value == "PTRACE_TRACEME"
}
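As an added example (not part of the original post or of Tracee itself), here is the TRC-2 logic above re-implemented in Python: the event selector followed by the ptrace/PTRACE_TRACEME argument match, run over three constructed Tracee-style events so you can see which one produces the detection record printed earlier. The event field names (source, eventName, processName, hostName, args) are assumptions modelled on the Rego input.

```python
# Added example (not from the original post or from Tracee): the TRC-2 logic
# above re-implemented in Python and run over constructed events.

SIGNATURE = {  # mirrors __rego_metadoc__ and tracee_selected_events
    "id": "TRC-2",
    "name": "Anti-Debugging",
    "selected_events": {("tracee", "ptrace")},
}

def selected(event):
    """tracee_selected_events: only events whose (source, name) is selected are evaluated."""
    return (event.get("source"), event.get("eventName")) in SIGNATURE["selected_events"]

def match(event):
    """tracee_match: eventName is ptrace and some arg named 'request' equals PTRACE_TRACEME."""
    if event.get("eventName") != "ptrace":
        return False
    return any(arg.get("name") == "request" and arg.get("value") == "PTRACE_TRACEME"
               for arg in event.get("args", []))

def evaluate(events):
    """Return one detection per matching event, shaped like the console output above."""
    return [
        {"Signature ID": SIGNATURE["id"], "Signature": SIGNATURE["name"],
         "Command": ev.get("processName"), "Hostname": ev.get("hostName")}
        for ev in events if selected(ev) and match(ev)
    ]

# Constructed sample events; field names are assumptions modelled on the Rego input.
SAMPLE_EVENTS = [
    # the a.out program from this post calling ptrace(PTRACE_TRACEME, ...)
    {"source": "tracee", "eventName": "ptrace", "processName": "a.out", "hostName": "d23f0851e601",
     "args": [{"name": "request", "value": "PTRACE_TRACEME"}, {"name": "pid", "value": 0}]},
    # a debugger attaching to another process: ptrace, but not the TRACEME request
    {"source": "tracee", "eventName": "ptrace", "processName": "gdb", "hostName": "d23f0851e601",
     "args": [{"name": "request", "value": "PTRACE_ATTACH"}, {"name": "pid", "value": 4242}]},
    # an unrelated event that the selector never passes to tracee_match
    {"source": "tracee", "eventName": "openat", "processName": "a.out", "hostName": "d23f0851e601",
     "args": [{"name": "pathname", "value": "/etc/localtime"}]},
]

if __name__ == "__main__":
    for detection in evaluate(SAMPLE_EVENTS):
        print(detection)
```

Only the first event yields a detection; a debugger's own PTRACE_ATTACH passes the selector but not the match, so it is not reported by this signature.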

Trace feature

Running the trace subcommand prints what looks like a system call trace log.
It looks usable for forensics.
Given the name Tracee, tracing is presumably the main feature, but if the signature set is fleshed out it also looks promising as an EDR tool.

# docker run --privileged -it -v /path/in/host/tracee.bpf.123.o:/path/in/container/tracee.bpf.o -e TRACEE_BPF_FILE=/path/in/container/tracee.bpf.o aquasec/tracee trace
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
...
13:36:50:056945  1000   dbus-daemon      1835    1835    0                close                fd: 9
13:36:50:059291  1000   snap-store       2279    2279    0                security_file_open   pathname: /usr/share/zoneinfo/Japan, flags: O_RDONLY|O_LARGEFILE, dev: 7340033, inode: 9322
13:36:50:059272  1000   snap-store       2279    2279    16               openat               dirfd: -100, pathname: /etc/localtime, flags: O_RDONLY, mode: 0
13:36:50:059416  1000   snap-store       2279    2279    0                fstat                fd: 16, statbuf: 0x7FFFBE8FF1D0
13:36:50:059466  1000   snap-store       2279    2279    0                close                fd: 16
13:36:50:059629  1000   snap-store       2279    2279    0                security_file_open   pathname: /usr/share/zoneinfo/Japan, flags: O_RDONLY|O_LARGEFILE, dev: 7340033, inode: 9322
13:36:50:059617  1000   snap-store       2279    2279    16               openat               dirfd: -100, pathname: /etc/localtime, flags: O_RDONLY, mode: 0
13:36:50:059712  1000   snap-store       2279    2279    0                fstat                fd: 16, statbuf: 0x7FFFBE8FF1D0
13:36:50:059746  1000   snap-store       2279    2279    0                close                fd: 16
13:36:50:106080  118    pool-whoopsie    838     8281    0                security_file_open   pathname: /etc/services, flags: O_RDONLY|O_LARGEFILE, dev: 8388611, inode: 1704147
13:36:50:106070  118    pool-whoopsie    838     8281    11               openat               dirfd: -100, pathname: /etc/services, flags: O_RDONLY|O_CLOEXEC, mode: 0
13:36:50:106162  118    pool-whoopsie    838     8281    0                close                fd: 11
13:36:50:106192  118    pool-whoopsie    838     8281    0                security_file_open   pathname: /etc/services, flags: O_RDONLY|O_LARGEFILE, dev: 8388611, inode: 1704147
13:36:50:106187  118    pool-whoopsie    838     8281    11               openat               dirfd: -100, pathname: /etc/services, flags: O_RDONLY|O_CLOEXEC, mode: 0
13:36:50:106238  118    pool-whoopsie    838     8281    0                close                fd: 11
13:36:50:106402  118    pool-whoopsie    838     8281    0                security_socket_create family: AF_NETLINK, type: SOCK_RAW, protocol: 0, kern: 0
13:36:50:106398  118    pool-whoopsie    838     8281    11               socket               domain: AF_NETLINK, type: SOCK_RAW|SOCK_CLOEXEC, protocol: 0
13:36:50:106429  118    pool-whoopsie    838     8281    0                bind                 sockfd: 11, addr: {'sa_family': 'AF_NETLINK'}, addrlen: 12
13:36:50:106465  118    pool-whoopsie    838     8281    0                getsockname          sockfd: 11, addr: {'sa_family': 'AF_NETLINK'}, addrlen: 0x7F9770D5A3D4
13:36:50:106538  118    pool-whoopsie    838     8281    0                close                fd: 11
13:36:50:106577  118    pool-whoopsie    838     8281    0                security_file_open   pathname: /etc/hosts, flags: O_RDONLY|O_LARGEFILE, dev: 8388611, inode: 1704099
13:36:50:106572  118    pool-whoopsie    838     8281    11               openat               dirfd: -100, pathname: /etc/hosts, flags: O_RDONLY|O_CLOEXEC, mode: 0
13:36:50:106632  118    pool-whoopsie    838     8281    0                close                fd: 11
13:36:50:106668  118    pool-whoopsie    838     8281    0                security_socket_create family: AF_INET, type: SOCK_DGRAM, protocol: 0, kern: 0
13:36:50:106665  118    pool-whoopsie    838     8281    11               socket               domain: AF_INET, type: SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, protocol: 0
13:36:50:106707  118    pool-whoopsie    838     8281    0                security_socket_connect sockfd: 11, remote_addr: {'sa_family': 'AF_INET','sin_port': '53','sin_addr': '127.0.0.53'}
13:36:50:106702  118    pool-whoopsie    838     8281    0                connect              sockfd: 11, addr: {'sa_family': 'AF_INET','sin_port': '53','sin_addr': '127.0.0.53'}, addrlen: 16
13:36:50:107084  101    systemd-resolve  592     592     0                security_socket_create family: AF_INET, type: SOCK_DGRAM, protocol: 0, kern: 0
13:36:50:107081  101    systemd-resolve  592     592     16               socket               domain: AF_INET, type: SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, protocol: 0
13:36:50:107142  101    systemd-resolve  592     592     0                security_socket_connect sockfd: 16, remote_addr: {'sin_addr': '192.168.11.1','sa_family': 'AF_INET','sin_port': '53'}
13:36:50:107138  101    systemd-resolve  592     592     0                connect              sockfd: 16, addr: {'sa_family': 'AF_INET','sin_port': '53','sin_addr': '192.168.11.1'}, addrlen: 16
13:36:50:138031  101    systemd-resolve  592     592     0                close                fd: 16
13:36:50:138165  118    pool-whoopsie    838     8281    0                close                fd: 11
13:36:50:138236  118    pool-whoopsie    838     8281    0                security_socket_create family: AF_INET, type: SOCK_DGRAM, protocol: 0, kern: 0
13:36:50:138200  118    pool-whoopsie    838     8281    11               socket               domain: AF_INET, type: SOCK_DGRAM|SOCK_CLOEXEC, protocol: 0
13:36:50:138273  118    pool-whoopsie    838     8281    0                security_socket_connect sockfd: 11, remote_addr: {'sin_addr': '162.213.33.108','sa_family': 'AF_INET','sin_port': '0'}
13:36:50:138268  118    pool-whoopsie    838     8281    0                connect              sockfd: 11, addr: {'sa_family': 'AF_INET','sin_port': '0','sin_addr': '162.213.33.108'}, addrlen: 16
13:36:50:138301  118    pool-whoopsie    838     8281    0                getsockname          sockfd: 11, addr: {'sa_family': 'AF_INET','sin_port': '35285','sin_addr': '10.0.2.15'}, addrlen: 0x7F9770D5A540
13:36:50:138317  118    pool-whoopsie    838     8281    0                connect              sockfd: 11, addr: {'sa_family': 'AF_UNSPEC'}, addrlen: 16
13:36:50:138334  118    pool-whoopsie    838     8281    0                security_socket_connect sockfd: 11, remote_addr: {'sa_family': 'AF_INET','sin_port': '0','sin_addr': '162.213.33.132'}
13:36:50:138330  118    pool-whoopsie    838     8281    0                connect              sockfd: 11, addr: {'sin_addr': '162.213.33.132','sa_family': 'AF_INET','sin_port': '0'}, addrlen: 16
13:36:50:138349  118    pool-whoopsie    838     8281    0                getsockname          sockfd: 11, addr: {'sa_family': 'AF_INET','sin_port': '57882','sin_addr': '10.0.2.15'}, addrlen: 0x7F9770D5A540
13:36:50:138371  118    pool-whoopsie    838     8281    0                close                fd: 11
13:36:50:181517  1000   gnome-shell      1982    1982    0                cap_capable          cap: CAP_SYS_ADMIN
13:36:50:181618  1000   gnome-shell      1982    1982    0                cap_capable          cap: CAP_SYS_ADMIN
13:36:50:181730  1000   gnome-shell      1982    1982    0                cap_capable          cap: CAP_SYS_ADMIN
13:36:50:181908  1000   gnome-shell      1982    1982    0                cap_capable          cap: CAP_SYS_ADMIN
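As an added example (not from the original post or from Tracee), here is a small Python parser for the trace table above. It splits each row into the eight columns (TIME, UID, COMM, PID, TID, RET, EVENT, ARGS), skips the header and "..." filler, and summarises per command the remote addresses seen in security_socket_connect events, which is the kind of question you would ask of this log during a forensic review. The sample rows are copied from the output above.

```python
# Added example (not from the original post or from Tracee): parse rows of
# `tracee trace` output and summarise outbound connections per command.
import re

COLUMNS = ("time", "uid", "comm", "pid", "tid", "ret", "event", "args")
ADDR_RE = re.compile(r"'sin_addr': '([^']+)'")
PORT_RE = re.compile(r"'sin_port': '(\d+)'")

def parse_line(line):
    """Split one row into its 8 columns (ARGS keeps its spaces); None for header/filler lines."""
    parts = line.split(None, 7)
    if len(parts) < 7 or not parts[0][:2].isdigit():
        return None
    if len(parts) == 7:
        parts.append("")  # event that has no ARGS column
    row = dict(zip(COLUMNS, parts))
    for key in ("uid", "pid", "tid"):
        row[key] = int(row[key])
    return row

def outbound_connects(lines):
    """Map each COMM to the set of (ip, port) pairs seen in security_socket_connect events."""
    seen = {}
    for line in lines:
        row = parse_line(line)
        if row is None or row["event"] != "security_socket_connect":
            continue
        ip, port = ADDR_RE.search(row["args"]), PORT_RE.search(row["args"])
        if ip and port:
            seen.setdefault(row["comm"], set()).add((ip.group(1), int(port.group(1))))
    return seen

# Sample rows copied from the trace output above (header and "..." filler included).
SAMPLE_TRACE = [
    "TIME             UID    COMM             PID     TID     RET              EVENT                ARGS",
    "...",
    "13:36:50:056945  1000   dbus-daemon      1835    1835    0                close                fd: 9",
    "13:36:50:106707  118    pool-whoopsie    838     8281    0                security_socket_connect sockfd: 11, remote_addr: {'sa_family': 'AF_INET','sin_port': '53','sin_addr': '127.0.0.53'}",
    "13:36:50:107142  101    systemd-resolve  592     592     0                security_socket_connect sockfd: 16, remote_addr: {'sin_addr': '192.168.11.1','sa_family': 'AF_INET','sin_port': '53'}",
    "13:36:50:138273  118    pool-whoopsie    838     8281    0                security_socket_connect sockfd: 11, remote_addr: {'sin_addr': '162.213.33.108','sa_family': 'AF_INET','sin_port': '0'}",
    "13:36:50:138334  118    pool-whoopsie    838     8281    0                security_socket_connect sockfd: 11, remote_addr: {'sa_family': 'AF_INET','sin_port': '0','sin_addr': '162.213.33.132'}",
    "13:36:50:181517  1000   gnome-shell      1982    1982    0                cap_capable          cap: CAP_SYS_ADMIN",
]

if __name__ == "__main__":
    for comm, addrs in outbound_connects(SAMPLE_TRACE).items():
        print(comm, sorted(addrs))
```

Note that the log pairs each security_socket_connect (LSM hook) with the matching connect syscall; the parser keys on the LSM event so each connection is counted once.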