Application of Extended Berkeley Packet Filters in Cloud Environment

Total pages: 16 · File type: PDF · Size: 1020 KB

Application of Extended Berkeley Packet Filters in Cloud Environment

Budapesti Műszaki és Gazdaságtudományi Egyetem
Villamosmérnöki és Informatikai Kar
Távközlési és Médiainformatikai Tanszék

Master's thesis (Diplomaterv)
Author: Bartha Csongor
Consultant: Dr. Simon Csaba
Industrial consultant: Szabó Gergely
December 21, 2019

Contents

Kivonat (Hungarian abstract) 6
Abstract 7
1 Introduction 8
2 Berkeley Packet Filter mechanisms and system components 9
  2.1 Concepts 9
    2.1.1 Cloud computing 9
    2.1.2 Kubernetes 9
    2.1.3 User- and kernelspace 10
    2.1.4 System calls 10
    2.1.5 Userspace packet-filtering 10
  2.2 The classic Berkeley Packet Filters 12
    2.2.1 Compiling cBPF 12
    2.2.2 PCAP 13
    2.2.3 Tcpdump 14
  2.3 Extended Berkeley Packet Filters 14
    2.3.1 How eBPF works 15
    2.3.2 Code verification 16
    2.3.3 Compiling eBPF 17
    2.3.4 XDP - eXpress Data Path 18
    2.3.5 An eBPF vulnerability 19
    2.3.6 The overhead of eBPF 20
    2.3.7 Further possibilities 20
  2.4 Monitoring toolset 21
    2.4.1 Prometheus 21
    2.4.2 Grafana 21
    2.4.3 AlertManager 21
  2.5 Projects leveraging eBPF technology 21
    2.5.1 Tools and libraries using eBPF 23
3 The main approaches of programming eBPF 26
  3.1 Raw BPF 26
  3.2 BCC - BPF Compiler Collection 26
    3.2.1 Probe-types 27
  3.3 High level tracing languages 28
    3.3.1 BPFtrace 28
    3.3.2 DTrace 30
    3.3.3 Ply 31
4 eBPF in practice 32
  4.1 Using eBPF in Kubernetes 32
    4.1.1 Cilium 34
    4.1.2 Weave Scope 35
  4.2 Tracing and monitoring with BCC and BPFtrace 36
    4.2.1 BCC 36
    4.2.2 BPFtrace 37
  4.3 BCC in practice 37
    4.3.1 The BPF section 38
    4.3.2 The Python section 40
    4.3.3 Getting data from the kernel 41
  4.4 The ebpf-exporter 43
    4.4.1 Configuration and structure 43
5 The implementation in Kubernetes 45
  5.1 The infrastructure of the Kubernetes cluster 46
  5.2 Setting up Prometheus 47
    5.2.1 General configuration 47
  5.3 Creating the ebpf exporter 49
    5.3.1 The Dockerfile 49
    5.3.2 Privileged mode 50
    5.3.3 Accessing the image from Google Cloud Platform 51
  5.4 Deploying the monitoring stack in Kubernetes 52
    5.4.1 Deploying the exporter 52
    5.4.2 Deploying Prometheus 56
    5.4.3 Deploying Grafana 62
  5.5 The BPF programs in the exporter 63
    5.5.1 Cachestat 63
    5.5.2 Tcp-counter 64
    5.5.3 The resulting time-series 66
6 Measuring system performance 67
  6.1 The test system 67
    6.1.1 Using Prometheus 67
    6.1.2 The exporters 68
    6.1.3 Visualizing the data with Grafana 72
  6.2 Programs and scripts for testing 73
    6.2.1 Testing tcp-counter 73
    6.2.2 Testing cachestat 75
    6.2.3 The spikes on the graphs 76
  6.3 Discussion 78
7 Summary 79
Bibliography 84
Appendices 85
  A.1 Filelife 85
  A.2 Ebpf-exporter Dockerfile 87
  A.3 The yaml file configuring the ebpf-exporter daemonset 88
  A.4 The yaml file of the configMap for Prometheus 90

STUDENT DECLARATION

I, the undersigned Bartha Csongor, a final-year student, declare that I prepared this thesis myself, without unauthorised help, using only the sources listed (literature, tools, etc.). Every part that I took from another source, either verbatim or with the same meaning but reworded, I have clearly marked with a reference to the source. I consent to the BME VIK publishing the basic data of this work (author(s), title, abstract in English and Hungarian, year of preparation, name of the consultant(s)) in a publicly accessible electronic form, and the full text of the work via the university's internal network (or for authenticated users). I declare that the submitted work and its electronic version are identical. For theses classified with the Dean's permission, the text of the thesis becomes accessible only after 3 years have elapsed.

Budapest, December 21, 2019
Bartha Csongor, student

Abstract (Hungarian)

One important component of modern cloud-based solutions is the Kubernetes container management system. When operating highly complex services deployed in Kubernetes clusters, monitoring the performance of the containers and other resources making up the system is indispensable, since it largely determines the quality of those services. In my thesis I present the effective monitoring options available, as well as the new variant of the Berkeley Packet Filter (extended Berkeley Packet Filter - eBPF) that I selected for monitoring the performance of a Kubernetes system. eBPF is a general-purpose Linux kernel mechanism which, beyond packet-handling rules written in user space, also allows simple programs to be run in the kernel via various attachment points ("probes"), through which arbitrary data can be extracted about the given system. I describe the eBPF programming process in detail and review the more important eBPF-based use cases currently available. I present the design of an eBPF-based Kubernetes monitoring system, its components and the steps of its implementation. Based on measurements I examine how it can be applied to monitoring two resource types (TCP network traffic and cache memory). I close my thesis with an evaluation of the results and possibilities for future extension.

Abstract

The wide-scale adoption of container-based virtualization technologies is supported by the Kubernetes container management system, which provides the required tools to implement reliable and scalable services. When operating services of great complexity, creating a monitoring system for the containers and all kinds of computing resources that make up a Kubernetes cluster is indispensable, as it influences the quality of those services to a great extent. In my thesis I present how the Berkeley Packet Filter, and especially its enhanced version (the extended Berkeley Packet Filter - eBPF), can be used for detailed monitoring of cloud systems. eBPF is a Linux kernel mechanism that lets packet-filtering and other small data-collection programs, written in user space, execute inside the kernel by attaching to different kinds of probes. I present eBPF in detail, including its programming possibilities and its applications, with special focus on the networking and monitoring areas. I also illustrate the more important currently available use cases related to eBPF. I present the design of an eBPF-based Kubernetes monitoring system along with its components and the detailed steps of its implementation. I examine how this system can be used for collecting metrics and monitoring two kinds of resources (TCP network traffic and cache memory). I finish my thesis by evaluating the results of the measurements with the help of some of the most popular monitoring tools, and also cover how this system could be extended in the future.

1. Introduction

Nowadays, more and more companies and projects are shifting their focus to container-based virtualization. Containers have taken the place of virtual machines in many different areas, especially in cloud services, primarily because of the containers' much higher performance and lower costs. The cloud model provides convenient, on-demand access to customizable, shared resources like servers, networks, services, etc. with ideal operational management costs compared to traditional models. Cloud services are also scalable and provide high availability.

One of the fundamental concepts treated in this thesis is the Berkeley Packet Filter (BPF), which is an in-kernel virtual machine with the initial purpose of network packet filtering and processing [39]. The later iterations of BPF, called Extended Berkeley Packet Filters (eBPF), however, offer many more possibilities - the ability to define programs in user space and execute them in the kernel in a protocol-independent way, while saving a great amount of
Recommended publications
  • Jitk: a Trustworthy In-Kernel Interpreter Infrastructure
    Jitk: A trustworthy in-kernel interpreter infrastructure. Xi Wang, David Lazar, Nickolai Zeldovich, Adam Chlipala, Zachary Tatlock (MIT and University of Washington). Modern OSes run untrusted user code in the kernel through in-kernel interpreters: Seccomp (sandboxing, Linux), BPF (packet filtering), INET_DIAG (socket monitoring), DTrace (instrumentation). These are critical to overall system security: any interpreter bug is serious. Many bugs have been found in interpreters. Kernel-space bugs: control flow errors (incorrect jump offset, ...), arithmetic errors (incorrect result, ...), memory errors (buffer overflow, ...), information leaks (uninitialized read). Kernel-user interface bugs: incorrect encoding/decoding. User-space bugs: incorrect input generated by tools/libraries. Some have security consequences: CVE-2014-2889, ... (see the paper for a case study of bugs). How to get rid of all these bugs at once? Theorem proving can help kill all these bugs: seL4, a provably correct microkernel [SOSP'09]; CompCert, a provably correct C compiler [CACM'09]. This talk: Jitk, a provably correct interpreter for running untrusted user code, a drop-in replacement for Linux's seccomp, built using the Coq proof assistant and CompCert. Theorem proving overview: specification, proof, implementation. The proof is machine-checkable (Coq proof assistant): a correct specification together with the proof gives a correct implementation, and the specification should be much simpler than the implementation. Challenges: What is the specification? How to translate systems properties into proofs? How to extract a running
  • Chapter 1. Origins of Mac OS X
    Chapter 1. Origins of Mac OS X. "Most ideas come from previous ideas." Alan Curtis Kay. The Mac OS X operating system represents a rather successful coming together of paradigms, ideologies, and technologies that have often resisted each other in the past. A good example is the cordial relationship that exists between the command-line and graphical interfaces in Mac OS X. The system is a result of the trials and tribulations of Apple and NeXT, as well as their user and developer communities. Mac OS X exemplifies how a capable system can result from the direct or indirect efforts of corporations, academic and research communities, the Open Source and Free Software movements, and, of course, individuals. Apple has been around since 1976, and many accounts of its history have been told. If the story of Apple as a company is fascinating, so is the technical history of Apple's operating systems. In this chapter,[1] we will trace the history of Mac OS X, discussing several technologies whose confluence eventually led to the modern-day Apple operating system. [1] This book's accompanying web site (www.osxbook.com) provides a more detailed technical history of all of Apple's operating systems. 1.1. Apple's Quest for the[2] Operating System. [2] Whereas the word "the" is used here to designate prominence and desirability, it is an interesting coincidence that "THE" was the name of a multiprogramming system described by Edsger W. Dijkstra in a 1968 paper. It was March 1988. The Macintosh had been around for four years.
  • Packet Capture Procedures on Cisco Firepower Device
    Packet Capture Procedures on Cisco Firepower Device. Contents: Introduction; Prerequisites (Requirements, Components Used); Steps to Capture Packets; Copy a Pcap File. Introduction: This document describes how to use the tcpdump command in order to capture packets that are seen by a network interface of your Firepower device. It uses Berkeley Packet Filter (BPF) syntax. Prerequisites. Requirements: Cisco recommends that you have knowledge of the Cisco Firepower device and the virtual device models. Components Used: This document is not restricted to specific software and hardware versions. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Warning: If you run the tcpdump command on a production system, it can impact network performance. Steps to Capture Packets: Log in to the CLI of your Firepower device. In versions 6.1 and later, enter capture-traffic. For example:
    > capture-traffic
    Please choose domain to capture traffic from:
    0 - eth0
    1 - Default Inline Set (Interfaces s2p1, s2p2)
    In versions 6.0.x.x and earlier, enter system support capture-traffic. For example:
    > system support capture-traffic
    Please choose domain to capture traffic from:
    0 - eth0
    1 - Default Inline Set (Interfaces s2p1, s2p2)
    After you make a selection, you will be prompted for options: "Please specify tcpdump options desired. (or enter '?' for a list of supported options) Options:". In order to capture sufficient data from the packets, it is necessary to use the -s option in order to set the snaplength correctly.
  • Ebpf-Based Content and Computation-Aware Communication for Real-Time Edge Computing
    eBPF-based Content and Computation-aware Communication for Real-time Edge Computing. Sabur Baidya, Yan Chen and Marco Levorato (Donald Bren School of Information and Computer Science, UC Irvine; America Software Laboratory, Huawei). Abstract: By placing computation resources within a one-hop wireless topology, the recent edge computing paradigm is a key enabler of real-time Internet of Things (IoT) applications. In the context of IoT scenarios where the same information from a sensor is used by multiple applications at different locations, the data stream needs to be replicated. However, the transportation of parallel streams might not be feasible due to limitations in the capacity of the network transporting the data. To address this issue, a content and computation-aware communication control framework is proposed based on the Software Defined Network (SDN) paradigm. The framework supports multi-streaming using the extended Berkeley Packet Filter (eBPF), where the traffic flow and packet replication for each specific computation process is controlled by a program running inside an in-kernel Virtual Machine (VM). [...] interference constraints on IoT data streams and facilitate their coexistence. In this paper, we propose a computation-aware communication control framework for real-time IoT applications generating high-volume data traffic processed at the network edge. Driven by QoC requirements, the framework provides real-time user-controlled packet replication and forwarding inside the in-kernel Virtual Machines (VM) using an extended Berkeley Packet Filter (eBPF) [9]. The implementation uses the concepts of SDN and NFV to achieve highly programmable and dynamic packet replication. Resource allocation is semantic and content-aware, and, in the considered case,
  • Monitoring Container Environment with Prometheus and Grafana
    Matti Holopainen. Monitoring Container Environment with Prometheus and Grafana. Metropolia University of Applied Sciences, Bachelor of Engineering, Information and Communication Technology, Bachelor's Thesis, 3.5.2021. Abstract (Finnish). Author: Matti Holopainen. Title: Monitoring Container Environment with Prometheus and Grafana. Number of pages: 50 pages. Date: 3.5.2021. Degree: Bachelor of Engineering (Insinööri AMK). Degree programme: Information and Communication Technology. Professional major: Software Engineering. Supervisors: Nina Simola, Project Manager; Auvo Häkkinen, Principal Lecturer. The goal of this engineering thesis was to learn how to set up a monitoring system for tracking, monitoring and analysing the resource usage of a container environment. The aim was to make the deployment of a monitoring system easier. The work was based on the documentation of the software used and on lessons learned through hands-on practice. The thesis begins by reviewing the technologies used in the work. After that, the configuration and deployment of the monitoring system are covered. Next, the PromQL query language is introduced, after which it is shown how to set up a monitoring dashboard and alerts with e-mail notifications. At the end of the work, it is covered how the data obtained from the monitoring system is analysed, and it is considered how the monitoring system could be improved. Keywords: Monitoring, Container, Prometheus, Grafana, Docker. Abstract. Author: Matti Holopainen. Title: Monitoring Container Environment with Prometheus and Grafana. Number of Pages: 50 pages. Date: 3.5.2021. Degree: Bachelor of Engineering. Degree Programme: Information
  • Security Bugs in Embedded Interpreters
    Security bugs in embedded interpreters. Citation: Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich, and M. Frans Kaashoek. 2013. Security bugs in embedded interpreters. In Proceedings of the 4th Asia-Pacific Workshop on Systems (APSys '13). ACM, New York, NY, USA, Article 17, 7 pages. As published: http://dx.doi.org/10.1145/2500727.2500747. Version: Author's final manuscript (Open Access). Citable link: http://hdl.handle.net/1721.1/86887. Terms of use: Creative Commons Attribution-Noncommercial-Share Alike, http://creativecommons.org/licenses/by-nc-sa/4.0/. Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich, M. Frans Kaashoek, MIT CSAIL. Abstract: Because embedded interpreters offer flexibility and performance, they are becoming more prevalent, and can be found at nearly every level of the software stack. As one example, the Linux kernel defines languages to describe packet filtering rules and uses embedded interpreters to filter packets at run time. As another example, the RAR archive format allows embedding bytecode in compressed files to describe reversible transformations for decompres- [...] Embedded interpreters raise interesting security concerns. First, many real-world systems do not adopt sandboxing techniques such as process isolation [20] or software fault isolation [28] for embedded interpreters, possibly due to performance considerations. Consequently, a compromise of the interpreter is likely to lead to a compromise of the host system as well. Second, embedded interpreters often validate untrusted bytecode using ad-hoc rules, which is error-prone.
  • Host-Based Anomaly Detection with Extended BPF
    Host-Based Anomaly Detection with Extended BPF. COMP4906 Honours Thesis, William Findlay, April 5, 2020. Under the supervision of Dr. Anil Somayaji, Carleton University. Abstract: System introspection is becoming an increasingly attractive option for maintaining operating system stability and security. This is primarily due to the many recent advances in system introspection technology; in particular, the 2013 introduction of Extended Berkeley Packet Filter (eBPF) into the Linux Kernel [63, 64] along with the recent development of more usable interfaces such as the BPF Compiler Collection (bcc) [29] has resulted in a highly compelling, performant, and (perhaps most importantly) safe subsystem for both kernel and userland instrumentation. The scope, safety, and performance of eBPF system introspection has potentially powerful applications in the domain of computer security. In order to demonstrate this, I present ebpH, an eBPF implementation of Somayaji's [58] Process Homeostasis (pH). ebpH is an intrusion detection system (IDS) that uses eBPF programs to instrument system calls and establish normal behavior for processes, building a profile for each executable on the system; subsequently, ebpH can warn the user when it detects process behavior that violates the established profiles. Experimental results show that ebpH can detect anomalies in process behavior with negligible overhead. Furthermore, ebpH's anomaly detection comes with zero risk to the system thanks to the safety guarantees of eBPF, rendering it an ideal solution for monitoring production systems. This thesis will discuss the design and implementation of ebpH along with the technical challenges which occurred along the way. It will then present experimental data and performance benchmarks that demonstrate ebpH's ability to monitor process behavior with minimal overhead.
  • Securing Linux
    How to Cheat at Securing Linux. Mohan Krishnamurthy, Eric S. Seagren, Raven Alder, Aaron W. Bayles, Josh Burke, Skip Carter, Eli Faskha. Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Elsevier, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. PUBLISHED BY Syngress Publishing, Inc.
  • Experimental Methods for the Evaluation of Big Data Systems Abdulqawi Saif
    Experimental Methods for the Evaluation of Big Data Systems. Abdulqawi Saif. To cite this version: Abdulqawi Saif. Experimental Methods for the Evaluation of Big Data Systems. Computer Science [cs]. Université de Lorraine, 2020. English. NNT: 2020LORR0001. tel-02499941. HAL Id: tel-02499941, https://hal.univ-lorraine.fr/tel-02499941. Submitted on 5 Mar 2020. HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. NOTICE: This document is the result of long work approved by the defence jury and made available to the whole of the wider university community. It is subject to the author's intellectual property. This implies an obligation to cite and reference it when using this document. Furthermore, any counterfeiting, plagiarism or illicit reproduction is liable to criminal prosecution. Contact: [email protected]. LINKS: Code de la Propriété Intellectuelle, articles L 122.4; Code de la Propriété Intellectuelle, articles L 335.2 - L 335.10; http://www.cfcopies.com/V2/leg/leg_droi.php; http://www.culture.gouv.fr/culture/infos-pratiques/droits/protection.htm
  • How to Cheat at Configuring Open Source Security Tools
    Visit us at www.syngress.com. Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site. SOLUTIONS WEB SITE: To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs: Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE E-BOOKS: For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET: Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING: Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations.
  • Pentest-Report Prometheus 05.-06.2018 Cure53, Dr.-Ing
    Dr.-Ing. Mario Heiderich, Cure53, Bielefelder Str. 14, D 10709 Berlin, cure53.de · [email protected]. Pentest-Report Prometheus 05.-06.2018. Cure53, Dr.-Ing. M. Heiderich, M. Wege, MSc. N. Krein, BSc. J. Hector, Dipl.-Ing. A. Inführ, J. Larsson. Index: Introduction; Scope; Test Methodology; Part 1 (Manual Code Auditing); Part 2 (Code-Assisted Penetration Testing); Hardening Recommendations; General Security Recommendations; HTTP Security Headers; Content Security Policy & Beyond; Authentication / Authorization; Non-Idempotent Request Protection; Transport Security; Clients/metrics endpoint; API Endpoint; Admin GUI; Identified Vulnerabilities: PRM-01-001 Web: Prometheus lifecycle killed with CSRF (Medium); PRM-01-003 Web: CORS header exposes API data to all origins (High); PRM-01-005 Server: Clients can cause Denial of Service via Gzip Bomb (Medium); Miscellaneous Issues: PRM-01-002 Client: Clients leak Metrics data through unprotected endpoint (Low); PRM-01-004 Web: Parameters used insecurely in HTML templates (Low); Conclusions. Cure53, Berlin · 06/11/18. Introduction: "An open-source monitoring system with a dimensional data model, flexible query language, efficient time series database and modern alerting approach." From https://prometheus.io/ This report documents the findings of a security assessment targeting the Prometheus software compound and carried out by Cure53 in 2018. It should be noted that the project was sponsored by The Linux Foundation / Cloud Native Computing Foundation. In terms of the scope, the assignment entailed two main components, as the Prometheus project was investigated through both a dedicated source code audit and comprehensive penetration testing.
  • BERKELEY PACKET FILTER: Theory, Practice and Perspectives
    Alma Mater Studiorum · Università di Bologna, Scuola di Scienze, Corso di Laurea in Informatica. BERKELEY PACKET FILTER: theory, practice and perspectives. Supervisor: Chiar.mo Prof. Renzo Davoli. Presented by: Michele Di Stefano. Session II, Academic Year 2019/2020. "All operating systems sucks, but Linux just sucks less." Linus Torvalds. Introduction: Initially the packet filtering mechanism in many Unix versions was implemented in userspace, meaning that each packet was copied from kernel space to user space before being filtered. This approach proved inefficient compared with the performance shown by the introduction of the BSD classic Berkeley Packet Filter (cBPF). cBPF consists of an assembly language for a virtual machine which resides inside the kernel. The assembly language can be used to write filters that are loaded into the kernel from user space, allowing the filtering to happen in kernel space without copying each packet as before. cBPF use is not limited to just the networking domain; it is also applied as a mechanism to filter system calls through seccomp mode. Seccomp allows the programmer to arbitrarily select which system calls to permit, representing a useful mechanism to implement sandboxing. In order to increase the number of use cases and to update the architecture according to new advancements in modern processors, the virtual machine has been rewritten and new features have been added. The result is the extended Berkeley Packet Filter (eBPF), which consists of a richer assembly, more program types, maps to store key/value pairs and more components. Currently eBPF (or just BPF) is under continuous development and its capacities are evolving, although the main uses are networking and tracing.