13–15 Nov 2023
America/New_York timezone

Sysarmor: Meta's eBPF Security Detection and Enforcement Tool

13 Nov 2023, 15:30
30m
"James River Salon C" (Omni Richmond Hotel)

"James River Salon C"

Omni Richmond Hotel

225
eBPF & Networking Track eBPF & Networking

Speakers

Liam Wisehart (Meta) Shankaran Gnanashanmugam (Meta)

Description

Sysarmor is a security daemon used to detect possible threats, and enforce security rules at Meta. Sysarmor is deployed to higher threat environments, such as: collocated hosts, Meta Network Appliances, development servers, Meta cloud gaming, and public cloud (AWS/GCP). Sysarmor has over 40 BPF based detections, including areas such as: networking, privilege escalation, hardware attacks, rootkits, unknown executables, container creation, and container escape.

The main differentiator between sysarmor and similar BPF based security tools is that sysarmor evaluates its rules inside the bpf program, instead of dispatching events to userspace logic. This allows sysarmor to use BPF-LSM to enforce these rules if desired. Sysarmor rules can make use of process information or container information, as well as hook-specific arguments to make a decision as to whether or not an action is allowed.

The talk will provide an overview Sysarmor, and some of the hooks used, then will discuss several challenging areas the Sysarmor team has worked on:

  1. Efficiently and accurately gathering process information such as executable filename and using it for filtering events.
  2. Gathering container information such as ids and image ids, and associating that information with kernel information such as namespace ids.
  3. Using uprobes in system executables effectively, and associating information from system logs with BPF events.
  4. Using BPF iterators to recreate context after a service restart.

Primary authors

Presentation materials

Diamond Sponsors
Platinum Sponsor
Gold Sponsors
Silver Sponsors
Catchbox Sponsor
Livestream Sponsors
T-Shirt Sponsor
Conference Services Provided by