Application-level Firewalling with eBPF Alexander Kurtz September - PowerPoint PPT Presentation
  1. Application-level Firewalling with eBPF Alexander Kurtz September 18, 2017

  2. Problem statement
  ◮ Server applications generally bind(2) to the wildcard address
  ◮ Most don’t actually need all packets from everywhere, but
  ◮ Firewalling is a system-wide and root-only operation
  ◮ No plugin mechanism to install application-specific rules
  ◮ Even if there were, we would still need root privileges

  3. Motivation What if we could install firewalling rules onto an application socket?
  ◮ Application developers could ship default rules with their program
  ◮ Users would have a generic way to control the network exposure of their applications
  ◮ Everything would be nicely isolated, no need for complex, system-wide rules

  4. Solution (1/3): eBPF
  ◮ eBPF is a general purpose VM in the Linux kernel
  ◮ eBPF bytecode can be attached to a socket to filter incoming packets
  ◮ communication with user-space and local state possible with eBPF maps
  ◮ arbitrary code execution in kernel-space, yet secure™
  ◮ many other applications, e.g. tracing, load-balancing, . . .

  5. Solution (2/3): bcc
  ◮ eBPF is byte code (although very high level)
  ◮ eBPF maps are file descriptors
  ◮ byte code needs to embed the value of these file descriptors
  ◮ did I mention you’ll have to write assembly?
  bcc:
  ◮ LLVM/clang has a backend for eBPF
  ◮ bcc makes this available as an easy-to-use library

  6. Solution (3/3): systemd socket activation
  Old inetd-style socket activation:
  ◮ inetd calls bind(), listen(), and accept()
  ◮ the connection socket gets passed to the application as stdin/stdout
  ◮ nice and simple, but also not very fast
  New systemd-style socket activation:
  ◮ systemd calls bind() and listen()
  ◮ the listening socket gets passed to the application as FD 3
  ◮ still have dynamic server startup, but no performance penalty

  7. Summary
  1. Write an eBPF filter in C
  2. Create a server socket / (take server socket from systemd)
  3. Load and attach filter to socket with bcc
  4. Pass socket to application via systemd socket activation
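The four summary steps carried out in one script, as an added example in Python with bcc (not the author's code): the filter is an IPv4 source allow-list kept in an eBPF map filled from user-space, the socket is the FD 3 that systemd hands over via LISTEN_PID/LISTEN_FDS, and the compiled program is attached with the SO_ATTACH_BPF socket option. Assumed: Linux 4.18 or newer (for bpf_skb_load_bytes_relative), bcc installed, and the privileges bcc needs to load a program; the map name `allowed`, the function names and the sample addresses are mine.

```python
import ctypes as ct
import os
import socket
import struct

# bcc-flavoured eBPF C. bpf_skb_load_bytes_relative (Linux >= 4.18) reads from the
# IP header wherever skb->data points (on a TCP socket that is the TCP header).
FILTER_SRC = r"""
#include <uapi/linux/bpf.h>
#include <uapi/linux/if_ether.h>
BPF_HASH(allowed, u32, u8);   // allow-list: source IPv4 (as stored in memory) -> 1
int filter(struct __sk_buff *skb) {
    if (skb->protocol != bpf_htons(ETH_P_IP))
        return 0;                  // not IPv4: drop
    u32 src = 0;                   // saddr sits at offset 12 of the IPv4 header
    if (bpf_skb_load_bytes_relative(skb, 12, &src, sizeof(src), BPF_HDR_START_NET) < 0)
        return 0;
    return allowed.lookup(&src) ? -1 : 0;   // -1 keeps the packet, 0 drops it
}
"""
SO_ATTACH_BPF = 50         # Linux value; Python's socket module does not export it
SD_LISTEN_FDS_START = 3    # systemd passes the first activated socket as FD 3

def systemd_listen_fds(env=None, pid=None):
    """FDs handed over by systemd socket activation ([] if not activated)."""
    env = os.environ if env is None else env
    pid = os.getpid() if pid is None else pid
    if env.get("LISTEN_PID") != str(pid):
        return []
    n = int(env.get("LISTEN_FDS", "0"))
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + n))

def ipv4_key(addr):
    """Dotted quad -> u32 with the same in-memory bytes the filter compares against."""
    return ct.c_uint32(struct.unpack("=I", socket.inet_aton(addr))[0])

def install_filter(sock_fd, allowed_sources):
    """Compile the filter with bcc, fill the map from user-space, attach it to sock_fd."""
    from bcc import BPF            # lazy: bcc is only needed on the host doing the attach
    b = BPF(text=FILTER_SRC)
    fn = b.load_func("filter", BPF.SOCKET_FILTER)
    for addr in allowed_sources:
        b["allowed"][ipv4_key(addr)] = ct.c_uint8(1)
    sock = socket.socket(fileno=sock_fd)
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_BPF, fn.fd)   # option value is the prog FD
    sock.detach()                  # hand FD 3 on untouched; do not let Python close it
    return b                       # keep alive: dropping it unloads program and map

if __name__ == "__main__":
    for fd in systemd_listen_fds():
        install_filter(fd, ["127.0.0.1", "10.0.0.5"])   # constructed sample allow-list
```

Run it as the ExecStart of a socket-activated unit that then execs the real server, so the filter is already attached when the application inherits FD 3.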

  8. Overview
  [Figure 1: Overview. Diagram of a host: packets from the Internet pass the network-level firewall and the system-level firewall (TCP/UDP ports) before reaching the application-level firewall, which sits between systemd’s socket passing and the application. Application-specific rules written in C are compiled by LLVM/BCC to eBPF bytecode, attached to the socket as a filter and run in the kernel VM, which either forwards the packet to the application or drops it.]

  9. Demo A generic port-knocking filter

  10. Questions Questions?
