BSidesSF 2018 has ended
Monday, April 16 • 4:50pm - 5:20pm
Listen to your Engine: Unearthing Security Signals from the Modern Linux Kernel

Observing all kernel events can be like descending into the steam-engine of an airship – the machinery of system calls can be arcane, complicated and very, very noisy. Buried in this cacophony, though, can be indicators of privilege escalation, resource abuse or side-channel attacks. In this talk, we revisit the well-trodden system call but with fresh eyes (goggles). In a cloud-native world, sandboxing and deployment tools like containerization enable us to gain context for system calls so that we can both understand intent and surface anomalies.

This session will outline the tools needed for “engine work”, ancient and new: from ptrace and kprobes to tracepoints and eBPF. We will walk through system call logs observed during recent attacks, including Shellshock, Apache Struts, and Meltdown. For each attack, I will highlight the system call events that are indicators of the exploit. Then, I’ll generalize a set of high-grade signals that serve as useful indicators for future attacks and propose the work needed to improve system call analysis. Finally, drawing on our deployment of system call logging and analysis at global financial institutions, I’ll share recommendations for applying these methods in your own environments.
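The abstract's central idea, using container context to decide whether a system call is expected, can be shown with a small detector over execve events. The following is an added example written for this page; it is not code from the talk, from the speaker, or from StackRox. The event format (image, parent process, executed path), the field names, and the sample events are all constructed for the demo; a real pipeline would receive such events from a tracepoint or eBPF collector. It learns, per container image, which executables were seen during a quiet baseline window, then raises two signals on live events: an executable never seen in that image, and a shell launched by a non-shell service process.

```python
"""Toy syscall-event anomaly detector keyed on container context.

Added example, not code from the talk or from StackRox. The event schema,
field names and sample events below are constructed for this demo.
"""
import os
from collections import defaultdict

# Constructed execve events as a collector might emit them.
# Keys are assumptions: "image" = container image, "parent" = parent
# process name, "exe" = path passed to execve.
BASELINE_EVENTS = [
    {"image": "web:1.0", "parent": "httpd", "exe": "/usr/sbin/httpd"},
    {"image": "web:1.0", "parent": "httpd", "exe": "/usr/bin/php-cgi"},
    {"image": "db:5.7", "parent": "mysqld", "exe": "/usr/sbin/mysqld"},
]

LIVE_EVENTS = [
    {"image": "web:1.0", "parent": "httpd", "exe": "/usr/bin/php-cgi"},  # seen before: benign
    {"image": "web:1.0", "parent": "httpd", "exe": "/bin/bash"},         # web server spawning a shell
    {"image": "db:5.7", "parent": "mysqld", "exe": "/usr/bin/curl"},     # never seen in this image
]

SHELL_NAMES = {"sh", "bash", "dash", "zsh"}


def is_shell(path_or_name):
    """True if a path or bare process name refers to a common shell."""
    return os.path.basename(path_or_name) in SHELL_NAMES


def build_baseline(events):
    """Map each container image to the set of executables observed for it."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["image"]].add(ev["exe"])
    return baseline


def classify(event, baseline):
    """Return the list of signal names raised by one execve event (empty = benign)."""
    signals = []
    # Unknown images get an empty baseline, so everything they run is flagged.
    known = baseline.get(event["image"], set())
    if event["exe"] not in known:
        signals.append("exe_not_in_image_baseline")
    # A service process (not itself a shell) executing a shell is a classic
    # command-injection indicator regardless of baseline contents.
    if is_shell(event["exe"]) and not is_shell(event["parent"]):
        signals.append("shell_spawned_by_service")
    return signals


def scan(events, baseline):
    """Return {event_index: signals} for every event that raised a signal."""
    hits = {}
    for i, ev in enumerate(events):
        signals = classify(ev, baseline)
        if signals:
            hits[i] = signals
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for idx, sigs in scan(LIVE_EVENTS, base).items():
        ev = LIVE_EVENTS[idx]
        print(f"[{ev['image']}] {ev['parent']} -> {ev['exe']}: {', '.join(sigs)}")
```

The baseline is keyed on the image rather than the host precisely because, as the abstract argues, the container gives the syscall its context: a `curl` from a database image is interesting, while the same binary in a CI image may be routine. The shell rule is deliberately independent of the baseline so that it still fires on an image whose learning window happened to include a compromise.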

Presenters
Robby Cochran

Engineer, StackRox
Robby Cochran is an engineer at StackRox. He obtained his Ph.D. from University of North Carolina at Chapel Hill in 2016 and has co-authored security research that has been presented at the USENIX Symposium on Networked Systems Design and Implementation (NSDI) and the Network and...

Monday April 16, 2018 4:50pm - 5:20pm PDT
City View - Presidio