BSidesSF 2018 has ended
Back To Schedule
Monday, April 16 • 4:50pm - 5:20pm
Listen to your Engine: Unearthing Security Signals from the Modern Linux Kernel

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Observing all kernel events can be like descending into the steam-engine of an airship – the machinery of system calls can be arcane, complicated and very, very noisy. Buried in this cacophony, though, can be indicators of privilege escalation, resource abuse or side-channel attacks. In this talk, we revisit the well-trodden system call but with fresh eyes (goggles). In a cloud-native world, sandboxing and deployment tools like containerization enable us to gain context for system calls so that we can both understand intent and surface anomalies.

This session will outline the tools needed for “engine work”, ancient and new; from ptrace and kprobes to tracepoints and eBPF. We will walk through system call logs observed during recent attacks including: Shellshock, Apache Struts, and Meltdown. For each attack, I will highlight the system call events that are indicators of the exploit. Then, I’ll generalize a set of high-grade signals that serve as useful indicators for future attacks and propose needed work to improve system call analysis. Finally, using learnings from our deployment of system call logging and analysis at global financial institutions, I’ll share recommendations for applying these methods in your own environments.

avatar for Robby Cochran

Robby Cochran

Engineer, StackRox
Robby Cochran is an engineer at StackRox. He obtained his Ph.D. from University of North Carolina at Chapel Hill in 2016 and has co-authored security research that has been presented at the USENIX Symposium on Networked Systems Design and Implementation (NSDI) and the Network and... Read More →

Monday April 16, 2018 4:50pm - 5:20pm PDT
City View - Presidio