
Using BPF to Transform SSH Sessions into Structured Events - twakefield
https://gravitational.com/blog/enhanced-session-recording/
======
russjones
Author of the post here, happy to answer any questions.

~~~
thedance
What's the threat model being addressed here? If someone is trying to act
maliciously there must be a thousand ways around calling exec (for example
just mapping a program and jumping to its main function accomplishes the same
thing).

~~~
ghostpepper
Those two are functionally equivalent but they aren't really the same level of
difficulty, are they?

~~~
saagarjha
Here's how you'd exec:

    #include <unistd.h>
    execv("/path/to/binary", (char *[]){"binary", NULL});

And here's a way to do that without exec:

    #include <dlfcn.h>
    (((int (*)(int, char **))dlsym(dlopen("/path/to/binary", RTLD_LAZY), "main")))(1, (char *[]){"binary", NULL});

A bit uglier, but not all that much harder.

~~~
Rapzid
> dlopen

Doesn't that just end up calling open() and mmap()? Might not have access to
the args passed through at that point, but that's going to leave a trail and
of course anything interesting the mapped program does will end up going
through syscalls (opening other "files").

~~~
saagarjha
Trying to get stuff into your memory that wasn't there before is going to
require at least one syscall.
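The open()/mmap() trail Rapzid describes, as an added bpftrace script that is not from the post or the thread: it follows one session's process tree (root PID passed as `$1`, an assumed invocation) and logs execve alongside the openat and PROT_EXEC mmap calls that loading code by any other route still has to make. Tracepoint names and argument fields are the standard Linux syscall and sched tracepoints; nothing here is Teleport's own code.

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not from the post or the thread): follow one session's
// process tree and log the syscalls that every code-loading path must make.
// Assumed invocation: bpftrace trail.bt <pid of the session's shell>

BEGIN
{
	// $1 is the root PID to track (assumption: the session's interactive shell).
	@tracked[$1] = 1;
	printf("tracking pid %d and its descendants\n", $1);
}

// Children of a tracked process are tracked too.
tracepoint:sched:sched_process_fork
/@tracked[args->parent_pid]/
{
	@tracked[args->child_pid] = 1;
}

// The ordinary path: execve shows up directly.
tracepoint:syscalls:sys_enter_execve
/@tracked[pid]/
{
	printf("exec   pid=%d comm=%s file=%s\n", pid, comm, str(args->filename));
}

// The dlopen path still has to open the file...
tracepoint:syscalls:sys_enter_openat
/@tracked[pid]/
{
	printf("openat pid=%d comm=%s file=%s\n", pid, comm, str(args->filename));
}

// ...and map it executable (PROT_EXEC == 4) before anything in it can run.
tracepoint:syscalls:sys_enter_mmap
/@tracked[pid] && (args->prot & 4)/
{
	printf("mmap   pid=%d comm=%s fd=%d prot=0x%x\n", pid, comm, args->fd, args->prot);
}

// Stop tracking processes that have exited so the map does not grow forever.
tracepoint:sched:sched_process_exit
/@tracked[pid]/
{
	delete(@tracked[pid]);
}
```

The openat probe is deliberately unfiltered: every file the tree opens is printed, which is exactly what makes a binary that was mapped rather than exec'd stand out next to its later PROT_EXEC mmap.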

------
kalium_xyz
BPF is extremely awesome. I can't wait to see more projects using it.

------
justlexi93
It's just that Linux's eBPF system has been extended far, far beyond packet
filtering.

------
cptwunderlich
Since the author, russjones, seems to be here, I'd like to ask a question
regarding writing the actual BPF programs. I've been writing a term paper
about BPF verification, the in-kernel verifier and research like PREVAIL [1],
so I'm curious.

Is writing valid BPF programs really that "hard"? E.g., does one often have to
rewrite programs because the verifier wouldn't accept them? Do you see a need to
extend BPF with more capabilities? (bounded loops have been added in Kernel
5.3, but maybe something else)

Thank you.

[1] [https://vbpf.github.io/](https://vbpf.github.io/)

------
saber6
I never thought about needing streams of information like this, but now that I
am, this is a great way to provide general trace-tooling for containers and
other things!

Very interesting post. Thanks for sharing.

~~~
lstamour
Sure thing, but just to clarify a point you might not be making, don't put
shells and SSH in your containers:
[https://github.com/GoogleContainerTools/distroless#why-should-i-use-distroless-images](https://github.com/GoogleContainerTools/distroless#why-should-i-use-distroless-images)

