Intrusion Detection System based on eBPF, using libbpf-bootstrap
prodigy99/HIDS-eBPF
eBPF-HIDS

Intrusion Detection System based on eBPF

Why eBPF?

Stable: the verifier prevents user-written programs from crashing the kernel; compared with kernel modules, eBPF is more stable.

No installation: eBPF is built into the Linux kernel, so no extra dependencies need to be installed; it works out of the box.

Kernel programming: developers can insert custom code logic (including data collection, analysis and filtering) to run inside the kernel.

Efficient data exchange: data is passed through maps (essentially a form of shared memory), enabling efficient communication between hook points and between user space and kernel space.

Branches

  • main ------ main branch; implements intrusion detection only
  • lsm ------- KRSI-based kernel runtime security instrumentation; function-level intrusion blocking via LSM hook points
  • send_signal ------ sends signals via the bpf_send_signal() helper to implement process-level intrusion blocking

eBPF-HIDS source code

# hids source code
./hids/config.h
./hids/utils.h
./hids/hids.h
./hids/hids.bpf.c
./hids/hids.c
./hids/com_funaddr.c
# bpftrace scripts that trace various system-call sequences
./demo/*.c    # bpftrace tracing scripts
./demo/*.txt  # the resulting system-call sequences

Install Dependencies

This project uses the CO-RE feature. The repository ships its own vmlinux.h, so local compilation is supported directly. To run the project locally, however, the kernel must be built with CONFIG_DEBUG_INFO_BTF=y; see supported-distros for kernel support details. Running on a recent kernel where CONFIG_DEBUG_INFO_BTF is enabled by default is recommended.

On older kernels built without CONFIG_DEBUG_INFO_BTF, the project can be run in the following two ways:

On Ubuntu/Debian:

# Currently tested only on Ubuntu 20.04 and 22.04
$ apt install -y git make gcc clang llvm libelf1 libelf-dev zlib1g-dev
# Getting the source code: download the git repository
$ git clone https://github.com/haozhuoD/HIDS-eBPF.git
# Enter the folder
$ cd HIDS-eBPF/hids
$ make clean    # remove previously built bpf artifacts from the repository
$ make          # set up the environment and build

Usage (normal development workflow)

# Compile
$ make hids   # or make all
# Run hids
$ sudo ./hids

# Clean
$ make clear  # or make clean

Documents

Other

Container hardening study notes

Early study notes on Docker container runtime security

Preliminary exploration of eBPF rootkits

Hook points

The project currently supports 19 hooks, which is sufficient for the functionality it needs. The choice of hook points is mainly based on the author's own practice and leaves room for optimization.

Details of the eBPF hook points used by the project

Hook                                        Status                         Description
tracepoint/module/module_load               ON                             Extracts information about the loaded *.ko file
tracepoint/syscalls/sys_exit_finit_module   ON                             Triggers the system-call table check
tracepoint/syscalls/sys_enter_mount         ON
tracepoint/syscalls/sys_exit_mount          ON
tracepoint/syscalls/sys_enter_open          ON
tracepoint/syscalls/sys_exit_open           ON
tracepoint/syscalls/sys_enter_openat        ON
tracepoint/syscalls/sys_exit_openat         ON
tracepoint/syscalls/sys_enter_execve        ON
tracepoint/syscalls/sys_enter_execveat      ON
tracepoint/syscalls/sys_enter_kill          ON                             Function dispatch based on the signal mechanism
tracepoint/syscalls/sys_enter_memfd_create  ON                             Related to fileless attacks
kprobe/kprobe_lookup_name                   ON                             kprobe framework function
kprobe/arm_kprobe                           ON                             kprobe framework function
kprobe/insn_init                            ON                             Function involved in tampering with in-memory code
kprobe/insn_get_length                      ON                             Function involved in tampering with in-memory code
kprobe/security_file_permission             ON                             file_operations checks
lsm/cred_prepare                            OFF (ON only in lsm branch)    Blocks insmod via LSM
lsm/kernel_read_file                        OFF (ON only in lsm branch)    Blocks fileless loading attacks via LSM
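As an added example (not the project's code), the user-space half of the system-call table check that the sys_exit_finit_module hook triggers: it reads _stext and _etext from kallsyms-formatted text and flags every sys_call_table entry that falls outside the core kernel text, which is how a table entry redirected into a freshly loaded module shows up. The kallsyms excerpt and the table addresses are constructed; how the project itself obtains the table snapshot (com_funaddr.c) is not shown on the page and is not assumed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Find one symbol in kallsyms-formatted text ("addr type name" per line);
 * returns 1 and stores its address, or 0 if the symbol is absent. */
static int kallsyms_lookup(const char *text, const char *name, uint64_t *addr)
{
    const char *p = text;
    while (p && *p) {
        unsigned long long a; char type, sym[128];
        if (sscanf(p, "%llx %c %127s", &a, &type, sym) == 3 && !strcmp(sym, name)) {
            *addr = (uint64_t)a; return 1;
        }
        p = strchr(p, '\n');          /* advance to the next line, if any */
        if (p) p++;
    }
    return 0;
}
/* Count table entries outside the core kernel text [stext, etext); indices of
 * the first max_bad offenders are written to bad_idx for reporting. */
static size_t check_sys_call_table(const uint64_t *table, size_t n, uint64_t stext,
                                   uint64_t etext, size_t *bad_idx, size_t max_bad)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i] < stext || table[i] >= etext) {
            if (bad < max_bad) bad_idx[bad] = i;
            bad++;
        }
    return bad;
}
/* Constructed sample input (not real addresses): a kallsyms excerpt and a
 * four-entry table snapshot whose third entry resolves into module memory. */
static const char SAMPLE_KALLSYMS[] =
    "ffffffff81000000 T _stext\nffffffff81e00000 T _etext\n"
    "ffffffffc0a12000 t hooked_entry\t[some_module]\n";
static const uint64_t SAMPLE_TABLE[] = { 0xffffffff811a2340ULL, 0xffffffff811a2480ULL,
                                         0xffffffffc0a12000ULL, 0xffffffff81255100ULL };

int main(void)
{
    uint64_t stext, etext; size_t bad[4], n;
    if (!kallsyms_lookup(SAMPLE_KALLSYMS, "_stext", &stext) ||
        !kallsyms_lookup(SAMPLE_KALLSYMS, "_etext", &etext)) return 1;
    n = check_sys_call_table(SAMPLE_TABLE, 4, stext, etext, bad, 4);
    for (size_t i = 0; i < n && i < 4; i++)
        printf("ALERT: sys_call_table[%zu]=0x%llx outside kernel text\n", bad[i],
               (unsigned long long)SAMPLE_TABLE[bad[i]]);
    return 0;
}
```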

Code statistics

dhz@ubuntu:~/workspace/HIDS-eBPF$ cloc ./hids/ --exclude-dir=.output,cjson
       7 text files.
       7 unique files.                              
       1 file ignored.

github.com/AlDanial/cloc v 1.82  T=0.02 s (367.2 files/s, 134567.3 lines/s)
-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
C                                3            205            626           1240
C/C++ Header                     3             44              9            294
make                             1             28             26             93
-------------------------------------------------------------------------------
SUM:                             7            277            661           1627
-------------------------------------------------------------------------------
dhz@ubuntu:~/workspace/HIDS-eBPF$ cloc ./demo/
       8 text files.
       8 unique files.                              
       3 files ignored.

github.com/AlDanial/cloc v 1.82  T=0.01 s (490.1 files/s, 34206.0 lines/s)
-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
C                                5             33            190            126
-------------------------------------------------------------------------------
SUM:                             5             33            190            126
-------------------------------------------------------------------------------
dhz@ubuntu:~/workspace/HIDS-eBPF$ cloc ./no_file_attack/
       2 text files.
       2 unique files.                              
       0 files ignored.

github.com/AlDanial/cloc v 1.82  T=0.01 s (158.8 files/s, 1190.8 lines/s)
-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
Python                           1              0              0              8
C                                1              1              0              6
-------------------------------------------------------------------------------
SUM:                             2              1              0             14
-------------------------------------------------------------------------------

Reference

Libraries used and code implementations referenced:

libbpf-bootstrap

cJSON lib

todo

Complete documentation...
