bpf study

xdr sensor record.
- footprint -> CVE pattern.
- system call -> Capture the "system call".
event type : Check how many events need to send to "seleniumd"?








enum XDR_EVENT_TYPE
{
    XDR_EVENT_NONE              = 0;
    XDR_EVENT_PROCESS           = 1;
    XDR_EVENT_FILE              = 2;
    ...
}

Target
- Capture "system call" or "CVE pattern" in appilication.
- Decode the message with "protocol buffer" and then send it to "seleniumd"
First of all, i'd like to capture the "system call", e.g: "open file" event send it to daemon.

XDR type

typedef enum _XDR_EVENT_TYPE { 
    XDR_EVENT_TYPE_XDR_EVENT_NONE = 0, 
    XDR_EVENT_TYPE_XDR_EVENT_PROCESS = 1, 
    XDR_EVENT_TYPE_XDR_EVENT_FILE = 2, 
    XDR_EVENT_TYPE_XDR_EVENT_CONNECTION = 3, 
    XDR_EVENT_TYPE_XDR_EVENT_DNS = 4, 
    XDR_EVENT_TYPE_XDR_EVENT_ACCOUNT = 6, 
    XDR_EVENT_TYPE_XDR_EVENT_INTERNET = 7, 
    XDR_EVENT_TYPE_XDR_EVENT_MODIFIED_PROCESS = 8, /* The name may be confusing. We use it for access other processes either write or read (i.e. XDR_EVENT_ACCESS_PROCESS) */
    XDR_EVENT_TYPE_XDR_EVENT_MEMORY = 13, /* for memory specific operation events like modify memory, change memory permission and read memory, etc. */
    XDR_EVENT_TYPE_XDR_EVENT_BM = 14 
} XDR_EVENT_TYPE;

typedef enum _XDR_ACCESS_TYPE { 
    XDR_ACCESS_TYPE_XDR_NONE = 0, 
    XDR_ACCESS_TYPE_XDR_PROCESS_OPEN = 1, 
    XDR_ACCESS_TYPE_XDR_PROCESS_CREATE = 2, 
    XDR_ACCESS_TYPE_XDR_PROCESS_TERMINATE = 3, 
    XDR_ACCESS_TYPE_XDR_PROCESS_LOAD_IMAGE = 4, 
    XDR_ACCESS_TYPE_XDR_PROCESS_EXECUTE = 5, /* the subject process execute the target file (target_hash_id == file_meta) (i.e. Pre-XDR_PROCESS_CREATE) */
    XDR_ACCESS_TYPE_XDR_PROCESS_CONNECT = 6, /* the subject process connects to the target process via IPC, etc. (target_hash_id == process_meta) */
    XDR_ACCESS_TYPE_XDR_PROCESS_TRACME = 7, /* Linux specific - the subject process asks the target process to trace itself (target_hash_id == process_meta) */
    XDR_ACCESS_TYPE_XDR_FILE_CREATE = 101, 
    XDR_ACCESS_TYPE_XDR_FILE_OPEN = 102, 
    XDR_ACCESS_TYPE_XDR_FILE_DELETE = 103, 
    XDR_ACCESS_TYPE_XDR_FILE_SET_SECURITY = 104, 
    XDR_ACCESS_TYPE_XDR_FILE_COPY = 105, 
    XDR_ACCESS_TYPE_XDR_FILE_MOVE = 106, 
    XDR_ACCESS_TYPE_XDR_FILE_CLOSE = 107, 
    XDR_ACCESS_TYPE_XDR_FILE_MODIFY_TIMESTAMP = 108, 
    XDR_ACCESS_TYPE_XDR_FILE_MODIFY = 109, 
    XDR_ACCESS_TYPE_XDR_CONNECTION_CONNECT = 201, 
    XDR_ACCESS_TYPE_XDR_CONNECTION_LISTEN = 202, 
    XDR_ACCESS_TYPE_XDR_CONNECTION_CONNECT_INBOUND = 203, 
    XDR_ACCESS_TYPE_XDR_CONNECTION_CONNECT_OUTBOUND = 204, 
    XDR_ACCESS_TYPE_XDR_DNS_QUERY = 301, 
    XDR_ACCESS_TYPE_XDR_ACCOUNT_ADD = 501, 
    XDR_ACCESS_TYPE_XDR_ACCOUNT_DELETE = 502, 
    XDR_ACCESS_TYPE_XDR_ACCOUNT_IMPERSONATE = 503, 
    XDR_ACCESS_TYPE_XDR_ACCOUNT_MODIFY = 504, 
    XDR_ACCESS_TYPE_XDR_INTERNET_OPEN = 601, 
    XDR_ACCESS_TYPE_XDR_INTERNET_CONNECT = 602, 
    XDR_ACCESS_TYPE_XDR_INTERNET_DOWNLOAD = 603, 
    XDR_ACCESS_TYPE_XDR_MODIFIED_PROCESS_WRITE_MEMORY = 702, 
    XDR_ACCESS_TYPE_XDR_MODIFIED_PROCESS_WRITE_PROCESS = 703, /* Generic modification to a process (i.e. not limited to write memory) (target_hash_id == modified_process_meta) */
    XDR_ACCESS_TYPE_XDR_MODIFIED_PROCESS_READ_PROCESS = 704, /* Generic reading a process (target_hash_id == modified_process_meta) */
    XDR_ACCESS_TYPE_XDR_MODIFIED_PROCESS_WRITE_PROCESS_NAME = 705, /* Specific for modifying the name of a process (target_hash_id == modified_process_meta) */
    XDR_ACCESS_TYPE_XDR_MEMORY_MODIFY = 1001, 
    XDR_ACCESS_TYPE_XDR_MEMORY_MODIFY_PERMISSION = 1002, 
    XDR_ACCESS_TYPE_XDR_MEMORY_READ = 1003, 
    XDR_ACCESS_TYPE_XDR_BM_INVOKE = 1101, /* target_hash_id == bm_meta */
    XDR_ACCESS_TYPE_XDR_BM_INVOKE_API = 1102 /* target_hash_id == api_meta */
} XDR_ACCESS_TYPE;

typedef enum _XDR_CONNECTION_TYPE { 
    XDR_CONNECTION_TYPE_XDR_CONNECTION_NONE = 0, 
    XDR_CONNECTION_TYPE_XDR_CONNECTION_TCP = 1, 
    XDR_CONNECTION_TYPE_XDR_CONNECTION_UDP = 2 
} XDR_CONNECTION_TYPE;

Code references

Kernel space (selenium.ko driver module)
- Act event utilities: projs/lithium/kmod/selenium/src/act_event/...
- Event source (hooks): projs/lithium/kmod/selenium/src/hook/hooks.c
User space code
- Act event utilities:
  - Act event (activity object): lib/nanopb/xdr/act_event/ActEvent.h
  - Event IPC helpers: lib/nanopb/xdr/act_event/ActIPC.h
- Aggregation seleniumd
  - Daemon process: projs/lithium/src/selenium/seleniumd/seleniumd.cpp
  - Footprint generator: projs/lithium/src/selenium/seleniumd/FootprintGenerator.cpp
- Sender example libhe7.so (who send network event)
  - projs/helium/src/libhe7/He7Tracker.cpp

Note that we use PbUtils protobuf utility which wrapper nanppb 3rd party library. You would like to reference the test code in quark:

PbUtils: lib/quark/src/down/util/nanopb/PbUtils.h
unit test code: lib/quark/unit_test/ut_util/test_nanopb_Pb2Utils.cpp

Where we had already use libbpf:

projs/helium/src/libhhef/AFPService.cpp
atom document.
https://adc.github.trendmicro.com/Consumer-ATOM/atom-doc
internal wiki
https://wiki.jarvis.trendmicro.com/display/MSBD/Knowledge+Sharing
tmis agent.
https://adc.github.trendmicro.com/Consumer-ATOM/atom-doc/blob/master/design/soter/XDR_Sensor_Integration_-_TMIS_Agent.md
installation e.g.

./install.sh -y --agent-key /home/atom/agent_key --model my_name -nfq -ldp n

Setup alias or PATH

alias atom='sudo /opt/atom/bin/atom'

Start agent (currently just start it in offline mode)

atom start --offline+

Extract the .gpbz file with json format.

atom snr X stati.....gpbz -P

Check the full function in command line











atom@ubuntu:~/trendmicro_iot_security_0.0.00_ubuntu_20_04_x86_64_full$ atom status
Daemon status:
Independent mode
Features enabled:
aal         processing  offline
hips        ready       offline
svs         idle        offline
wrs         ready       independent
snr         ready       independent
bm          ready       offline

snr

footprint log

{
        "hash_id": 1418905967374183748,
        "first_seen": 1661794122,
        "last_seen": 1661794122,
        "size": 0,
        "create_time": 1661794112,
        "modify_time": 1661794112,
        "filename": "/proc/irq/1/smp_affinity",
        "signers": [],
        "owner_sid": "0",
        "owner_name": "root",
        "group_sid": "0",
        "group_name": "root",
        "telemetry_tags": []
    }

statistics log


















{
    "customer_guid": "762b48fd-15aa-4d0d-b553-060e1f9145e8",
    "agent_guid": "96fcbb52-64f6-2805-24d3-000c2986a502",
    "timestamp": 1661794651,
    "version": "1.0",
    "vehicle_id": "96fcbb52-64f6-2805-24d3-000c2986a502",
    "model_id": "my_name",
    "event_info": [
        {
            "component": "SNR",
            "event_type": 102,
            "event_stat_type": 1,
            "count": 9
        }
    ],
    "elapse_time": 10,
    "hit_critical_event": true
}

to do
- ebpf ring buff
- integrate the ebpf syscall hook to atom code base.
- Send unix socket to selenium daemon.
- compare the performance with kernel orca driver.
link
https://hackmd.io/@st9540808/HkvPfU7Tr
https://www.ebpf.top/post/bcc-to-libbpf-guid/
https://lore.kernel.org/bpf/
kernel bpf flow
-ebpf entry from syscall
Porting "atom sdk" to other platform.
- toolchain/
  - gcc version ?
- kernel-headers/
  - kernel headers include?
- In the submodule, git checkout -b branch, git add, git commit,
- merge request the modified file to master.
- In the "atom-socter/atom-sdk" reporitory, run "./update-repo.sh", run git status to check every submodule status, then update ".gitmodule" file
CPP:design pattern
Design document
- https://www.overleaf.com/
- https://sspai.com/post/64080
kernel syscall

tracepoint

 cat /sys/kernel/debug/tracing/available_events // get available trace event

TRACE_EVENT_FN(sys_enter,
TP_PROTO(struct pt_regs *regs, long id),
TP_ARGS(regs, id),
TP_STRUCT__entry(
    __field(    long,           id              )
    __array(    unsigned long,  args,   6       )
),
TP_fast_assign(
    __entry->id = id;
    syscall_get_arguments(current, regs, __entry->args);
),
TP_printk("NR %ld (%lx, %lx, %lx, %lx, %lx, %lx)",
      __entry->id,
      __entry->args[0], __entry->args[1], __entry->args[2],
      __entry->args[3], __entry->args[4], __entry->args[5]),
syscall_regfunc, syscall_unregfunc

);

- sched_process_exec
	- __data_loc char[] filename;
	- pid_t pid;
	- pid_t old_pid;

- sys_exit_execve
	- int __syscall_nr;
	- long ret;

- sys_enter_execve
	- int __syscall_nr;
	- const char* file_name;
	- const char *const* argv;
	- const char *const * envp;

bpf study

XDR type

Code references

Read more

可微邏輯門網絡（Differentiable Logic Gate Networks, DLGNs）

linux2023: https://github.com/Nigelwz

TPO1

Untitled