Image
Introducing kflow

A new open sourced eBPF derived tool for security ops enthusiasts who thrive on log data.

Image

Kernel-based Process Monitoring on Linux Endpoints via eBPF

kflow creates a new type of streaming security data using eBPF to capture a wide array of system and network events, offering visibility into organizations’ pre-encrypted workloads. It can be used in a wide range of applications from malware detection to tracing data movement. Its open-source collaboration fosters innovation and rapid adoption in security data management technologies from the global community.

Scalable Architecture

Easily scale to handle large volumes of data

Enhanced Security

Malicious actors will be unable to remove all traces of a system takeover

Real-Time Data Collection

Capture live endpoint events for immediate analysis

Pre-encrypted Visibility

kflow creates a new type of streaming security data using eBPF to capture a wide array of system and network events

Broad Compatibility

Supports VMs, Containers, and Kubernetes

Lightweight and Efficient

Minimal system overhead with high performance

Use Cases

Kflow on its own doesn't detect or take any action; it simply creates a stable stream of kflow messages. These messages can be received, decoded, and analyzed using third-party utilities or comprehensive enterprise threat hunting and detection services. Our modules utilize various kprobes and uprobes for tracing purposes.

Malware Detection

Identify and prevent malicious activities

Ransomware Tracking

Monitor and mitigate ransomware threats

Threat Hunting

Enhance threat detection and investigation capabilities

Change Management

Verify software versions and manage configuration changes

Syslog Forwarding

Forward unstructured syslog data via S3 or Webhook.

Technical Details and Information

Why would we do this?

Bottom line: We love security data. At Tarsal we are constantly trying to improve how security data is handled and there’s a missing gap: Freely obtained end point data. The old world of tapping the network doesn’t work and getting to the data before it’s encrypted and placed on the wire is crucial. Think of this as sniffing the kernel of the computer rather than the network interface. We wanted to gift this technology to the security community to foster the next generation threat hunting and detection.

ELK Compatibility

For the open source community we have created an ELK showcase that works out of the box. Please reference https://github.com/tarsal-oss/showcase

Links:

Data Endpoint Use Cases:

  • Tripwire replacement
  • EDR replacement
  • Tracking and preventing ransomware
  • Deeper and more intelligent threat hunting
  • Antiviral system replacement
  • Data tracking system: File went from here to there via this network flow
  • Change management conformation
  • Instant software version confirmation
  • Parent and Child Process correlation
  • Parent Process to Child File correlation (what process is accessing/creating what file)
  • Process to network communication correlation
  • File to network communication correlation

Future Decoder Modules

Our modules utilize various kprobes and uprobes for tracing purposes. Currently, kflow employs only eBPF probes at the kernel level (kprobe, kretprobe) but is expected to extend to userspace probes (uprobe, uretprobe) soon.

Kprobes provide dynamic instrumentation in the kernel, allowing trace events at runtime by hitting the beginning of a kernel function and calling a custom event handler to extract function arguments for system monitoring. For instance, a kprobe in the vfs_read function can monitor file access by extracting inode information.

Kretprobes, hitting at the end of a function, can extract return values, such as monitoring file creation through do_filp_open.

Uprobes and uretprobes offer similar dynamic instrumentation but in userspace, applicable to functions in application binaries or shared libraries, tracing events system-wide for all processes using the library.

While they may face stability issues due to function changes across software versions, applications such as Nginx (ngx_http_process_request), Apache (HTTP request processing), MySQL (query__start), Elastic Search (query areas), Bind and PowerDNS (request/response processing), OpenSSL (SSL_read), and Node.js (http__server__request), along with raw sockets (function_acq_pkts on "eth0"), can benefit from such probes.

License Constraints

eBPF is a classic BSD license except some items are part of Linux and are GPLv2. Further, some BPF program types - Linux Security Modules (LSM) and TCP Congestion, etc are covered under GPLv2. kflowd is licensed under GPLv2 and the decoder modules are under a private software license.

Technology Innovation Program 

Tarsal is looking for special companies to help join this effort to create this technology. The code will be published soon and we are working on a new collection and stats package for logstash and Kabana to help illustrate how this can work with ElasticSearch.