Beginner's Guide to Bypassing Falco Container Runtime Security in Kubernetes - Kubernetes Village at Bsides Bangalore 2024
anjaliinfosec
1,067 views
27 slides
Jul 01, 2024
About This Presentation
This presentation, crafted for the Kubernetes Village at BSides Bangalore 2024, delves into the essentials of bypassing Falco, a leading container runtime security solution in Kubernetes. Tailored for beginners, it covers fundamental concepts, practical techniques, and real-world examples to help you understand and navigate Falco's security mechanisms effectively. Ideal for developers, security professionals, and tech enthusiasts eager to enhance their expertise in Kubernetes security and container runtime defenses.
Size: 3.99 MB
Language: en
Added: Jul 01, 2024
Slides: 27 pages
Slide Content
Beginner's Guide to Bypassing Falco Container Runtime Security in K8s Anjali Shukla Senior Security Consultant 1
Anjali $ whoami
Senior Security Consultant with 5+ years in Cloud Security, DevSecOps, IaC Security, K8s, Containers, Big Data
Trainer & Speaker @ BlackHat, BSides, c0c0n, CSA
AWS Community Builder
Bangalore Chapter Lead of W3-CS
Crew Member @ Defcon Cloud Village
Blogs – https://infosecblo55om.medium.com/
Author – Linux Armour Ansible Role
2
Credit to the gurus
BlackBerry Falco Bypass
NCC Group image name manipulations
Weak Image Name Comparison by Brad Geesaman
Bypass Falco by Leonardo Di Donato, Sysdig Falco team (via GitHub)
TOCTOU Bypass by R. Guo & J. Zeng
Getting started with runtime security and Falco
3
Disclaimer
The views expressed in this presentation and its content, as well as any accompanying resources, are solely the speaker's own and do not necessarily reflect the opinions or endorsements of the speaker's employer. Credit goes to the original authors; the attacks reproduced here and the bypass attempts use similar new payloads, created from references to the original research.
4
What will get covered?
Introduction to Falco and Container Runtime Security in K8s
Architecture & Diving into eBPF
What are Syscalls
Working of Falco
Falco Triggers
Falco Bypass Payloads in K8s
Best Practices & Recommendations in K8s
Conclusion & Q/A
5
Introduction to Falco and Container Runtime Security in Kubernetes
What is Falco?
Container runtime security in Kubernetes.
Why is it crucial to be aware of bypass techniques?
6
Architecture of Falco 7 https://sysdig.com/opensource/falco/
Diving into eBPF : Foundations and Context 8 https://ebpf.io
What are Syscalls 9 Julia Evans
What are Syscalls 10
How Falco works at the container runtime 11 https://sysdig.com/opensource/falco/
Falco Triggers
A rule fires when the condition it defines matches an event Falco observes, for example:
System calls: a process opens a file in a sensitive directory.
File operations: a process creates a new file in a sensitive directory.
Process events: a new process is created, or a process exits.
Network traffic: a process sends a request to a known malicious IP address.
12
Falco Triggers 13 Falco Alert Triggered
Falco Rules 14 https://github.com/falcosecurity
Falco Bypass Techniques From the Past (only for reference)
Symlink TOCTOU Attack
Relative Path Bypass
Directory Name Comparison Bypass
Hard Links vs. Soft Links
Tricking by Process Name
Exploiting Parent and Ancestor Process Names
15
Failures in Character Class Manipulation
Using shell character classes such as [a-t] or [^0-9] in the path to represent a range or exclude certain characters. This failed against the default rule set: the shell expands the character class before the execve or open syscall is made, so the kernel, and therefore Falco, receives the literal expanded path and the rule still matches. If the pattern matches nothing, the shell passes the bracket string through unchanged and the open simply fails, so nothing sensitive is read either way. 16
Failures In Character Class Manipulation 17 Falco Alert Triggered
Failures in Path Obfuscation
Obscuring file paths with wildcard characters (?, *), in the hope that rules looking for explicit matches will miss them. This fails for the same reason as the previous payload: the wildcards are resolved by the shell before the syscall, so Falco sees the explicit path. 18
Previous Bypass: Symbolic Links Exploitation
Creating a symlink that points outside the current directory or to a sensitive path can be used to manipulate file paths and trick security mechanisms that rely on straightforward path matching. Falco's fd.name field is derived from the path argument the process passes to the open syscall (made absolute against the working directory); the kernel follows the symlink only afterwards. A rule that matches the literal sensitive path therefore never sees the target and the read goes unalerted. 19 Credit: https://github.com/blackberry/Falco-bypasses/
Symbolic Links Exploitation 21 Credit: https://github.com/blackberry/Falco-bypasses/ No Falco Alert
Bypass: Subshell Execution
Running commands inside a subshell ($(...) or ( ... )) so that checks aimed at the parent command see the subshell instead of the original command; the default rules raised no alert for this payload. 22 Credits: https://book.hacktricks.xyz/linux-hardening/bypass-bash-restrictions
Subshell Execution 23 Credits: https://book.hacktricks.xyz/linux-hardening/bypass-bash-restrictions No Falco Alert
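The three payload styles above (character classes, wildcards, symlinks) succeed or fail for one reason: Falco's path fields are built from the string the process hands to the syscall, the shell has already expanded any glob by then, and a symlink is followed only inside the kernel after that argument is recorded. The script below is an added example, not code from the slides, from the BlackBerry repository or from the Falco project; it reproduces that behaviour without Falco installed. It assumes Linux with GNU coreutils (readlink -f), uses a constructed stand-in for /etc/shadow under a temp directory, and its literal_match function stands in for a rule condition such as fd.name startswith /etc/shadow.

```shell
#!/bin/sh
# Added example, not part of the slides or of any Falco project code.
# Shows which path string reaches the kernel (and so a Falco rule on
# fd.name) for the character-class, wildcard and symlink payloads.
# Assumptions: Linux with GNU coreutils (readlink -f); Falco not required;
# the sensitive file is a constructed copy under a temp directory.

# The string that lands in the syscall argument is the argument exactly as
# the calling shell passed it, i.e. after that shell's own glob expansion.
argv_path() {
    printf '%s\n' "$1"
}

# The file the kernel really opens after following symlinks. A rule that
# inspects only the literal argument never sees this value.
resolved_path() {
    readlink -f -- "$1"
}

# Literal prefix test on the argument, mimicking `startswith` in a rule.
# $1 = path as passed to the syscall, $2 = sensitive prefix
literal_match() {
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Build the constructed sandbox: a fake etc/shadow and a symlink to it.
# Prints the sandbox root; the caller removes it.
make_sandbox() {
    root=$(readlink -f "$(mktemp -d)")
    mkdir -p "$root/etc"
    printf 'root:x:0:0:99999:7:::\n' > "$root/etc/shadow"   # constructed data
    ln -s "$root/etc/shadow" "$root/harmless"
    printf '%s\n' "$root"
}

# $1 = label, $2 = argv path, $3 = sensitive prefix
report() {
    if literal_match "$2" "$3"; then verdict="ALERT"; else verdict="no alert"; fi
    printf '%-11s argv=%s resolved=%s -> %s\n' \
        "$1" "$2" "$(resolved_path "$2")" "$verdict"
}

main() {
    root=$(make_sandbox)
    sensitive="$root/etc/shadow"
    # 1. Character class: expanded by this shell before the call is made.
    report "char-class" "$(argv_path "$root"/etc/[a-t]hadow)" "$sensitive"
    # 2. Wildcards: '?' and '*' are likewise gone before the syscall.
    report "wildcard" "$(argv_path "$root"/etc/sh?d*)" "$sensitive"
    # 3. Symlink: the argument is the link path; only the kernel follows it.
    report "symlink" "$(argv_path "$root/harmless")" "$sensitive"
    rm -rf "$root"
}

main
```

The first two lines of output show the expanded literal path and ALERT; the third shows the link path as argv, the real target as resolved, and no alert. To confirm against a live deployment, run the same three commands inside a pod on a node where Falco is loaded and compare with the alerts Falco emits.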
Best Practices & Recommendations
Reflect on the lessons from the advanced bypass methods above.
Ensure rule priorities are set accurately.
Watch for public, CVE-specific exploits and write rules for them.
Maintain a private rule set tailored to your own infrastructure; the default rules are what public bypasses are tested against.
Enable Amazon GuardDuty (EKS Runtime Monitoring) for real-time alerts on EKS attacks.
Use multi-layer defence, including logging and monitoring.
24