feat(events): create access_remote_vm event #3551

AlonZivony · 2023-10-04T12:32:34Z

1. Explain what the PR does

An event for accessing the memory of a process externally (can be the same process) by the mem file of the process in procfs.

789bd69 test(events): add e2e test to access_remote_vm
fd6e01a feat(events): create access_remote_vm event
0854a88 feat(ebpf): support 7 arguments saving for kretprobe
491ba04 feat(events): add probe relevance attribute

Fix #3518

2. Explain how to test it

3. Other comments

pkg/ebpf/c/tracee.bpf.c

pkg/ebpf/c/common/memory.h

pkg/ebpf/c/tracee.bpf.c

rafaeldtinoco · 2023-10-24T04:14:53Z

I loved the event! It LGTM, definitely.

There are just minor spell nits, some comments to be added to make it easier to understand your intents (if my interpretation is correct).

A small "point to clear" would be the VMA naming strategy/logic. I left a question for you there.

Also, If you could add a simple e2e-inst trigger for this type of event I would also appreciate (like we already spoke).

Nice work!

docs/docs/events/builtin/extra/access_remote_vm.md

rafaeldtinoco · 2023-11-19T14:59:41Z

I haven't seen a single test failing till now, so I am not sure to what you are referring. I can't really understand the problem without seeing it, so if you can reset the tests for me to see or send me a test suite that failed I will dig deeper.

Fix your pr.yaml file and force push. Wait for tests to finish and you will see. I dont need to reset anything on my side. Your pr.yaml is wrong.

rafaeldtinoco · 2023-11-19T15:01:44Z

However, I don't see why should we have a sleep in the test like in the process tree. There is no state here to initialize. If there is a timing issue here, it is an issue with all e2e tests and should be fixed by the tests environment. However, I can add for now a sleep if you think it will solve it.

Never said it was a definitive answer. My feedback was "it might be related", but it might be an entire different thing. When you fix pr.yaml and tests fail you will be able to see. Let me know if you need a VM with the same images that are failing (but it might be intermittent among all of them, without considering v6.5 which always fails due to other reasoning).

rafaeldtinoco · 2023-11-19T16:01:46Z

For the record:

https://gist.github.com/rafaeldtinoco/bb0bcf795fb2c821136db01417ca669a
https://gist.github.com/rafaeldtinoco/7042acfa78d3c7ca3f31ce8147d54255

Those files show the execution path in a 5.19 (event works) vs a 6.5 (event does not work).

rafaeldtinoco@rugged:mine$ gh gist create asyncio.perf.5.19.0-50-generic
- Creating gist asyncio.perf.5.19.0-50-generic
✓ Created secret gist asyncio.perf.5.19.0-50-generic
https://gist.github.com/rafaeldtinoco/bb0bcf795fb2c821136db01417ca669a

rafaeldtinoco@rugged:mine$ gh gist create asyncio.perf.6.5.9-arch2-1
- Creating gist asyncio.perf.6.5.9-arch2-1
✓ Created secret gist asyncio.perf.6.5.9-arch2-1
https://gist.github.com/rafaeldtinoco/7042acfa78d3c7ca3f31ce8147d54255

Im using https://gist.github.com/rafaeldtinoco/1e619d9d25a4a934b0ef577304125b87 to test.

AlonZivony · 2023-11-19T16:18:18Z

Alright, but be aware that there are many detections from this signature coming from regular processes (not sure your signature will filter for specific stuff, but systemd, dbus-daemon, etc are all being "detected").

Yea I am aware, but there is enough information in the event to filter regular stuff out.

Another thing, are you sure you want 1 event per VMA ? You may gets lots of events from the same action:

You are right that it might spam, but it is significant.
Each vma has its own name and own permissions, and you don't see operations on the file done frequently or in massive amount.
It might be a cause of malicious spam, but it is true for almost any event.

AlonZivony · 2023-11-20T10:58:50Z

Only pushed to see tests, still not fixed

rafaeldtinoco · 2023-11-29T02:28:13Z

Looks like the tests failed but when looking at the output the event (at least on 4.18) worked. Needs some fine tuning I believe.

AlonZivony · 2023-11-29T10:16:28Z

You can see that the problem is the version check, because the remote_pid value is 0.
I will try to find another type.

Add to each probe the option to determine its relevance according to the OS version. If a probe is irrelevant, an attempt to load it won't be initiated. This allows to have different probes for events according to OS version.

The first 6 arguments are passed to functions using registers. From the 7th forward, the arguments pass through the stack. For this reason, only saving the first 6 arguments was supported until now. This commit add the 7th argument also to the saved args between kprobe and kretprobe.

An event for accessing the memroy of a process externally (can be the same process) by the mem file of the process in procfs. Co-authored-by: OriGlassman <39296766+origlassman@users.noreply.github.com>

Add e2e test to check that the access_remote_vm works well.

geyslan · 2024-02-21T11:02:00Z

We have this update #3875

Please rebase your PR against main to make use of the new workflow setup.

github-actions bot assigned AlonZivony Oct 4, 2023

github-actions bot added area/ebpf kind/documentation area/events labels Oct 4, 2023

AlonZivony force-pushed the feature/proc-mem-operations branch 2 times, most recently from abeb60f to deb4ef0 Compare October 4, 2023 13:12

AlonZivony added milestone/v0.19.0 kind/feature and removed kind/documentation labels Oct 4, 2023

AlonZivony force-pushed the feature/proc-mem-operations branch from deb4ef0 to 93d376b Compare October 5, 2023 10:13

github-actions bot added the kind/documentation label Oct 5, 2023

AlonZivony force-pushed the feature/proc-mem-operations branch from 93d376b to 59f34a5 Compare October 5, 2023 10:20

AlonZivony requested a review from rafaeldtinoco October 13, 2023 12:46