Trace Me if You Can: Bypassing Linux Syscall Tracing
Discover how to bypass Linux syscall tracing using user space attacks, including two approaches: blocking condition and delay-based, and explore the limitations of syscall tracing and its vulnerabilities.
- The talk is about bypassing Linux syscall tracing using user space attacks.
- Syscall tracing relies on system calls to tracing programs, which can be bypassed using user space attacks.
- The vulnerability allows an attacker to change the syscall arguments after tracing, making it undetectable.
- The talk describes two approaches to bypassing syscall tracing: blocking condition and delay-based.
- Blocking condition involves using seccomp to delay the system call until after the tracing program has read the arguments.
- Delay-based involves using a delayed system call to allow the tracing program to detect the arguments after they have been modified.
- The talk also discusses the limitations of syscall tracing and the need for advanced threat detection.
- Falco, a system call tracing tool, is vulnerable to the attack due to its reliance on tracepoints and ptrace.
- The talk concludes with recommendations for mitigating the vulnerability, such as comparing syscall enter and exit arguments.
- The attack is demonstrated on an example of an SSH connection being established.
- The talk also discusses the use of FUSE for remote storage and the potential for attacks on this feature.
- The attack can be used to access sensitive data, such as the /etc/shadow file.
- The talk concludes by highlighting the importance of advanced threat detection and the need for ongoing research into syscall tracing vulnerabilities.
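The mitigation the summary recommends, comparing the arguments a tracer observed at syscall enter with those it observes at syscall exit, can be expressed as a small consistency check over paired events. The following is an added example written for this page, not code from the talk or from Falco; the event fields (seq, pid, tid, syscall, phase, args) and the sample events are constructed here to stand in for whatever a real tracer would emit.

```python
"""Pair syscall enter/exit observations per thread and flag arguments that
changed between the two points (the enter/exit comparison recommended in the
talk summary). Added example; event layout and samples are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SyscallEvent:
    seq: int        # tracer's observation counter, gives event order
    pid: int
    tid: int
    syscall: str
    phase: str      # "enter" or "exit"
    args: dict      # argument name -> value as copied from user memory at that phase


@dataclass(frozen=True)
class Finding:
    pid: int
    tid: int
    syscall: str
    reason: str     # "args-changed", "missing-enter", "missing-exit", "syscall-mismatch"
    detail: str


def check_enter_exit_consistency(events):
    """Return findings for every enter/exit pair whose arguments disagree.

    A thread executes at most one syscall at a time, so (pid, tid) is enough
    to pair an exit with the enter that preceded it. Events are processed in
    observation order regardless of how the caller stored them.
    """
    pending = {}    # (pid, tid) -> enter event still waiting for its exit
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        key = (ev.pid, ev.tid)
        if ev.phase == "enter":
            prev = pending.get(key)
            if prev is not None:
                # Two enters with no exit in between: the tracer lost an event.
                findings.append(Finding(prev.pid, prev.tid, prev.syscall, "missing-exit",
                                        f"enter seq={prev.seq} never saw an exit"))
            pending[key] = ev
        elif ev.phase == "exit":
            enter = pending.pop(key, None)
            if enter is None:
                # Tracer attached mid-syscall; nothing to compare against.
                findings.append(Finding(ev.pid, ev.tid, ev.syscall, "missing-enter",
                                        f"exit seq={ev.seq} had no matching enter"))
                continue
            if enter.syscall != ev.syscall:
                findings.append(Finding(ev.pid, ev.tid, ev.syscall, "syscall-mismatch",
                                        f"enter was {enter.syscall}, exit was {ev.syscall}"))
                continue
            names = set(enter.args) | set(ev.args)
            changed = sorted(n for n in names if enter.args.get(n) != ev.args.get(n))
            if changed:
                detail = "; ".join(f"{n}: {enter.args.get(n)!r} -> {ev.args.get(n)!r}"
                                   for n in changed)
                findings.append(Finding(ev.pid, ev.tid, ev.syscall, "args-changed", detail))
        else:
            raise ValueError(f"unknown phase {ev.phase!r} at seq={ev.seq}")
    return findings


# Constructed sample stream: one benign pair, one pair whose pathname buffer
# differs between enter and exit, and one exit the tracer saw without an enter.
SAMPLE_EVENTS = [
    SyscallEvent(1, 1000, 1000, "connect", "enter", {"fd": 3, "addr": "10.0.0.5:22"}),
    SyscallEvent(2, 1000, 1000, "connect", "exit", {"fd": 3, "addr": "10.0.0.5:22"}),
    SyscallEvent(3, 2000, 2001, "openat", "enter",
                 {"dfd": -100, "pathname": "/tmp/notes.txt", "flags": 0}),
    SyscallEvent(4, 2000, 2001, "openat", "exit",
                 {"dfd": -100, "pathname": "/etc/shadow", "flags": 0}),
    SyscallEvent(5, 3000, 3000, "read", "exit", {"fd": 0, "count": 4096}),
]


def run_sample():
    """Run the check over the constructed stream; returns two findings."""
    return check_enter_exit_consistency(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"pid={f.pid} tid={f.tid} {f.syscall}: {f.reason} ({f.detail})")
```

The check only works if the tracer actually copies pointer-backed arguments (pathnames, socket addresses) from user memory a second time at syscall exit rather than reusing the enter-time copy, which is the extra cost the mitigation trades for coverage. An "args-changed" finding is evidence of tampering between the two observation points, and the exit-time values are the ones the kernel acted on, so they are what a detection rule should match against.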