This repo contains two experimental BPF programs that can be used for security monitoring.
The first enables passive decryption of TLS 1.3 traffic encrypted by OpenSSL. The other logs Firefox HTTPS web page requests.
To learn more about BPF, and about how these programs work, take a look at these technical docs.
If you're curious about writing your own BPF programs from scratch, check out the "hello world" example and the C code generator utility.
This BPF program logs ephemeral key pairs generated by OpenSSL v1.1.1. The private key can be used to derive TLS session secrets and decrypt network traffic.
Traditional enterprise security software often intercepts TLS at the network level. Traffic is hijacked, and legitimate certificates are replaced with inauthentic ones, which can cause problems for TLS clients.
Instead, this program operates entirely passively, decrypting only on the endpoint. Because no traffic is intercepted and no certificates are replaced, this approach weakens transport security far less than network-level interception.
```
ubuntu@server:log-tls-keys$ ./build.sh
ubuntu@server:log-tls-keys$ sudo ./log_keys_user &
ubuntu@server:log-tls-keys$ sudo cat /sys/kernel/debug/tracing/trace_pipe &
ubuntu@server:log-tls-keys$ curl https://google.com -s -o /dev/null
curl-22632 [006] .... 504976.157205: X25519 pub 0: 8f597534 b342a4ec
curl-22632 [006] .... 504976.157223: X25519 pub 1: c8886f9f 9ee7a863
curl-22632 [006] .... 504976.157225: X25519 pub 2: eeadc020 581b51ad
curl-22632 [006] .... 504976.157226: X25519 pub 3: bef303c5 c39d0519
curl-22632 [006] .... 504976.157228: X25519 prv 0: d81ea096 a052ae23
curl-22632 [006] .... 504976.157230: X25519 prv 1: d0cb6e06 a1ee808e
curl-22632 [006] .... 504976.157231: X25519 prv 2: c2e90f6a 78fab21e
curl-22632 [006] .... 504976.157232: X25519 prv 3: 56d77e90 7b0c3458
```
Matching public key seen in Wireshark:
Source code: userspace and BPF program.
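Each key is logged as four trace lines of two hex words, so the first thing a consumer has to do is reassemble the 32-byte X25519 keys and check that the logged private key really matches the logged public key before trusting it for decryption. The following is an added example, not code from this repo; it assumes the words were printed with `%x` from host-order 32-bit values (so each word is byte-reversed, a loader detail the page does not state, switchable with `native_words=False`), and uses a constructed trace built from the RFC 7748 test vector rather than the capture above.

```python
import re
# One trace_pipe line, e.g. "curl-22632 [006] .... 504976.157228: X25519 prv 0: d81ea096 a052ae23"
LINE_RE = re.compile(r"^.+?-(?P<pid>\d+) \[\d+\].*: X25519 (?P<kind>pub|prv) (?P<idx>\d): "
                     r"(?P<w0>[0-9a-f]{1,8}) (?P<w1>[0-9a-f]{1,8})$")
P = 2**255 - 19

def x25519_public(prv: bytes) -> bytes:
    """RFC 7748 scalar multiplication of the base point u=9 (Montgomery ladder)."""
    k = bytearray(prv)
    k[0] &= 248; k[31] &= 127; k[31] |= 64        # clamp, as OpenSSL does internally
    s = int.from_bytes(k, "little")
    x2, z2, x3, z3, swap = 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        bit = (s >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, e = a * a % P, b * b % P, (a * a - b * b) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, 9 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def parse_trace(lines, native_words=True):
    """Join the four pub/prv fragments logged per pid into 32-byte keys. native_words=True is an
    assumption about the loader: each word came from %x of a host-order u32, so reverse its bytes."""
    frags, keys = {}, {}
    for m in filter(None, map(LINE_RE.match, map(str.strip, lines))):
        order = "little" if native_words else "big"
        chunk = b"".join(int(m[w], 16).to_bytes(4, order) for w in ("w0", "w1"))
        frags.setdefault((m["pid"], m["kind"]), {})[int(m["idx"])] = chunk
    for (pid, kind), parts in frags.items():
        if all(i in parts for i in range(4)):          # skip keys with a missing fragment
            keys.setdefault(pid, {})[kind] = b"".join(parts[i] for i in range(4))
    return keys

def verify_pairs(lines, native_words=True):
    """{pid: X25519(prv) == logged pub} for every pid whose pub and prv are both complete."""
    return {pid: x25519_public(k["prv"]) == k["pub"]
            for pid, k in parse_trace(lines, native_words).items() if len(k) == 2}

# Constructed sample in the trace_pipe format above (not real captured output): the RFC 7748
# section 6.1 Alice key pair, host-order words as %x prints them (no leading zeros).
_PUB = "9f02085 54a73089 dc7d8b74 5af73eb4 d3abf0d f41a3826 8ea9a4eb 6a4e9baa".split()
_PRV = "a6d0777 7da51873 72c1163c 4566b251 872f4cdf 2a99c0eb a5fb77b1 2a2cb91d".split()
SAMPLE_TRACE = [f"curl-4242 [001] .... 100.00000{i}: X25519 {kind} {i}: {w[2*i]} {w[2*i+1]}"
                for kind, w in (("pub", _PUB), ("prv", _PRV)) for i in range(4)]
```

A `False` verdict for a pid usually means the word order assumption is wrong for your loader, or a fragment from another handshake was interleaved; fix that before feeding the private key to a decryption tool.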
This BPF program logs Firefox 70.0.1 web page request data. It works for HTTP 1.1, with and without TLS.
To maximize the amount of logged traffic, set network.http.spdy.enabled.http2 to false in about:config.
```
ubuntu@server:log-firefox-pages$ ./build.sh
ubuntu@server:log-firefox-pages$ sudo ./log_pages_user &
ubuntu@server:log-firefox-pages$ sudo cat /sys/kernel/debug/tracing/trace_pipe
Socket Thread-28347 [007] .... 504345.102285: Request path: /gb/images/i2_2ec824b0.png HTTP/1.1
Socket Thread-28347 [007] .... 504345.102295: Request host: ssl.gstatic.com
Socket Thread-28347 [002] .... 504345.106544: Request path: /images/branding/googlelogo/2x/googlelogo_color_272x92dp.png HT
Socket Thread-28347 [002] .... 504345.106557: Request host: www.google.com
Socket Thread-28347 [000] .... 504345.183873: Request path: /images/searchbox/desktop_searchbox_sprites302_hr.png HTTP/1.1
Socket Thread-28347 [000] .... 504345.183892: Request host: www.google.com
Socket Thread-28347 [007] .... 504345.371854: Request path: /images/nav_logo299.png HTTP/1.1
Socket Thread-28347 [007] .... 504345.371868: Request host: www.google.com
Socket Thread-28347 [000] .... 504348.287174: Request path: /complete/search?q=s&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl
Socket Thread-28347 [002] .... 504348.518446: Request path: /complete/search?q=san&cp=3&client=psy-ab&xssi=t&gs_ri=gws-wiz&
Socket Thread-28347 [004] .... 504348.708885: Request path: /complete/search?q=santa&cp=5&client=psy-ab&xssi=t&gs_ri=gws-wi
Socket Thread-28347 [000] .... 504348.955691: Request path: /complete/search?q=santa%20c&cp=7&client=psy-ab&xssi=t&gs_ri=gw
Socket Thread-28347 [000] .... 504349.157450: Request path: /complete/search?q=santa%20con&cp=9&client=psy-ab&xssi=t&gs_ri=
Socket Thread-28347 [000] .... 504349.463175: Request path: /images/experiments/wavy-underline.png HTTP/1.1
Socket Thread-28347 [000] .... 504349.463196: Request host: www.google.com
Socket Thread-28347 [000] .... 504349.479649: Request path: /complete/search?q=santa%20consp&cp=11&client=psy-ab&xssi=t&gs_
Socket Thread-28347 [000] .... 504349.712549: Request path: /complete/search?q=santa%20conspir&cp=13&client=psy-ab&xssi=t&g
Socket Thread-28347 [002] .... 504350.032477: Request path: /complete/search?q=santa%20conspirac&cp=15&client=psy-ab&xssi=t
```
Source code: userspace and BPF program.
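The trace above shows the two failure modes a consumer of this log has to handle: long request lines are cut off by the trace buffer (the `HT` and the `/complete/search?...` lines), and some path lines are never followed by a host line. The following is an added example, not code from this repo, that pairs path and host records per thread, flags truncation, and summarizes per host; its sample input is a handful of lines copied from the listing above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One trace_pipe record from log_pages, e.g.
# "Socket Thread-28347 [007] .... 504345.102295: Request host: ssl.gstatic.com"
LINE_RE = re.compile(r"^.+?-(?P<tid>\d+) \[\d+\] \S+ (?P<ts>\d+\.\d+): "
                     r"Request (?P<field>path|host): (?P<value>.*)$")

@dataclass
class Request:
    ts: float
    tid: str
    path: str
    host: Optional[str]   # None when no "Request host" line followed the path line
    truncated: bool       # path line lacked the trailing " HTTP/1.1": the buffer cut it off

def parse_requests(lines):
    """Pair each path line with the host line that follows it on the same thread."""
    pending, done = {}, []
    for m in filter(None, map(LINE_RE.match, map(str.strip, lines))):
        tid, value = m["tid"], m["value"]
        if m["field"] == "path":
            if tid in pending:                 # previous path on this thread never got a host
                done.append(pending.pop(tid))
            complete = value.endswith(" HTTP/1.1")
            pending[tid] = Request(float(m["ts"]), tid, value[:-9] if complete else value,
                                   None, not complete)
        elif tid in pending:
            req = pending.pop(tid)
            req.host = value
            done.append(req)
    done.extend(pending.values())
    return sorted(done, key=lambda r: r.ts)

def summarize(lines):
    """Requests per host, plus how many records were truncated or lost their host line."""
    reqs = parse_requests(lines)
    return {"per_host": dict(Counter(r.host or "(no host logged)" for r in reqs)),
            "truncated": sum(r.truncated for r in reqs),
            "hostless": sum(r.host is None for r in reqs)}

# Lines copied from the trace_pipe listing above; "HT" and the search path are already cut off.
SAMPLE_TRACE = [
    "Socket Thread-28347 [002] .... 504345.106544: Request path: /images/branding/googlelogo/2x/googlelogo_color_272x92dp.png HT",
    "Socket Thread-28347 [002] .... 504345.106557: Request host: www.google.com",
    "Socket Thread-28347 [000] .... 504348.287174: Request path: /complete/search?q=s&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl",
    "Socket Thread-28347 [000] .... 504349.463175: Request path: /images/experiments/wavy-underline.png HTTP/1.1",
    "Socket Thread-28347 [000] .... 504349.463196: Request host: www.google.com",
]
```

Note that a truncated path can still get its host line (the logo request above) while a hostless one may not be truncated, so the two flags are tracked separately rather than inferred from each other.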
This minimal "hello world" BPF program prints to the kernel debug log.
It is written in the subset of C supported by LLVM, and can be compiled to an ELF binary containing BPF bytecode using clang.
To see which Linux system calls are required to instrument a userspace binary and run this BPF program, look at the source of the Firefox and OpenSSL examples. This code requires only clang and gcc at compile time, and has no runtime dependencies.
The Firefox and OpenSSL programs are heavily based on its source code.
This C code generator enables creating a single binary with an embedded BPF program. It's intended to be a lightweight, compile-time, alternative to BPF loader libraries.
To use it, point it at your ELF binary; the generated C code is printed to standard output. All *_generated.c files checked into this repo were created using this utility.
Check out the technical details and source code.
