Runtime enforcement of software supply chain capabilities in Go
Run a Go program that invokes a denied capability, with goleash runtime enforcement attached.

```sh
cd examples/example_unrestrict
```

First, generate the hashes for the allowed capability invocations of the trusted initial version of the program:

```sh
make all-hash
```

Execute the trusted version of the program:

```sh
make all
```

Then add a new, denied capability invocation to the program (the `sed` command below un-comments the `TestReadFile()` call in `dependencyC/dep.go`):

```sh
sed -i '27,31s/^[[:space:]]*\/\/[[:space:]]*TestReadFile()/TestReadFile()/' dependencyC/dep.go
```

Execute the compromised version of the program against the same, previously generated hashes:

```sh
make all
```
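To make the build-then-enforce idea behind the two `make all` runs concrete, here is an added Go example; it is not goleash's own code. It records, in a build phase, a hash of the caller chain at every capability invocation and then denies invocations from call sites that were not seen, which is what happens when the `TestReadFile()` call is un-commented. `Leash`, `Check`, `trustedDep`, `newDep` and the `file.read` label are constructed for this example, and hashing caller function names in-process is this example's choice; the real tool observes syscalls with eBPF from outside the program.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"runtime"
	"strings"
)

// Leash is a stand-in for the allowlist: build mode records call sites, enforce mode denies unknown ones.
type Leash struct {
	Enforce bool
	Allowed map[string]bool // "capability@callSiteHash" -> allowed
}

// callSiteHash hashes the caller function names above Check, so a new call site yields a new hash.
func callSiteHash() string {
	pcs := make([]uintptr, 32)
	n := runtime.Callers(3, pcs) // skip Callers, callSiteHash and Check themselves
	frames := runtime.CallersFrames(pcs[:n])
	var names []string
	for more := true; more; {
		var f runtime.Frame
		f, more = frames.Next()
		names = append(names, f.Function)
	}
	return fmt.Sprintf("%x", sha256.Sum256([]byte(strings.Join(names, "|"))))
}

// Check records (build phase) or verifies (enforce phase) one invocation of capability.
func (l *Leash) Check(capability string) error {
	key := capability + "@" + callSiteHash()
	if !l.Enforce {
		l.Allowed[key] = true // build phase: learn the trusted call site
	} else if !l.Allowed[key] {
		return fmt.Errorf("denied: %s invoked from an unknown call site", key)
	}
	return nil
}

// trustedDep exists in the trusted version; newDep is added later (like un-commenting TestReadFile).
func trustedDep(l *Leash) error { return l.Check("file.read") }
func newDep(l *Leash) error     { return l.Check("file.read") }
// Demo builds the allowlist from the trusted path, then enforces it against both paths.
func Demo() (trustedOK, newDenied bool) {
	l := &Leash{Allowed: map[string]bool{}}
	trustedDep(l)
	l.Enforce = true
	return trustedDep(l) == nil, newDep(l) != nil
}
```

Because the hash is built from function names rather than addresses, the trusted call site keeps the same hash across the build and enforce runs while the new one does not.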
This tool allows you to track the syscalls of a specified binary using eBPF.

- Navigate to the `track_syscalls` folder and build the tracer:

```sh
cd track_syscalls
make
```
To demonstrate the syscall tracking capabilities, we'll use CoreDNS as an example.

- Navigate to the CoreDNS folder and compile CoreDNS using the provided script:

```sh
./build.sh
```

This will generate the CoreDNS binary to run later.

- Navigate back to the `track_syscalls` folder and run the syscall tracker (with root privileges), pointing it to the CoreDNS binary:

```sh
sudo ./bpf_loader -binary /binary_path -mod-manifest /go.mod -mode build
```

Replace `/binary_path` and `/go.mod` with the actual paths to the binary and the Go module manifest of the application you want to monitor.

- In a new terminal window, run CoreDNS:

```sh
./coredns/run.sh
```

CoreDNS will start with a default configuration.

- To trigger some operations to track, send a request to CoreDNS:

```sh
./make_request.sh
```

This script will send a DNS query to the running CoreDNS instance.

- Observe the syscall tracking output in the terminal where you ran `bpf_loader`.

You should now see the syscalls triggered by CoreDNS in response to the DNS query. When you close the tracker with CTRL+C, the allowlist is saved.