►
From YouTube: Bypassing Falco: How to Compromise a Cluster without Tripping the SOC - Shay Berkovich, BlackBerry
Description
Don’t miss out! Join us at our upcoming hybrid event: KubeCon + CloudNativeCon North America 2022 from October 24-28 in Detroit (and online!). Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Bypassing Falco: How to Compromise a Cluster without Tripping the SOC - Shay Berkovich, BlackBerry
The explosive growth of Kubernetes has left security professionals scrambling to deploy innovative tools to address the inherent security risks. One such tool is The Falco Project - an incubating CNCF tool for detecting malicious activity at run time. Falco, like many security tools, has some gaps. This talk highlights these gaps by introducing various techniques to silently bypass the default Falco ruleset (based on Falco v0.30.0 release). The attendees will learn 9 different classes of bypasses, 7 of which are novel and have never been presented. The bypasses allow for stealthy target enumeration, privilege escalation and lateral movement. To aid with the bypass automation, Shay will introduce a special container image and multiple code snippets built specifically for Falco bypasses. To wrap up, we will apply the bypass techniques on securekubernetes cluster (presented on KubeCon NA 2019) and demonstrate how an attacker can achieve full cluster compromise without tripping the SOC.
A
Hello,
everybody
welcome
to
valencia.
Thank
you
for
joining
this
talk.
My
name
is
shay
and
today
we're
going
to
talk
about
falcon
by
passing,
falco
default
rule
set
and
perhaps
even
how
to
compromise
a
cluster
without
tripping
the
sock.
Let's
start,
let's
start
with
the
background.
What
falco
is
for
and
what's
container
security
is
about,
and
this
is
my
view
of
container
security.
A
Pre-Deployment
is
about
building
the
base
images
in
an
efficient
and
secure
way
container
scanning,
although
some
people
call
it
a
little
bit
scanning,
but
I
like
to
be
more
precise,
scan
for
exposed
secrets,
static
compliance,
basically
everything
that
we
can
do
with
the
static
image
file
of
the
container
cluster
security,
it's
all
about
kubernetes,
config
and
then
there's
a
post
deployment
and
that's
where
falco
is
coming
into
the
picture.
Runtime
detection
there's
also
runtime
prevention,
dynamic
appliance
and
prevention
is
about
existing.
A
Mostly
about
existing
linux
security
kernel
security
mechanism
that
are
sometimes
given
for
free
in
the
container
context,
I've
recently
listened
to
the
cloud
what's
the
cloud
security
podcast
and
they
suggested
a
bit
different
division
into
areas
of
container
security.
So
they
were
talking
about
build
infrastructure
and
and
runtime,
and
that's
sort
of
the
way
this
this
maps
on
to
this
view,
intro,
is
cluster
security
and
how
security
built
is
pre-deployment
and
the
right
time
is
actually
post
deployment.
A
We're
going
to
use
std
out
today
for
the,
for
the
sake
of
simplicity
and
you'll,
see
that
in
the
demo,
typical
falca
rule
I
took
in
this
case
disallowed
the
ssh
connection.
There
is
a
concept
of
macro
in
falco
rule
set
in
this
case.
It's
called
inbound
outbound.
This
is
really
good
concept
because
because
it
prevents
the
rule
file
from
bloating,
otherwise,
if
otherwise,
it
would
be
way
bigger
than
this,
because
the
macro
can
be
used
by
different
rules.
A
A
Triggering
and
then
there's
a
priority,
a
mitral
attack
all
kinds,
metadata
description,
so
all
good
now
falcals
in
addition
to
behavioral
detections,
they
can
also
be
tailored
to
specific
to
detect
specific
exploitation
attempts
of
the
cvs
if
they
are
constructed
properly,
and
this.
This
is
the
example
to
those
those
four,
but
there
are
more
right
now,
there's
just
four
interesting
ones
that
I
thought
to
mention
now.
Let's
talk
about
previous
work
on
falco
bypasses.
A
This
is
not
the
first
talk
about
it
before
that
ncc
group
did
some
research
brett
gizman
as
well.
They
mostly
describe
the
bypasses
around
the
image.
Naming
leonardo
talked
about
this
in
one
of
his
talks
about
the
twin
cisco's,
and
I
think
he
also
mentioned
the
simulink
evasion
is
an
ongoing
issue
about
the
sister
calls
missing.
Sister
calls,
for
example,
open
opennet,
exec
fee,
execute,
add
duped
to
this
kind
of
stuff,
and
then
the
recent
work
by
go
and
zen
on
defcon.
A
They
were
talking
about
tacto
of
file
names,
mostly
so
classic
example
for
the
in
the
openness
is
called
the
time
of
the
check
of
the
file
name
and
the
time
of
actual
resolution.
Of
the
file
name
are
different
so
that
there's
that
keeps
the
possibility
of
the
evasion
and
then
there's
they
talked
quickly
about
the
similar
incubations
all
right.
A
The
this
is
the
typical
way.
The
fault
is
used.
We
spin
container,
we
do
something
malicious
within
the
container
and
falco
is
splitting
this
output
or
an
insensitive
file
is
open
because
we're
trying
to
read
the
it's
shadow.
How
can
we
prevent
falca
from
knowing
that
we
did
this?
Well,
let's
create
the
ceiling
to
see
shadow,
and
we
do
see
that
there's
notice
this
focus
still
saying
something,
but
it's
that's
a
different
rule
right,
because
the
previous
rule
was
warning
level
and
right
now
we're
notice.
A
So
that
means
that
it's
at
least
degradation
of
the
of
the
detection
and
this
by
the
way
this
rule
the
create
the
monitoring
of
the
creation
of
the
sensitive
of
the
symlinks
over
the
sensitive
files
was
one
of
the
protection
mechanism
against
the
tokto
attack.
We'll
see
why
this
is
not
enough,
because,
even
though
we
have
degradation
of
detection,
which
is
nice,
but
we
can
easier
get
rid
of
this
rule
as
well,
what
can
we
do?
We
can
create
the
same
link
to
the
unmonitored
directory
in
this
case.
It's
easy
to
secure.
A
It
then
we're
using
the
cat
to
cut
the
relative
path
based
on
the
it's,
the
security
link,
so
one
step
above
and
then
shadow,
and
we
see
the
output
of
the
shadow
and
fireplace
silent,
because
it's
confused
and
the
same
link
is
not
resolved
in
focus
context.
What
else
can
we
do?
Let's
take
a
look
at
right
below
it,
see
right
below
root
files?
A
In
this
case,
we
see
the
example
of
how
they
can
be
triggered,
so
we're
doing
we're
creating
the
symbolic
link
not
to
the
root
directory,
but
we
call
it
the
root
link
and
then
using
it
and,
of
course,
it's
that
easy
to
bypass
this
rule
as
well,
just
by
using
the
same
link
to
the
directory
and
then
using
it
for
the
relative
path.
Okay,
what
about
hard
links?
Yes
as
well,
we
can,
we
can
use
them.
A
Hard
link
is
a
direct
sort
of
pointer
to
the
inode
and
in
that
case
falco
until
version
0.31,
where
we
actually
committed
this
the
new
rule
for
the
hard
links
it
wasn't
able
to
detect
it
as
well.
Now
this
there's
a
special
case
of
pseudo-potential
privilege
escalation
rule
this
case
is
kind
of
reversed.
So
let's,
let's
see
what
we're
talking
about
here,
there's
a
the
last
year
there
was
a
infamous
cv
in
sudo
which
allowed
attacker
to
pretty
easily
escalate
the
privileges
from
the
regular
user
to
to
root.
A
So
what
the
rule?
The
way
it
was
constructed,
what
x
was
expecting?
The
rule
was
expecting
the
symlink
to
the
binary
and
it
was
getting
the
binary
and,
of
course
the
exploit
was
still
working
and
the
rule
wasn't
detected.
So
that
was
one
of
the
fixes
that
we
that
we
can
make
it
in
the
version
0.31
as
well,
but
this
this
is
interesting
kind
of
the
other
way
around
of
this
typical
simulink
evasion
that
showed
before
all
right
enough
of
the
simulinks.
Let's
talk
about
proclaims.
A
A
So
what
we
do
here,
we
we
write
a
very
simple
c
utility
the
treats
file
and
we
compile
it
into
system
d,
login
d
and
call
it
system
systemd,
login
d
and
using
it
to
dump
the
shadow.
And,
of
course
it's
fine,
because
falco
thinks
that
systemd
login
d
is
the
name
of
that
one
of
the
user
management
binaries
and
the
rule
doesn't
trigger.
What
else
can
we
do?
The
thing
is
that
this
approach
is
not
scalable.
A
We
can't
write
utility
for
for
every
every
utility
cli
command
that
we
want
to
use.
So,
oh,
but
we
can't
do
can't
create
the
symbolic
link
and
so
and
call
it
system
d,
login
d
like
like
in
this
case
and
use
that
symbol
and
click
to
downplay
its
shadow
and
again
focus
silent
in
this
case.
So
again,
symbolic
thing,
but
with
the
proc.name
perspective,
eventually
simpler,
renaming,
also
works.
If
we
can
rename
cat
into
the
systemd
login
d
there
we
go.
We
we
have
a.
We
have
a
perfect
invasion
here.
A
What
about
parent
and
ancestors
names
yeah?
So
that's
also
a
problem,
because
in
this
case,
for
example,
when
we're
looking
at
the
condition
where
proc
name
should
be
something
that
p
name
should
be
something
what
we
can
do,
we
can
come
up
with
the
script
and
call
it
password
one
of
the
accepted
binary
names
and
the
script.
The
parent
name
will
call
the
the
proc
name
and
that's
how
we
sort
of
build
this
condition,
and
once
that
works
we
can.
A
We
can
easily
dump
its
shadow
without
being
detected,
but
we
can
make
this
evasion
even
more
generic.
What
we
have
in
the
football
latest
image
and
you'll
see
this
image
a
lot.
This
is
the
publicly
available
image
that
they
can
that
they
created
with
various
goodies
to
bypass
the
the
bypass
falcon.
This
image
creates
one
of
the
faber's
fuber
fake
parents,
so
that
binary
that
small
utility-
it
knows
how
to
fork
a
series
of
processes
with
the
depth,
in
this
case
depth
of
three,
and
it
calls
the
ancestor.
A
The
first
initial
process
is
a
google
account
forks
all
the
rest
and
then
runs
this
command
and
what
it
does.
It
basically
tailors
specifically
this
condition,
because
the
proc
a
name
of
three
it
indeed
starts
and
equal
to
google
accounts,
and
that's
why
the
file
is
silent
in
this
case,
and
we
can
use
this
utility
to
build.
The
nesting
and
name
is
answer
our
ancestors,
as
as
we
want.
A
Reversal
detection:
this
is
also
very
interesting.
This
is
a
typical
reversal,
payload
that
creates
initiates
reversal,
and
indeed
it
it
has.
It
causes
for
three
detections
here.
So,
of
course,
the
typical
attacker
can't
can't
use
it.
What
can
we
do?
We
use?
We
can
try
to
use,
make
note
and
then
type
it
into
the
ansi.
This
is
also
very,
very
known
one
liner
for
initiating
the
reverse
shell
and,
however,
it's
still,
it
still
shows
the
detection.
A
However,
this
detection
is
way
very
easy
to
do
to
avoid,
because
to
evade
sorry,
because
we
can
use
either
sim
link
or
proc
name
evasion
that
we
already
talked
about,
but
we
can.
We
can
do
something
more
interesting.
How
about
we
use
the
msf
venom
and
for
people
who
know
msf
venom.
They
know
that
this
is
a
defect,
a
payload
generator.
It's
it's
a
part
of
metasploit
framework
right
and
it's
very
easy
to
generate
any
type
of
payload.
A
In
this
case,
I'm
generating
reverse
tcp
payload
for
linux,
base64
copying
it
into
the
container
marking
it
as
l
file
and
there
we
go.
We
see
the
connection
on
the
hostess
name
and
file
place
silence.
So
indeed,
this
is.
This
is
a
tough
problem
to
detect
payload
execution
as
an
elf,
where
it
doesn't
have
a
hash,
a
known
hash,
but
but
falco,
even
not
in
nothing
antivirus
right.
So
it's
it's
a
tough
problem
to
detect
this
type
of
behavior.
Perhaps
this
could
this
should
be
detected
on
a
network
level,
though?
A
A
So
for
ansi,
for
example,
there
are
two
execution
flags
dash
e
and
dash
c
that
allow
you
to
execute
bash,
for
example
or
other
program
upon
the
connection,
and
that's
what
this
rule
is
trying
to
avoid.
However,
we
know
that
linux,
old
and
bigly
big
linux
utilities-
they
have
so
many
flag
options
that
it's
really
easy,
really
really
hard
to
come
up
with
the
rule
that
will
will
block
all
the
potential
potential
flag
combination.
A
That's
indeed
the
case
in
this
case
when
we
we're
using
ansi
with
dash
e
with
classic
dash
ebin
bash,
it's
of
course
being
detected
by
that
not
get
runs
inside
container
rule.
However,
if
we
just
add
dash
v
as
in
verbosity
mode,
then
the
syntactical
comparison
fails
here,
because
the
the
proc
rx
doesn't
contain
stash
e
at
this
point
and
then-
and
there
there
we
go-
the
netcat
runs
inside
doesn't
trigger
anymore
all
right.
A
We
can
take
a
look
at
the
grab
private
keys
rule,
so
it
tries
to
block,
define
to
and
find
when
any
any
search
contains,
idrsa
or
id
dsa,
and
for
people
who
know
fine
know
how
much,
how
many
options
does
it
happen?
What
kind
of
rich
functionality
does
it
have
and,
of
course,
with
dash
regex?
It's
it's
very
trivial
to
bypass
we're
just
substituting
the
r
with
with
the
dot,
but
we
can
do
the
same
with
any
other
letter
and
there
we
and
there
we
go.
A
We
don't
have
syntactical
comparison
of
idea
reset
at
this
point
and
the
last
interesting
rule
that
I'm
going
to
show
bypass
is
the
sensitive
mount
bypass.
So
the
launch
container
with
sensitive
mount
rule
relies
on
this
condition,
and
I
don't
know
if
you
see
the
problem
here.
The
problem
here
is
that
this,
this
comparison
is
very
specific.
A
But
in
this
case
this
is
very
easy
to
show
we're
just
running
the
docker
with
dash
viva
run
run
and
there
we
go
and
we
do
have
a
shell
response
rule,
but
not
the
mounting
rule
that
should
have
been
triggered,
and
I
think,
for
the
sake
of
time,
we
I'm
going
to
skip
the
crypto
minor
detection
bypass.
You
can
in
the
privileged
container
detection
bypass.
A
You
can
see
that
it,
it
has
the
docker
client,
it
has
cube
catal
client
and
it
has
a
bunch
of
network
utilities,
g
bash
run
c
and
they
tweak
the
names
of
those
clients
and
bash
so
that
falco
won't
be
able
to
detect
them
with
the
static
with
the
traditional
rules.
And
then
I
have
the
cv
2021-3156
image
just
to
to
simulate
that
specific
rule
trigger
that.
A
Okay,
so
the
demo
setup
is.
I
was
running
it
within
the
gke
cluster
with
the
custom
nodes
and
silicon
load
cluster.
One
word
about
the
cluster
that
I
used
is.
It
was
presented
in
the
cubecon
2019
two
years
ago.
It
was
really
cool,
just
a
testing
cluster.
That
shows
how
to
just
show
some
attack,
techniques
and
defense
technique
and
highly
recommend
it
pretty
interesting
one,
and
that
works
perfectly
for
our
case.
A
So
it
has
two
attack
scenarios
scenario,
one
and
scenario,
two
in
scenario:
one
is
more
basic
with
the
more
basic
attacker
and
scenario.
Two
is
with
more
advanced
detectors,
so
let's
go
and
start
with
the
detection
of
detections
of
the
scenario,
one
just
just
we'll
see
what
what
we
expect
from
falco
to
detect
within
the
scenario.
So
the
all
scenarios
start
with
the
attacker.
Given
the
web.
Shell
assumes
that
pod
is
already
compromised
and,
and
then
the
attacker
starts
all
kind
of
reconnaissance
enumeration
from
within
the
pot.
A
It
runs
the
end,
it
runs
the
unnamed
r
and
then
it
says
sorry
they
see
that
the
the
pod,
the
hust
is
part
of
the
kubernetes
pods
and
there
we
go,
we
have
the
kubernetes
version,
etc.
We
have
all
the
environment
variables.
We
have
some
kind
of
service
account
mounted
here
and
then
at
this
point,
attacker
tries
to
go
to
the
typical
way
of
compromising
the
the
cluster,
so
the
they
download
the
cube
cattle.
A
They
try
to
use
it
to
get
all
the
resources
whatever
they
can,
and
there
is
a
bunch
of
resources.
So
it
takes
some
time
there
we
go.
We
have
the
attackers
can
see
the
pods
and
then
attacker
uses
auth.
Can
I
to
enumerate
the
the
permissions
that
the
current
part
has,
with
the
amounted
service
account
and
apparently
attacker
can't
even
create
pods
right
and
that's
what
the
attacker
does?
A
A
A
A
You
can
see
that
root
is
the
root
of
cost
at
this
point
so
skip
ahead,
because
this
right
and
the
attacker
has
access
to
the
docker
circuit
and
what
attacker
does
they
deploy?
The
bitcoin
error
this
time
on
the
docker
through
the
direct
docker
api
rather
than
the
kubernetes
api,
and
that's
a
bit
sneakier
because
then
the
defense
will
for
defense.
It
will
be
harder
to
find
that
bitcoin
error
and,
in
addition,
what
attacker
does
they
want
to?
A
A
Sorry,
that's
the
get
secrets
commands
so,
yes,
attacker
can
find
any
get
secrets,
and
this
is
the
amount
of
the,
and
this
is
the
creation
of
the
node
port
service
for
the
future
access.
So
attacker
at
this
point
is
able
to
open
the
port
on
the
node
and
in
the
future,
access
this.
This
part,
if
needed,
and
we
still
see
that
falco
is
very
active
at
the
detection.
A
So
what
we
do
here,
we're
still
copying
the
cube
cattle,
however,
we're
using
our
name
evasion
and
we
renaming
the
cube
catalyst,
k,
cattle
and,
from
now
on,
the
falco
rules
that
detects
the
cattle
inactivation
within
the
container
will
not
work
and
we
can
easily
use
the
k
kettle
from
that
point,
and
so
the
one
liner
that
I
am
using
it's
it's
a
bit
trickier
here.
It's
not
privileged
container
at
this
point.
We're
still
smashing
the
host
pid.
A
A
This
time,
I'm
looking
for
the
for
the
cubelet
through
the
cubelet
mounted
service
account
token,
I'm
looking
for
the
one
that
will
be
able
to
to
open
that
to
create
the
nosport
service
and
to
open
the
noteboard
by
using
this
token,
like
we
can
see,
is
that
it
finally
can
do
whatever
we
want
pretty
much.
So
now
we
have
confidence,
we
can
mount
the
we
can
create
the
node
part
service
and
that's
what
we
do
notebook
service.
A
The
name
is
istio
management,
which
is
a
sneaky
way
to
pretend
to
be
one
of
the
istio
services,
but
for
our
purpose,
what's
interesting
here
is
that
falco
is
still
only
detects.
The
node
is
unexpected
connection
to
kubernetes
api.
So
in
this
case,
if
the
socket
is
geared
towards
detection
of
the
warnings
or
errors
or
up,
then
they
will
not
see
the
notice
plus.
They
might
think
that
this
is
some
kind
of
false
positive,
that's
some
kind
of
rule
that
triggers
excessive
amounts
of
false
positives
and
decide
to
disable
this
rule.
A
A
A
A
A
I
want
to
list
my
permissions
whatever
I
can
do
from
within
the
nested
container,
I'm
using
the
insecure
skip
tls,
of
course,
I'm
using
the
g-cube
cattle
so
that
falco
will
not
detect
that
I'm
using
actual
couple,
I'm
using
this
server
from
the
kubernetes
server
host
from
the
current
container
and
I'm
using
the
cash
tier
and
cash
there
is
important
here.
I
I
want
to
set
it
a
stamp
because
otherwise
the
cube
cattle
will
save
the
cache
in
the
root,
slash
dot,
cube
directory
which
would
trigger
the
file.
Otherwise,.
A
A
A
We
can
discuss
it
more
in
depth
during
the
q,
a
sections
section,
I
would
say
that
hooking
points
are
very
important
because
we
do
want
the
same
links,
for
example,
to
get
resolved
as
close
as
possible
to
possible
to
the
what
kernel
c
to
get
that
the
kernel
picture
no
easy
way
to
prevent
attack
control
by
passing
the
rules
to
land
on
proc,
name
and
proc,
a
name
and
file
name.
Yes,
that
thing
needs
to
be
minimized.
Two
menu
rule
includes
construct
and
not
because
every
exception.
A
I
I
understand
that
that's
for
false
pos
to
minimize
false
positives,
but
that's
also
the
the
entrance
entry
for
the
attacker
and
possibility
for
the
attacker
to
avoid
that
evade
the
true
review
all
priorities
in
the
bypass
context
period.
The
check
of
public
exploits
for
the
cve
specific
rules.
On
the
example
of
that
through
the
privilege
exploit
that
I
showed
and
then
eventually
encourage
clients
to
develop
their
own
private
rules,
because
then
the
attacker
needs
to
know
the
rules
that
source
before
doing
any
action
to
understand.