►
From YouTube: Bypass Falco - Leonardo Di Donato, Sysdig
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Bypass Falco - Leonardo Di Donato, Sysdig
The main goal of Falco is to detect malicious behaviors at runtime and alert you about anything undesirable happening inside your machines. Maybe you trust it as your last line of defense in today’s cloud-native environments, and as a consequence, you sleep like a log. Well, I’m a Falco maintainer, and I definitely wouldn’t. Ok, I generally don’t trust anything and still manage to sleep soundly, but that’s a topic for another conversation. You shouldn’t trust Falco. You shouldn’t trust any tool by default. During this session, we’re gonna explore how to bypass Falco and leave us like sitting ducks, defenseless. How? By circumventing the ability of the Falco kernel module or its eBPF probe to trace the syscalls happening into your Linux kernels. Join this talk to get to know the details, and participate in this next-level collective drama.
https://sched.co/ekE4
A
A
Finding
new
ways
to
bypass
a
cncf
cool
tool
called
falco
falco
is
a
runtime
security
project
and
I
shoot
that
I'm
one
of
its
outdoors,
my
name
is
leonardo,
but
people
usually
shorten
my
name
so
feel
free
to
just
call
me
leo.
Here's
a
photo
of
me
moving
ends
like
a
real
italian
usual
promise,
falco's
one
to
the
first
one,
guessing
the
exact
meaning.
I'm
writing
it
to
my
twitter
direct
messages.
A
What
I
do
daily
well,
I'm
an
open
source
software
engineer
at
sysdig,
where
my
daily
job
is
to
guess
what
write
code
for
falco
and
maintain
it-
maybe
you're
confused
at
this
point,
what
a
maintainer
falco
talking
on
how
to
bypass
it.
I
know
crazy
times
to
be
alive.
I
firmly
believe
that
challenging
your
software
really
hard
is
the
only
way
to
actually
improve
it,
but
just
give
me
some
minutes
and
I'll
completely
explain
to
you
the
reasoning
behind
this
approach.
A
In
the
meantime,
you
can
find
me
on
twitter,
where
I
tweeted
these
slides
with
the
nickname,
leodido
feel
free
to
drop
me.
A
line.
Follow
me:
ask
questions
about
falco
bpf
kernel,
whatever
no
problem
at
all.
First
things:
first,
where
does
falco
come
from
falco
is
a
runtime
security
project
originally
created
in
2016
by
sysdig
the
company
that
pays
me
a
salary.
I
don't
know
why,
then
in
2018
it
was
donated
to
the
cncf,
a
branch
of
the
linux
foundation,
thus
becoming
the
fourth
cncf
sandbox
runtime
security
project.
A
It
started
to
gain
some
serious
traction
to
the
point
that
the
other
maintainers
and
I
had
to
even
start
weekly
community
calls
to
which,
by
the
way,
I
invite
anyone
to
participate
every
wednesday
at
5
p.m.
Italian
time
this
past
january,
falco
was
the
first
ever
runtime
security
project
to
be
promoted
to
the
cncf
incubation
level.
A
A
Stressing
our
software
challenging
its
limits
so
to
be
able
to
improve
them
is
the
fourth
step
and
invite
anyone
here
to
try
falco
challenge
it
and
report
back
to
us
and
to
the
falco
community,
the
findings,
so
we
can
gain
more
and
more
awareness
in
the
end.
Breaking
things
is
the
best
way
to
understand
how
to
fix
them.
Isn't
it
anyways?
A
The
plan
for
the
next
20
minutes
is
to
look
up
photos
of
my
beautiful
homeland
in
southern
italy
that
I
miss
so
much
remembering
the
good
old
times
when
we
were
all
free
to
travel
around
and
pandemics
were
only
a
movie
thing
in
the
meanwhile
I'll
approach.
The
reasons
behind
the
choice
to
stress
falcon.
Why?
I
think
this
is
the
best
possible
approach
to
make
a
runtime
security
software
more
and
more
solid
day
after
day.
A
In
order
to
do
so,
we
also
need
to
briefly
get
skinny
on
our
farco
solves
the
runtime
security
problem,
even
for
the
cloud
native
environments
based
on
kubernetes
and
the
way
to
do
this
is
by
looking
at
how
it
actually
works
under
the
olds.
I
mean
that's
the
way
to
go
when
you
really
want
to
understand
things
not
to
mention
when
you
want
to
bypass
them.
A
We'll
also
reflect
a
bit
on
the
security
landscape
in
general,
shortly
after
this
page
I'll
demo,
some
of
the
possible
ways
to
bypass
falco
developing
them,
as
accounted
for
the
most
of
the
work
that
went
into
preparing
this
talk.
So
please
be
kind
with
me.
I'll
also
present
some
mitigation
and
even
fixes
that
we
put
in
place
to
prevent
you
from
using
my
ideas
to
bypass
my
blood
falco
in
the
future.
A
Consider
it
an
encouragement
to
find
and
develop
your
own
as
soon
as
this
tool
got
accepted,
I
told
my
dad
look:
paw,
I'm
gonna
teach
people
how
to
bypass
the
software,
rebuild
I'll
spare
you
the
details,
but
what
ensued
was
a
fairly
predictable
and
stereotypical
italian
family
drama.
He
started
yelling
at
me
and
shouted
that
to
do
such
a
thing
was
a
grave
and
unforgivable
mistake
that,
since
they
could
have
should
have
fired
me
for
even
conceiving
something
as
twisted
as
this.
A
A
I
tried
in
vain,
as
he
was
still
shouting,
to
explain
that
a
constructive
attitude
begins
with
a
quest
for
our
weaknesses.
It's
the
first
unnecessary
step
in
gaining
self-awareness.
It's
only
by
getting
to
really
know
our
limits
that
we
can
hope
to
overcome
them.
It's
only
after
having
looked
into
the
ravines
long
enough
that
we
can
imagine
ways
of
feeling
them
it's
a
matter
of
epistemic
hunger
of
knowing
that
the
path
to
real
improvement
is
almost
inevitably
convoluted.
A
A
A
This
is
the
case
in
every
subfield
of
computer
science,
but
even
more
so
in
a
real
mess
dynamic
as
security
in
which
every
day
carries
the
possibility
that
our
solutions
suddenly
become
obsolete
and
in
a
need
of
a
fix,
a
patch
or
generally
an
improvement.
When
I
think
about
this
often
kitsuji
pops.
To
my
mind,
kitsuji
is
an
ancient
japanese
art,
consisting
of
repairing
broken
pottery
by
maintaining
the
iris,
with
powered
gold,
silver
or
platinum.
A
It
threats,
breakage
and
repair
as
part
of
the
history
of
an
object,
rather
than
something
to
disguise
in
a
very
real
sense.
This
japanese
practice
that
fascinates
me
captures
the
core
of
what
I
said
so
far.
Indeed,
developing
software
is
a
therapeutic
process
that
inscribes
the
way
we
deal
with
imperfections
glitches
fisheries
into
the
essence
of
our
software,
making
it
more
precious
and
more
solid
as
a
result.
But
let's
come
back
to
real
world
now,
okay,
so
what
does
security
mean
to
me
how
to
characterize
the
security
problem?
A
I
don't
know
about
you,
but
I
personally
wouldn't
want
anything
to
happen
to
my
system
without
me
even
noticing
it,
at
least.
In
this
context,
I
want
to
be
able
to
determine
what
things
can
happen
and
what
cannot,
since
preempting
control,
is
not
always
possible.
I
also
want
to
possess
deep
visibility
so
as
to
be
able
to
know
what
just
happened
as
soon
as
possible.
A
A
The
main
differences
is
this:
the
first
world
prevention
is
connected
to
the
concept
of
enforcement,
in
other
words,
do
not
allow
some
actions
to
take
place
to
open
a
tone
because
of
some
policies.
Tools
in
these
categories,
such
as
second,
second
bpfc,
linux,
app
armor
or
even
authorization
mechanism
like
kubernetes
or
back
or
the
kubernetes
policy-based
transmission,
plugins
change,
the
behavior
of
a
process
by
preventing
actions,
sometimes
cisco's
from
succeeding
or,
in
some
cases,
also
killing
the
process
trying
to
perform
those
actions.
A
On
the
other
end,
the
second
approach
to
security
is
to
use
the
policy
to
monitor
the
behavior
of
a
process
and
notify
when
it
steps
outside
the
policy.
Falco
belongs
to
this
second
group,
a
topic
that,
especially
in
cloud
native
environments,
has
not
been
solved
yet.
Maybe
you're
wondering
now
can
falco
solve
all
our
security
concerns
honestly,
not
at
all.
Software
is
made
of
layers,
so
is
security.
A
This
is
even
more
true
in
the
current
cloud
native
environments,
as
you
can
see,
the
scheme
on
the
slide,
pod
services,
ingress
containers
and
so
on.
Up
and
down.
These
are
environments
that
embrace
change
as
their
fundamental
component
constantly
opening
the
doors
to
the
unknown,
so
falco
exists
to
enable
us
to
detect
intrusions
malicious
behaviors
security
threats
in
general
at
runtime.
A
Let
me
also
be
clear
that
since
security
is
made
of
layers,
my
suggestion
is
to
combine
falco
with
prevention
tools,
thus
applying
a
defense
in-depth
strategy.
The
idea
is
to
defend
a
system
against
any
particular
attack
using
several
independent
methods.
The
first
specific
example
that
comes
to
my
mind,
is
using
falco
to
identify
malicious
attempts
to
assess
sensitive
resources
by
observing
the
word
behavior
of
your
environments
and
then
write
appropriate
enforcement
policies,
for
example
up
armor
profiles
for
your
containers.
A
That
will
prevent
the
episode
to
happen
again
in
the
future,
basically
implementing
a
sort
of
feedback,
loop
continuously,
improving
the
security
posture
of
our
environments.
So
what's
runtime
security
with
this
tour,
I
refer
to
the
practice
of
using
detection
tooling
to
detect
unwanted
behavior
such
that
it
can
then
be
prevented
using
prevention
techniques
so
to
continuously
improve
your
threat
model,
its
last
line
of
defense.
This
means
that
in
case,
it
is
not
able
to
promptly
detect
and
alert
you
of
malicious
attempts.
You
will
end
up
like
sitting
ducks
defenseless.
A
A
Think
of
him
like
a
compromised
insider
or
if
there's
something
suspicious
happening
outside
or
nearby
a
normally
or
zero
day.
She
detects
runtime
anomalies
in
my
life
at
home
and
she
was
may
she
rest
in
peace
very,
very
serious
about
her
job,
as
you
can
see
the
picture
so
why
prevention
is
about
locking
the
doors
detection
is
about
continuously
monitoring
the
inside
and
the
perimeter.
A
Still
bad
people
were
able
to
enter
my
house
and
put
her
to
sleep.
I
think
I
made
myself
a
bit
more
clear
now,
sadly,
in
case
you're
still
not
convinced
that
there's
no
such
thing
as
perfectly
safe
and
perfectly
secure
software
and
the
layered
approach
is
the
best
possible
strategy
for
software
security.
Just
allow
me
to
emphasize
a
few
points:
how
to
trust
cloud
providers
and
their
ability
to
detect
malicious
or
compromised
insiders,
how
to
prevent
an
undisclosed,
vulnerability
or
a
zero-day
bug
that
allows
someone
to
brag
into
your
system.
A
A
Good
computer
security
is
hard.
It
requires
a
lot
of
technical
knowledge
and
takes
a
lot
of
time
and
effort
and
at
the
end
of
the
day
there
will
always
still
be
weaknesses
in
your
system.
This
means
that
you
should
never
below
the
intel
false
sense
of
security.
Thinking
that
you're
working
on
a
secure
system,
your
system
can
be
more
or
less
secure,
but
a
perfect
one
doesn't
exist.
This
does
not
mean
that
you
should
do
nothing.
A
It's
just
about
awareness
and
surely
there
are
ways
to
harden
your
runtime,
for
example,
dropping
capabilities
so
preventing
things
to
happen
when
a
container
starts
in
a
way
to
harden
it,
but
that's
just
one
side
of
the
coin.
When
you
have
a
goal
of
reinforcing
the
isolation
between
the
container
and
the
asteroids,
using
a
container
more
like
a
sandbox,
the
main
option
you
have
is
cisco
monitoring
right.
A
Surely
somebody
could
still
argue,
but
why
tracing
the
ciscos,
because
in
the
end,
whatever
program
you
run,
it
will
end
up
making
a
lot
of
c
schools.
Cisco's
are
the
way
programs
ask
the
kernel
where
everything
really
happens
to
perform
some
tasks,
whether
the
task
regards
networking,
io
processes
and
so
on.
This
does
matter
here.
Falco
enters
the
game.
A
At
the
moment,
falco
can
receive
those
events
in
three
alternative
ways
that
we
call
drivers
through
a
kernel
module
or
within
a
bpf
probe
or
with
a
ptrace
based
driver
called
pdig.
That's
really
helpful
in
environments
where
you
can't
install
the
other
two
drivers
just
mentioned:
anyways
falco
can
also
use
other
input
sources.
At
the
same
time,
I'm
referring
to
the
kubernetes
audit
logs,
in
particular
that
proven
to
be
very
useful
when
leveraged
by
far
code
improved
visibility
into
your
kubernetes
clusters.
A
A
The
falco
rules
are
very
simple
to
write,
since
they
are
basically
yaml,
and
this
makes
them
very
easy
to
write,
to
learn
and
very,
very
hard
to
indent
correctly.
But
that's
yammer
fault,
not
ours,
don't
blame
me.
Falco
rules
proven
to
be
very
straightforward
to
adopt,
unlike
the
policy
languages
of
other
tools
in
the
security
space
we
mentioned
earlier,
I
mean
have
you
ever
tried
writing
c
linux
policies
and
things
like
that
in
a
falcon
rule
set
you
can
write
conditions.
A
A
Finally,
focus
ships
with
the
default
huge
rule
set
for
reasons
we
are
gonna
explore,
understand
better
in
a
bit
in
case.
You
want
to
jump
into
reading
thousands
of
lines
of
yaml.
I
put
a
link
in
the
slide,
footnote
you're
welcome.
For
example,
here
we
have
a
rule
to
detect
untrusted
shell
being
spawned
below
an
onshore
application.
A
By
looking
at
its
condition,
we
can
see
that,
aside
from
specific
applications
that
are
allowed
to
spawn
shell,
this
rule
emits
an
output
dollar.
In
case
the
macros
pawn
underscore
process
evaluates
to
true,
which
means
an
exact
vsc
score
was
detected,
which
in
turn
means
a
program
has
been
executed.
A
A
The
first
thing
that
catches
my
eye
here
is
the
spawned
underscore
process
macro
that
only
checks
for
exact
va
event.
This
cisco
is
part
of
the
exact
family.
It
executes
a
program
referred
to
by
the
path
name
given
to
it
as
the
first
argument,
but
exactly
as
siblings
in
this
family.
Let's
see
if
we
can
circumvent
this
rule
by
using
a
brother
or
sister
of
the
exec
via
cisco.
A
A
I
have
also
other
ideas
like
changing
the
name
of
the
process,
pointing
a
shell
to
one
of
the
names
treated
as
exception
by
this
rule
or
sim
linking
the
shell
to
an
unlisted
name.
But
I
leave
this
as
exercises
at
all.
In
this
little
demo,
we're
gonna
use
the
current
development
release
of
falcon.
Basically,
it's
master
branch
from
the
tub.
In
particular,
we
have
falco
version
0261-43,
43,
comets,
ahead
of
the
latest
release
driver
version,
2a8.
A
A
Let's
verify
now
the
target
rule
works
as
intended
to
do
so.
We'll
use
the
event
generator
project.
It's
a
nice
go
tool
in
the
focal
security
organization
that
helps
you
easily
generate
a
variety
of
suspect
actions
detected
by
the
default
falco
rule
sets.
I
quickly
change
this
comma
to
make
the
shelled
spawns,
create
a
chow
file
inside
the
temp
test
directory.
A
Let's
check
the
show
file
is
here:
let's
remove
it
to
make
things
more
clear.
We
can
easily
trigger
this
falco
rule
again
ow
this
way,
let's
create
a
sim
link
to
given
the
generator
name.
Httpd,
let's
create
a
pizza
file,
which
is
a
simple
script
that
basically
calls
the
event
generator
run
shell
command.
Let's
make
it
executable.
A
A
A
A
A
As
you
can
see,
there
is
no
rule
launched
by
farco,
but
do
we
have
the
show
file?
Yes,
we
have
so
it
worked
but
got
and
noticed
by
falco,
so
we
discovered
together.
Our
ciscos
are
the
joy
and
torment
at
the
same
time,
for
falco
they
are
a
very
powerful
mechanism
that
acts
as
the
kernel
api
that
abstracts
all
the
artwork
for
us.
Falco
magic
is
based
upon
them
and
will
not
be
possible.
A
Otherwise,
but
aside
from
the
fact
that
tracing
all
the
sea
from
a
user
space
perspective
often
is
not
that
comfortable
the
issue,
the
real
issue
is
that
there
are
a
lot
of
ciscos
and
with
every
kernel
release
they
can
change
gain
a
new
parameter.
New
ciscos
can
be
introduced,
old
ones
got
deprecated,
and
things
like
that,
so
it
can
be
really
really
painful
for
us
as
maintainers
to
keep
on
track.
For
example,
we
still
miss
the
copy
file
range
cisco.
A
This
can
be
used
to
bypass
falco
rules.
Looking
for
sensitive
fire
renames,
a
malicious
actor
could
use
it
to
copy
all
the
bytes
of
a
sensitive
file
and
falco
will
not
be
able
to
detect
it,
because
it
only
looks
for
a
name
rene,
matt
renamed
two
c
schools
in
the
renamed
macro
also
renamed
two
was
missing
until
two
months
ago.
We
had
the
support
for
it
in
falco
025,
so
we're
putting
an
effort
to
support
more
and
more
c-schools
before
releasing
falcod
1.0,
especially
the
ones
that
could
impact
the
detection
abilities
of
falco.
A
A
I
think
it's
useful
now
to
quickly
show
you
how
how
to
determine
which
schools
are
not
supported
yet
by
falco
drivers.
Otherwise,
you
won't
know
where
to
start
right.
I
provide
you
this
little
best.
Script,
don't
forget
to
clone
this
degree
procedure
where
the
falcon
drivers
live.
Since
leaves
gap
still
reside
but
expect
to
find
them
soon
in
the
falco
security
organization,
as
you
can
see
on
the
right,
falco
026,
the
one
used
in
the
previous
demo
does
support.
Yet
exactly
at
cisco
has
said
needed
support
copy
file
range,
but
it
supports
rename
at
2..
A
Then
we
surely
should
talk
a
bit
just
a
bit
about
the
idea
to
extend
falco
to
something
more
than
cisco's.
Yes,
there's
more
in
the
linux
kernel.
New
very
cool
apis
like
io
ring,
are
landing.
The
io
ring
is
a
new
asynchronous
api,
with
very
very
little
hover
ad
that
times
to
overcome
the
limitations
of
the
current
select,
paul
e,
paul
or
aio
family
of
system
codes.
But
I
suppose
this
is
a
topic
for
a
next
tool
right.
A
I
imagine
it's
way
more
useful
now
to
show
you
how
to
add
support
for
a
new
cisco
right
when
you
hit
the
manual
page
for
name
syscalls,
you
got
no
surprises.
In
fact,
as
name
suggests,
they
allow
us
to
rename
a
file
moving
it
between
directories
in
this
family.
We
also
have
the
rename,
add
and
rename
at
two
ciscos
the
rename
at
cisco
operates
in
exactly
the
same
way
as
renamed
as,
except
for
some
differences
in
how
the
file
paths,
the
old
ones
and
the
new
ones
are
handled.
A
The
rename
map
to
cisco
is
equivalent
to
during
math.
It
only
has
an
additional
flags
argument
used
to
specify
whether
the
name
should
be
atomic
or
not
whether
you
want
to
allow
the
override
of
a
file
and
so
on.
Let's
briefly,
take
a
look
at
how
support
for
renemachu
was
added
in
pull
request
1654,
so
that
maybe
you
can
easily
contribute
your
additions
to.
A
Let's
look
at
how
we
added
support
for
the
cisco
rene
mac
2.
The
first
thing
to
do
is
modifying
the
dryer's
ppm
events,
public
heater
by
adding
constants
to
the
ppm
event
type
in
a
table
for
the
entry
and
exit
fillers
of
the
renamer
to
cisco
and
adding
an
item
for
the
relay
match
to
school
to
the
ppm,
cisco
code
inum
table
here.
We
also
need
to
define
their
name
at
two
flags
and
the
struct
for
holding
them.
A
At
this
point
in
the
driver
filler
stable
c
file,
we
need
to
match
the
filler
constants
with
their
actual
implementations,
so
that
falco
drivers
know
which
code
to
execute
at
the
entry
and
the
exit
when
the
target
syscall
is
detected,
we
also
need
to
represent
the
name
up
to
cisco
into
the
driver,
even
table
c5
now
by
editing
the
g
event
info
array,
adding
to
it
two
items,
one
for
the
entrance
of
the
c
school
and
one
for
the
exit.
Each
line
should
represent
the
signature
of
the
cisco.
A
We
are
adding
so
its
arguments
and
its
return
value.
For
example,
here
we
are
telling
the
falco
driver
to
look
for
their
name
at
two
flags
tracked
instance.
We
declared
before
when
it
looks
for
the
renamer
to
flags
bitmask
argument
now
go
into
the
cisco
table
c
file
and
edit
the
reference
table
for
32
and
64
bit.
Architectures
first
add
the
name
at
2
item
to
the
cisco
table,
populating
its
value
with
references
to
the
syscall
entry
and
exit
fillers.
A
Then
we
also
need
to
edit
the
cisco
code
routing
table,
adding
an
item
for
renamer
to
cisco
and
pointing
it
to
the
cisco
code
we
are
seeing
to
it.
Last
but
not
least,
we
need
to
define
our
fillers
buff
for
the
4kb
pf
driver
and
for
the
kernel
module
1.
for
brady
we're
going
to
look
only
at
the
filler
for
the
camera
module.
The
one
for
the
bpf
drive
is
very,
very
similar,
just
uses
some
different
apis
for
collecting
the
data
and
pushing
them
to
the
user
space.
A
In
this
case,
we
only
define
the
exit
filter
because
we
grab
the
rename
to
parameters
only
when
it
completes.
As
you
can
see
here,
we
get
the
value
of
all
the
for
the
old
path,
new
d
file,
descriptor
new
path
and
flags,
and
we
put
them
into
the
ring
buffer
with
val
touring
method,
so
populating
a
new
event
that
falco
will
use
to
detect
renames
made
with
renamed
to
cisco.
A
A
A
So
this
is
the
falco
rule
that
triggers
when
someone
is
launching
a
package
manager
inside
your
containers.
As
you
can
see,
there's
the
spawn
process
macro,
but
this
time
we'll
target
the
package
management
prox
macro
that
monitors.
If
the
process
name
is
one
of
the
element
in
the
package
management
binaries
list.
A
A
A
A
Falco
alerts
us
that
someone
somehow
modified
a
file
below
a
binary
directory,
but
it
does
not
tell
us
that
someone
used
the
package
management
tool
of
alpine.
In
my
opinion,
the
role
we
targeted
as
flows,
and
it
should
be
more
precise,
as
we've
just
seen.
Maybe
we
need
to
make
falco
rules
also
monitor
the
sim
links,
we're
thinking
to
build
something
inside
it
that
automatically
does
it.
This
way
we
don't
have
to
edit
all
the
rules,
and
we
don't
have
to
remember
to
also
monitor
the
sim
link.
A
Every
time
a
rule
looks
for
a
binary
or
a
file
etc,
but
we
need
to
make
a
bigger
conversation
and
we'd
love
your
feedback
too.
So
please
join
the
falco
community
codes.
We
proved
that
falcalone
is
not
enough,
but
this
is
something
we
all
already
knew.
Furthermore,
its
rule
set
or
the
one
you
using
can
be
incomplete
or
ineffective.
A
A
A
very
malicious
actor
could
pipe
from
the
outside
a
base64,
encoded,
binary
and
regulate
it
line
by
line
inside
the
container
and
how
to
monitor
batch
scripts
with
dersha
banks
better
prevent
too,
in
that
case,
like
removing
bash
from
the
container
reducing
the
attack
surface
by
creating
the
container
image
from
scratch,
not
from
alpine.
Even
if
we
love
it
then
put
inside
them
the
read-only
binary
that
has
to
act
as
the
entry
point
of
the
container
make
only
one
specific
path,
writable
and
also
restrict
it
to
contain
non-executable
files
with
flag
netseq.
A
Finally,
you
can
create
a
falcon
rule
that
monitors
the
only
binary
executing
in
that
container.
Is
the
entry
point
you
intended
this
way,
you
should
have
reduced
a
lot,
the
odds
of
an
attacker
now
another
little
bypass
demo,
very
different
from
the
others.
We've
just
seen
it's
last
one.
I
promise
for
this
demo.
We
don't
mind,
selecting
a
particular
falco
rule
since
we're
ambitious
and
we
intend
to
be
able
to
bypass
all
of
them
anyways
for
the
sake
of
this
demo.
We're
gonna
select
this
rule.
A
Rather,
I
already
installed
the
falcon
from
its
deb
repositories
on
bin
tray.
Let's
now
trigger
the
rule,
I
create
a
leo
file
in
the
temp
directory.
I
start
falco
and
then
I
set
the
group
id
on
temp
leo5.
As
you
can
see,
falco
alerts-
us-
maybe
you
don't
know,
but
when
falco
get
installed,
it
puts
the
default.
Yaml
rule
sets
in
the
atc
directory,
but
also
it
puts
some
very
important.
Lua
files
inside
user
share,
falco
lua.
A
A
No
output,
I
know
to
bring
on
this
attack.
The
malicious
user
should
already
have
a
lot
of
privileges
on
the
target
task.
It
should
already
be
able
to
manually,
kill
the
falco
process,
for
example,
but
that's
not
the
point.
The
point
is
that
it's
way
more
likely
that
malicious
attacker
will
do
more
selective
things
in
the
output
lua
files
that
we
edited
like
excluding
only
some
rule
alerts
or
even
modifying
the
output
messages.
A
This
way,
your
attention
will
not
be
drawn
because
you'll
probably
continue
to
think
falco
is
still
operating
perfectly
as
intended
and
anyways
focus
should
at
least
alert
us.
It
has
been
restarted
from
who
and
how?
Don't
you
think
so
how
to
solve
the
problem
of
blue
outputs?
We
already
did
it
no
worries.
We
have
wrote
the
complete
outputs
module
of
falco
inc,
plus,
starting
with
the
next
release
of
falco.
The
gate
of
the
outputs
will
be
built
inside
the
falcon
binary.
We
plan
to
also
write
the
parser
and
the
engine
completely
in
c
plus.
A
This
will
enable
us
to
reduce
the
dependency
surface
of
falco,
removing
lua
related
dependencies
too
so
stay
in
touch,
and
in
case
you
want
to
take
a
look
at
how
we
did
it.
I
put
a
link
to
the
pull
request
in
the
slide
as
usual.
So
thanks
anyone
for
being
here.
This
talk
was
really
tough
even
to
prepare
and
to
listen
admit,
but
I
hope
you
enjoyed
my
approach.
My
findings
and
my
considerations
see
you
soon.
Let's
hope
in
person
in
the
meantime,
follow
me
on
twitter
join
the
falco
calls
and
let's
keep
in
touch.