FPVA plugin events #27

Open
Ethane98 opened this issue Feb 21, 2022 · 2 comments
Ethane98 commented Feb 21, 2022

Exec calls:

  • execve: captures path/argvs/envs arguments, does not record XML trace event
  • execl, execlp, execle, execv, execvp: captures path argument, does not record XML trace event
  • execvpe, fexecve, execveat, etc.: not recorded by FPVA plugin

Process calls:

  • fork: captures child pid, records XML trace event
  • clone, clone2, clone3: not recorded by FPVA plugin
  • exit, exit_group: not recorded by FPVA plugin

File calls:

  • open, fopen: captures path argument, records XML trace event
  • openat, fdopen, freopen: not recorded by FPVA plugin
  • chmod: captures file name and mode, records XML trace event
  • close, fclose: not recorded by FPVA plugin
  • setuid, seteuid: captures username and uid, records XML trace event

Connection calls:

  • connect, accept: captures host ip and port, records XML trace event

Overall trace data:

  • pid, exe_name, working_dir, host, parent pid, real_user name and id, effective_user name and id, real_group name and id, effective_group name and id captured in XML trace
  • hostname, PID extracted directly from XML trace for python graph
  • parent PID extracted directly from XML trace, parent_exe obtained using os.path.basename during python graphing
  • init_exe and cur_exe extracted from XML trace exe_name using os.path.basename during python graphing, always the same
  • init_euid and cur_euid extracted from XML trace effective_user during python graphing, always the same

Python graphing:

  • fork, connect, accept, seteuid, execv, execve: events recorded in XML trace and parsed for python graphing
    • accept events are dropped in final graph visualization
  • send, recv, clone, exit: not recorded in XML trace but they are parsed for python graphing
  • Procedure improvements: Refactor python graph builder to ignore miscellaneous trace errors (missing fields, missing parent/child nodes). Render raw/dedup image sets separately in Javascript instead of failing if one or the other doesn't exist.
@Ethane98 (Contributor Author)
Currently in progress:

  • Matching 127.0.0.1, 0.0.0.0, , etc. on all connect/accept and send/recv events
  • Finish implementation of exec events in the SPI FPVA agent
  • Capturing additional arguments for open and exec variants
  • Picking up basic clone, exit, close events in the SPI FPVA agent
  • Moving exe name resolution from python graph-building stage to the SPI FPVA agent

Current graph example: https://research.cs.wisc.edu/mist/spi/demo_latest/html/

Older graphs: https://research.cs.wisc.edu/mist/spi/

Ethane98 commented Jun 2, 2022

Updated list of FPVA plugin trace events:

Process calls:

  • execve, execvpe, fexecve, execveat, execle, execl, execlp, execv, execvp capture args/env variables/flags, record traces, and are parsed for python graphing as 'exec' events
  • fork is captured as a trace and parsed for python graphing
  • clone, clone2, clone3 are captured and recorded in traces, and parsed for python graphing as 'clone' events
  • exit is parsed for python graphing but not recorded in instrumentation traces
  • setuid, seteuid are captured in traces, only seteuid is parsed in graphing
  • chroot, chdir captured in traces, only chdir is shown in graphing
  • Next steps: Find better ways to visualize working directory/root directory
  • Next steps: Instrument setuid related calls (setreuid, setresgid, etc)

File calls:

  • open, fopen, fdopen, freopen, openat are captured and recorded in traces, and parsed in python graphing as 'open' events
  • chown, fchown, lchown, fchownat captured in traces and parsed as 'chown' events in graphing
  • close not captured in instrumentation or parsed in graphing
  • chmod is captured in traces and parsed in graphing
  • Next steps: instrument other calls related to file permissions, chmod variants
  • Next steps: Track open files between parent and child processes, check process user/group/permissions against open file user/group/permissions?

Connection calls:

  • connect, accept capture host IP and port, record a trace, and are parsed for python graphing
  • send, recv are parsed for python graphing but not yet captured in instrumentation

Other information:

  • pid, exe_name, working_dir, host, parent_pid, real_user name and id, effective_user name and id, real_group name and id are all captured in process trace
  • pid, exe_name, host, real_user name/id are shown using different visual indicators in the graph
  • parent_pid not used in graphing
  • working_dir, parent_exe, and some real/effective user data only shown in tooltip text
  • Next steps: Show working/root directory or permissions in a more visual way
  • Next steps: Clarify name vs id for users and groups, parse group info out of traces, instrument more calls related to changing user/group IDs and permissions
