FPVA plugin events

[Ethane98]

Exec calls:

• execve: captures path/argvs/envs arguments, does not record XML trace event
• execl, execlp, execle, execv, execvp: captures path argument, does not record XML trace event
• execvpe, fexecve, execveat, etc: not recorded by FPVA plugin

Process calls:

• fork: captures child pid, records XML trace event
• clone, clone2, clone3, : not recorded by FPVA plugin
• exit, exit_group: not recorded by FPVA plugin

File calls:

• open, fopen: captures path argument, records XML trace event
• openat, fdopen, freopen: not recorded by FPVA plugin
• chmod: captures file name and mode, records XML trace event
• close, fclose: not recorded by FPVA plugin
• setuid, seteuid: captures username and uid, records XML trace event

Connection calls:

• connect, accept: captures host ip and port, records XML trace event

Overall trace data:

• pid, exe_name, working_dir, host, parent pid, real_user name and id, effective_user name and id, real_group name and id, effective_group name and id captured in XML trace
• hostname, PID extracted directly from XML trace for python graph
• parent PID extracted directly from XML trace, parent_exe obtained using os.path.basename during python graphing
• init_exe and cur_exe extracted from XML trace exe_name using os.path.basename during python graphing, always the same
• init_euid and cur_euid extracted from XML trace effective_user during python graphing, always the same

Python graphing:

• fork, connect, accept, seteuid, execv, execve: events recorded in XML trace and parsed for python graphing
  • accept events are dropped in final graph visualization
• send, recv, clone, exit: not recorded in XML trace but they are parsed for python graphing
• Procedure improvements: Refactor python graph builder to ignore miscellaneous trace errors (missing fields, missing parent/child nodes). Render raw/dedup image sets separately in Javascript instead of failing if one or the other doesn't exist.

[Ethane98]

Currently in progress:

• Matching 127.0.0.1, 0.0.0.0, , etc. on all connect/accept and send/recv events
• Finish implementation of exec events in the SPI FPVA agent
• Capturing additional arguments for open and exec variants
• Picking up basic clone, exit, close events in the SPI FPVA agent
• Moving exe name resolution from python graph-building stage to the SPI FPVA agent

Current graph example: https://research.cs.wisc.edu/mist/spi/demo_latest/html/

Older graphs: https://research.cs.wisc.edu/mist/spi/

[Ethane98]

Updated list of FPVA plugin trace events:

Process calls:

• execve, execvpe, fexecve, execveat, execle, execl, execlp, execv, execvp captures args/env variables/flags, records trace, and are parsed for python graphing as 'exec' events
• fork is captured as a trace and parsed for python graphing
• clone, clone2, clone3 are captured and recorded in traces, and parsed for python graphing as 'clone' events
• exit is parsed for python graphing but not recorded in instrumentation traces
• setuid, seteuid are captured in traces, only seteuid is parsed in graphing
• chroot, chdir captured in traces, only chdir is shown in graphing
• Next steps: Find better ways to visualize working directory/root directory
• Next steps: Instrument setuid related calls (setreuid, setresgid, etc)

File calls:

• open, fopen, fdopen, freopen, openat are captured and recorded in traces, and parsed in python graphing as 'open' events
• chown, fchown, lchown, fchownat captured in traces and parsed as 'chown' events in graphing
• close not captured in instrumentation or parsed in graphing
• chmod is captured in traces and parsed in graphing
• Next steps: instrument other calls related to file permissions, chmod variants
• Next steps: Track open files between parent and child processes, check process user/group/permissions against open file user/group/permissions?

Connection calls:

• connect, accept capture host IP and port, records trace and parses in for python graphing
• send, recv are parsed for python graphing but not yet captured in instrumentation

Other information:

• pid, exe_name, working_dir, host, parent_pid, real_user name and id, effective_user name and id, real_group name and id are all captured in process trace
• pid, exe_name, host, real_user name/id are shown using different visual indicators in the graph
• parent_pid not used in graphing
• working_dir, parent_exe, and some real/effective user data only shown in tooltip text
• Next steps: Show working/root directory or permissions in a more visual way
• Next steps: Clarify name vs id for users and groups, parse group info out of traces, instrument more calls related to changing user/group IDs and permissions