#4720 added the ability to target Go functions in stripped Go binaries by discerning their offset and size from pclntab.
pclntab does not contain function signature metadata, so there's currently no way to write policy targeting individual Go function parameters.
For instance, we'd like to be able to write a policy that searches Go function string parameters for suspicious payloads and then clears the string that contains the weaponized payload:
```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-ssti-cve-2024-55660
spec:
  uprobes:
  - path: /usr/local/bin/vuln-app
    symbols:
    - "text/template.(*Template).Parse"
    args:
    - index: 1
      type: "go_string"
    selectors:
    - matchArgs:
      - index: 1
        operator: "SubString"
        values:
        - ".Env"
        - "exec"
        - "os/"
        - "Getenv"
      matchActions:
      - action: ClearGoString
        argIndex: 1
      - action: Post
```
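The gap described above can be seen with Go's standard `debug/gosym` package. This is an added example, not code from the issue or from Tetragon: it looks up the policy's symbol in the pclntab of its own ELF binary and shows that only an address range comes back, with nothing describing parameters. The helper name `pclntabRange` is hypothetical, and a Linux ELF build is assumed.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"os"
	"text/template"
)

// Symbol taken from the policy above.
const targetSymbol = "text/template.(*Template).Parse"

// Call the target once so the linker keeps it in this demo binary.
var _, _ = template.New("demo").Parse("{{.}}")

// pclntabRange (hypothetical helper) returns the entry address and byte size
// that pclntab records for the named function in the ELF binary at path.
func pclntabRange(path, name string) (entry, size uint64, err error) {
	f, err := elf.Open(path)
	if err != nil {
		return 0, 0, err
	}
	defer f.Close()
	pcln, text := f.Section(".gopclntab"), f.Section(".text")
	if pcln == nil || text == nil {
		return 0, 0, fmt.Errorf("%s: missing .gopclntab or .text", path)
	}
	data, err := pcln.Data()
	if err != nil {
		return 0, 0, err
	}
	// A nil symtab is enough: pclntab alone lists the functions, which is why
	// the lookup still works after the ELF symbol table has been stripped.
	tab, err := gosym.NewTable(nil, gosym.NewLineTable(data, text.Addr))
	if err != nil {
		return 0, 0, err
	}
	fn := tab.LookupFunc(name)
	if fn == nil {
		return 0, 0, fmt.Errorf("%s: not in pclntab", name)
	}
	// Entry and End are all there is to work with: the pclntab lookup
	// yields no parameter count, types or locations.
	return fn.Entry, fn.End - fn.Entry, nil
}

func main() {
	exe, _ := os.Executable() // inspect this very binary
	entry, size, err := pclntabRange(exe, targetSymbol)
	fmt.Printf("%s entry=%#x size=%d err=%v\n", targetSymbol, entry, size, err)
}
```

The returned entry is a virtual address; a `go_string` argument type like the one in the policy would need layout information from some other source.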