feat(uprobes): add Go string parsing and inline modification#4817
Draft
dwindsor wants to merge 7 commits into cilium:main from
Contributor, Author:
vmtests CI failing due to a verifier error on < 6.12, will fix:
Contributor, Author:
vmtests failing on kernels that don't have Gating
Map logical argument indices to physical register slots under Go's ABIInternal calling convention on amd64. Multi-slot types shift subsequent arguments into higher registers. This is needed to extract the correct argument from uprobes attached to Go functions.
Signed-off-by: David Windsor <dwindsor@gmail.com>

Wire the go_string generic type through BPF preload and event config.
Signed-off-by: David Windsor <dwindsor@gmail.com>

Expose go_string in the tracing API, generic types, and sensor path.
Signed-off-by: David Windsor <dwindsor@gmail.com>

Bump CRD schema and docs for the new go_string type.
Signed-off-by: David Windsor <dwindsor@gmail.com>

Add a small Go program and uprobe test that exercises go_string capture on net/http.ServeContent.
Signed-off-by: David Windsor <dwindsor@gmail.com>
Add a post action that clears only the Go string length register. Strings are stored as [ptr,len] tuples in Go. We only zero len here because it's possible to do atomically with a single aligned word-size write. Zeroing the ptr field would require another write which cannot be performed atomically with respect to the clearing of the len field. With len cleared to zero the header matches how the runtime treats empty results from []byte-to-string conversion: slicebytetostring returns "" when n==0 without reading ptr (https://github.com/golang/go/blob/go1.24.0/src/runtime/string.go#L132-L137).
Signed-off-by: David Windsor <dwindsor@gmail.com>

Extend ActionSelector validation and generated CRD/docs for the ClearGoString action.
Signed-off-by: David Windsor <dwindsor@gmail.com>
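The slot shifting that the commit messages above describe, as an added Go example (not code from this PR or from Tetragon): it assigns integer-class arguments to the amd64 ABIInternal registers in order and shows where the name string of net/http.ServeContent lands. The Arg type, the Assign and ServeContentArgs functions and the width constants are names made up for this example.

```go
package main

import "fmt"

// Integer argument registers of Go's ABIInternal on amd64, in assignment order.
var intRegs = []string{"RAX", "RBX", "RCX", "RDI", "RSI", "R8", "R9", "R10", "R11"}

// Widths in machine words of common integer-class argument shapes.
const (
	Word   = 1 // int, uintptr, pointer, map, chan, func
	String = 2 // data pointer + length
	Iface  = 2 // type/itab pointer + data pointer
	Slice  = 3 // data pointer + length + capacity
)

// Arg is one logical argument (hypothetical type for this example).
type Arg struct {
	Name  string
	Words int
}

// Assign maps each logical argument to its registers, in order. An argument
// that does not fit entirely in the remaining registers is passed on the
// stack (nil entry) and consumes no registers. Floating-point arguments use
// a separate register sequence and are not modelled here.
func Assign(args []Arg) map[string][]string {
	out := make(map[string][]string, len(args))
	next := 0
	for _, a := range args {
		if next+a.Words > len(intRegs) {
			out[a.Name] = nil
			continue
		}
		out[a.Name] = intRegs[next : next+a.Words]
		next += a.Words
	}
	return out
}

// ServeContentArgs models net/http.ServeContent(w, req, name, modtime, content);
// time.Time is a struct of three word-sized fields.
func ServeContentArgs() []Arg {
	return []Arg{{"w", Iface}, {"req", Word}, {"name", String}, {"modtime", 3}, {"content", Iface}}
}

func main() {
	regs := Assign(ServeContentArgs())
	fmt.Printf("name: ptr=%s len=%s\n", regs["name"][0], regs["name"][1])
	fmt.Printf("content in registers: %v\n", regs["content"] != nil)
}
```

The logical index of name is 2, but its words sit in the fourth and fifth registers because the interface argument before it takes two slots; content does not fit in the one register left and goes to the stack.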
Fixes #4827
Description
With the pclntab changes being merged, we now can write policies that target stripped Go binaries. The problem is, pclntab doesn't contain function signature metadata, only function location data (offset + size).
This series adds support for the go_string type and the ClearGoString Action to TracingPolicy. It requires a fairly complicated descent into the Go ABI internals, but I think the ABI has been stable enough for a while (since 1.17) to make this safe. Basically, since we have the function start location from pclntab, we just need to be able to isolate go string parameters, which are stored as a ([word][u32]) tuple (data_ptr+len). The new Go ABI (ABIInternal) is register based, with predictable slot assignments for types that haven't changed since 1.17. We go:generate the ABI slot mapping at build time, so no hard-coding.

With this, we can use 7384893 (bpf: Allow uprobe program to change context registers) to add the ClearGoString action to go_string parameters that contain suspicious (i.e. SQL injection, environment var leak, malicious AI prompt) strings. We don't return early here, we just make the string inert by clearing it, allowing the application to handle cleanup etc. It's difficult to return from non-LSM functions (lsm gives a lot of guarantees - locks held, refcounts guaranteed, etc).

Changelog