Runtime enforcement of software supply chain capabilities in Go
Run a Go program that invokes a denied capability, with goleash runtime enforcement attached:

```sh
cd examples/example_unrestrict
```

First, generate the hashes of the allowed capability invocations from the trusted initial version of the program:

```sh
make all-hash
```

Execute the trusted version of the program. Every capability invocation it makes has a matching generated hash, so enforcement lets it run:

```sh
make all
```

Then add a new, denied capability invocation to the program. The `sed` command below uncomments the `TestReadFile()` call on lines 27-31 of `dependencyC/dep.go`, so that dependency now performs a file read the trusted version did not:

```sh
sed -i '27,31s/^[[:space:]]*\/\/[[:space:]]*TestReadFile()/TestReadFile()/' dependencyC/dep.go
```

Execute the compromised version of the program against the same previously generated hashes (do not re-run `make all-hash` at this point, or the new invocation would be recorded as allowed). The file read from `dependencyC` has no matching hash, so goleash denies it:

```sh
make all
```
This tool allows you to track the syscalls made by a specified binary using eBPF.

- Navigate to the `track_syscalls` folder and build the tracer:

  ```sh
  cd track_syscalls
  make
  ```

To demonstrate the syscall tracking capabilities, we'll use CoreDNS as an example.

- Navigate to the CoreDNS folder. Compile and run CoreDNS using the provided script:

  ```sh
  ./build_and_run.sh
  ```

  This script builds CoreDNS and starts it with a default configuration.

- In a new terminal window, navigate back to the `track_syscalls` folder.
- Run the syscall tracker (with root privileges, which loading eBPF programs requires), pointing it to the CoreDNS binary and to the syscall allowlist:

  ```sh
  sudo ./bpf_loader -binary /binary_path -allowlist /allowlist_path
  ```

  Replace `/binary_path` with the actual path to the binary you want to monitor, and `/allowlist_path` with the actual path to the allowlist.

- The program will start tracking syscalls for the specified binary. You'll see output in the terminal.
- To stop the tracking, press Ctrl+C.

To generate some DNS activity and observe the syscalls:

- Open another terminal window.
- Execute the test request script:

  ```sh
  ./make_request.sh
  ```

  This script sends a DNS query to the running CoreDNS instance.

- Observe the syscall tracking output in the terminal where you ran `bpf_loader`.

You should now see the syscalls triggered by CoreDNS in response to the DNS query, allowing you to analyze its behavior at the system call level.