
The Next Log4jshell?! Preparing for CVEs with eBPF!

2023-04-21

Authors: Natalia Reka Ivanko, John Fastabend


Summary

The presentation covers real-time observability and enforcement policies with bounded CPU and memory cost using the Tetragon framework.
  • The goal is to observe workloads and enforce policies in real time, inside the kernel, while keeping CPU and memory overhead low.
  • Tetragon hooks into the kernel with eBPF and filters events in-kernel before aggregating them for export, so only relevant data leaves the kernel.
  • The framework traces every process executed on the system and assigns each execution a unique ID (the exec ID), linked to the parent's exec ID, from which the process tree can be reconstructed.
  • The exec ID together with the event timestamp can be used to build a time-series record of process activity for analysis.
  • Policies can be packaged with container images and applied automatically when the workload is deployed.
Java applications are interesting to trace because the JVM executes many child processes. Tetragon emits JSON events enriched with Kubernetes context such as the container, runtime and namespace.

Abstract

Log4jshell, which has been considered the biggest zero-day vulnerability of this decade, is still affecting thousands of servers worldwide. If you were affected, would it have been any different if you had used eBPF? Could you observe the malicious external connection, the JNDI lookup, the Java class download, or the remote code execution? Or even better, could you prevent it? Since eBPF provides unique visibility directly into any Kubernetes workload on a single shared kernel, the answer is yes. This talk takes Log4jshell as a lesson and shows how it could have been detected and blocked in real time inside the kernel using eBPF. We will walk you through how open source eBPF-based tools can give full network and process-level visibility to detect and prevent Log4jshell and your next CVE. We finish by showing how security teams can easily put these tools in place to protect their critical Kubernetes environments, and by giving security best practices on how to prepare for the next CVE with eBPF.
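The abstract names the chain a Log4jshell exploit leaves behind (an outbound connection for the JNDI lookup, a second one for the class download, then a spawned shell), and the summary explains that Tetragon exports per-process events with an exec ID and a parent exec ID. The following is an added example, not code from the talk or from the Tetragon project: it reads a constructed, simplified Tetragon-style JSON export (process_exec events and process_kprobe events on tcp_connect; the field subset and the egress allowlist are assumptions), reconstructs the process tree from exec IDs, and flags JVM egress to non-allowlisted destinations and shells spawned under a JVM.

```python
"""Correlate Tetragon-style process and connect events into a Log4Shell-like chain.

Added example, not from the talk or the Tetragon project. Event shapes follow
Tetragon's JSON export (process_exec, process_kprobe on tcp_connect) in a
simplified form; the sample lines, pod names, hosts and allowlist are constructed.
"""
import json
from ipaddress import ip_address, ip_network

# Constructed sample export: a Java pod makes an allowed database connection,
# then an LDAP (JNDI) lookup and a class download to an external host, then
# spawns a shell. A second shell run by a non-Java parent is benign.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"process_exec": {"process": {
        "exec_id": "node1:1", "binary": "/usr/bin/java",
        "arguments": "-jar /app/app.jar", "parent_exec_id": "node1:0",
        "pod": {"namespace": "shop", "name": "checkout-7c8d9"}}}},
    {"process_kprobe": {"process": {"exec_id": "node1:1", "binary": "/usr/bin/java"},
        "function_name": "tcp_connect",
        "args": [{"sock_arg": {"daddr": "10.0.0.5", "dport": 5432}}]}},
    {"process_kprobe": {"process": {"exec_id": "node1:1", "binary": "/usr/bin/java"},
        "function_name": "tcp_connect",
        "args": [{"sock_arg": {"daddr": "203.0.113.7", "dport": 1389}}]}},
    {"process_kprobe": {"process": {"exec_id": "node1:1", "binary": "/usr/bin/java"},
        "function_name": "tcp_connect",
        "args": [{"sock_arg": {"daddr": "203.0.113.7", "dport": 8000}}]}},
    {"process_exec": {"process": {
        "exec_id": "node1:2", "binary": "/bin/sh", "arguments": "-c id",
        "parent_exec_id": "node1:1",
        "pod": {"namespace": "shop", "name": "checkout-7c8d9"}}}},
    {"process_exec": {"process": {
        "exec_id": "node1:3", "binary": "/bin/sh", "arguments": "-c /healthcheck",
        "parent_exec_id": "node1:0",
        "pod": {"namespace": "shop", "name": "checkout-7c8d9"}}}},
])

# Hypothetical egress allowlist for the Java workload: (network, port) pairs.
ALLOWED_EGRESS = [(ip_network("10.0.0.0/8"), 5432)]
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


def parse_export(text):
    """Yield (event_kind, body) for each JSON line; ignore event kinds we don't use."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for kind in ("process_exec", "process_kprobe"):
            if kind in event:
                yield kind, event[kind]


def is_java_lineage(exec_id, tree):
    """Walk parent_exec_id links; True if this process or any known ancestor is a JVM."""
    seen = set()
    while exec_id in tree and exec_id not in seen:
        seen.add(exec_id)
        proc = tree[exec_id]
        if proc["binary"].endswith("/java"):
            return True
        exec_id = proc.get("parent_exec_id")
    return False


def egress_allowed(daddr, dport):
    """True if the destination matches an allowlisted (network, port) pair."""
    addr = ip_address(daddr)
    return any(addr in net and dport == port for net, port in ALLOWED_EGRESS)


def detect_chain(text):
    """Return (finding, exec_id, detail) tuples in event order."""
    tree, findings = {}, []
    for kind, body in parse_export(text):
        proc = body["process"]
        if kind == "process_exec":
            tree[proc["exec_id"]] = proc
            if proc["binary"] in SHELLS and is_java_lineage(proc.get("parent_exec_id"), tree):
                findings.append(("java_spawned_shell", proc["exec_id"],
                                 f'{proc["binary"]} {proc["arguments"]}'))
        elif kind == "process_kprobe" and body.get("function_name") == "tcp_connect":
            sock = body["args"][0]["sock_arg"]
            if is_java_lineage(proc["exec_id"], tree) and not egress_allowed(sock["daddr"], sock["dport"]):
                findings.append(("java_unexpected_egress", proc["exec_id"],
                                 f'{sock["daddr"]}:{sock["dport"]}'))
    return findings


if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_EXPORT):
        print(*finding)
```

Run against a live export, the same logic would read the JSON lines Tetragon writes to its export file; the detection here is after the fact, whereas the talk's point is that the same conditions (a JVM connecting outside its allowlist, a JVM spawning a shell) can be expressed as in-kernel policy and enforced before the connect or exec completes.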

Materials: