Verifiable GitHub Actions with eBPF

2023-04-19

Authors: Jose Donizetti

Summary

The presentation discusses the use of Tracee, a tool for tracing and profiling software executions, to detect and prevent supply chain attacks in DevOps workflows.
  • Tracee traces and profiles the executions that take place inside a DevOps workflow such as a GitHub Actions job
  • The resulting profiles can be used to detect and prevent supply chain attacks
  • Tracee uses deny and allow lists to classify activity as known-bad or known-good
  • Profiles were extended to include the user ID, the command-line arguments, and the environment variables of each execution
  • Tracee can ignore selected system and environment variables (values that legitimately differ from run to run) so that profiles of honest runs stay consistent
  • The information on executed binaries is collected from syscalls, observed with eBPF
  • An anecdote illustrates how Tracee detects a supply chain attack in practice
The presenter demonstrates detection by hijacking a fake upload action and creating a new tag that carries malicious code. Tracee identifies the malicious activity through a signature event showing an attempt to contact a crypto-mining domain. It also produces a profile that records changes to the file system and to environment variables, which can be compared against the trusted baseline to identify the attack. This illustrates how Tracee can be used to detect and prevent supply chain attacks in DevOps workflows.
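To make the profiling idea concrete, here is an added example (written for this page, not Tracee's own code) that models the verification step the summary describes: the executions of a trusted run are reduced to a baseline profile after dropping run-specific environment variables, a later run is compared against that baseline, and connect events are checked against a denylist of hosts. The ignored-variable set, the event shapes, the sample commands and the placeholder host `pool.example.invalid` are all assumptions constructed for the example.

```python
"""
Added example, not Tracee's own code: a small model of profile-based build
verification as described in the talk summary. A trusted run's exec events
are reduced to a baseline profile; a later run is then compared against it,
and a denylist of hosts is applied to network connect events.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Sequence, Set, Tuple

# Environment variables that legitimately differ between runs; dropped before
# profiling so two honest runs produce the same profile. This set is an
# assumption made for the example, not Tracee's actual ignore list.
IGNORED_ENV: Set[str] = {"HOSTNAME", "GITHUB_RUN_ID", "GITHUB_RUN_NUMBER", "TMPDIR", "PWD"}


@dataclass(frozen=True)
class ExecEvent:
    """One execve observed in the job, after normalisation."""
    binary: str
    args: Tuple[str, ...]
    uid: int
    env: Tuple[Tuple[str, str], ...]  # sorted (name, value) pairs, minus IGNORED_ENV


@dataclass(frozen=True)
class ConnectEvent:
    """One outbound connection observed in the job (hostname already resolved)."""
    binary: str
    host: str


def exec_event(binary: str, args: Sequence[str], uid: int, env: Dict[str, str]) -> ExecEvent:
    """Build a normalised exec event: ignored variables are stripped, the rest sorted."""
    kept = tuple(sorted((k, v) for k, v in env.items() if k not in IGNORED_ENV))
    return ExecEvent(binary, tuple(args), uid, kept)


def build_profile(events: Iterable[object]) -> FrozenSet[ExecEvent]:
    """The profile is the set of distinct normalised executions seen in a run."""
    return frozenset(e for e in events if isinstance(e, ExecEvent))


def verify_run(baseline: FrozenSet[ExecEvent], events: Sequence[object], denylist: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means the run matched the baseline."""
    findings: List[str] = []
    # Index the baseline by (binary, args, uid) so an environment-only change is
    # reported as such rather than as a brand-new execution.
    by_cmd: Dict[Tuple[str, Tuple[str, ...], int], List[Dict[str, str]]] = {}
    for e in baseline:
        by_cmd.setdefault((e.binary, e.args, e.uid), []).append(dict(e.env))
    for e in sorted(build_profile(events) - baseline, key=lambda x: (x.binary, x.args)):
        known = by_cmd.get((e.binary, e.args, e.uid))
        cmd = " ".join((e.binary,) + e.args)
        if known is None:
            findings.append(f"unexpected exec (uid={e.uid}): {cmd}")
            continue
        # Same command as the baseline, so the difference must be in the environment;
        # compare against the closest baseline environment for that command.
        env = dict(e.env)
        ref = min(known, key=lambda k: len(set(k.items()) ^ set(env.items())))
        changed = sorted(k for k in set(env) | set(ref) if env.get(k) != ref.get(k))
        findings.append(f"environment changed for {cmd}: {', '.join(changed)}")
    for e in events:
        if isinstance(e, ConnectEvent) and e.host in denylist:
            findings.append(f"signature: {e.binary} contacted denylisted host {e.host}")
    return findings


# Constructed sample events; paths, values and the hostnames are placeholders.
BASE_ENV = {"PATH": "/usr/bin:/bin", "CI": "true", "HOSTNAME": "runner-a1", "GITHUB_RUN_ID": "100"}

TRUSTED_RUN = [
    exec_event("/usr/bin/npm", ["ci"], 1001, BASE_ENV),
    exec_event("/usr/bin/node", ["build.js"], 1001, BASE_ENV),
    ConnectEvent("/usr/bin/npm", "registry.npmjs.org"),
]

TAMPERED_RUN = [
    # Only ignored variables differ here, so this matches the baseline entry.
    exec_event("/usr/bin/npm", ["ci"], 1001, {**BASE_ENV, "HOSTNAME": "runner-b7", "GITHUB_RUN_ID": "101"}),
    # Same build step, but its environment gained a variable the baseline never had.
    exec_event("/usr/bin/node", ["build.js"], 1001, {**BASE_ENV, "LD_PRELOAD": "/tmp/x.so"}),
    # A step the baseline never saw, reaching out to a denylisted host.
    exec_event("/usr/bin/curl", ["-s", "http://pool.example.invalid/"], 1001, BASE_ENV),
    ConnectEvent("/usr/bin/curl", "pool.example.invalid"),
]

DENYLIST = {"pool.example.invalid"}


def demo() -> Tuple[List[str], List[str]]:
    """Verify an honest re-run (expected clean) and the tampered run against the baseline."""
    baseline = build_profile(TRUSTED_RUN)
    return verify_run(baseline, TRUSTED_RUN, DENYLIST), verify_run(baseline, TAMPERED_RUN, DENYLIST)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The honest re-run produces no findings even though its hostname and run ID changed, which is the point of the ignore list; the tampered run yields three findings: an execution absent from the baseline, an environment change on a known step, and a denylist signature on the connect event.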

Abstract

GitHub Actions has become one of the most popular ways to build and release software, and with recent developments in supply chain security it has become a major target for malicious attacks. A couple of years ago a widespread hack of Codecov, a popular service prevalent in build pipelines, caught the industry's attention. In response, a new solution to protect the build pipeline was created on top of Tracee, an open-source runtime security solution, introducing the concept of profiling with eBPF and verifying software builds. In this talk, we will present that solution and explore the lessons learned in the two years since the initial release.

Materials: