Challenge 2: Protected File
You downloaded an executable named “scanner” from the internet. You suspect that it might be malicious, but you’re not sure. You have heard very bad things about ransomware and you want to make sure that the executable can’t corrupt any of your files. Therefore, you decide to develop an eBPF program that prevents the “scanner” executable from writing to any file.
Description
The executable “scanner” reads and writes to files. It takes a file as an argument, reads its content and replaces it with the string “You have been pwned!”, before reading the file again to check if the content has been modified.
Your objective is to develop an eBPF program that prevents any process whose name is “scanner” from writing to any file.
This does not seem very hard at first, but the eBPF program types covered so far (kprobes, tracepoints) can only observe a system call; they cannot refuse it. Denying the operation requires a program attached to a Linux Security Module hook through the eBPF LSM mechanism (BPF LSM): the program's return value is the hook's decision, and returning a negative errno such as -EPERM makes the kernel reject the operation before it reaches the file.
This challenge requires you to research by yourself how to use the eBPF LSM mechanism to prevent a process from writing to a file.
Important
BPF LSM is not enabled by default on your VM; you will have to enable it yourself. The VM on which your code will be tested will of course have BPF LSM enabled. To check whether it is active, read the file /sys/kernel/security/lsm (securityfs is mounted there on most distributions); the word bpf must appear in its comma-separated list. If it does not, the kernel has to be built with CONFIG_BPF_LSM=y and bpf has to be appended to the lsm= kernel command-line parameter (for example lsm=lockdown,capability,yama,apparmor,bpf in GRUB_CMDLINE_LINUX), followed by a reboot.
Setup
Download the files for this challenge using:
$ wget --no-check-certificate https://people.montefiore.uliege.be/~gain/courses/info0940/asset/protected_file.tar.gz
$ tar -xzvf protected_file.tar.gz
The malicious program is located in protected_file/scanner.
You can pass any file as an argument to the “scanner” program, but it will always try to write to it. We advise you to create a test file and pass it as an argument to the “scanner” program, or to use the “very_important_file.txt” that is provided in the archive. For example:
$ echo "Cool Recipe: I love cake" > recipe.txt
$ ./scanner recipe.txt
Inside protected_file/src, you will find the same template as in tutorial 3. Use it to implement the eBPF program that prevents the “scanner” program from writing to any file.
What you need to do
You are expected to implement an eBPF program that detects when a process named “scanner” attempts to write to a file. If detected, the eBPF program should block the operation, preventing the file from being modified by the process.
Be careful: you must not kill the process, but simply prevent it from modifying the file. The process should be able to continue running, but it must not be able to modify any file. This is what it will look like when you run the “scanner” program with your eBPF program loaded:
$ ./scanner recipe.txt
Using provided file: recipe.txt
Read: Cool Recipe: I love cake
Error when trying to write: Operation not permitted
Read after write: Cool Recipe: I love cake
Tip
Check the source code of the “scanner” program to see how it writes to files. There are two possible ways to trigger the “Error when trying to write: Operation not permitted” message; you can choose to trigger either of them. Which one you pick determines the LSM hook you need, because opening the file for writing and writing to an already-open file go through different hooks.
The solution to this challenge should be quite small as well, but with the added difficulty of using the eBPF LSM mechanism, which is not covered in the tutorial.
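One possible shape for such a program, written here as an added example and not taken from the challenge files or the tutorial template: the decision logic (match the task's comm against “scanner”, then check whether write access is being requested) is plain C, so it can be compiled and unit-tested on the host with an ordinary C compiler; the two kernel-side hooks are only compiled when clang targets BPF, which is assumed to be how the template builds its objects (with a vmlinux.h generated by bpftool and the libbpf headers). The hook names file_open and file_permission are real LSM hooks; the program names block_scanner_open and block_scanner_write and the helper names are this example's own. The file_open hook is the first of the two ways the tip mentions (refuse the open for writing); the file_permission hook is the second (let the open succeed, refuse the write itself).

```c
/*
 * Added example: a BPF LSM program that denies file writes by any task whose
 * comm is "scanner". Build for the kernel with clang targeting BPF (the
 * template's build is assumed); build on the host with gcc to run main().
 */
#ifdef __BPF__
#include "vmlinux.h"            /* assumed: generated with bpftool btf dump */
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#else
#include <errno.h>
#include <stdio.h>
#endif

#ifndef __always_inline
#define __always_inline inline __attribute__((always_inline))
#endif
#ifndef EPERM
#define EPERM 1                 /* vmlinux.h carries no errno values */
#endif

#define COMM_LEN 16             /* TASK_COMM_LEN: 15 characters plus NUL */
#define TARGET_COMM "scanner"
#define FMODE_WRITE_BIT 0x2u    /* FMODE_WRITE from include/linux/fs.h */
#define MAY_WRITE_BIT   0x2     /* MAY_WRITE   from include/linux/fs.h */
#define S_IFMT_BITS     0170000
#define S_IFREG_BITS    0100000

/* 1 if the NUL-terminated comm equals "scanner". The loop is bounded by
 * COMM_LEN so the BPF verifier accepts it. */
static __always_inline int comm_is_target(const char *comm)
{
    const char *want = TARGET_COMM;

    for (int i = 0; i < COMM_LEN; i++) {
        if (comm[i] != want[i])
            return 0;
        if (comm[i] == '\0')
            return 1;
    }
    return 0;
}

/* Way 1: decision for file_open. f_mode holds the mode the file was opened
 * with, so O_WRONLY and O_RDWR opens by the scanner are refused. */
static __always_inline int deny_open(const char *comm, unsigned int f_mode)
{
    if (comm_is_target(comm) && (f_mode & FMODE_WRITE_BIT))
        return -EPERM;          /* open(2) fails: Operation not permitted */
    return 0;
}

/* Way 2: decision for file_permission. This hook also runs for write(2) on
 * descriptors the task already holds, including its stdout, so the denial is
 * limited to regular files; otherwise the scanner could not print its
 * messages. Writes through a writable mmap are not seen by this hook. */
static __always_inline int deny_write(const char *comm, int mask,
                                      unsigned short i_mode)
{
    if (comm_is_target(comm) && (mask & MAY_WRITE_BIT) &&
        (i_mode & S_IFMT_BITS) == S_IFREG_BITS)
        return -EPERM;
    return 0;
}

#ifdef __BPF__
char LICENSE[] SEC("license") = "GPL";

SEC("lsm/file_open")
int BPF_PROG(block_scanner_open, struct file *file)
{
    char comm[COMM_LEN];

    bpf_get_current_comm(comm, sizeof(comm));
    return deny_open(comm, file->f_mode);
}

SEC("lsm/file_permission")
int BPF_PROG(block_scanner_write, struct file *file, int mask)
{
    char comm[COMM_LEN];

    bpf_get_current_comm(comm, sizeof(comm));
    return deny_write(comm, mask, file->f_inode->i_mode);
}
#else
/* Host-side run of the decision logic; nothing here executes in the kernel. */
int main(void)
{
    printf("scanner opens for writing   -> %d\n", deny_open("scanner", FMODE_WRITE_BIT));
    printf("scanner opens read-only     -> %d\n", deny_open("scanner", 0x1u));
    printf("scanner write(2) to its tty -> %d\n", deny_write("scanner", MAY_WRITE_BIT, 020620));
    return 0;
}
#endif
```

Either hook alone satisfies the challenge; if both are loaded, file_open denies first and file_permission never sees the scanner's write. Attaching works through the usual libbpf path (bpf_program__attach on each program creates the LSM link; nothing else is needed, and the denial stays in force as long as the loader keeps the link open or pins it). Matching on comm is enough for this exercise but is not a security boundary: comm is the first 15 characters of the executable name and any process can change its own with prctl(PR_SET_NAME).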