Securing CI/CD Systems Through eBPF (recap)

4FDVSJOH$*$%4ZTUFNT 5ISPVHIF#1' ,VCFSOFUFT.FFUVQ5PLZP ,VCF$PO/"3FDBQ $ZCFS"HFOU *ODத੢ ݐొ XIZXBJUB

த੢ ݐొ XIZXBJUB $MPVE.BLFSBU$ZCFS"HFOU *OD ϓϥΠϕʔτΫϥ΢υ *BB4
ϚωʔδυαʔϏε։ൃ TFMGIPTUFESVOOFSJO(JU)VC"DUJPOT XIZXBJUBNZTIPFT044EFWFMPQFS झຯࣗ୐αʔό ,T!IPNF ϙʔΧʔ ,VCF$POॳࢀઓ ॳւ֎ ೖࠃΠϯλϏϡʔͰҰഊ 5IBOLZPVBNTZ😭

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1'

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' • CZ"MFY*MHBZFW $ZDPEF ◦ IUUQTDZDPEFDPN • IUUQTTDIFEDP"V[ • IUUQTXXXZPVUVCFDPNXBUDI
WQD#(3'W4SW : • $*$%ΛηΩϡΞʹߦ͏ͨΊʹF#1'Λར༻͢ΔࢼΈ

• &YUFOEFE#FSLFMFZ1BDLFU'JMUFS • -JOVY,FSOFMͷ4BOECPYͰίʔυΛ࣮ߦ͢Δ࢓૊ ◦ ϦίϯύΠϧෆཁ Ͱ ҆શ ͔ͭ ߴ଎
• /FUXPSL 0CTFSWBCJMJUZͷར༻ࣄྫ͕ଟΊ ◦ ,VCFSOFUFT$/* .POJUPSJOH"HFOU લఏ஌ࣝF#1'

• &YUFOEFE#FSLFMFZ1BDLFU'JMUFS • -JOVY,FSOFMͷ4BOECPYͰίʔυΛ࣮ߦ͢Δ࢓૊ ◦ ϦίϯύΠϧෆཁ Ͱ ҆શ ͔ͭ ߴ଎
• /FUXPSL 0CTFSWBCJMJUZͷར༻ࣄྫ͕ଟΊ ◦ ,VCFSOFUFT$/*$JMJVN ◦ .POJUPSJOH"HFOUEBUBEPHBHFOU FCQG@FYQPSUFS લఏ஌ࣝF#1'

IUUQTUXJUUFSDPNHSBGBOBTUBUVT લఏ஌ࣝF#1'

IUUQTHSBGBOBDPNCMPHHSBGBOBBOEDJMJVNEFFQFCQGQPXFSFEPCTFSWBCJMJUZGPSLVCFSOFUFTBOEDMPVE OBUJWFJOGSBTUSVDUVSF લఏ஌ࣝF#1'

ຊ୊

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' • $*$%ʹ͓͚ΔηΩϡϦςΟࣄҊ ◦ 4PMBS8JOETॺ໊෇͖ϑΝΠϧͷॻ׵ ◦ $PEF$PWCBTIJOTUBMMFSͷॻ׵ ◦ /1. 1Z1*αϓϥΠνΣʔϯΞλοΫ
• $*$%πʔϧ ͷηΩϡϦςΟରࡦ͸೉͍͠ ◦ ڧݖݶ شൃ͢Δ؀ڥ ௿Մ؍ଌੑ

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' • ఏҊ$*$%΁F#1'ϕʔεͳ"HFOUͷಋೖ • XIZF#1' ◦ ؆୯ʹՄ؍ଌੑͱηΩϡϦςΟχʔζΛߴΊΒΕΔ ◦ ࠷৽ΧʔωϧͰಈ࡞͢Δ ◦
ڧྗͳίϛϡχςΟͱπʔϧ • $JMJVN5FUSBHPOͷ࠾༻

• F#1'CBTFE 4FDVSJUZ0CTFSWBCJMJUZ ηΩϡϦςΟͷՄ؍ଌੑ BOE 3VOUJNF&OGPSDFNFOU ϦΞϧλΠϜ࣮ߦ੍ޚ • ੨ࢁ͞ΜʹΑΔ೔ຊޠهࣄ $JMJVN1SPKFDU͔Βެ։ʂ
F#1'Λ༻͍ͯηΩϡϦςΟͷՄ؍ଌੑΛ΋ͨΒ͢5FUSBHPOcHJIZPKQ $JMJVN5FUSBHPO IUUQTHJUIVCDPNDJMJVNUFUSBHPO ͔Θ͍͍ˠ

$JMJVN5FUSBHPO

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' • $*$%γεςϜʹ$JMJVN5FUSBHPOΛಋೖ ◦ $*$%γεςϜʹ͓͚Δzಈ࡞Λ؍ଌ͢Δ ◦ ϓϩηε ίωΫγϣϯ ϑΝΠϧ *0৘ใ
• 5FUSBHPO࠾༻ཧ༝ ◦ LQSPCFΛ࢝Ίͱͯ͠ଟ͘ͷσʔλ͕औಘՄೳ ◦ LTҎ֎ͷ؀ڥͰ΋ಈ࡞͢Δ

1P$ͷ࣮૷಺༰ʹ͍ͭͯ • Ϗϧυ؀ڥͷ0CTFSWBMJCJUZ ◦ ϓϩηε ઀ଓઌυϝΠϯ *1 • ιʔείʔυͷ׬શੑ֬อ ◦
HPϑΝΠϧͷॻ׵Λ؂ࢹ • ௨৴ઌͷ੍ޚ ◦ ڐՄͯ͠ͳ͍*1υϝΠϯ΁ͷ઀ଓՄ൱ • (JU)VC"DUJPOT্Ͱಈ࡞͢ΔΑ͏ߏஙࡁ

1P$ͷ࣮૷಺༰ʹ͍ͭͯ

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' HJUDMPOF࣌ͷ HJUIVCDPN΁ͷ઀ଓ UDQ@DPOOFDU ΛUSBDJOH͢Δ͜ͱͰ؍ଌ੒ޭ

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' TFUVQHP಺Ͱ࣮ߦ͞Ε͍ͯΔ ϓϩηε৘ใͷ؍ଌ੒ޭ

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' • σϞ ◦ Ϗϧυதͷ HPϑΝΠϧͷॻ׵ 4*(,*-- ◦ ڐՄ͍ͯ͠ͳ͍*1΁ͷ௨৴ 4*(,*--
◦ ڐՄ͍ͯ͠ͳ͍ϓϩηεͷੜ੒ 4*(,*--

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' (JU)VC"DUJPOT্ͷઃఆϑΝΠϧ͔Β $JMJVN5FUSBHPOͷઃఆΛੜ੒

·ͱΊ • F#1' $JMJVN5FUSBHPO͸ύϫϑϧͳςΫϊϩδʔ • $*$%͸F#1'ʹΑͬͯ͞ΒʹηΩϡΞʹͳΔ • ࠓޙ͸1P$Ͱ࢖ͬͨ"HFOUΛ044Խ༧ఆ ◦ ͞Εͯ·ͨ͠
IUUQTHJUIVCDPN$ZDPEF-BCTFCQGBHFOUBDUJPO • $POUSJCVUF଴ͬͯΔΑʂ

ײ૝ • 5FUSBHPOͷڧྗ͞Λेೋ෼ʹ׆͔͢ൃද ◦ 0CTFSWBCJMJUZ 3VOUJNF&OGPSDFNFOU ◦ ϕετϑΟοτ • ʮؾΛ͚ͭΔʯҎ্ͷ͜ͱ͕ग़དྷΔΑ͏ʹ
◦ $*$%ͷΑ͏ʹʮॏཁ͚ͩͲ޻਺ׂ͕͔Εʹ͍͘ʯ෺͸ ಛʹ͜ͷΑ͏ͳऔΓ૊Έ͕ඞཁʹͳΓͦ͏

αΠόʔΤʔδΣϯτͰͷऔΓ૊Έ ϓϥΠϕʔτΫϥ΢υͰͷ(JU)VC"DUJPOTج൫Λ ։ൃɾӡ༻த IUUQTXXXTMJEFTIBSFOFUXIZXBJUBEFWFMPQNFOUNZTIPFTBOEQSPWJEFDZDMPVEIPTUFESVOOFSHJUIVCBDUJPOT XJUIZPVSTIPFT

αΠόʔΤʔδΣϯτͰͷऔΓ૊Έ IUUQTXXXTMJEFTIBSFOFUXIZXBJUBEFWFMPQNFOUNZTIPFTBOEQSPWJEFDZDMPVEIPTUFESVOOFSHJUIVCBDUJPOT XJUIZPVSTIPFT ಈతͳTFMGIPTUFESVOOFS XIZXBJUBNZTIPFT

αΠόʔΤʔδΣϯτͰͷऔΓ૊Έ IUUQTXXXTMJEFTIBSFOFUXIZXBJUBEFWFMPQNFOUNZTIPFTBOEQSPWJEFDZDMPVEIPTUFESVOOFSHJUIVCBDUJPOT XJUIZPVSTIPFT ಈతͳ TFMGIPTUFESVOOFS XIZXBJUBNZTIPFT .BOBHFE 1P$"HFOU4FSWFS

Securing CI/CD Systems Through eBPF (recap)

Securing CI/CD Systems Through eBPF (recap)

whywaita PRO

More Decks by whywaita

Other Decks in Technology

Featured

Transcript

4FDVSJOH$$%4ZTUFNT 5ISPVHIF#1' ,VCFSOFUFT.FFUVQ5PLZP ,VCF$PO/"3FDBQ $ZCFS"HFOU ODத੢ ݐొ XIZXBJUB

த੢ ݐొ XIZXBJUB $MPVE.BLFSBU$ZCFS"HFOU OD ϓϥΠϕʔτΫϥ΢υ BB4

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1'

4FDVSJOH$$%4ZTUFNT5ISPVHIF#1' • CZ"MFYMHBZFW $ZDPEF ◦ IUUQTDZDPEFDPN • IUUQTTDIFEDP"V[ • IUUQTXXXZPVUVCFDPNXBUDI

• &YUFOEFE#FSLFMFZ1BDLFU'JMUFS • -JOVY,FSOFMͷ4BOECPYͰίʔυΛ࣮ߦ͢Δ࢓૊ ◦ ϦίϯύΠϧෆཁ Ͱ ҆શ ͔ͭ ߴ଎

• &YUFOEFE#FSLFMFZ1BDLFU'JMUFS • -JOVY,FSOFMͷ4BOECPYͰίʔυΛ࣮ߦ͢Δ࢓૊ ◦ ϦίϯύΠϧෆཁ Ͱ ҆શ ͔ͭ ߴ଎

IUUQTUXJUUFSDPNHSBGBOBTUBUVT લఏ஌ࣝF#1'

IUUQTHSBGBOBDPNCMPHHSBGBOBBOEDJMJVNEFFQFCQGQPXFSFEPCTFSWBCJMJUZGPSLVCFSOFUFTBOEDMPVE OBUJWFJOGSBTUSVDUVSF લఏ஌ࣝF#1'

ຊ୊

4FDVSJOH$$%4ZTUFNT5ISPVHIF#1' • $$%ʹ͓͚ΔηΩϡϦςΟࣄҊ ◦ 4PMBS8JOETॺ໊෇͖ϑΝΠϧͷॻ׵ ◦ $PEF$PWCBTIJOTUBMMFSͷॻ׵ ◦ /1. 1Z1*αϓϥΠνΣʔϯΞλοΫ

4FDVSJOH$$%4ZTUFNT5ISPVHIF#1' • ఏҊ$$%΁F#1'ϕʔεͳ"HFOUͷಋೖ • XIZF#1' ◦ ؆୯ʹՄ؍ଌੑͱηΩϡϦςΟχʔζΛߴΊΒΕΔ ◦ ࠷৽ΧʔωϧͰಈ࡞͢Δ ◦

• F#1'CBTFE 4FDVSJUZ0CTFSWBCJMJUZ ηΩϡϦςΟͷՄ؍ଌੑ BOE 3VOUJNF&OGPSDFNFOU ϦΞϧλΠϜ࣮ߦ੍ޚ • ੨ࢁ͞ΜʹΑΔ೔ຊޠهࣄ $JMJVN1SPKFDU͔Βެ։ʂ

$JMJVN5FUSBHPO

4FDVSJOH$$%4ZTUFNT5ISPVHIF#1' • $$%γεςϜʹ$JMJVN5FUSBHPOΛಋೖ ◦ $$%γεςϜʹ͓͚Δzಈ࡞Λ؍ଌ͢Δ ◦ ϓϩηε ίωΫγϣϯ ϑΝΠϧ 0৘ใ

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1'

1P$ͷ࣮૷಺༰ʹ͍ͭͯ • Ϗϧυ؀ڥͷ0CTFSWBMJCJUZ ◦ ϓϩηε ઀ଓઌυϝΠϯ *1 • ιʔείʔυͷ׬શੑ֬อ ◦

1P$ͷ࣮૷಺༰ʹ͍ͭͯ

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' HJUDMPOF࣌ͷ HJUIVCDPN΁ͷ઀ଓ UDQ@DPOOFDU ΛUSBDJOH͢Δ͜ͱͰ؍ଌ੒ޭ

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' TFUVQHP಺Ͱ࣮ߦ͞Ε͍ͯΔ ϓϩηε৘ใͷ؍ଌ੒ޭ

4FDVSJOH$$%4ZTUFNT5ISPVHIF#1' • σϞ ◦ Ϗϧυதͷ HPϑΝΠϧͷॻ׵ 4(,-- ◦ ڐՄ͍ͯ͠ͳ͍1΁ͷ௨৴ 4(,--

4FDVSJOH$$%4ZTUFNT5ISPVHIF#1' • σϞ ◦ Ϗϧυதͷ HPϑΝΠϧͷॻ׵ 4(,-- ◦ ڐՄ͍ͯ͠ͳ͍1΁ͷ௨৴ 4(,--

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1'

4FDVSJOH$$%4ZTUFNT5ISPVHIF#1' • σϞ ◦ Ϗϧυதͷ HPϑΝΠϧͷॻ׵ 4(,-- ◦ ڐՄ͍ͯ͠ͳ͍1΁ͷ௨৴ 4(,--

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1' (JU)VC"DUJPOT্ͷઃఆϑΝΠϧ͔Β $JMJVN5FUSBHPOͷઃఆΛੜ੒

·ͱΊ • F#1' $JMJVN5FUSBHPO͸ύϫϑϧͳςΫϊϩδʔ • $*$%͸F#1'ʹΑͬͯ͞ΒʹηΩϡΞʹͳΔ • ࠓޙ͸1P$Ͱ࢖ͬͨ"HFOUΛ044Խ༧ఆ ◦ ͞Εͯ·ͨ͠

ײ૝ • 5FUSBHPOͷڧྗ͞Λेೋ෼ʹ׆͔͢ൃද ◦ 0CTFSWBCJMJUZ 3VOUJNF&OGPSDFNFOU ◦ ϕετϑΟοτ • ʮؾΛ͚ͭΔʯҎ্ͷ͜ͱ͕ग़དྷΔΑ͏ʹ

αΠόʔΤʔδΣϯτͰͷऔΓ૊Έ ϓϥΠϕʔτΫϥ΢υͰͷ(JU)VC"DUJPOTج൫Λ ։ൃɾӡ༻த IUUQTXXXTMJEFTIBSFOFUXIZXBJUBEFWFMPQNFOUNZTIPFTBOEQSPWJEFDZDMPVEIPTUFESVOOFSHJUIVCBDUJPOT XJUIZPVSTIPFT

αΠόʔΤʔδΣϯτͰͷऔΓ૊Έ IUUQTXXXTMJEFTIBSFOFUXIZXBJUBEFWFMPQNFOUNZTIPFTBOEQSPWJEFDZDMPVEIPTUFESVOOFSHJUIVCBDUJPOT XJUIZPVSTIPFT ಈతͳTFMGIPTUFESVOOFS XIZXBJUBNZTIPFT

4FDVSJOH$*$%4ZTUFNT5ISPVHIF#1'

αΠόʔΤʔδΣϯτͰͷऔΓ૊Έ IUUQTXXXTMJEFTIBSFOFUXIZXBJUBEFWFMPQNFOUNZTIPFTBOEQSPWJEFDZDMPVEIPTUFESVOOFSHJUIVCBDUJPOT XJUIZPVSTIPFT ಈతͳ TFMGIPTUFESVOOFS XIZXBJUBNZTIPFT .BOBHFE 1P$"HFOU4FSWFS

Q?