Execution Authentication #401

Description

@krisnova

Recently we discussed eBPF architecture in #394.

This conversation called out a potential need for the project to intercept syscall__execve functionality at runtime such that Aurae can instrument any new processes that might be created by a user's workload.

While the original discussion was intended to serve as a potential path to ensure there aren't rogue processes on an Aurae deployment, this begs a set of critical questions for the project.

Should Aurae authenticate all newly spawned processes to ensure they are anticipated by the runtime?

If it is possible to authenticate every process on a host at runtime, what are the security and supply chain implications of this feature?

I assumed I should kick off the discussion twofold.

  1. How exactly would we pull this off? What can we learn from packet level authentication in other parts of the kernel?
  2. Do we actually care about this? If so... why? Specifically? What specific security features does this unlock?
