Scaling Runtime Security: How eBPF is Solving Decade-Long Challenges
May 7, 2023
Despite being around for over a decade, Runtime Application Self Protection (RASP) has seen minimal adoption and is barely present in production environments. This is due to significant obstacles and pitfalls, which we will delve into in this article. RASP’s implementation is complicated, and its architecture causes considerable performance overhead. Additionally, it presents stability concerns that could cause the running application to crash and go into downtime. Moreover, its attack coverage is limited and depends on developers' efforts and awareness of a breach to prevent it. Therefore, RASP is deemed unsuitable for large-scale production environments.
This article will cover the concept of RASP, its implementation techniques, its security approach, what eBPF is, and how this technology is revolutionizing runtime security.
Over the past year, we have witnessed the world grappling with attempts to mitigate well-known breaches such as Log4Shell, Spring4Shell, and Text4Shell. No hero could help organizations handle these complex incidents and tackle them in the runtime environment. Despite the existence of runtime security products in the market for over a decade, they were not able to provide the necessary support and aid in these critical situations. Wondering why?
The market demands a profound runtime security product, and that's been true for more than a decade. RASP was the first solution that emerged in the market and attempted to fulfill this demand. First introduced by Gartner in 2012, RASP, which stands for Runtime Application Self Protection, is a runtime application security solution that uses application-level software instrumentation methods to wrap the application’s code to enhance its security. RASP was designed to provide personalized protection to applications. It utilizes runtime instrumentation to detect and block attacks by taking advantage of information from inside the running software.
RASP operates by utilizing software engineering strategies such as instrumentation of an application's code, dynamic hooks, and secure SDKs. By integrating with the application and its libraries, RASP is able to secure the underlying logic at the source code level. However, it requires the developer to identify particular application functions that are susceptible to attacks and manually apply RASP mitigation for those functions. During execution, RASP evaluates inputs and outputs within the context of the application's logic.
It is essential to acknowledge that RASP necessitates distinct deployment and customization for each individual application. Moreover, RASP offers security coverage solely for the code that has been specifically wrapped by the user, thus leaving third-party components with no protection. Furthermore, the technology methods utilized by RASP often create significant friction, resulting in potential performance degradation and stability issues.
As a security solution designed and implemented in the past decade, RASP suffers from some major pitfalls, which have led security experts to consider it 'an added layer of protection' rather than a must-have security solution. Friction, maintenance requirements, and unpredictable impacts on performance and stability are just a few of its deficiencies.
RASP failed to scale and wasn’t widely adopted, due to the following main disadvantages:
Integrating into the application's code level is a nontrivial and expensive undertaking that can potentially lead to stability and performance issues. While RASP products utilize application-level integration techniques, these methods may introduce performance overhead and stability issues that organizations cannot afford in production environments. The resulting high overhead increases resource consumption and cloud costs, and of course, you cannot take a bet on the production servers' stability. Any resulting downtime can have adverse impacts on service level agreements, causing revenue losses and damaging the company's reputation and market position.
In some cases, RASP requires recompilation of the application, specific compilation flags, or specific configurations of the programming language engine, which mostly disable performance improvement features. Every time a new feature is added to the RASP engine, which means that a new vulnerability was discovered and the developer added code for mitigation, it requires rebuilding and redeploying the application to take action.
RASP mitigates only specific vulnerabilities, and only in the particular application that it has been integrated with. It attempts to create manually tailored mitigations for specific CVEs and to cover generic attacks such as the OWASP top 10. It is worth noting that as we mentioned before, in critical incidents RASP has not proven effective and has failed to provide timely mitigation.
RASP requires high maintenance from developers, as specific deployment and customization are necessary for each application. Furthermore, RASP secures only the application itself, leaving blind spots in production where any adjacent third-party components or services remain defenseless. Needless to say, this approach is unsuitable for microservices architecture, which is the state-of-the-art model for implementing modern software nowadays. The costs and efforts of integrating a RASP solution are too high, and its coverage is inadequate.
The RASP detection mechanism is powered by a rules engine that development teams are responsible for maintaining. The creation of these rule lists is a significant waste of time and is definitely not scalable. Additionally, this security approach also suffers from insufficient accuracy, as it is sensitive to both false positives and false negatives. By design, its detection mechanism is limited only to known threats that the team is familiar with and has chosen to mitigate.
To address these pitfalls, there is a need for an approach that offers the following:
Extended Berkeley Packet Filter (eBPF) is a groundbreaking Linux kernel technology that allows developers to execute custom code within the Linux kernel. It accomplishes this by introducing dynamic, secure, low-overhead, and efficient programs that run directly in the context of your live Linux kernel. eBPF programs are loaded at runtime and can be attached to various kernel events to inspect or modify data passing through the kernel, without the need to recompile the kernel or load kernel modules.
The eBPF framework is remarkable due to its ability to efficiently run sandboxed programs in a privileged context such as the operating system kernel - this has changed the game. eBPF has enabled kernel superpowers that can be used in enterprise-grade production environments and has been adopted extensively for a wide variety of use cases: observability, security, tracing and debugging, networking and load-balancing, performance troubleshooting, and more. eBPF is a proven and battle-tested technology that is currently being utilized by some of the world's leading technology companies, such as Netflix, Facebook, Google, and Cloudflare.
Although eBPF has been available for some time, its development and adoption have significantly increased in recent years. The framework's widespread adoption is due to its enormous design advantages, which include stability, safety, and minimal performance impact. eBPF was initially released in a limited capacity in 2014 with Linux kernel 3.18, but making full use of eBPF requires at least Linux kernel 4.4, which was released in 2016.
Open-source software constitutes most of modern software nowadays and poses crucial security risks, which serve as attack vectors for malicious actors. Most of the severe security breaches that organizations suffered in the past year were caused by vulnerabilities in open-source libraries. One great example that is hard to forget is Log4Shell, which even more than a year after its publication still exists in the wild. Open-source security breaches have an extremely wide impact and linger for long periods, thus deserving more attention.
Oligo takes a whole new security approach that goes beyond the traditional technique of monitoring the application as a whole. Rather than simply identifying CVEs and known threats, Oligo employs a granular security approach by breaking down the application into its individual library components and monitoring their behavior at runtime. By inspecting each library's behavior, Oligo can detect any deviations from normal or expected actions, thus providing a more comprehensive security solution.
Oligo utilizes eBPF technology to enable kernel-level tracing that covers the entire host, rather than being limited to a single application for which it was configured. As a result, Oligo automatically provides comprehensive security coverage for all the components that exist within the system.
Therefore, Oligo automatically covers a broad attack surface, of known and unknown threats, that exist within the application or in any other component on the host system, without the need for maintenance or applying specific configurations. Oligo is deployed frictionlessly, with a smooth installation process, and shows immediate value with zero development or security team efforts required.
Over the past decade, the goal of RASP has been to tackle runtime security challenges. However, its technical difficulties compromise the stability and performance of the application. Additionally, the traditional security approach employed by RASP has left blind spots in the production server, leaving it defenseless against potential threats. Due to factors such as its high costs, challenging deployment and maintenance requirements, inefficiency, incomplete attack coverage, and the friction it creates, RASP was unable to become a widely adopted and scalable product.
eBPF changed the game by creating the possibility to address the challenges and obstacles that RASP suffers from. eBPF provides a sufficient and effective technology approach by design. Using eBPF it’s feasible to implement kernel-level tracing that applies to the whole host operating system, without interfering with the running application or the operating system. Furthermore, eBPF makes it practicable to implement a comprehensive runtime security solution that oversees the whole system, and not only a specific application, without notable overhead or performance impacts. By using eBPF, Oligo cuts the need to integrate an agent into the running application, which is one of RASP’s main disadvantages.
The time has come to remove the friction associated with runtime application security and bring a scalable product to market. Oligo combines cutting-edge technology and a unique security approach that delivers a revolutionary runtime security solution that overcomes the challenges mentioned above and supports scaled cloud environments.
Oligo helps organizations focus on true exploitability, streamlining security processes without hindering developer productivity.
