Jonathan: Hey folks. This week I talk with Alexandre Dulaunoy and Quentin Jerome about Kunai, which is an open source Linux threat monitoring tool, and CIRCL, which is the computer incident response group out of Luxembourg. It's a really fascinating conversation about the tool and also what CIRCL is up to, and some talk about where the threat landscape for Linux is these days.
It's a lot of fun. You don't wanna miss it. This is Floss Weekly episode 832, recorded Tuesday, May the sixth. Give yourself a medal. It's time for Floss Weekly, the show about Free, Libre and Open Source software. I'm your host, Jonathan Bennett, and we've got something very fun today. We're talking about, well, Linux.
Not to any great surprise for those that know me, but Linux security, again, not a great surprise. It's something I care a lot about. We're gonna be talking with Quentin Jerome and Alexandre Dulaunoy about, well, a couple of things: the Kunai project, and then CIRCL (C-I-R-C-L) in general, which is all about security, Linux security in particular, but lots of security things, trying to keep computers safe.
It's gonna be really interesting and I am gonna get to learn a lot about these projects as well, because I don't know a whole lot about them yet. We don't have a co-host today. That is fine. Again, it's on me; I was putting things together at the last minute. I was sometimes the do-your-homework-on-the-bus-on-the-way-to-school type.
And it shows every once in a while, but that's all right. We're gonna have fun today. So we're gonna go ahead and bring them on. First off, Quentin and Alex, welcome to the show. Thank you so much for being here. Welcome. Thank you. It's good to have you both. So I know one of you is sort of representing Kunai and the other is sort of representing CIRCL. Which is which?
Quentin: So I'm representing Kunai.
Alexandre: And I'm representing CIRCL. Yeah.
Jonathan: Okay.
Alexandre: Even if Quentin is working at CIRCL.
Jonathan: That's how that tends to go sometimes. Yeah. And that's fine. So what is Kunai? Why would somebody use it? And what's the problem it's trying to solve?
Quentin: So, yeah, it's a problem that actually showed up recently with the limitations that people are seeing with traditional antivirus, for instance.
And basically the need to have security visibility on their operating systems. So there are not a lot of free tools for doing this. On Windows there was this project that was kicked off by, I don't remember, Russinovich, a while ago. And basically they announced some time ago a Linux version, I don't remember exactly, maybe four years ago, something like this.
And I was basically waiting for this for a very long time. And when the project came out it was super weird because a couple of weeks after, the main developer left Microsoft, and I was also very disappointed by that project because it took a lot of ideas from Sysmon, which was really, really great.
But they, in my opinion, didn't adapt it properly to the Unix world. And that's basically how I decided to start developing Kunai. It is basically to have the Sysmon equivalent on Linux. And it brings a lot of visibility on the Linux hosts, and a bit more than what currently exists like auditd and so on.
So probably you can do some stuff that Kunai does with auditd, but it's gonna be really, really hard to do it. And it's really focused on security visibility and basically threat hunting and threat monitoring on the host. It's not for monitoring performance. It is not for diagnosing C scores or things like that.
It's really focused on threat hunting, threat monitoring, and all of this, let's say, sphere.
Jonathan: Mm-hmm.
And Alexandre, what is CIRCL and how does that fit into this?
Alexandre: Well, that's a long story, but CIRCL is like US-CERT. So we are the national CSIRT in Luxembourg. So we do incident response, but we have a small particularity compared to other CSIRTs worldwide: we do open source. From the early beginning of the CSIRT, we decided to do open source.
We maintain and manage 17 open source projects. Maybe the most well known one is MISP, which is a threat intelligence platform that you might know. And we do other open source projects, but from the early beginning of setting up the CSIRT and giving services to cities and organizations and members in Luxembourg, we decided to go open source, and why?
The reason is very simple. We are funded by the state and it's public money, so we decided this must be public code. And for us it's, I would say, kind of the DNA of the CSIRT. So we do incident response, but next to that we do software engineering and software development, which are open source projects.
And over time, we did add additional tools and so on. And then we were missing EDR or monitoring platforms for Linux. And then Quentin joined the team to work on this and to have a complete open source solution for threat hunting on Linux.
Jonathan: Hmm.
Interesting. So let's dive into Kunai just a little bit first.
And I'm really curious, so obviously it's for threat hunting, but there are a lot of things that could sort of fall under that category. What are the tools, what are the techniques that Kunai uses to try to find something on a Linux system? So are we hashing binaries on the disk and comparing them to known good values?
Are we investigating what's running in memory? Is it all of the above? Is it trying to be sort of a do-all-the-things, all-the-bells-and-whistles antivirus? Where does it fit?
Quentin: So the idea is really to give actionable data to the person actually wanting to use Kunai.
It's really exposing the maximum of information we can so that people can actually customize their detection; they can create their own detection rules based on IOCs. So IOCs, indicators of compromise, this is usually something which is shared across people who got infected, maybe through MISP, the platform Alex just mentioned before.
Mm-hmm. Or from various sources, open source intelligence for instance, or things like that. And basically people can, let's say, bend Kunai to their needs. So that's where it differs from all the other antivirus where basically you have a black box and you cannot do much with it.
And for what it does, of course it hashes binaries; not much memory investigation. But I mean, all this is a matter of implementing features. So sure, if people are asking for these kinds of features, maybe I can implement those. Mm-hmm.
Jonathan: And so I've done some research into this sort of thing.
I'm trying to remember the name of it. There was another sort of old school open source binary checker. And the main thing that it would do is it would hash binaries. It would store the binary hashes on the disk, and then it would come back later and do the same thing and compare the two.
Ah, I wish I could remember the name of that project, but it always seems with that one... what's that?
Alexandre: Or leads or Ed,
Jonathan: That might have been it.
Alexandre: There are many of them. There are several, yeah, several that basically hash the binaries, keep that as a baseline, and if something deviates, then you have new hashes and then you basically get a popup and think, eh.
Jonathan: The thing that always confused me about those was that it was hashing the binaries on the host, storing the hashes on the host, and then hashing the binaries again on the host and doing the comparison.
And it's like one of those memes where you have a president of the United States giving himself the Medal of Freedom. I did so great. It's like, yeah, of course this computer is clean. It always struck me as being a bit of a problem. Really it's a problem of establishing trust, and doing something like Kunai, it's gotta have that same problem.
Is that an issue that you've thought through? Are there any solutions in Kunai that you've thought of?
Quentin: So the goal of Kunai is, okay, of course you can run it on your host and store the logs on your host. Mm-hmm. But mainly the use case that people are going to implement is forwarding the logs directly, mm-hmm,
to another log storage or something like this, where they can of course check the logs later. And what is also very important is, depending on the log policy they have implemented, they can do some sort of incident response, because it gives a lot of information: it gives information about parent process, child process.
And basically you can reconstruct the whole chain of execution happening on the host, which is very valuable. And yeah, basically that's the use case. Most of the people using Kunai won't just let it run on their laptop and not do anything with it. They will very likely forward the logs.
Jonathan: Mm-hmm. Is Kunai also the piece that runs on the more trusted server and does the log checking? So once we get data from Kunai, and I know I'm gonna ask about what other data sources you have, but I'm just curious about the whole tool chain. Once Kunai collects all this data and forwards it on somewhere, what do you do with it then?
Is that part of the project as well?
Quentin: Not really. Why? Because people tend to have... all this process that you're describing is kind of the secret sauce of every organization. So it is very hard to provide a one-size-fits-all solution for this. It's much easier to say, okay, I give you the tool.
As I said earlier, this is something you can bend in a lot of ways. And that was the original goal of it. Probably it'll fit your use case and you can very likely adapt it to what happens in the backend. And yeah, I've got several questions at talks and things like that.
Like, why don't you provide another format? Why don't you provide a filtering format, and so on. It's basically like everyone will come with another approach to store their logs and the information they want to keep. Mm-hmm. And yeah, this is not something I really want to go into because it's endless and yeah,
basically doesn't bring many features to the tool. It's just formatting. So,
Jonathan: Yeah. Is this actually something where CIRCL fits in, where you've got sort of a database of known problems and you can do a comparison with: this is the hash that I found on my computer, let me go give it to CIRCL and say, is this a malicious binary that you're aware of?
Alexandre: Yeah, it is. And we even have a project, and like Quentin was mentioning, a lot of projects are basically plug and play and kind of module based. So that means it fits in a complete framework where you'll do, for example, threat hunting and so on. And for example, we have a project called hashlookup, which contains a huge database on all the, I would say, known binaries.
So if you know the NSRL database from NIST, it's actually that, extended with plenty of operating systems, especially Linux, because it's really focusing on Linux. So that means when we have an incident and someone is providing an incident case with evidence like Linux servers or some binaries and so on, we can automatically check: okay, do we know that binary, or is it something that is completely new?
Then we can even use Kunai, because Kunai has this functionality that you can run it in sandboxes. So Kunai can act as a kind of sandbox. Maybe Quentin wants to talk about it later on. But the idea is, if you receive a binary that is suspicious, and we receive it for a specific case, then we can go through the sandbox of Kunai, do the analysis, look at all the activities from the binary, so it's like dynamic malware reversing, and you just analyze the binary and then we can check if this one is known.
And we can even check, in the process of the binaries, if it's comparable to, I would say, one of the well-known binaries that we know and so on. And then the plan that we have too is to actually have rules that we can even share with the community to automatically detect, I would say, bad behaviors or things that are deviating from standard behaviors,
I would say.
Jonathan: Super interesting. What about, and this is kind of a weird question, but it makes sense when you think about it, what about detecting known Windows malware? That really doesn't make sense on Linux until you start thinking about a Linux file server, and then all of a sudden maybe you do want to detect Windows malware.
Is that sort of in scope? I guess with Kunai it's just a matter of hashing files, but with something like CIRCL, or is this where maybe we need a plugin to be able to connect Kunai to VirusTotal and do uploads there for new files?
Quentin: That could be possible.
Jonathan: Look at that. He is like, oh, that's an interesting idea.
Quentin: Yeah. Yeah. To be honest, instead of putting this on the hosts, I would maybe put this again on the backend side where basically you can, again, do whatever you want with your data. Mm-hmm. And why? Because, of course, live checking hashes on VT, to be honest, would probably be the bottleneck of Kunai.
Yeah. Because doing a lot of HTTP requests while you are dealing with almost real-time data is super slow. Mm-hmm. So, yeah, this is something I would offload to a backend, for instance, because there is no time criticality to this.
Alexandre: Mm-hmm. But it made me think of an idea. We talked about Windows and Linux executables, so maybe an execution with Wine within Linux, and Wine is monitored too, would work too.
So if you want to do active reversing, I remember some projects back in the day where Wine was used as a way to do Windows monitoring of binaries through Linux. Maybe now we can have Kunai monitoring Wine, which is basically executing a Windows binary.
Quentin: Yeah. Yeah. I don't know if it works.
Alexandre: Definitely an interesting idea. After this stream, we can just make a test, I think.
Jonathan: Yeah,
Alexandre: that's a good idea.
Jonathan: Yeah. So I am always fascinated by the way rootkits work. And a rootkit, for those that don't know, I think most everybody does, but for those that don't, a rootkit is basically malware that goes to some lengths to hide its existence.
So it's trying to hide from some anti-malware software. It's trying to hide from the sysadmin. And I have read about some crazy things that rootkits will do, where they're live patching glibc so that when they find themselves in a list of processes, they just remove themselves from that list of processes.
And in some cases, these rootkits are extremely difficult to find and root out. Does Kunai have any sort of anti-rootkit technology built into it? That's a difficult problem. What does the solution to that look like?
Quentin: So I guess it depends on the type of rootkit, because there are what are called userland rootkits, which are basically, mm-hmm,
a malicious library that you manage to inject in all the processes. And that's probably what you were mentioning. Basically, they just redefine the syscalls or the functions of the libc and they filter when it's related to the malicious process, for instance. So this is completely caught by Kunai because that's super easy.
Everything happens in userland. Mm-hmm. And something we didn't mention is that Kunai runs, I mean, all the interesting events are coming from the kernel land using eBPF. So I don't know if you are comfortable with this, but it's basically the way the Linux kernel has found to allow developers to develop kernel components,
mm-hmm, but basically without all the bugs. We have a good example of what happened to CrowdStrike like one year ago. Yeah. How could we forget? Yeah. This would be hard to happen in eBPF because it comes with a nice code verification, let's say, step. So you cannot load any code in the kernel.
Everything gets verified and code is pretty safe, let's say. And yeah, so this is how Kunai works, thanks to eBPF, and maybe there are ways where Kunai could be tricked, but I don't really see how. Mm-hmm. Because if the rootkit is a kernel module, Kunai would see it, and I'm not aware if it's possible from one eBPF program to interfere with another.
So for sure this would be something really interesting to test. And yeah, if one of the guys in the community or one of the guys listening would be happy to try this, I mean, let's do it. Mm-hmm. And don't hesitate to open issues after that.
Jonathan: Sounds like there are some really interesting cases here where a security researcher that really is into Linux security could go heads down for a while and really explore all of this and see how that works.
I've read about some eBPF rootkits where people are putting malicious code, running malicious code inside that extended Berkeley Packet Filter. I must admit, I've never actually messed with BPF at this point. I know what it does. I know it exists. I've never written any code and tried to make it work there.
So I'm not as familiar with it as I could be, but I know in a couple of places there was some real trepidation about the idea of malware running BPF code. But it's really interesting that it's a good place also to run anti-malware processes because, I guess, as BPF code, like you said, if there's a problem, it's not going to crash the entire kernel,
like someone else's module did.
Quentin: I know, to be honest, I'm still wondering why malware authors don't focus more on eBPF, because you can do crazy stuff.
Alexandre: Yeah. Are you giving advice right now?
Quentin: It's just a matter of time, you know. Yeah. That's true. But for sure it's not easy to develop, so yeah.
Probably easier to develop a kernel module.
Jonathan: True. Yeah. Right. Well, probably what we're waiting for is for someone to release the first open source malicious eBPF example, and then all the script kiddies will copy that into their own code and the floodgates will be open.
Quentin: I think it already exists.
Jonathan: Yeah, it probably does. Something very basic. Mm-hmm. So what sorts of things... you guys obviously have your pulse on what's going on with malware in the Linux space. What are you seeing and what is sort of on the cutting edge? If it's not eBPF, what are the things that people are actually doing?
Alexandre: I might disappoint you a bit, but a lot of the malware that we see is not so interesting. And the thing that is quite interesting is what kind of things they target. We recently tracked a botnet targeting only high performance computing infrastructures. So this one is well done.
We have been tracking them for some months. We even exchange the C2 server on a regular basis and so on. And we were wondering why they always target HPC servers, because it's a lot of investment, it's time and so on. And at the end it's only for doing crypto mining, which is a bit disappointing. I was expecting things like that and you end up with that; it's like, oh, guys, I mean, do better.
But technically it's... nevertheless we see some rare cases which are, I would say, more targeted or very targeted, where it's more kernel modules or specific user and software that are well used for one or two targets. Mm-hmm. Some of the blogs sometimes mention those; some of them on a regular basis.
Mm-hmm. So there are some Russian collectors, for example, that are very good at writing some exfiltration mechanisms through Ethernet frames, things like that, and that are running on Linux. And so there are some interesting cases. Unfortunately, I would say, compared to Windows, the malware space on Linux is really separated into the ones doing crypto mining,
the ones that are doing kind of ransomware on Linux servers, mm-hmm, so locking your servers and then you have to pay ransom, so classical ransomware and stuff. And then you have the espionage exfiltration cases, which are, I would say, a minority. So that's three kinds of space. And then you have all the tools for leaders.
So that's all those clients for DDoS, DDoS management, collaborative DDoS, because nowadays those DDoS activities are kind of collaborative. So you have to download the client for Linux, run it on the VPS, and then you get points and those points give you back crypto currencies. So it's the kind of thing that we have seen.
So that's the kind of malware for Linux. And Quentin did an interesting repository which is available on the Git repository, which takes some random samples of, not always the same kind of malware, but different types of malware, and runs them in the sandbox with Kunai.
And then we have, we don't mention that, but with Kunai you can automatically generate, with a QEMU setup, pick up the JSON files with all the activities of the malware binaries, a nice graph, an export format and things like that. So if you want to investigate malware and so on, on Linux,
it's a perfect tool for doing that. And then you have a complete setup. You have a sandbox repository on the project explaining how it works. There's a blog post about it. To use it, it's super easy. And if you have suspicious binaries or if you just want to reverse the binaries, just for example, another thing that you can use it for is to create rule sets.
So for example, you have binaries, you have to create rules for, I don't know, something like that. Mm-hmm. Or you can use it for doing the execution in the sandbox and see what the binary is actually doing. That way is maybe another way of using Kunai.
Jonathan: Yeah. Interesting. I tend to play on the Red Hat side of the street.
For me, it's all SELinux, not AppArmor. But I could definitely see that being useful because my usual workflow is: try to run the program. Oh, it failed. Okay. Let's go see which thing failed first. Okay. Try to run the program again. It failed again. What's the next thing that failed?
It's a very tedious way of doing it. So this sounds like a definite upgrade. Now what about, say, if we had an ARM binary and we wanted to try to use Kunai to look at that but maybe don't have an ARM machine handy. Is there some way to use Kunai with cross-platform emulation?
Quentin: Yes. It is possible because Kunai comes with, for the moment, it can compile to two architectures. So it's x86 64-bit and aarch64, mm-hmm, which is 64-bit ARM. So yeah, if you have such a binary, you can do it. Mm-hmm. I don't provide yet other binaries to test on, let's say, older ARM architectures.
Jonathan: Yeah. Interesting.
Alexandre: You can even still run ARM binaries on Intel ones using QEMU.
Quentin: Yeah. Yeah. Yeah. Makes sense. Yeah. But we would miss the activity because we need to monitor the ARM kernel, and yeah, I need a binary for this.
Jonathan: You need Kunai to run inside the VM, not on the outside.
Would there be any way to do that? To run it... I don't even know if, with Linux and eBPF and the way virtual machines work right now, I don't know if that's even possible, but would it be possible to monitor from outside the VM?
Quentin: Yes, this is probably possible. But I don't know exactly how it is done.
And basically many sandbox platforms are offering this approach, which is called hypervisor-based sandboxing. So there is no agent on the sandbox, and they just monitor the instructions executed by the sandbox. Mm-hmm. And you can definitely do it. But yeah, that's a completely different topic.
It's not the way Kunai is architected. Yeah. This is for dynamic analysis or, maybe, yeah, advanced dynamic analysis.
Jonathan: Mm-hmm. Have you discovered yet malware that looks for the presence of Kunai?
Quentin: Not yet.
Jonathan: Okay. It's inevitably coming. Right. As the tool gets more and more popular, it's inevitable that somebody's gonna write malware,
and one of the things it's gonna check for is, can we see if there's a Kunai instance running anywhere? Yeah. It's probably, yeah.
Alexandre: It'll be a success factor, I would say. Yes.
Jonathan: Yes. Depending upon what you're doing, there are different factors of success. So when you're running some sort of messaging platform, it's when people start using it to send spam, and I think maybe running an antivirus platform, and I say antivirus very, very broadly here, it's when malware starts checking for the presence of your tool, that's when you know that you've really made it.
Quentin: Yeah, I will be happy that day.
Jonathan: Happy and very grumpy, I'm sure.
So let's see. I'm curious more about what eBPF lets you do. Again, I know very little about it. Does it basically give you all the same tools that you would get from writing a kernel module, or is it a more limited set of things that you can do to the kernel?
Quentin: Yes.
It's more limited. It's a more limited set because you have a limited number of instructions you can execute in each probe you are loading in the kernel.
Jonathan: Mm-hmm.
Quentin: So this is the first factor. And then you don't have access to all the kernel APIs. Mm-hmm. So you have to use one of the available APIs which is exposed by the eBPF framework.
And yeah, there are a lot of other limiting factors, like the fact that you cannot allocate an unlimited amount of memory and so on, so that, yeah, sometimes you really have to think a lot to write your eBPF programs. And what I was mentioning earlier with malware authors developing malware is that you really have to be motivated to write eBPF, because I spent countless hours debugging my BPF programs.
Jonathan: Mm-hmm.
Quentin: Because as I said, you have the eBPF verifier which actually checks your program doesn't have side effects. Mm-hmm. And yeah, this one sometimes kicks in for super strange reasons. And you definitely have to find it. And yeah, the additional difficulty I had, I guess, is because I am using the Aya project, which is compiling Rust directly to eBPF bytecode.
Jonathan: Oh, interesting.
Quentin: And so this is of course very interesting because you can write both the userland program and the eBPF program in the same language. Mm-hmm. But the other downside, let's say, is that it goes through an additional, let's say, compiling chain on top of the Rust one. And sometimes it produces weird stuff and you need to find out why this happens and fix your code.
Jonathan: Compilers sometimes are weird. Yes.
Quentin: Yeah. And it was kind of in early development when I first used it. And in the beginning it was really, really hard to make everything work. I mean, this was a combo of me being completely new to BPF, Aya being new too, and yeah, some features were not there.
And yeah, it was really, really hard in the beginning.
Jonathan: What is debugging eBPF, in particular with this kind of Rust tool chain, what does debugging look like? Can you run it in VS Code and hit F5 and single step through it to see what's going on, or because it's running in kernel land, is that just not an option?
Quentin: No way. No. I mean, maybe there is something that exists. I guess I've seen some projects, some kind of emulating eBPF bytecode and so on. Mm-hmm. But most of the time what you get is that you try to load your program in the kernel and then it provides you a huge... it's not a stack trace.
It's basically the instructions that have been executed by the VM. Mm-hmm. And then you see where it fails. And then yeah, you just analyze this and you figure out where the issue is.
Jonathan: I imagine you do lots and lots of adding whatever the BPF equivalent of printfs is; do a lot of printf debugging with this.
You can. That's what my debugging sessions tend to look like.
Quentin: Yeah. That's what happens all the time. So it's called bpf_
Jonathan: printk?
Quentin: Yes.
Jonathan: Yes. I'm concluding that we need an eBPF debugger in the kernel. Let's get on that, guys.
Fun stuff. Okay. So one of the things that we've seen in the security world that maybe ties into this that's interesting is security appliances being the target of, and this obviously is when we're talking more about nation state actors and not people just trying to mine for Bitcoin,
but you have actual security appliances being the target, where someone will find a way into, say, a VPN box that's sitting on the edge of a network; well, there's an unauthenticated RCE and you can load code onto it. Do you guys have insight into that? And I'm also curious, is there anybody sort of in that space that's maybe looking at running Kunai as part of their security offering?
Alexandre: First, I think I have really, really bad news for you. The kernel versions used by those appliances are usually very, very old. I won't even mention Ivanti or Fortinet; for some of the incidents that we had on those devices, we had kernels that are not actually supporting eBPF.
Jonathan: Mm.
Alexandre: So it would be, I would say, for those kinds of operators or vendors, unrealistic to run eBPF programs.
Nevertheless, I would say, and if someone from the vendor space is listening to your stream, I would say it would be good advice, because then you could stream the logs back to a SIEM, for example, from the customer perspective, and they can have a better visibility of what's going on on those devices.
And I think it's a good point. We were always thinking of these as super hardened appliance boxes, but if you look carefully, they are not super hardened at all. They're running a Perl program somewhere or an open library from the late nineties. So I think there's an opportunity there. Now, the question is, are the vendors creative enough to do that?
I'm not sure.
Jonathan: Probably not yet. I very much enjoy reading the watchTowr writeups on the things that get found in those appliances. And to the vendors' credit, there are a few vendors in particular that have actually stepped up and are trying to fix things and turn on some hardening features and use code that has been updated since the nineties.
But it is quite hilarious to read the cruft that they find in there. Sometimes the blog posts are incredibly good.
Alexandre: Yeah.
Jonathan: Yes, yes, it is. It is quite entertaining. So what is the oldest kernel that Kunai will run with then?
Quentin: Yeah, it's not very old. I'm sorry. It would be 5.4 for the moment.
Jonathan: Okay. Well, I mean, we're in the 6.x series already, so it's not that big.
Quentin: LTS, I guess, is 6.12, something like this.
Jonathan: So nobody, you know what that means. Nobody should be running a kernel too old to run Kunai. Just shouldn't be doing it.
Quentin: You can do it, but you use auditd for doing such kind of monitoring. Hmm.
Jonathan: Are people taking the Kunai output and throwing it at LLMs to look for weirdness, that you're aware of? Are you doing it yourselves?
Quentin: I don't personally; I'm super busy on the development, but I know one friend of mine who is throwing the logs into LLMs and generating detection rules, for instance.
Mm-hmm. So, yeah, I guess it's something that people are doing.
Jonathan: Yeah. I always found that to be an interesting idea: if you can get a baseline for a system and you know the normal things that are gonna be in the logs and the normal things the processes are gonna be doing, and if you have something just smart enough, and we're at the point now where LLMs are just smart enough to do so, they can look at it and say something is really different from the baseline.
I always thought that was a very interesting, useful thing. Even if it's not malware, it's still useful to know that my system is in a much different state than it's ever been before. Somebody might ought to take a look at this. Sounds like it's a service that somebody could offer. Maybe, and if they do it and it's not you, they should share some of their income with the Kunai project.
That's a good question. So do you get to work on Kunai professionally? Like, is it your full-time job? Yes. How did that come about?
Alexandre: Alex, do you want to? Yeah, I can explain the funding aspect. So as a CERT, we basically develop open source tools, but the first reason why we develop the tools is for ourselves.
So we develop open source tools that will be used by us. And basically we use our own budget to develop those tools.
Jonathan: Mm-hmm.
Alexandre: The nice thing is, the more you develop tools, the more you start to have users, and those users want to contribute and fund those projects. And, for example, Kunai is funded through two different streams.
One is our own budget, but one is a project called T, which is a European project for SOC, for security operation centers. Mm-hmm. To basically provide a complete tool set for operating a SOC with open source tooling. And we get funding from the European Commission through the debt program to work on it.
And it's a three-year project. And we, CIRCL, we have three streams of funding. We have those two streams, so that means internal national funding, we have European funding, and then we have public-private partnership funding, which is basically customers. And for some of the open source projects that we operate, we basically have organizations that want to have extensions, things like that, and we get funding out of it.
So that's how we fund our projects, and we were quite successful on that because we're quite well known for the different tooling that we were doing. And people come to us and say, oh, by the way, we would like to have an extension. Could we fund a part of it? Or sometimes even people provide in-kind contributions.
So for some of the projects that we have, we even have developers paid by companies that are contributing to the open source project directly. So it's very common for the Linux kernel, where you have, for example, people from, I don't know, Intel, Google, whatever, working on the kernel, but it's the same for the security space, for security open source tools.
We have organizations that are using our tools. They want extensions. They sometimes are able to directly fund us, but sometimes they say, okay, we have good developers; would you mind this developer joining your core team for the next two years to work on the project? And so that's quite successful.
And for the past years that we were doing it, we get, I would say, long-term development and we get different streams. So if one of the streams stops, we are able to continue to get funding from those different mechanisms. Mm-hmm. And that's why, for example, Quentin was working on this project, because he joined for the European project, but at the same time he joined the group to develop all the tools too. So the team is quite small. In my team we are 16 persons. So that means we do a lot of things, incident response and software engineering. Mm-hmm. But we are able to get funding through these different ways of funding the project.
Jonathan: And so CIRCL is the incident response team based out of Luxembourg? Yes. Ah, very interesting. Okay. I'm curious how part of this works, and that is CVEs. They're both laughing at me. Oh. How does it work now? There's some history here, and that is that the CVE system is sort of US-centric, at least it's based out of the US.
NIST works with it and MITRE works with it both. One is a part of the US government. The other is a weird entity that's halfway US government and halfway private. And you know, in the past couple of weeks there was news that MITRE was going to lose its funding to do the CVEs. So I'm very curious, like, is CIRCL a, can you guys assign CVEs?
Do you do CVEs at all? Do you have your own system? Like, I honestly don't know very much about how that works outside of the US.
Alexandre: Okay. So, I dunno if you know the backstory, but we develop a tool called Vulnerability Lookup. Mm-hmm. Which is an open source tool for vulnerability management and the CVD process.
Jonathan: Mm-hmm.
Alexandre: Coordinated vulnerability disclosure process. So we started that project one year ago, and this one is the backend software for the European vulnerability database. Mm-hmm. So the EUVD. During that development process, we discovered that we were missing an autonomous way of assigning IDs. So we started a project called GCVE, so it's Global CVE.
So if you go to gcve.eu, it's a project where we basically assign IDs to organizations that are able to get IDs. Why we did that: we did that some months ago, it was for the Vulnerability Lookup project, but then with the recent news, we had a lot of discussion at the European level about it.
What should we do there? And then we said, okay, but the model that we developed is backward compatible and forward compatible with the CVE and CNA allocations. Mm-hmm. So that means us, as a CNA, we can assign CVEs, or we can, as a GNA, assign the GCVE, which is kind of a global CVE ID, and if later on the CVE IDs are the same, it's fine.
So the GCVE project that we started was just in the middle of this crisis of the CVE program. So for us the timing was a bit strange, but it was perfectly fine. Mm-hmm. And the European Union, and especially ENISA, which is the agency, so you have to see ENISA like CISA in the US, which is the agency for the European Union regarding cybersecurity, did this European vulnerability database, which is now a legal requirement for European networks.
And then we basically provide to them the software backend for that. So Vulnerability Lookup, which basically plugs into GCVE. So something that we designed as an open source project more than one year ago, which was more for our use case, is now growing to, I would say, a European use case. Mm-hmm. So if you're curious, it's Vulnerability Lookup.
It's vulnerability-lookup.org. And it's an open source project, again. And we have an online version. So you have all the vulnerabilities and then we can collide and correlate all the different ones together. Mm-hmm. So the timing was like, okay, and now the project is started. The EUVD database was announced just at the same time, just by accident, because technically it was foreseen to be released in February, but that's a long story.
So yeah, we, CIRCL, we basically operate that structure called GCVE, where you can ask for an ID, and that's basically it. So if the CVE program continues to work, that's great, but even if something is going crazy after the 11 months given to base C with the additional budget, mm-hmm,
if something goes wrong, now we are completely independent and we can continue to operate as we wish.
Jonathan: Yeah. And I would say that's only reasonable, that the rest of the world would want to have a way to manage vulnerabilities, to track vulnerabilities, that's not quite so US-centric.
And I don't say that as a political statement, but just as a general security statement. I think certain news agencies made more out of the funding thing than probably should have been, because apparently this is not the first time this has happened. Exactly. Yeah. This guy wasn't following the last time that MITRE had to figure out how to fund this.
But anyway, that's sort of neither here nor there. Looking at the CIRCL website, I do also see something that really fascinates me, and that's the CIRCL Passive DNS. What is that?
Alexandre: That's a long-term project that we have. So the passive DNS is a way to build a directory of all the DNS responses that you collect.
So the model is the following. You basically put sensors at various places. Could be internal sensors and so on. Mm-hmm. Or external sensors where you collect only the responses, the DNS responses. So when you query, I don't know, google.com, you get back a response. We see A records, CNAME records, and so on.
What we do with the passive DNS: we basically have those sensors, we collect that in a database, and then we have a historical database of all DNS records. What is that useful for? It's useful for threat intelligence. Mm-hmm. So we get an IP from, I don't know, a phishing website. We enter that IP and we can find back all the domains that are related to that IP address.
We can find back the historical ones, the first time we saw it, the last time we saw it. Mm-hmm. So it's giving a lot of meta information about the domains and so on. So we have operated one for the past, I think, more than 10 years now. Our passive DNS is not commercial, so trusted partners can get access to it.
So if a SOC or a CERT wants to have access, we can give you access. And the passive DNS evolved a bit because, as you know, for example, the TLS standard evolved. So the SNI record in TLS starts to disappear. DNS servers now concentrate on, you know, the main global DNS providers. So starting to do monitoring of DNS packets and so on is becoming more and more difficult for doing this kind of collection.
Nevertheless, we found different ways to do collection on passive DNS. One which is interesting: we operate different services online, Lookyloo, Pandora and other things, where people can test URLs and so on. But by doing that, this is doing the feeding of the passive DNS collection. Mm-hmm.
So if you have someone looking for a phishing website and so on, they do automatically the resolving, and the resolving is going back into the passive DNS. So we have a pretty large database of that information. And for example, if we connect back to Kunai, if we have a malware binary running under Kunai doing a DNS request, then we can pivot from the DNS request from Kunai into the passive DNS, finding back the infrastructure that is basically hosting different C2s on the different domains. And the passive DNS is really an angular piece to be able to pivot from one place to the other place automatically. Yeah, absolutely. And nowadays, I think there are not so many passive DNS databases, and passive DNS databases are very localized, because if you have a passive DNS collection in the US, it'll be US-centric.
If you have one in China, it'll be Chinese-centric. So that's something to keep in mind when you do passive DNS usage. Maybe you can call multiple ones, and you have different, I would say, views of the world regarding DNS requests and so on.
Jonathan: Yeah. If a security researcher decided that this would be something that would be useful to get access to and contacted you guys, is that a possibility?
Alexandre: For sure. We give access to many researchers. Why we don't put it public: it's kind of per tool for evidence. Mm-hmm. And collectors might use it for that. And that way we don't make it completely public.
Jonathan: Yeah. That makes sense. There have been times that I've wished I had access to that. You know, you have a domain name and you're trying to figure out, like, who are these guys and who did these guys used to be?
Well, I can pull their IP address now and do a whois on it. But I'm really curious: six months ago, what IP address did that resolve to? And let me do a whois on that. And it's very, very useful. I've literally wished for this service to exist before. Sure. So I'm glad that it does now. What is the USB Sanitizer? Yes, I'm at circl.lu and I'm looking at your services. And this is the other one that I'm not quite sure what it is. What's a USB sanitizer, and how is it different from just running dd over a USB stick?
Alexandre: Whoa,
Jonathan: that's,
Alexandre: I can explain the background where, when it started.
So it's even a small story. So we had a representative from the government in Luxembourg going to some countries like China or whatever countries. Mm-hmm. And they receive USB keys from partners, and when you are a diplomat and you have a USB key, you somehow need to connect it and see what's there.
Well, at the same
Jonathan: time realizing that that thing is potentially nuclear radioactive waste that you don't want anywhere close to your computer. Exactly, yes.
Alexandre: And so what we did is, it's a software, so we have two versions. One is a library, one is a software running on the Raspberry Pi. How it works: you basically enter one USB key, which is the suspicious one.
You enter a second USB key and the software inside will start. So you have a little music running. When the music stops, the conversion is done. Super straightforward. That's great. Anyone can use it. So the idea is to convert content into some, I would say, disinfected content.
So for example, if you have a PDF, it's converted into images. You can quickly look into it. And so it's not running with antivirus and stuff like that. Can I, is not running on that one, for example, but could. But it's actually converting the files into, I would say, less risky files. And then people can have a look at it, plug, unplug the destination keys, and then start to look, and if
this Raspberry Pi is compromised, then you can trash it and that's it. But you basically don't use your computer for doing that. So that's the idea. Nevertheless, over time, I would say the threat model changed a bit. So the USB key was usually a threat model, I would say, five or six years ago; nowadays it's not a threat model anymore.
So it's one of the open source projects that we still have running. It's still operating, but we don't maintain it quite a lot, I would say, because we have seen an evolution in the threat model regarding USB keys, and it's less and less common to actually use USB keys in meetings and so on to exchange.
But it's still a threat model or threat vector, mm-hmm, that you need to tackle in some way.
Jonathan: Yeah. If I find a USB key or get one from an untrusted source, I'm not plugging that into one of my computers. Not one that connects me to the network. I do something like this: put it on a Raspberry Pi and spit it out as a text file or something.
You guys basically just automated that idea. I imagine it's not so much a threat model anymore because it became so well known as a threat model, particularly after things like Stuxnet, and you have solutions like this one, like the USB Sanitizer, that kind of chop the real effectiveness out of it.
Yeah,
Alexandre: exactly. Yeah.
Jonathan: Yeah. Very interesting. This is some neat stuff that you guys are doing. Is there another one of these sorts of projects that you're doing that I haven't asked about? Or is there anything on the radar for CIRCL?
Alexandre: Yeah, there are many.
So maybe one that would be interesting for you. It's called AIL Project, so it's ail-project.org. So this project is monitoring the dark web. So it's basically a complete crawler for Tor. You have feeders for Telegram channels and so on. We actively use it for monitoring; it's automatically crawling Tor.
You can, for example, do correlations between websites so you can demise to and services. It's a project that we do a lot of work on. We do regular releases and it's actually used by law enforcement c worldwide, intelligence agencies, and it's completely open source. Then it could be a dangerous tool, because you can actually extract credit card numbers, cryptocurrency, stuff like that.
But if you have good intentions, like a Security Operation Center, it is a very nice tool for getting insight about what threat actors are actually doing on forums and so on. It's quite an advanced tool. I mean, Kunai is a recent tool in our different tool set. Mm-hmm. But AIL Project is one of the projects that we maintain and work on.
Then I will mention one which is still not public, but will be released very soon. It's "rule set" with a Z in between, ruleZet.org. Mm-hmm. It's still not online. The idea behind it is to basically publish rules, YARA, Sigma, Z and so on, and to basically use a green to get the existing ones from the different repositories, as you know.
They're on GitHub. Plenty of repositories with Sigma rules, YARA rules. And sometimes it's very difficult to find: does this one work well with this detection and so on. And the idea is to be able to have a crowdsourced version of all those different sources. And even authors can claim authorship, ownership of the specific rules.
They can review it, they can update it, and then people can download the rule set from the website. And for example, the ones that generate not that much false positives, the ones that are efficient in this kind of SOC operations and so on. And obviously one of the rules could be the one from obviously.
But that's the idea. And we want to do that because we have seen that in MISP a lot of people are sharing information about, here are rules and so on. But we wanted to make it public. So the code base of the software will be, again, open source and the web service will be online, but that's a
bit of something new that will be released in the next week. Very cool.
Jonathan: Yeah. That's neat. One more thing on the website I want to ask you about, and that is BGP Ranking. The entire idea of attacks against BGP is very fascinating to me, but also a little terrifying, because there are not great solutions out there for it yet.
And what is BGP Ranking? What is CIRCL trying to do to fix the BGP issue?
Alexandre: It's the first project of CIRCL. So this one is more than 15 years old. We still maintain it. So the project behind it is very simple. So we actually get all the BGP announcements. Mm-hmm. And we look into the malicious lists of IPs from those different network announcements.
So that means we just collect all the announcements. Mm-hmm. And we collect all the malicious IPs. Then what we do, we summarize to see how long those IPs are still malicious in those subnets. And then we rank the AS numbers based on the proportion of malicious IPs out of the announced IPs. So for example, if you have a small slash 24 and half of those IPs, like 128, are always having C2 servers, phishing, and so on,
mm-hmm, your ranking will be very bad. Nevertheless, if you're a very huge provider and you have some IPs that are malicious and so on, that makes sense. And then you clean up those ones and so on, and then you have a low ranking. And on a daily basis we can compute the ranking of all those ASNs and see.
So if you go to BGP Ranking, that's bgpranking.circl.lu, you get a top list of the most malicious ones, and obviously in the malicious list you get scanners. That makes sense. But you get a lot of bulletproof hosters that are actually hosting things that they should not host in various places. So it's a nice way to spot
the malicious ones.
Jonathan: Is anybody doing any automated work with this? Like, one of these low-ranked AS numbers just announced that they're routing half the internet. Maybe we should ignore that.
Alexandre: That's a good point. I've seen one or two papers that are actually using our dataset, and they were looking at the outliers.
So there are some outliers that are interesting. Like, they don't host that much. They're a bit out of the radar. But why is it like that? Is it because they don't host anything? They're just giving access. For example, some obscure VPS providers tend to be in the outliers.
Jonathan: Mm-hmm.
Alexandre: Because they just provide access.
But sometimes the VPS provider should have some malicious IPs. You know, you have one compromised machine, and so it makes sense. But you have VPS providers with zero infections over a period of five. Yes. Does it make sense? Hmm.
Jonathan: Yeah. That's interesting. Alright. And then let's turn back to Kunai.
I have a couple of questions about that before we wrap up. And one of the first ones is: I run a Linux server. Let's say I want to deploy Kunai on it to keep track of things. What's sort of the process to do that? Where can I go to figure out the steps to use Kunai on one of my servers?
Quentin: So there is a website which is why.kunai.rocks. And basically it contains all the documentation to help you in the deployment of Kunai. Nice. And how you can use it for doing really specific monitoring, how to design detection rules, how to load IOCs and so on.
So yeah, I try to keep this documentation up to date and simple. And again, this documentation is open source, so if anything is missing, just open an issue, I will fix it. And yeah, that's it. And I always try to do the simplest thing possible. So yeah, I hope the setup is quite simple.
Jonathan: Yeah. It looks really good. Is there anything coming for Kunai that you want to let folks know about?
Quentin: Yes, there is something that we will put online soon, I guess, which is a platform where you can upload malware samples and it'll get directly analyzed with Kunai in a virtual environment.
And why is this interesting? It's because, when you are doing incident response, most of the time you use sandboxes to execute samples, mm-hmm, of any sort, but the output of it is most of the time not directly compatible with your detection tool chain. So the idea was to have Kunai logs directly out of malware monitoring, so that you can directly create detection rules using Kunai.
So the platform will not aim at being an additional sandbox, will not aim at defeating anti-sandboxing in malware and so on. Mm-hmm. It will just be something where you throw your malware in and you get the Kunai logs. And yeah, that's basically it. So it's using a project which is already on GitHub, which is Kunai Sandbox.
And basically it's a front end on top of this. Mm-hmm. And I just released the code past week, so it should be online
Jonathan: soon. Very cool. It saves me from having to stress about setting up an absolutely secure sandbox to be able to do this testing. Very cool. Alright, is there anything that I didn't ask you guys about that you wanted to let folks know about?
I know this is a challenge. You've gotta think through all the things we talked about, and all the things you wanted to.
Alexandre: Just one thing: we have a conference in Luxembourg called hack.lu in October.
Jonathan: Oh, very cool.
Alexandre: And we still have a CFP open for open source projects. So if you go to hack.lu you can submit your paper. There are still some days left before the closing of the CFP.
So we welcome open source projects, and especially open source security projects, there.
Jonathan: Very cool. I'm curious, and again, this is very much an American-centric question. What about the language there? Is that gonna be a French conference or English? And if it's in French and someone like me comes, that doesn't speak French, am I just gonna be completely lost?
Or is there help? How does that work?
Alexandre: So in Luxembourg we officially have four languages. So Luxembourgish is one, French, German. And one of the most spoken languages in Luxembourg is Portuguese too, 'cause we have a huge Portuguese community. I believe it. But the conference, hack.lu, is obviously English, or broken English depending on your origin.
But technically it's an English conference. We need to do a conference where everyone is welcome. So that's usually the universal language.
Jonathan: Yes. Very good. All right. Appreciate that answer. Okay. So, I'm being reminded now in our chat room; I forgot this last week.
I want to ask each of you guys, and we'll start with Quentin. What is your favorite text editor and scripting language?
Quentin: A scripting language? Yeah. It's Bash. It's Bash, and text editor, I would say Vim. Bash and Vim.
Jonathan: Makes sense. Alexandre?
Alexandre: So obviously Vim. I was a long-time Emacs user, and then one day my hand hit the toilets and then I changed back to Vim.
And I think we are the only two Vim users at the office, I think. Really? That's funny. Yeah. I think the rest is more like IDEs. One scripting language: I'm a long-term CPAN contributor, so I really like Perl. Mm-hmm. For years, even if I would say Perl is not even a scripting language, it's much more than that, a philosophy.
But indeed, for me, Bash is still a great way to do quick scripting and so on. But I would say Perl is my favorite scripting language.
Jonathan: Yeah. Yep. Very good. Alright. Thank you guys so much for being here. It's been a blast learning about Kunai and all the things CIRCL is up to. I appreciate it. Once some of these things come to fruition, after a while we'll have to have you guys back and talk about what's changed in the landscape of Linux threats.
Alexandre: Thank you very much. Thank you.
Jonathan: Alright. That was a lot of fun, diving in and talking about some of those things. You know, I cover a lot of these in the security column, and it's neat to be able to talk to some of the people on the front line about things that are actually going on. I very much enjoyed that.
Alright, so I wanna let folks know, remind you, that if you want more of me, there is of course the security column, which goes live every Friday morning on Hackaday. There's also the Untitled Linux Show over at TWiT. Make sure and check that out. We will be back next week with another episode. I sure appreciate everybody that's here, those that listen, and those that watch both live and on the download, and we will see you next week on Floss Weekly.