Hacker News new | ask | show | jobs
by tylerflint 401 days ago
We have Go support, but it is not open sourced yet. Go is a bit more complicated but we were able to get it after some cave diving in the ELF formats. To give you a little insight on how this works, because Go is statically linked, we need to pull several different offsets of the functions we are going to hook into.

We do this by scanning every version of Go that is released to find offsets in the standard library that won't change. Then when we detect a new Go process, we use an ELF scanner to find some function offsets and hook into those with uprobes. Using both of these, we have all the information we need to see Go pre-encryption content as well as attribute it to connections and processes.
3 comments
chatmasta 400 days ago
Great approach. I love the choice of practicality over generalization.

Are these offsets consistent across compilation targets, and they vary only by version of the Go binary? Or do you need to do this scan for every architecture?

link
tylerflint 400 days ago
The short answer is that we only have to calculate the offset per go version, no expensive runtime scanning is required.

The long answer is that the offsets are the byte alignment offsets for the go structs containing the pointers to the file descriptor and buffers. Fortunately we only have to calculate these for each version where the TLS structs within go actually change, so not even for every version. For instance, if a field is added, removed, or changes type then the location in memory where those pointers will be found changes. We can then calculate the actual offset at runtime where we know which architecture (amd64, arm64, etc) with a simple calculation. Within the eBPF probe, when the function is called, it uses pointer arithmetic to extract the location of the file descriptor and buffer directly.

link
opello 400 days ago
Is the precomputation sufficiently resilient to cross-compilation where the system may be composed of significantly different versions than something mainstream like Debian might ship? I'm thinking of embedded targets built using the Yocto Project tooling.
link
lelanthran 400 days ago
I think you only need to use the eBPF approach for statically linked programs.

ISTR, at some point in the far past, using LD_PRELOAD with my own shims to capture TLS traffic before encryption/after decryption. I might have it lying around somewhere here.

link
bbkane 401 days ago
Ok, that's exciting, and thanks for the insight!
link