Runtime Detection of use of Vulnerable Code with a Fine-Grained Resolution

This is a Master's thesis from Umeå University/Department of Computing Science

Author: Elias Lindkvist; [2022]

Abstract: We as a society are becoming increasingly dependent on software-based solutions for critical infrastructure. As this dependence grows, so do the opportunities for malicious actors to exploit vulnerabilities, which now pose real risks to society and human life. And while the number of vulnerabilities reported seems to be decreasing, the percentage of critical vulnerabilities has increased. This can be seen in attacks on a mental health startup in Finland which leaked patient journals, or an attack on a Florida-based IT company which caused a supermarket chain to temporarily close around 500 stores in Sweden. The extended Berkeley Packet Filter (eBPF) is a new technology in the Linux kernel which allows for an unprecedented view of the runtime behaviour of applications. This thesis examined the possibilities of using eBPF for runtime detection of vulnerable function calls in a Python application to answer questions regarding functionality, accuracy, performance and ease-of-use. Experimental results show that while eBPF is functional and 100% accurate for tracing in Python, it does degrade performance of the traced application by approximately 50%. Results also show that while initial setup and installation of the proposed tracing solution is complicated, it can be packaged using Docker and Kubernetes in a way that becomes essentially invisible to the developer. This thesis finally showed that this approach can be used in a CI/CD pipeline, where new code changes will not be approved if the use of a vulnerable function is detected.