Stratoshark analyzes cloud applications at a syscall level

Securing cloud applications is both easy and hard. Easy because hyperscale providers such as Microsoft Azure are focused on ensuring that tenant compute environments are locked down and isolated from each other. Hard because those same provider policies make it difficult to deploy and use many of the tools we use to protect our applications.

Running code in containers and virtual machines hides the underlying hardware from our inspections so we can’t use diagnostic tools to capture packets and inspect them for unwanted operations. Although monitoring tools are built into most providers’ platforms, they don’t offer the features of the dedicated tools commonly used by security teams.

From packet capture to syscall capture

One key technique is packet capture, capturing and then analyzing the traffic through a network adapter. Probably the most familiar tool in this space is Wireshark, which captures sequences of IP packets and then decodes them. You can extract signal from noise, spot calls to specific addresses, and analyze the contents of relevant packets.

Using Wireshark, an experienced security team can spot attacks and data exfiltration, for example, tracking the contents of DNS request packets sent to an unknown DNS server and finding the signs of a DNS tunneling attack by an advanced persistent threat inside the network. But if we can’t get at the underlying packets in a cloud application, how can we find the traces of complex attacks that aren’t detected by conventional means?

There are ways to discover some of the information we need by using tools like eBPF to probe system calls at an OS level. Azure Kubernetes Service (AKS) offers eBPF support for your own and third-party tools, adding support for cloud-native security tools such as Cilium in the Azure Container Networking Interface. There’s a lot of information in a syscall capture, but we need analysis tools to get the results we need.

Tools are good, but there’s still a need for a more ad hoc approach to security, sampling traffic and operations to get a picture of how your application is behaving. Sysdig is already using some of these services with its Falco tool in Azure Kubernetes Service and has recently launched a new tool that aims to bring Wireshark-like operations to cloud services, building on the same low-level syscall capture agents that ship with its Falco tools.

Introducing Stratoshark: Wireshark for the kernel

Designed for cloud platforms, Stratoshark is a new tool that works with Sysdig’s tools to build a time-based capture of the syscalls used by an application, categorizing them by event type and showing the direction of the resulting call, in or out.

If you’ve used Wireshark, you’ll find Stratoshark familiar. It has the same three-pane view of a capture. At the top of the screen is a timeline of the calls made during a capture. Click into a call and it populates the lower two frames, one with an analysis of the event and one with the contents of the call, as hex and as ASCII. This lets you explore what is happening on a system and see the effects of specific processes and containers. This last point is an important one: You can filter by process name, by PID, or by the host container. Filtering by container will help you understand what’s happening inside Kubernetes or similar platform, letting you track specific operations to specific containers. This helps you see if issues are the results of a bug or a compromised asset.

Building Stratoshark

Stratoshark isn’t a tool for beginners. For one thing, although there are macOS and Windows capture analysis clients, you still need to build tools to capture the necessary data. If you’re capturing data, the initial release is a Linux tool that needs to be compiled to run on your choice of Linux VMs.

Building Stratoshark requires the Wireshark sources and tools, as it’s a compile-time option. That shouldn’t be a surprise; the two tools share a user interface and a common search framework. The key difference is how data is captured. A Stratoshark install requires several Falco components. You can download them from GitLab and GitHub.

It took some time to get a build working, as my first choice of building in WSL (Windows Subsystem for Linux) failed when I was trying to compile the Falco libraries. WSL2’s Ubuntu release does not come with the required Linux headers and tools, and they’re not available without compiling your own custom kernel. The same is true for the custom kernel needed to run Linux on a Surface, though here a different set of tools is missing.

In the end, I set up a fresh Ubuntu virtual machine and ran the make and build process on that. With both Wireshark and Falco compiled successfully, I could then set the compiler flags to build the Stratoshark release candidate. This was relatively quick, and I was able to launch and run the tool. As Azure supports several different Linux distributions, you’re likely to need to compile your own versions of both the capture tools and Stratoshark—including eBPF drivers for the Falco probes.

Being able to get kernel-level access without needing kernel modules or privileged access is key to tools like this. That’s why it’s important that Azure is providing access for eBPF probes in services such as AKS, letting you get the information you need about your code without compromising platform security.

Using Stratoshark to analyze Azure syscalls

Once you’ve got Stratoshark up and running, you’ll see the familiar Wireshark user interface, though now with new options. Like Wireshark, Stratoshark is designed to give you what Wireshark creator Gerald Combs calls “a ground-level truth.” By capturing syscalls you can see when your code opens files, makes network connections, uses key system libraries, and much more.

For now, the capture tool requires Linux, but as the community starts to develop around Stratoshark, it’s likely to gain support for other OSes, including Windows. Windows’ support for eBPF should help here, though with a considerable number of Azure workloads running on Linux, it will be useful anyway.

Captures are made using Falco’s libscap and libsinsp tools, as well as the command-line sysdig tools via SSH. Libscap captures and stores the syscalls from monitored systems, with libsinsp providing tools for parsing events, filtering, and formatting outputs for use in applications like Stratoshark. Underneath the libraries are kernel modules (where you can install them) and eBPF probes. Cloud services like Azure don’t let you install your own kernel modules—unless, of course, you’re hosting services in your own custom VM builds.

Combs expects Stratoshark to build on Wireshark’s existing community to deliver code to analyze more calls as well as a wider range of filters to help you track down exactly what’s happening in your cloud-native code and how your containers and hosts are interacting with cloud platform services and the wider network.

Tracing operations across cloud-native platforms

The initial release will be Version 0.9, with further releases following before a planned jump in version number to synchronize with Wireshark’s builds. For now, however, the first releases are well worth trying out. Be warned: Even a simple capture can hold a lot of data, so it’s worth learning how to use both filters and post-capture Lua scripts to quickly narrow down points of interest in a capture.

Applications like Stratoshark will be essential diagnostic and security analysis tools for cloud-native platforms. The ability to access low-level operations in a familiar and effective way will help us both secure and get the most from platforms like Azure. With an existing community and an open extensibility model, it won’t be long before developers get the Azure-specific captures, detections, and filters they need.

Combs notes that Stratoshark is a separate product from Wireshark because “if you look at Wireshark right now, it’s this very mature, capable application. It’s kind of accumulated interest, as far as features go, because people have just been contributing to it for a little over 25 years now.” Instead of squeezing in syscall analysis and filters alongside the networking and telephony features of Wireshark, separating them into Stratoshark creates a green field for new development.

That green field is important as it allows us to build a tool for the services we’re using today. With some tweaks for Azure, Stratoshark could easily be part of your toolkit, especially if you’re already familiar with Wireshark. Tools like Falco provide production monitoring for your cloud-native code, and Stratoshark is ideal for development, test, and security.