Hello everyone. Welcome to this last session of DevConf. My name is Daiki Ueno. I am on the crypto team. Please take a look, everyone. The title of this talk is about systems that use cryptography. Today I will introduce cryptography. The answer to this question is a system that uses cryptography. He is speaking little by little. OK. I heard a loud voice, so it is very effective. But, yes.

Here is the motivation. Cryptography is everywhere. But systems that use cryptography need to use new crypto algorithms every time. That is not easy, because support can be stopped. In particular, certain algorithms need to be used, and for that, supporting needs to be used. Depending on the products and services, support needs to be stopped. There is a first need: this algorithm needs to be used, crypto algorithms need to be used. It is not easy. And BPF programs need to be used, and statistics need to be used.

A lot of research has been done in the past. A presentation at DevConf 2020 provided statistics on TLS cipher suites. Next, the "shower sig tracer" tool needs to be used, and the "shower" algorithm needs to be used. This new type of statistics needs to be used at the moment it is chosen. A new type needs to be used.

The first is efficiency. eBPF programs may not be zero cost. However, it may not be the entire system performance, so there may be no usage. Actually, there may be no user-space programs. The activity of user programs is not used. After all, it is like that. The last is maintainability: we change the upstream cryptographic libraries, so the trace points need to be maintained, and so they need to be maintained at minimal cost.

For these three challenges, we have set up an architecture and a logging mechanism. Here is the architecture diagram. There are three components: the agent, the event broker, and the clients are involved. The agent installs BPF programs into the kernel. These BPF programs attach to the target programs. The agent's clients are installed in the clients. The agent is installed in the architecture and the clients. The event broker process is this primary client, and it is set up with subscription to the clients' events. Finally, it can be used by the clients. The description of these clients explains this.

Let's move on to the logging format. Normally, cryptographic events have context attached. For example, in this case, sometimes a signature algorithm, RSA-PSS, is used, but for what purpose is this used? It is unclear if we just record these events. So we make it structural, in a hierarchical manner. Basically there is prior art; we just follow the pattern using distributed tracing. So we categorize event types in two. One is context; context means a period of time where events or any other context can occur. And the other is event; it's just an event, it represents the event
itself. So context is, as I said, just a period of time. It's just a container, but it can have some name associated. Also, it is identified with a 16-byte identifier. It tends to be private information, so it is obfuscated by the agent when it is received.

So for TLS, we define some set of context names, like TLS handshake for client, TLS handshake for server, certificate signing for certificate-based authentication, and also key exchange. TLS handshake consists of multiple phases, so it corresponds to...

Event is just a key-value pair that represents a single event data. So for example, protocol version is encoded as a uint16 value; that means the negotiated TLS version. And TLS cipher suite as well, signature algorithm, key exchange algorithm, and group. So there are more.

And conceptually these contexts and events basically look like a tree, but we need to encode them, because otherwise we can't write them to a file. So we chose this representation using the four primitives. One is new context, which just introduces another context from the parent, and three event data; they are just key-value pairs with different types: word, string, and block.

So for example, if we encode these events: handshake client with context ID 00001, this event protocol version 0304, and also another context with 00002, with two child events. Yeah, so this is kind of a tree, and it can be encoded in this way. So a context is opened and this string event is emitted; this is just assigning the name to the context, it is handshake client. And we have the protocol version event, and another context is opened and a name is assigned. Yeah, and two other events are encoded.

So, as you see, it's too verbose, so we implemented some optimization. 16 bytes is too much; it costs a lot of disk space. So if we just save the file in this format, it eats up your disk space. So we apply some grouping mechanism, that is, to make multiple events into a single event entry, so it will make it much smaller. And we also implemented a log rotation mechanism, so if the primary log file reaches the
limit, the system automatically creates a backup file and opens a new file.

So that was the logging format. And so we need to modify the crypto library to instrument the same information, and we provide these helper macros. Yeah, it exactly matches the four primitives we provide.

So yeah, I'm not sure if it meets the challenges, but we tried. For efficiency, it is addressed by the simple design of the agent: it simply just writes a file, it doesn't do any other thing. And events are grouped, so written data will be ensured to be small. And for privacy, we only added this mechanism, that is, to encrypt and obfuscate the context ID. And maintainability: so yeah, as you see, events are described with only four generic forms of interface, so it should be easy to use in both the crypto library and also the agent side.

So let me show some demo. It works with network, you see. Well, okay. So as I said, there are two daemons installed and running. This is the agent, it's running on the system, and this is also the event broker, it's working. Client, and try to use TLS. You don't start it. So yeah.

So a more interesting example is just using your application, for example Maps. So I am living here, around here. But for example, as you see, there are some interactions, that is, a new TLS connection is created and some information is also captured. Yeah.

So let's save it into a binary file. It should have captured some events. Let's use the log parser. So the events are now rendered as a tree. So context has events, so it has some child spans, new context, and also it has child events. So yeah, it can be rendered like this in a tree format.

So we can generate a flame graph, like performance tools, with this script. So data is written to HTML. It's open. So there are multiple TLS handshakes that happened, and all the information you can browse with HTML. And you can also import it to Grafana or any other visualization platform. So I created a dashboard for this. So this is the same flame graph, and also you can count the actual TLS type that is used with a simple SQL, so you can just write something like that.

OK, so that's it for the demo. So for the implementation: so we
recently started the repository; it's all public. And core components are written in Rust, and most of them are written in async style for performance reasons. And for BPF access we use libbpf-rs. There are multiple implementations of BPF; we chose it. And the event broker uses the tarpc crate for binary-based RPC, and other scripts are written in Python. And we also provide access logs and event broker.

We also need to modify the crypto libraries. We have an experimental package with this instrumentation in my Copr repository. Crement has already created OpenSSL; I created it with it. They can be safely installed, but be careful about it.

So, future work. So we eventually move this instrumentation to upstream for the use cases, and after that we also plan to implement something in the higher-level programming languages like Go and Rust. Lastly, we want to support more protocols, like SSH, IPsec, DNSSEC, PGP, and other things. For other things, the Grafana data source is currently just a batch analysis, but we can also create a plug-in to support real-time analysis. Also, it is currently not socket-activatable; it's just a restriction in the dependent crate, but we can make it socket-activatable so it is not always running on the system.

So, I don't know, it's ended earlier, but the conclusion is that our new project aims to create the infrastructure needed to monitor the crypto usage on a system. So we are trying to make it usable and generic. And the architecture of the project has been presented, which comprises agent, event broker, and clients. Also the log format was presented. So that's it.

I saw the Copr repository for this program. We have a plan to create an official RPM package for this program?

So the question is: we currently have only Copr, but whether we have a plan to create an official package. That is the goal, but we probably can make it upstream first. If the upstream accepts, we can make it official. That is the plan. Yes?

I had numbers but I forgot. Yes, so the question was how much performance overhead there is when it is enabled. I think we had some numbers but I forgot, but it was, I think, around 20% or something if we are
actively monitoring everything, but we need to re-evaluate afterwards. Yes?

The requirement here is that you must be able to instrument all the crypto libraries and all the copies of crypto libraries. That is correct, and that is in particular a problem with some Golang or Rust ecosystems; they are using static linking. So yes, that's true, and we need to select all the crypto libraries and also the copied code. That is correct. And we currently focus on the shared libraries most frequently used, but we will probably find some way to address the static linking situation. Yes?

If the system is satisfied with 140-2, then next, in the future, they want to monitor if the system satisfies 140-3; in that case, some other administrator can modify or update?

Sorry, I might not understand your question, but if we... the question is that...

Sorry, but my question is: if an administrator wants to monitor some different criteria in the system, they need to update the coding files of the application?

So the question is that, if the existing user is configured with FIPS 140-2 and they eventually migrate to 140-3, whether it is needed to change the configuration. But it depends on the components, or how the 140-3 is enforced. So yeah, that kind of enforcement is done by crypto-policies, system-wide crypto policies in Fedora in this case. This is just monitoring, and gives you a hint how many... Yeah, that's correct. Thanks.