Linux / Observability / Security

Sysdig Hands off eBPF Falco Core to the Cloud Native Computing Foundation

25 Feb 2021 8:29am, by

In 2018, cloud native security company Sysdig contributed the Falco runtime security project to the Cloud Native Computing Foundation (CNCF). Now, the company is following that up with the added contribution of the open source Sysdig kernel module, its extended Berkeley Packet Filter (eBPF) probe for the Linux kernel, and two Falco libraries, all of which will end up as part of the Falco project under the CNCF in the falcosecurity GitHub repository.

Both the kernel of the Sysdig open source project and the eBPF probe are core components that allow both Sysdig and Falco to gather system data by way of collecting system calls, while the libraries, libsinsp and libscap, are responsible for handling the data captured. More specifically, libsinsp is a kernel event enrichment library, and libscap is a system call capture library with full support for capture file abstraction.

While the libraries themselves were already open source, all of these will now be open source and their intellectual property rights will be handed over to the CNCF.

According to Sysdig Chief Technology Officer and founder Loris Degioanni, these tools and libraries may be originally designed with Sysdig’s and Falco’s implementations in mind, but they are able to be used for a variety of other purposes, and he hopes that this contribution will lead to that sort of innovation.

“This donation is the core stack that is used to collect information from the kernel of a Linux system, and deliver these in a meaningful and rich way to the applications. These can be used to build runtime security tools, like Falco, to build the forensics in intrusion analysis tools like open source Sysdig, but it can also be used to write a plethora of applications, both in the security and in the performance management space,” said Degioanni in an interview. “We’re looking forward for the community to embrace this really powerful intellectual property. We’re looking forward to seeing what the community is able to bring to the table in terms of interesting and creative applications.”

Degioanni explained in a blog post that both the Sysdig Kernel and eBPF probe provide the same functionality, but that “the kernel module is a tiny bit more efficient while the eBPF approach is safer and more modern.” eBPF, he further explained, allows for users to extend the Linux kernel by writing scripts that are then run by the kernel without altering the kernel itself, giving users access to kernel activity without putting system stability or security at risk.

The only catch is that eBPF can be difficult to use, and eBPF probe simplifies this, giving developers easier access to troubleshooting, performance analysis, forensics, and threat hunting functionalities.

“This is one of the most exciting things that is happening in Linux and operating systems in the in the last few years because it opens the door to essentially extending Linux and modularizing it in a way that everybody can do at any time, without having to recompile the kernel and then do stuff that is that is very technical,” said Degioanni.

Degioanni said that he sees the donation as part of a bigger strategy and movement, in which the industry is moving toward open source, rather than proprietary software, even in the usually closed-off world of security.

“We strongly believe in the fact that the future of security is going to be open,” said Degioanni. “We are witnessing the formation of the new stack for the cloud, based on Kubernetes and all of the other projects that are part of the Cloud Native Computing Foundation. We are absolutely witnessing the fact that people, especially in the new world of cloud computing, don’t want a legacy approach that is based on closed standards on proprietary vendors. This donation is specifically doubling down on that strategy.”

While Degioanni declined to say if they had been in communication with any specific projects within the CNCF for future potential implementations, he did say that they “are in broad communication with all the different projects in the CNCF” and that “this can benefit many CNCF projects, including the deep ones like Kubernetes.”

With this contribution, the entirety of the Falco stack is open source and held under the ownership and guidelines of the CNCF.

Feature image by L N on Unsplash.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Sysdig.