One of the ways to have broad visibility into our systems, when doing security analysis is to go and ask our questions directly to the Linux kernel. For this purpose, at a very foundational level, in every Linux system we find the syscalls interface. It’s certain that every user space process goes through this part of the kernel.

Starting with this assumption, the immediate conclusion is that we can just go and ask the syscalls “Yo syscalls! What’s happening in my system?”. While this reasoning might seem very simple, reading and processing every single syscall in userspace can result in a set of very unique challenges to this domain.

In this talk we are going to see exactly what those challenges are and how we solved them in the Falco project.

Part of the solution for Falco is to have two alternative drivers, a Kernel module and an eBPF driver talking to userspace using a Ring buffer but you have to come to this talk to hear the rest!