Introducing kntrl: Enhancing CI/CD Security with eBPF

Cenk Kalpakoğlu14 Mar 2024
DevSecOpsSupply Chain Securitykntrl

CI/CD pipelines are formed by a series of steps that automate the process of software delivery. They integrate the practices of Continuous Integration (CI) and Continuous Delivery (CD) along with the tools, platforms, and repositories that enable them. Their goal is to simplify, streamline and automate large parts of the software development process.

Compromised CI/CD pipelines have become a huge security risk. They can be used to install malicious components in an application that is then pushed out to large numbers of users. For example, during the SolarWinds incident in 2020, bad actors were able to install backdoors in the company’s Orion network monitoring software. The software was being used by Fortune 500 companies, the U.S. government and the military.

Another example is the GitHub attack in 2022 resulted in the theft of 100,000 npm accounts and large-scale data exfiltration.

Gartner 2023 Supply Chain Risk Management Survey Report states that "supply chain attacks are on the rise, with 63% of respondents reporting that their organization has experienced a supply chain attack in the past year.

  • Gartner, Inc. (2023)

We* have consistently encountered this concern regarding CI/CD pipeline security in engagements with customers and during events in the cybersecurity community. This was the motivation for us to improve the state of CI/CD security and develop an open-source tool that helps you to protect vulnerable CI/CD pipelines.

To this end, we are excited to announce kntrl

What the heck is kntrl ?

kntrl is an open-source runtime agent, based on eBPF, that monitors and prevents anomalies in the CI/CD runners. It achieves this by monitoring kernel syscalls and denying suspicious ones in real-time, based on your predefined rules.

kntrl provides enhanced visibility and control over CI/CD pipelines, helps to mitigate and identify potential security risks, and ensures the integrity of the software delivery process.

This initial release of kntrl focuses on the network layer. All the TCP and UDP communication can be monitored and blocked.

How does it work?

kntrl is a single binary that can be effortlessly installed and executed on nearly any Linux runner or host. Upon installation, it seamlessly loads its sensors into the Linux kernel, enabling it to actively monitor and manipulate system behaviour.

Using the powerful eBPF technology, kntrl establishes "event channels" between user space and kernel space, and effectively evaluates whether detected activities should be blocked or allowed.

The screenshot below shows how kntrl can be used in GitHub Actions to monitor and prevent secrets leaking to untrusted hosts.

a screenshot of the GitHub Actions interface on that shows how the eBPF-based kntrl tool can be integrated with GitHub Actions.Using a "Compile Once, Run Everywhere" approach (BPF CO-RE), kntrl is capable of running seamlessly across various kernel versions and configurations without requiring you to make modifications or compile from source on the target machine.

You have the option to integrate this binary into your pipeline or to use it as a standalone tool (see screenshot below).

Screenshot of a terminal window that shows how kntrl can be used a standalone binary.Supply chain security is anticipated to become one of the most prominent attack vectors for organisations of all sizes, including small teams and individual developers. That's why we've chosen to keep this project open-source and want to work with the community on solving this problem.

We passionately believe in open-source security tools. Open-source is the best way to address critical concerns regarding code quality, compliance and privacy in a truly transparent way. By giving you full access to the source code, you can examine the inner workings of kntrl, ensuring that it is up to your security and privacy standards.

Let's collaborate on building an open-source solution to make our supply chains more secure. Join our Slack channel and feel free to check out the codebase.

(*) kntrl is the brainchild of Cenk Kalpakoglu and Mert Can Coskuner.

Cenk is the Co-founder & CEO of Kondukto Inc, the leading ASPM solution for AppSec teams, and a notorious breaker of presumably secure things and longtime Linux aficionado

Mert Can Coskuner is an experienced security engineer who has worked for numerous well known tech companies. He is a veteran pen-tester, red-teamer, security researcher and malware & cryptography nerd.

Get A Demo