Deep Dive - Runtime Security With Falco in Userspace

Explore runtime security with Falco in userspace in this conference talk by Loris Degioanni from Sysdig. Dive deep into the tradeoffs of using different backend drivers to access system call information for cloud-native security. Learn about eBPF, kernel modules, and ptrace(2), and understand the performance impacts of various solutions like LD_PRELOAD. Gain insights from Loris' extensive experience contributing to Wireshark and creating Sysdig and Falco. Discover Falco's architecture, rule examples, data collection methods, and the importance of kernel-based instrumentation. Examine LD Preload limitations, Ptrace, Amazon Fargate integration, and Falco Trace SSH. Understand system binary changes and performance considerations in this comprehensive exploration of Falco's userspace implementation.

Introduction
Who is Loris
What is Falco
Falco Architecture
Rule Examples
How Falco collects data
Why Falco uses kernelbased instrumentation
Falco needs access to the kernel
LD Preload
LD Limitations
Ptrace
Amazon Fargate
Falco Trace SSH
Change System Binary
Performance
Links
QA