Leaksignal Proxy-Wasm Filter Module

Overview

🔍 There are all kinds of sensitive data flowing through my services, but I don’t know which ones or what data. 🤷

LeakSignal provides observability metrics (or statistics) for sensitive data contained in request/response content. LeakSignal metrics can be consumed by Prometheus, pushed as OpenTelemetry, or collected in a centralized dashboard - giving operations engineers (SRE, DevOps, Platform Eng. etc) a new security tool to help combat API exploits, unknown misconfigurations and sensitive data leakage.

Features

  • Fast, inline Layer 7 request/response analysis.
  • Easy to configure rules ("L7 policy") for detecting and analyzing sensitive data (e.g. PII) leakage.
    • Detect part numbers, account numbers, patient info, grades, dates, email addresses, large arrays, etc. You can write your own or use our constantly evolving ruleset library (contributions welcome).
  • Cloud dashboard with policy editor, monitoring, and alerting.
  • Analysis metrics can be exposed via Envoy and thus reflected wherever Envoy metrics are configured to land (OpenTelemetry, Prometheus, etc.)

Installation

LeakSignal installs in moments as a WASM filter for Envoy, Istio, or any proxy/API gateway that supports Proxy-WASM. No CRD, no additional containers or sidecars, no other dependencies, just a WASM binary. See Getting Started below.

Overview

LeakSignal detects sensitive data within mesh traffic. Analysis and processing of traffic is handled inline, allowing engineers to understand sensitive data emission without sending, storing or viewing the sensitive data.

LeakSignal SENTRY

LeakSignal establishes a framework and delivery mechanism for composable traffic analysis functions within a WASM VM. Sentry is the bytecode that allows for sensitive data analysis across request and response traffic in real-time.

The following functionality can be enabled through the Layer7 Policy:
  • Sensitive Data Observability
  • Data Access by IP or Token
  • Exfiltration Mitigation
  • Data Access Auditing
  • Prometheus and OTEL metrics
  • Dashboard visualization (histogram, heatmap) and alerting via SMS or email

LeakSignal COMMAND

LeakSignal Command (the cloud dashboard) provides visibility of data types and sends you SMS or email alerts when abnormal or unauthorized data access occurs.

Implementation

Built with Rust and deployed as WebAssembly, LeakSignal natively runs on proxies and API Gateways supporting Proxy-WASM. The current implementation is tested with Envoy, which is the underlying data plane in most service mesh offerings.

LeakSignal analysis can be set up in the following modes:

  • All metrics and configuration stay local in your environment
  • All metrics and configuration go to LeakSignal COMMAND.
    • Sensitive data are sent to COMMAND by default.
    • Specific endpoints, match rules, or the entire policy can opt-in to send raw sensitive data, low-bit subsets of SHA-256 hashes for low-entropy data (e.g. credit cards, phone numbers), or no representation of the matched data at all.

Getting Started

Getting Started with a Demo application

If you're looking to kick the tires with a demo setup, you have 2 options:

  1. Simple Envoy Ingress controller for K8s cluster.
    • LeakSignal is preinstalled with policy and test applications/services.
  2. Google's Online Boutique microservices demo for Istio.
    • Follow along with the Istio install and then add LeakSignal.

Getting Started with Existing Setup

If you already have an environment up and running (Standalone Envoy, K8s, or Istio) where you'd like to install LeakSignal, use the following quick starts.

Quickstarts

Raw Configs

  1. Register for an account (Note: you don't need an account if you plan on only sending metrics to Prometheus)
  2. Diff your Envoy or Istio configs against the examples.
  3. Add your API key and Deployment name to your new config.

Envoy Docker Quickstart

Docker commands to run an Envoy proxy with LeakSignal installed.

  1. Register for an account
  2. Get your API key by clicking "Deployments" in the left hand navigation.
  3. Create a simple barebones deployment by clicking "Create Deployment" on the Deployments page.
  4. Replace YOUR-API-KEY and YOUR-DEPLOYMENT-NAME below with the values in LeakSignal Command.

FROM envoyproxy/envoy-dev:0b1c5aca39b8c2320501ce4b94fe34f2ad5808aa
# Fetch the config template (-f fails on HTTP errors, -o writes it to the named file;
# "curl -O ... > file" would save under the remote name and leave the redirect target empty)
RUN curl -fsSL https://raw.githubusercontent.com/leaksignal/leaksignal/master/examples/envoy/envoy_command_remote_wasm.yaml -o envoy_raw.yaml
# Substitute the API key and deployment name into the template
RUN API_KEY="YOUR-API-KEY" DEPLOYMENT_NAME="YOUR-DEPLOYMENT-NAME" envsubst < envoy_raw.yaml > /etc/envoy.yaml
# Make the rendered config readable by the unprivileged user Envoy runs as
RUN chmod go+r /etc/envoy.yaml
CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml"]

  • Go to Deployments -> YOUR-DEPLOYMENT-NAME and learn more about the L7 Policy that is currently running.
  • View metrics in COMMAND.

Envoy-Local Docker Quickstart (no cloud connection)

Docker commands to run an Envoy proxy with LeakSignal installed.

  • This configuration runs LeakSignal in "local" mode where metrics are only exported in the running Envoy instance.
  • The LeakSignal L7 Policy is contained in the Envoy yaml configuration.
  • LeakSignal API Key and deployment name are not needed.

FROM envoyproxy/envoy-dev:0b1c5aca39b8c2320501ce4b94fe34f2ad5808aa
# Fetch the local-mode config (the L7 policy is embedded in it); -f fails on HTTP errors,
# -o writes to the given path ("curl -O ... > file" would leave the redirect target empty)
RUN curl -fsSL https://raw.githubusercontent.com/leaksignal/leaksignal/master/examples/envoy/envoy_local.yaml -o /etc/envoy.yaml
# Fetch the filter binary for the 2023_02_01_17_26_09_c937839 (v0.1.6) build; its SHA256 is listed under Releases below
RUN curl -fsSL https://ingestion.app.leaksignal.com/s3/leakproxy/2023_02_01_17_26_09_c937839/leaksignal.wasm -o /lib/leaksignal.wasm
RUN chmod go+r /etc/envoy.yaml
CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml"]

Use the test environment to see a working example. Your sensitive data labels and counts will be exported as Envoy metrics.
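Both Docker quickstarts above fetch artifacts by URL and use whatever comes back; the local variant in particular pulls the leaksignal.wasm binary that Envoy will execute in-process. The Releases section at the bottom of this page publishes a SHA256 for every leaksignal.wasm build, so the download can be pinned to it. The script below is an added example, not code from the LeakSignal repository: it carries the hash from the v0.1.6 release notes, verifies a file against it, and deletes a download that does not match. The function names verify_wasm and fetch_and_verify are my own, and sha256sum (or shasum on systems without it) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: pin a downloaded leaksignal.wasm to the SHA256 published in the release notes.

# Hash for the 2023_02_01_17_26_09_c937839 build, copied from the v0.1.6 release entry on this page.
LEAKSIGNAL_V016_SHA256=466f54b1c8c70c32879ad845f07f75e66493552add745d9c3e59d7f4e580fbca
LEAKSIGNAL_V016_URL=https://ingestion.app.leaksignal.com/s3/leakproxy/2023_02_01_17_26_09_c937839/leaksignal.wasm

# sha256_of FILE -> prints the hex digest, using whichever tool the host provides
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_wasm FILE EXPECTED_SHA256 -> 0 if the file hashes to EXPECTED, 1 if it is missing or differs
verify_wasm() {
  file=$1
  expected=$2
  if [ ! -f "$file" ]; then
    echo "missing: $file" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "ok: $file matches $expected"
    return 0
  fi
  echo "MISMATCH: $file hashes to $actual, expected $expected" >&2
  return 1
}

# fetch_and_verify URL FILE EXPECTED_SHA256 -> download (failing on HTTP errors), then verify;
# a file that fails verification is removed so a bad artifact never stays on disk for Envoy to load.
fetch_and_verify() {
  curl -fsSL "$1" -o "$2" || return 1
  if ! verify_wasm "$2" "$3"; then
    rm -f "$2"
    return 1
  fi
}

# Usage inside a Dockerfile RUN step or an install script (needs network access, so not run here):
#   fetch_and_verify "$LEAKSIGNAL_V016_URL" /lib/leaksignal.wasm "$LEAKSIGNAL_V016_SHA256"
```

For the cloud-connected quickstart, where Envoy itself fetches the module over HTTP, the equivalent check is Envoy's own sha256 field on the remote wasm data source in the filter configuration; keep that value in step with the release notes whenever the download URL is bumped.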

Istio

Install LeakSignal across all Istio sidecar proxies with the following:

  1. Register for an account
  2. Get your API key by clicking "Deployments" in the left hand navigation.
  3. Create a simple barebones deployment by clicking "Create Deployment" on the Deployments page.
  4. Replace YOUR-API-KEY and YOUR-DEPLOYMENT-NAME below with the values in LeakSignal Command.

# Set Istio to the preview profile
istioctl install --set profile=preview

# Render leaksignal.yaml with your API key and deployment name, then apply it to deploy the filter
export API_KEY="YOUR-API-KEY" && \
export DEPLOYMENT_NAME="YOUR-DEPLOYMENT-NAME" && \
curl -fsSL https://raw.githubusercontent.com/leaksignal/leaksignal/master/examples/istio/leaksignal.yaml | \
envsubst | \
kubectl apply -f -

# Restart all pods in the current namespace so the sidecars pick up the filter
kubectl delete --all pod

Go to Deployments -> YOUR-DEPLOYMENT-NAME and learn more about the L7 Policy that is currently running.

Istio-Local (no cloud metrics)

Install LeakSignal across all Istio sidecar proxies with the following.

  • This configuration runs LeakSignal in "local" mode where metrics are only exported in the running Envoy instance.
  • The LeakSignal L7 Policy is contained in the Envoy yaml configuration.
  • LeakSignal API Key and deployment name are not needed.

A connection to the cloud is still necessary to pull the WASM proxy, but no metrics or sensitive data are uploaded.

# Set Istio to the preview profile
istioctl install --set profile=preview

# Apply leaksignal_local.yaml to deploy the filter (no API key or deployment name to substitute)
curl -fsSL https://raw.githubusercontent.com/leaksignal/leaksignal/master/examples/istio/leaksignal_local.yaml | kubectl apply -f -

# Restart all pods in the current namespace so the sidecars pick up the filter
kubectl delete --all pod

Verify Proper Setup

After you've installed the LeakSignal filter, you can check the logs to see how things are running:

For Envoy standalone run:

tail -f /var/log/envoy.log

For Kubernetes run:

kubectl get pods
#find the envoy pod and use it below
kubectl logs -f [envoy podname]

For Istio run:

kubectl -n istio-system get pods
kubectl -n istio-system logs istio-ingressgateway-abc123
# if you see "no policy loaded", make sure your API key and deployment name are correct
kubectl -n istio-system describe EnvoyFilter | grep api_key

In all cases you should see messages containing "leaksignal" in the logs. Use those to understand whether things are set up correctly. Note that you may see messages like createWasm: failed to load (in progress) from https://ingestion.app... if loading the wasm file remotely. This is a known issue and the wasm filter is functioning properly.
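The checks above are done by eye; the script below is an added example (not part of the LeakSignal project) that applies the same rules to a log stream: count the lines that mention leaksignal, treat the known-benign createWasm: failed to load (in progress) message as noise rather than a failure, and flag a "no policy loaded" message as the API key / deployment name problem described in the Istio commands. The sample log lines are constructed for this example, and the exact wording "no policy loaded" is an assumption taken from the comment above, not from the filter's source.

```shell
#!/bin/sh
# Added example: classify LeakSignal-related lines in an Envoy/Istio proxy log.
# Reads log text on stdin, prints a one-line summary, and returns
#   0 - leaksignal messages present and no hard failure
#   1 - no leaksignal messages at all (filter not loaded, or wrong pod)
#   2 - a "no policy loaded" message (assumed wording; likely wrong API key / deployment name)
check_leaksignal_logs() {
  total=0; inprogress=0; nopolicy=0
  while IFS= read -r line; do
    case "$line" in
      *[Ll]eak[Ss]ignal*) ;;   # only lines mentioning the filter (or its download URL) count
      *) continue ;;
    esac
    total=$((total + 1))
    case "$line" in
      *"failed to load (in progress)"*) inprogress=$((inprogress + 1)) ;;   # benign during remote fetch
      *"no policy loaded"*) nopolicy=$((nopolicy + 1)) ;;
    esac
  done
  echo "leaksignal lines: $total, in-progress fetch messages: $inprogress, no-policy messages: $nopolicy"
  [ "$total" -gt 0 ] || return 1
  [ "$nopolicy" -eq 0 ] || return 2
  return 0
}

# Constructed sample logs: Envoy's [time][thread][level][component] prefix is real, the message
# text is made up for the example.
sample_logs_ok() {
  cat <<'EOF'
[2023-02-01 17:30:01.001][1][info][wasm] wasm log leaksignal: policy loaded, 12 match rules active
[2023-02-01 17:30:01.002][1][warning][wasm] createWasm: failed to load (in progress) from https://ingestion.app.leaksignal.com/s3/leakproxy/2023_02_01_17_26_09_c937839/leaksignal.wasm
[2023-02-01 17:30:01.003][1][info][upstream] cds: add 3 cluster(s)
EOF
}

sample_logs_nopolicy() {
  cat <<'EOF'
[2023-02-01 17:30:01.001][1][warning][wasm] wasm log leaksignal: no policy loaded, check api_key and deployment_name
[2023-02-01 17:30:01.002][1][warning][wasm] createWasm: failed to load (in progress) from https://ingestion.app.leaksignal.com/s3/leakproxy/2023_02_01_17_26_09_c937839/leaksignal.wasm
EOF
}

# Demo on the constructed samples. Against a live proxy, pipe the real logs in instead, e.g.
#   kubectl -n istio-system logs istio-ingressgateway-abc123 | check_leaksignal_logs
sample_logs_ok | check_leaksignal_logs || echo "status $?"
sample_logs_nopolicy | check_leaksignal_logs || echo "status $?"
```

The exit status is what a readiness script or CI step would consume; the summary line is for a human reading the output.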

View Metrics (Prometheus & Grafana)

Prometheus is capable of ingesting LeakSignal metrics. You can configure your policy to alert on specific data types, to detect spikes in the emission of data or edge cases such as the signature of a known RCE. (If you don't have Prometheus, or don't want to use it, skip to the next step.)

Here's an example from our k8s test environment where Grafana displays LeakSignal metrics from Prometheus:

LeakSignal defines 2 new metrics in Grafana:

  1. Sensitive Data per Minute (SDPM)
  2. Exploits per Minute (EPM)

These metrics are visible for any API endpoint configured in the LeakSignal policy.

View Metrics (COMMAND)

Once you log in to LeakSignal COMMAND, you'll see the Sensitive Data Overview as the default screen.

The following example data is from the k8s test environment.

This chart shows the emission of sensitive data and exploited logic as defined by the L7 policy.

The following test pages are used to generate the alerts:

  • ssn001.html contains PII data such as Social Security and Phone Numbers (green and purple).
  • root.html is an example of a leaked configuration file, or any response with the word "root" in it.
  • ls.html and ifconfig.html are examples of responses that contain the output of a system command executed on the server (RCE).

Scroll down to the data grid and click on a Response ID to examine the alerts that were generated.

Click Heat Map in the left hand nav for a complete view of how sensitive data is accessed by IP addresses and/or authentication tokens.

More docs coming soon!

Test and configure L7 Policy

After you've verified that the filter is running, you can configure the policy to check for specific sensitive data types or patterns. For examples of preconfigured and performance-tested policies, see LeakSignal Policies.

Community / How to Contribute

  • Code contribution guidelines (Coming soon)

Commercial support

  • Leaksignal, Inc offers support and self-hosted versions of the cloud dashboard. Contact [email protected].

License

Copyright 2022 LeakSignal, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Comments
  • fixed compilation error around logging

    #12 didn't change the logging level of header matches, only body matches. this meant that the info macro wasn't imported anymore even though it was still used. this pr just changes header match logging to use debug as well.

    opened by 0rphon 1
  • Remove async from parsers

    async was slowing down json parsing, so this PR removes it.

    all parsers have been changed to be re-entrant without relying on async. the biggest change is to the json parser. i also had to change a lot of the structs in evaluator to hold arcs instead of relying on references.

    before/after benchmarks

    html

    bigjson.html fortio: 1.4ms -> 1.4ms approximate time in dashboard: 2.6ms -> 2.3ms

    25mb.html approximate time in dashboard: 610ms -> 613ms

    json

    bigjson.json fortio: 4.8ms -> 2.4ms approximate time in dashboard: 4.2ms -> 2.8ms

    25mb.json approximate time in dashboard: 1360ms -> 820ms

    it's worth noting that my original POC (which was to just read the whole json body in then parse it as a slice) was able to run bigjson.json in 1.5ms through fortio. so there may still be room for improvement. there's also some possible optimizations to the html and grpc parsers.

    opened by 0rphon 0
  • changed webserver to apache

    there was a bug with our current example webserver that caused it to load some json files much slower than others.

    this updates our example to use a modern apache server instead. it also fixes a few clippy errors that didn't pop up for me before.

    opened by 0rphon 0
  • Add MatcherState check

    adds a check when constructing MatcherState to see if the matcher should actually run. if no match groups were prepared then the parser will return early. this affects the following parsers: headers, json, grpc, and plaintext

    opened by 0rphon 0
  • cleaned up duplicate data in header matches

    once i got to actually adding in header matching in command i realized there was a lot of duplicate/empty data being sent. header matches no longer contain the body and now header matching only produces an entry if matches are actually generated

    opened by 0rphon 0
  • changed header body to string

    small tweak to the protobuf. just changes the header body to be stored as a string instead of bytes. this does change the signature of the protobuf, but there hasn't been a release with header matching yet so i believe it should be fine, correct me if wrong.

    opened by 0rphon 0
  • clippy fixes

    for some reason clippy refuses to run normally, even from a fresh project with no cached builds. i was able to temporarily fix it using a hacky script and then fixed warnings manually from there.

    opened by 0rphon 0
  • Json parser rework

    this PR does 2 things:

    1: replaces the use of fancy-regex with regex

    while i was testing i found that the ssn regex was responsible for 70% of our compute time during regex matching. this was because it used lookahead so its compute would scale exponentially with the size of the input. this also would cause a panic within fancy-regex if a string larger than 1mb was passed with a regex that used backtracking features. @Protryon and i agreed that we should remove fancy-regex for now and re-add it later on as an opt-in feature.

    2: optimizes json parser

    the current json parser would parse each key and value within a json body separately. this meant that the regex engine would have to start up for every key/value in the body. this PR aims to fix that by introducing batched json parsing. this does several things:

    1. during policy parsing, it creates a separate version of each regex with multi-line enabled. this is used specifically for json parsing
    2. during json parsing, it keeps a cache capable of storing 10kb worth of keys and 10kb worth of values. new keys and values are added to these caches, separated by \n. it also keeps a list of index mappings so that the original indexes can be restored when a match occurs.
    3. when a caches fills up OR the json body ends:
      • a regex scan is performed across the cache using the multi-line regex,
      • matches get their indexes restored using the index mappings,
      • and finally the cache is flushed.

    testing

    to test this i used a 25mb json file i found online with a fair amount of "sensitive" data in it. i performed several timed runs of the json parser and averaged out the results.

    removing fancy-regex and the ssn rule dropped the parse time by 70% from 12.5s -> 3.5s. using batched matching reduced the parse time by 50% from 3.5s -> 1.7s

    things worth noting:

    • i found that pipelines will timeout during json parsing after ~15 seconds of work. this should be looked into
    • the indexes that get logged when a match occurs are printed before index correction, so the indexes are meaningless. this is purely an aesthetic/logging issue, as the indexes returned from matching are correct.
    • 10kb seemed to be the sweet spot for the cache size. that being said, i have a second related PR planned that will attempt to optimize matching further by using RegexSets. if it ends up working, it may change the current cache size

    opened by 0rphon 0
  • cleanup clippy/deps

    fixes clippy warnings and updates dependency structure to match new standard pattern. some deps are out of date but were intentionally held back to avoid accidental breaking changes

    opened by 0rphon 0
  • Small cleanup on readme.

    • The word data is plural
    • Collapsable quickstarts so they don't take so much room
    • Small grammar fixes

    Signed-off-by: Dan Garfield [email protected]

    opened by todaywasawesome 0
  • Make sure repo follows CLO standards

    These guidelines are just guidelines, we don't have to follow all of them but it's a good idea to follow most and have a decision about why one wouldn't be done.

    Reference doc here: https://clomonitor.io/docs/topics/checks/

    code (recommended for projects’ primary code repository)

    code-lite (subset of code, recommended for secondary code repositories)

    community (recommended for repositories with community content)

    docs (recommended for other documentation repositories)

    opened by todaywasawesome 0
Releases(v0.1.6)
  • v0.1.6(Feb 1, 2023)

    Changes:

    • Add GRPC status message logging, improve upstream ping functionality

    Direct S3 Download: https://leakproxy.s3.us-west-2.amazonaws.com/2023_02_01_17_26_09_c937839/leaksignal.wasm
    Ingestion-S3 Proxy Download (used within Envoy configurations): https://ingestion.app.leaksignal.com/s3/leakproxy/2023_02_01_17_26_09_c937839/leaksignal.wasm
    SHA256 of leaksignal.wasm: 466f54b1c8c70c32879ad845f07f75e66493552add745d9c3e59d7f4e580fbca

    Source code(tar.gz)
    Source code(zip)
  • v0.1.5(Jan 17, 2023)

    Added Features:

    • Header matching support
    • Reduce log verbosity of matches

    Direct S3 Download: https://leakproxy.s3.us-west-2.amazonaws.com/2023_01_17_21_46_31_db53ff0/leaksignal.wasm
    Ingestion-S3 Proxy Download (used within Envoy configurations): https://ingestion.app.leaksignal.com/s3/leakproxy/2023_01_17_21_46_31_db53ff0/leaksignal.wasm
    SHA256 of leaksignal.wasm: 053ee95d6f9c26bc2d9d96d48bd1b107b0c29484a13a5df78f075bdb432b9c79

    Source code(tar.gz)
    Source code(zip)
    leaksignal.wasm(3.05 MB)
  • v0.1.4(Jan 10, 2023)

    Added Features:

    • Ratelimiting support
    • 10x JSON parsing speedup thanks to @0rphon
    • Removed fancy_regex crate in favor of just using the underlying regex crate. fancy_regex was too slow in practice.

    Direct S3 Download: https://leakproxy.s3.us-west-2.amazonaws.com/2023_01_10_15_57_30_ad09498/leaksignal.wasm
    Ingestion-S3 Proxy Download (used within Envoy configurations): https://ingestion.app.leaksignal.com/s3/leakproxy/2023_01_10_15_57_30_ad09498/leaksignal.wasm
    SHA256 of leaksignal.wasm: 73ef8485730561ef6786c301f28daf7c123d7546772b0b2477bc2b39d47a7de9

    Source code(tar.gz)
    Source code(zip)
    leaksignal.wasm(2.99 MB)
  • v0.1.3(Dec 12, 2022)

    Added Features:

    • Connection info reporting (SPIFFE ID/mTLS, for service mapping)
    • gRPC parsing
    • Environment variable reporting
    • Add request body scanning
    • Add ability to block IPs/tokens from policy
    • Add per-service access control list configuration

    Direct S3 Download: https://leakproxy.s3.us-west-2.amazonaws.com/2022_12_12_19_59_59_3808c82/leaksignal.wasm
    Ingestion-S3 Proxy Download (used within Envoy configurations): https://ingestion.app.leaksignal.com/s3/leakproxy/2022_12_12_19_59_59_3808c82/leaksignal.wasm
    SHA256 of leaksignal.wasm: 06236c621ca78580287604a6e570cbd23e59f2c167d5c22110ecd6bd191acc93

    Source code(tar.gz)
    Source code(zip)
    leaksignal.wasm(2.79 MB)
  • v0.1.2(Oct 27, 2022)

    Added Features:

    • Token Hashing
    • Per-category performance reporting
    • Case insensitive raw matchers

    Fixes:

    • Fixed an issue in correlate matchers causing them to only report one match in some situations

    Direct S3 Download: https://leakproxy.s3.us-west-2.amazonaws.com/2022_10_27_17_08_50_5e5d31f/leaksignal.wasm
    Ingestion-S3 Proxy Download (used within Envoy configurations): https://ingestion.app.leaksignal.com/s3/leakproxy/2022_10_27_17_08_50_5e5d31f/leaksignal.wasm
    SHA256 of leaksignal.wasm: 8cbb8fb8912da2f89005561d4c093f79a71099daeb22447f3232ec4e68e6e53a

    Source code(tar.gz)
    Source code(zip)
    leaksignal.wasm(2.38 MB)
  • v0.1.1(Oct 18, 2022)
