Architecture
Overview
Jibril is a modular runtime security tool that combines an eBPF loader, eBPF programs and a userland daemon to monitor, detect and respond to system behaviors causing minimal overhead. Its design emphasizes extensibility through plugins, printers, and events.
Key Components
eBPF Loader
Jibril is, at the same time, an eBPF object(s) loader and a main extension. This means the Jibril source code can act as multiple applications when needed (generating, from the same source code, applications for different means).
Binary Generation Creates optimized binaries incorporating one or more extensions
Extensibility Supports feature expansion through simple source tree additions
Core Functionality Serves dual purpose as primary loader and default extension
By default, Jibril acts as the eBPF loader and the main Jibril extension (as the application).
Agent
Jibril userland agent interprets patterns detected by the in-kernel code and acts accordingly.
Extensions Define core features and system integrations.
Plugins Execute specialized detection and monitoring functions.
Printers Handle output routing to logs, files, and APIs.
Events Capture, process, and dispatch system behaviors and conditions.
Caching Caches immutable data from kernel to improve performance.
Attenuate Disallow duplicates for the same workloads using internal mechanisms. Sends events to external LLMs to filter false-positives (or amend them).
React Reacts to specific detections using internal and isolated JavaScript API.
This modular architecture ensures both flexibility and performance, allowing Jibril to maintain comprehensive visibility while adapting to evolving security requirements.
Execution Flow
Jibril components follow a structured execution order:
Initialization: Core libraries and packages are initialized first.
Extensions: Load features like configuration or data storage logic.
Plugins: Execute monitoring or detection tasks.
Printers: Process and output event data.
Events: Dispatch captured behaviors to active printers.
Each component runs through five lifecycle stages:
Init
Start
Execute
Finish
Exit
that can be observed in the output informational messages.
Modular Design
Plugins
Plugins add specialized functionality to Jibril, focusing on monitoring, detection, and system analysis. All plugins can be enabled or disabled in the configuration file. Examples include:
Hold Keeps Jibril running until receiving a termination signal (e.g.,
SIGSTOP
).Procfs Reads data from existing processes in
/proc
at the startup (to include existing processes info).Detect Provides extensive detection capabilities.
Printers
Printers define how and where events are output. They are highly configurable and support various endpoints, including:
Stdout: Prints event data directly to the console for immediate visibility.
Varlog: Outputs events to log files in
/var/log
for persistent storage.
Events
Events represent system behaviors or states that Jibril monitors and processes. They are the core of Jibril's detection and response capabilities. Some examples:
Network Flows
jibril:detect:flow
Captures detailed information about active network flows.
Network Policy Drops
jibril:netpolicy:dropip
Flags traffic dropped due to IP-based policies.jibril:netpolicy:dropdomain
Flags traffic dropped due to DNS resolutions made to blocked domains.
NOTE: Need network policy plugin (
jibril:netpolicy
) to be enabled.File Access:
jibril:detect:capabilities_modification
Detects changes to file capabilities.jibril:detect:credentials_files_access
Identifies unauthorized access to sensitive credential files.
Execution Monitoring:
jibril:detect:hidden_elf_exec
Detects hidden ELF binary execution.jibril:detect:binary_executed_by_loader
Tracks executions made by ELF loaders.
Network Activity:
jibril:detect:net_scan_tool_exec
Flags usage of network scanning utilities.jibril:detect:net_sniff_tool_exec
Identifies execution of network-sniffing tools.
Configuration-Driven Behavior
Jibril’s flexibility comes from its configuration file, which governs how components are enabled and interact. Key configurable elements include:
Log Levels Control verbosity, ranging from minimal output (
fatal
) to detailed debugging (debug
).Daemon Mode Run Jibril interactively or as a background service.
Profiling and Health Checks Enable profiling or activate health endpoints for system monitoring.
Extensions and Plugins Select which extensions, plugins, and events to load.
Printers Define where and how data should be output.
These options allow Jibril to integrate seamlessly into various operational environments.
Why Jibril’s Architecture Works
Flexibility
Configurable plugins, printers, and events
Enable/disable components based on specific needs
Tailor monitoring scope to organizational requirements
Scalability
Seamlessly scales from single systems to enterprise deployments
Consistent performance across diverse environments
Resource-efficient even in high-density infrastructures
Efficiency
eBPF-powered kernel-level data collection minimizes overhead
Structured userland execution optimizes resource utilization
Maintains minimal footprint even under heavy monitoring loads
Comprehensive Visibility
Complete coverage across network, file, and process domains
Unified view of system activity and security events
Detailed context for accurate threat assessment
Enterprise Integration
Ready-to-use connectivity with existing security infrastructure
Flexible output options for dashboards, SIEM systems, and logs
API-friendly architecture for custom tool integration
Conclusion
Jibril combines the power of eBPF with a modular, extensible framework to deliver advanced runtime security monitoring. Its architecture balances flexibility, efficiency, and ease of use, making it a robust solution for detecting and responding to threats in modern IT environments. Whether monitoring network flows, detecting file access anomalies, or integrating with GitHub workflows, Jibril offers the tools needed to secure your systems effectively.
Last updated
Was this helpful?