discord

New Era

New Era of Runtime Security

Jibril: A New Era in Runtime Security

Why Jibril Stands Out ?

Jibril addresses key challenges by using eBPF in a "query-driven" approach, rather than an event-streaming model. This allows Jibril to gather behavioral data from the kernel with low system overhead.

Modern IT environments generate an immense amount of events and logs. Security teams often depend on tools that stream kernel events to user space in nearly real-time. However, during traffic surges or complex kernel operations, these tools may become overloaded, resulting in system slowdowns and incomplete data collection.

The result ?

Experience detailed monitoring without concerns of ring-buffer overruns, missed events, or CPU bottlenecks. Jibril's low-latency design and commitment to data integrity make it ideal for high-throughput, security-sensitive environments.

1. Core Innovations in Jibril's Architecture

1.1 Event-Less, Query-Driven Monitoring

  • Jibril's Innovation:

    Jibril utilizes in-kernel eBPF maps for event storage, retrieving them on-demand. This method avoids ring-buffer overload, minimizes data loss, and ensures high performance under pressure.

  • Traditional Tools:

    Depend on event flooding via ring buffers to transfer kernel events to user space, often leading to bottlenecks under

1.2 Minimal Overhead, Maximum Visibility

  • Ensured Data Integrity: Maps are hashed to prevent unauthorized generation or modification of keys. If a user tries to alter map data, the system becomes "tainted," allowing for detectable changes and maintaining forensic integrity.

  • Kernel-Resident Data Management: By using inter-connected hashed key-value maps with strategic caching to prevent query exhaustion, Jibril minimizes frequent context switching and reduces overhead, unlike traditional streaming tools that often struggle under heavy loads.

1.3 High-Frequency Event Efficiency

  • Resiliency: With Jibril's in-kernel storage, you can achieve reliable real-time monitoring without straining your CPU. In typical mid-sized enterprise environments that generate over 50,000 events per second, standard eBPF tools like side-car might struggle and drop events under heavy load. Jibril, however, remains resilient.

2. Jibril Security Model: The Technical Deep Dive

2.1 Architectural Pillars

  1. Behavioral Data Integrity

    • Detection Recipe Confidentiality: The logic behind Jibril's monitoring is kept secret, preventing attackers from understanding detection patterns and reducing their chances of evasion.

    • Rate-Limiting: Jibril can impose limits on repetitive events globally, per binary, or per process, ensuring your system isn't overwhelmed by

  2. Kernel/Userland Separation

    • Secure Memory Access in eBPF Programs:

      eBPF programs need to be validated by the Linux kernel's verifier, ensuring they don't access memory without authorization

    • Low-Latency Interactions: Queries happen only when needed. No constant "firehose" of events from kernel space to user space.

  3. Access Control and Monitoring

    • Root-Only, Capability-Based: Only authorized root users with CAP_BPF (or CAP_SYS_ADMIN in older kernels) can load or inspect Jibril's kernel programs. Unauthorized attempts are flagged as tampering.

    • Userland Privilege Management: Jibril's daemon starts with higher privileges for eBPF initialization, then drops unnecessary capabilities. This "least-privilege" design prevents misuse of elevated permissions.

  4. System Resilience

    • Tamper Detection: Any unverified writes to eBPF maps or rogue eBPF loads are caught and flagged.

    • Plugin Isolation: Each plugin or detection mechanism runs in its own thread. One faulty plugin can't bring down the entire system.

  5. Compliance Alignment

    • GDPR-Focused: Jibril tracks metadata (filenames, process IDs, timestamps), not file contents. This reduces the legal overhead of processing personal data. Future enhancements will offer anonymization for deployments needing deeper compliance.

    • ISO 27001 Ready: Strong logging, access controls, and tamper alerts support the security frameworks typical of ISO 27001.

3. End-to-End Flow: From Kernel to Userland

  1. Data Collection (Kernel Space)

    • Uniform Binary Object: Jibril's eBPF code can run consistently across different kernel versions—no custom modules needed.

    • Key-Value Map Storage: Events or process behaviors are hashed into eBPF maps, ensuring minimal CPU usage and quick lookups.

  2. Userland Daemon

    • Detection & Pattern Matching: The daemon retrieves only relevant kernel data, analyzing it against "detection recipes" to identify anomalies or suspicious activity.

    • Plugins: Jibril's detection logic is packaged into built-in plugins organized by detection type (file operations, network flows, etc.). Each plugin runs in an isolated thread, preventing system-wide failures if a single plugin encounters issues.

  3. Printers & Dashboards

    • Flexible Output: Detection events can be dispatched to stdout, logs, the listen.dev dashboard, or even summarized through an OpenAI plugin.

    • Secure Submissions: Data is sent over authenticated channels (e.g., HTTPS with API tokens), maintaining confidentiality and integrity.

Feature
Falco/Tracee/Tetragon
Jibril

Event Handling

Continuous streaming

Query-driven, on-demand

Performance

Can degrade under load

Consistent under high loads

Security Model

Limited tamper detection

Full integrity safeguards

Data Integrity

Event loss possible

Tamper-evident, no loss

5. Extensibility & Future-Ready

  1. Plugins & Extensions

    • Security-by-Design: Plugins are compiled into Jibril and operate with well-defined detection recipes. Future versions aim to allow runtime extension using a descriptive language—without compromising stability.

    • Thread-Based Isolation: Each plugin is self-contained, so a faulty network-monitoring plugin won't affect file-based detection capabilities.

  2. Printers

    • Built-In Dispatch: Shipping with a range of "printers," Jibril can forward detection events to logs, dashboards, or external APIs, all configured via simple toggles.

    • Optional Integrations: For advanced threat analytics, Jibril can send summarized data to OpenAI services. This leverages machine learning to interpret event patterns more intuitively—without exposing raw data.

  3. Roadmap Highlights

    • Encryption & Anonymization: Future updates plan to anonymize sensitive data and optionally encrypt kernel-collected data.

    • Deeper Compliance: Enhanced support for GDPR and ISO 27001 audits with finer access logs, documentation, and optional redaction features.

6. Why Jibril is the Future of Runtime Security

  1. Minimal Overhead, Maximum Insights Jibril's kernel-first approach cuts down on CPU churn, letting you monitor production traffic without debilitating slowdowns.

  2. Robust Security Model Tamper detection, hashed key-value maps, and strict privilege requirements guarantee strong defenses against both external and insider threats.

  3. Uncompromised Data Fidelity Even at 50,000+ events per second, Jibril captures everything. By querying on-demand, you'll never lose critical intel to ring-buffer overflow.

  4. Scalable & Compliant Built with privacy and compliance in mind, Jibril easily slots into existing frameworks and enterprise security mandates.

Conclusion: Embrace the Next Generation

Jibril redefines runtime security by collecting, storing, and analyzing kernel events in a radically efficient, low-latency, and tamper-resistant way. While other solutions struggle when event volumes spike, Jibril thrives—delivering confidence, clarity, and true operational security.

The Future

If you're ready for a secure, future-proof, and highly performant approach to runtime security, Jibril is the solution you've been waiting for.

Last updated

Was this helpful?