Skip to content

Jibril Architecture

Overview

Jibril is a modular runtime security tool that combines an eBPF loader and a userland daemon to monitor, detect, and respond to system behaviors. Its design emphasizes extensibility through plugins, printers, and events, all controlled by a centralized configuration file. This architecture ensures flexibility while maintaining a low resource footprint.

1. Key Components

1.1 eBPF Loader

The eBPF loader is the foundation of Jibril's kernel-level operations. It is responsible for:

  • Binary Generation: Creating binaries that include one or more extensions.
  • Extensibility: Adding new features by introducing additional files to the source tree.
  • Core Role: Acting as both the primary loader and the default extension in the current implementation.

The loader ensures kernel-level data collection with efficiency and scalability.

1.2 Userland Daemon

The userland daemon processes the data collected by the eBPF loader and provides flexible integration points. It comprises several key components:

  • Extensions: Define core features and integrations.
  • Plugins: Perform specific detection or monitoring tasks.
  • Printers: Handle the output of data or events to logs, dashboards, or files.
  • Events: Capture and dispatch system behaviors or conditions.

The daemon enables or disables these components based on user configuration, allowing Jibril to adapt to different environments and workloads.

2. Execution Flow

Jibril components follow a structured execution order:

  1. Initialization: Core libraries and packages are initialized first.
  2. Extensions: Load features like configuration or data storage logic.
  3. Plugins: Execute monitoring or detection tasks.
  4. Printers: Process and output event data.
  5. Events: Dispatch captured behaviors to active printers.

Each component runs through five lifecycle stages: init, start, execute, finish, and exit, ensuring stability and clear state management.

3. Modular Design: Plugins, Printers, and Events

3.1 Plugins

Plugins add specialized functionality to Jibril, focusing on monitoring, detection, and system analysis. All plugins can be enabled or disabled in the configuration file. Examples include:

  • Hold: Keeps Jibril running until receiving a termination signal (e.g., SIGSTOP).
  • Procfs: Reads data from existing processes in /proc, allowing Jibril to analyze both historical and real-time process activity.
  • Net: Monitors network flows, capturing details about active connections and traffic.
  • Detect: Provides extensive detection capabilities, such as monitoring file modifications, unauthorized code execution, and suspicious network activity.
  • GitHub: Integrates with GitHub repositories to summarize pull requests or changes.

3.2 Printers

Printers define how and where events are output. They are highly configurable and support various endpoints, including:

  • Stdout: Prints event data directly to the console for immediate visibility.
  • Varlog: Outputs events to log files in /var/log for persistent storage.
  • Listendev: Sends data to the dashboard.listen.dev for real-time visualization.
  • Datakeeper: Maintains a recent history of events in memory for quick lookups by other components.

Some printers like datakeeper are used as infrastrucure for other components, not as regular event-dispatching printers.

3.3 Events

Events represent system behaviors or states that Jibril monitors and processes. They are the core of Jibril's detection and response capabilities. Examples include:

  • Network Monitoring Events:

    • jibril:net:flow: Captures detailed information about active network flows.
    • jibril:netpolicy:dropip: Flags traffic dropped due to IP-based policies.

  • Detection Events:

  • File Access:
    • jibril:detect:capabilities_modification: Detects changes to file capabilities.
    • jibril:detect:credentials_files_access: Identifies unauthorized access to sensitive credential files.
  • Execution Monitoring:
    • jibril:detect:binary_executed_by_loader: Tracks binaries executed by ELF loaders.
    • jibril:detect:hidden_elf_exec: Detects hidden ELF binary execution.

  • Network Activity:

    • jibril:detect:net_sniff_tool_exec: Identifies execution of network-sniffing tools.
    • jibril:detect:net_scan_tool_exec: Flags usage of network scanning utilities.

  • GitHub Integration Events:

    • jibril:github:pull_summary: Summarizes pull requests.
    • jibril:github:change_summary: Highlights changes in repositories.

With a wide range of events, Jibril allows users to monitor everything from basic system activity to sophisticated threats.

4. Configuration-Driven Behavior

Jibril’s flexibility comes from its configuration file, which governs how components are enabled and interact. Key configurable elements include:

  • Log Levels: Control verbosity, ranging from minimal output (fatal) to detailed debugging (debug).
  • Daemon Mode: Run Jibril interactively or as a background service.
  • Profiling and Health Checks: Enable profiling to debug performance or activate health endpoints for system monitoring.
  • Extensions and Plugins: Select which extensions, plugins, and events to load, tailoring Jibril for specific use cases.
  • Printers: Define where and how data should be output, such as stdout, log files, or external dashboards.

These options allow Jibril to integrate seamlessly into various operational environments.

5. Why Jibril’s Architecture Works

  • Flexibility: Components like plugins, printers, and events can be enabled or disabled, making Jibril highly adaptable.
  • Scalability: The modular design allows Jibril to handle small setups or large-scale deployments with ease.
  • Efficiency: By using eBPF for kernel-level data collection and a structured userland execution model, Jibril maintains a low resource footprint.
  • Comprehensive Monitoring: A wide range of events ensures visibility across network activity, file access, process behavior, and more.
  • Integration Ready: Printers and configuration options make it easy to connect Jibril to external systems like dashboards, logs, or custom tools.

Conclusion

Jibril combines the power of eBPF with a modular, extensible framework to deliver advanced runtime security monitoring. Its architecture balances flexibility, efficiency, and ease of use, making it a robust solution for detecting and responding to threats in modern IT environments. Whether monitoring network flows, detecting file access anomalies, or integrating with GitHub workflows, Jibril offers the tools needed to secure your systems effectively.