The SSL/TLS Trap: Why Your Database Security Goes Blind in Production

In production environments, SSL/TLS isn't optional—it's mandatory:

• Compliance requirements (PCI-DSS, HIPAA, SOC2) explicitly require encrypted database connections
• Cloud providers enforce TLS by default (AWS RDS, Google Cloud SQL, Azure Database)
• Zero-trust architectures assume all network traffic is hostile
• Data protection regulations (GDPR, CCPA) mandate encryption in transit

Option 1: MITM Proxy (The "Breaking Security to Add Security" Paradox)

The traditional enterprise approach: terminate SSL at a proxy, inspect the traffic, re-encrypt it.

Why it fails:

• You're breaking end-to-end encryption. The entire point of TLS is to prevent man-in-the-middle attacks. You're literally implementing one.
• Certificate management nightmare. Every database client needs to trust your proxy's certificate. Good luck deploying that across 1000 microservices.
• Added latency. Every query goes through an extra hop: decrypt → inspect → re-encrypt. That's 2-5ms added to every single query.
• Single point of failure. Your proxy goes down? Your entire database layer is unreachable.

Companies are rightfully afraid of inline solutions. We've heard this fear repeatedly from security teams: "We can't put anything in the critical path. One bug and we take down production."

Option 2: Database Audit Logs (The "Trust But Don't Verify" Approach)

Most databases have built-in audit logging. PostgreSQL has pgaudit, MySQL has the audit plugin.

Why it's insufficient:

• Only sees server-side activity. If an attacker compromises a database user's credentials, the audit log just shows "legitimate" queries.
• Can be disabled. Attackers with admin access turn off logging first.
• No client attribution. Who ran that query? The audit log says "postgres user from 10.0.2.15". Which of your 50 microservices is that?
• Performance overhead. Audit logging can add 20-40% CPU load on the database server itself.

Option 3: Application-Level Instrumentation (The "Boil the Ocean" Strategy)

Instrument every application that touches databases. Add logging to every ORM, every database client library.

Why it doesn't scale:

• You need to instrument everything. Python, Node.js, Java, Go, Ruby, .NET—each with multiple database libraries.
• Code changes in every microservice. That's months of engineering work across dozens of teams.
• Developers will disable it. When debugging production issues, the first thing devs do is remove "non-essential" code.
• Partial coverage is worse than no coverage. You think you're monitoring all database access, but you're missing that one legacy service still using raw SQL.

For Aurva, the requirements were non-negotiable:

• ✅ Zero application changes - Works with any database client, any language
• ✅ Out-of-band monitoring - Never in the request path, can't cause outages
• ✅ SSL-transparent - Captures plaintext without breaking encryption
• ✅ Full attribution - Knows which process, user, container made each query
• ✅ Production-safe - Sub-1% overhead, graceful degradation on failures

Think of it as a virtual machine inside the kernel:

• You write programs in a restricted C subset
• The kernel's verifier checks for safety (no infinite loops, no crashes, bounded execution time)
• Programs attach to kernel events (system calls, function calls, network packets)
• When events fire, your program runs with full kernel visibility

Why eBPF for SSL monitoring?

• Can't be disabled by applications - Runs in kernel space, outside application control
• Out-of-band - Never in the application's execution path
• Safe - The verifier guarantees programs can't crash the kernel
• Fast - Runs in kernel context, no user-space context switches for hot paths

The plan:

1. Hook OpenSSL's SSL_read() and SSL_write() functions
2. Capture the plaintext buffer before encryption (write) or after decryption (read)
3. Correlate with TCP connection metadata to attribute to processes
4. Send to user-space for protocol parsing and analysis

OpenSSL 1.1.x has a simple 4-field structure:

SSL {
  version
  method
  rbio → points to Read BIO → contains socket FD
  wbio → points to Write BIO
}

OpenSSL 3.0 restructured the BIO:

BIO {
  libctx        ← NEW FIELD!
  method
  callback
  ... 6 more fields ...
  num           ← The FD we need, now at a different offset
}

OpenSSL 3.2 added seven fields to the SSL structure:

SSL {
  type          ← NEW!
  ctx           ← NEW!
  defltmeth     ← NEW!
  method
  references    ← NEW!
  lock          ← NEW!
  ex_data       ← NEW!
  version
  rbio          ← Offset shifted by 56 bytes!
  wbio
}

You are restricted to:

• Calling only approved helper functions - No arbitrary function calls like OpenSSL_version()
• Simple, bounded string operations - Can't do regex matching or strlen() on unknown-length strings
• Pre-allocated, limited memory - No malloc(), no dynamic allocation at runtime
• Verifier rules vary by kernel version - Older kernels (pre-5.x) have even stricter limits on map lookups and loop unrolling (see eBPF verifier docs)

Step 1: Parse the ELF file

/proc/{pid}/maps → find libssl.so.3
/proc/{pid}/root/usr/lib/libssl.so.3 → open as ELF

Step 2: Search the .rodata section

.rodata contains string literals like "OpenSSL 3.0.13"
Regex match: "OpenSSL \d+\.\d+\.\d+"

Step 3: Map to structure version

3.0.x-3.1.x → use ssl_st_3_0
3.2.x-3.4.x → use ssl_st_3_2
3.5.x+      → use ssl_st_3_5

Fallback: If version detection fails (custom builds, stripped binaries), use filename heuristics:

.so.3 or .so.3.0 → Assume OpenSSL 3.x
.so.1.1          → Assume OpenSSL 1.1.x

Go's crypto/tls library presents three new problems:

1. No dynamic library - It's compiled directly into the Go binary
2. No symbols in stripped binaries - We can't just hook crypto/tls.(*Conn).Read
3. Calling convention changed - Go 1.17 switched from stack-based to register-based parameters

Step 1: Detect Go binaries

Check ELF file for ".note.go.buildid" section
Parse Go build info to get version

Step 2: Find the crypto/tls.(Conn).Read symbol

Even stripped binaries keep some symbols for runtime
Symbol table contains function boundaries
(See Go's symbol table format: https://pkg.go.dev/debug/gosym)

Step 3: Disassemble the function

Read machine code bytes from .text section
Scan for RET instructions (opcode 0xC3 on x86_64)
Record offset of each RET

Step 4: Hook every RET instruction

For each RET offset:
  Attach uprobe at that address
  In probe: extract return value (bytes read) and buffer pointer

Go 1.17+ passes arguments in registers:

buf = PT_REGS_PARM2(ctx)     // Second argument (buffer)
ret_len = PT_REGS_PARM1(ctx) // First return value (length)

Go <1.17 passes arguments on the stack:

buf = *(stack_pointer + 16)
ret_len = *(stack_pointer + 40)

Entry probe (saves state):

uprobe__SSL_write(ssl_ctx, buffer_ptr, requested_len) {
    // Save buffer pointer for later
    saved_state = {
        buffer: buffer_ptr,
        ssl_ctx: ssl_ctx
    }
    map.store(thread_id, saved_state)
}

Return probe (reads actual data):

uretprobe__SSL_write(actual_bytes_written) {
    saved_state = map.lookup(thread_id)

    if (actual_bytes_written <= 0) {
        return  // Write failed
    }

    // Now read exactly the bytes that were written
    read_buffer(saved_state.buffer, actual_bytes_written)

    map.delete(thread_id)
}

Our implementation handles:

• ✅ OpenSSL 1.1.x → 3.5.x (all production versions)
• ✅ Go TLS (all versions since 1.17)
• ✅ Stripped binaries (using filename heuristics)
• ✅ Containers (correct /proc namespace handling)
• ✅ High-throughput systems (tested to 100K queries/sec)

The system is designed to never break existing database operations:

• Uprobe attachment fails → Log warning, continue monitoring other processes
• FD extraction fails → Drop SSL event, but still capture socket metadata (IPs, ports, connection timing)
• Unknown OpenSSL version → Try all known structures with validation
• eBPF program crashes → Kernel automatically unloads it, application continues unaffected

Chrome and many Google services use BoringSSL, which has different internal structures. We'd need to:

• Detect BoringSSL (check for specific version strings)
• Define BoringSSL-specific structures
• Add to our fallback chain

Rust's rustls library is gaining adoption, especially in Rust-native services. Challenges:

• No C ABI (uses Rust's trait system)
• Virtual dispatch makes hooking tricky
• Need to understand Rust's trait object memory layout

QUIC runs TLS 1.3 over UDP instead of TCP. Our connection tracking assumes TCP sockets with file descriptors. We'd need:

• UDP 5-tuple tracking (src IP/port, dst IP/port, protocol)
• QUIC connection ID mapping
• QUIC frame parsing to extract TLS records