eBPF Offensive Capabilities – Get Ready for Next-Gen Malware (2023)
eBPF technology in the Linux kernel allows low-level program execution, posing security risks as attackers can exploit its features. Safeguards exist, but ongoing vigilance is essential to mitigate potential abuses.
eBPF (Extended Berkeley Packet Filter) is a powerful technology integrated into the Linux kernel that lets sandboxed programs run in kernel context without loading a kernel module. While it has legitimate uses in security monitoring and performance analysis, it can also be turned to malicious ends. eBPF programs can be attached to hooks such as kprobes, uprobes, tracepoints, and traffic control (tc) hooks, which lets an attacker observe, and in some cases alter, the behaviour of kernel and user-space functions.
The article discusses the offensive capabilities of eBPF, highlighting how attackers can abuse its features. For instance, they can directly access maps to alter the logic of eBPF programs, use kprobes to hide processes or files, and manipulate network traffic through traffic control hooks. Uprobes can also be exploited to change the behavior of user-space applications.
To limit these risks, the kernel runs every eBPF program through a verifier before loading it: bytecode that could loop without bound, read uninitialised registers, or touch memory outside what its context allows is rejected. The verifier's job is kernel safety, not intent: a program that passes it can still read process memory and, through helpers such as bpf_probe_write_user, write to it (the kernel logs a warning when such a program is loaded, which is itself a useful detection signal). That is why loading programs is restricted to CAP_BPF/CAP_SYS_ADMIN, and why that privilege, and the programs loaded with it, deserve monitoring of their own. The article stresses understanding both the capabilities and the risks of eBPF as it becomes increasingly integrated into cloud-native environments and security frameworks.
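The file-hiding trick mentioned above is usually done from a hook on getdents64: after the syscall has filled the caller's buffer, the eBPF program patches the buffer with bpf_probe_write_user so that the previous record's d_reclen covers the record to be hidden, and every tool that walks the listing steps over it. The added example below is not code from the article or from any eBPF project; it is the same buffer edit done in plain user-space C on a constructed /proc-style listing, so it can be run without root or a BPF-capable kernel. The record layout is the one documented in getdents64(2); the names, inode numbers, and the helper functions are assumptions made for the example. The kernel-side hook itself is not shown. Alongside the offensive edit it includes the check a defender can run: because the kernel always sets d_reclen to the header plus the NUL-terminated name rounded up to 8 bytes, a record that is longer than its own name needs is carrying a swallowed entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout getdents64(2) writes into the caller's buffer. */
struct linux_dirent64 {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};

#define ALIGN8(x) (((x) + 7) & ~(size_t)7)

/* Write one record the way the kernel's filldir64 does: d_reclen is the
   header plus the NUL-terminated name, rounded up to 8 bytes. */
static size_t put_dirent(unsigned char *buf, uint64_t ino, const char *name) {
    struct linux_dirent64 *d = (struct linux_dirent64 *)buf;
    size_t reclen = ALIGN8(offsetof(struct linux_dirent64, d_name) + strlen(name) + 1);
    d->d_ino = ino; d->d_off = 0; d->d_reclen = (uint16_t)reclen;
    d->d_type = 4; /* DT_DIR */
    memset(d->d_name, 0, reclen - offsetof(struct linux_dirent64, d_name));
    strcpy(d->d_name, name);
    return reclen;
}

/* Constructed sample (assumption): a /proc-style listing with two PID dirs. */
size_t build_sample_listing(unsigned char *buf, size_t cap) {
    const char *names[] = { ".", "..", "1337", "4242" };
    size_t len = 0;
    for (size_t i = 0; i < 4; i++) {
        if (len + 32 > cap) break;
        len += put_dirent(buf + len, (uint64_t)(i + 1), names[i]);
    }
    return len;
}

/* How ls, ps and friends consume the buffer: hop from record to record by d_reclen. */
int count_visible(const unsigned char *buf, size_t len) {
    int n = 0;
    for (size_t pos = 0; pos + offsetof(struct linux_dirent64, d_name) <= len; ) {
        const struct linux_dirent64 *d = (const struct linux_dirent64 *)(buf + pos);
        if (d->d_reclen == 0) break;
        n++;
        pos += d->d_reclen;
    }
    return n;
}

/* Offensive side: the edit a getdents64 hook makes to the returned buffer.
   The record named `hide` is folded into its predecessor by growing the
   predecessor's d_reclen, so every walker steps straight over it.
   Returns 1 if an entry was hidden. Simplification: the first record is
   never hidden, as it has no predecessor to absorb it. */
int hide_dirent(unsigned char *buf, size_t len, const char *hide) {
    struct linux_dirent64 *prev = NULL;
    for (size_t pos = 0; pos + offsetof(struct linux_dirent64, d_name) <= len; ) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
        if (d->d_reclen == 0) break;
        if (strcmp(d->d_name, hide) == 0) {
            if (prev == NULL) return 0;
            prev->d_reclen = (uint16_t)(prev->d_reclen + d->d_reclen);
            return 1;
        }
        prev = d;
        pos += d->d_reclen;
    }
    return 0;
}

/* Defensive side: a record whose d_reclen exceeds what its own name needs is
   carrying a swallowed record. Copies the hidden name to `out` and returns 1,
   or returns 0 when every record is exactly as long as the kernel would make it. */
int find_hidden(const unsigned char *buf, size_t len, char *out, size_t outsz) {
    for (size_t pos = 0; pos + offsetof(struct linux_dirent64, d_name) <= len; ) {
        const struct linux_dirent64 *d = (const struct linux_dirent64 *)(buf + pos);
        if (d->d_reclen == 0) break;
        size_t expected = ALIGN8(offsetof(struct linux_dirent64, d_name) + strlen(d->d_name) + 1);
        if (d->d_reclen > expected &&
            pos + expected + offsetof(struct linux_dirent64, d_name) <= len) {
            const struct linux_dirent64 *h = (const struct linux_dirent64 *)(buf + pos + expected);
            snprintf(out, outsz, "%s", h->d_name);
            return 1;
        }
        pos += d->d_reclen;
    }
    return 0;
}

int main(void) {
    uint64_t raw[32]; /* 8-byte aligned backing store, as the kernel buffer would be */
    unsigned char *buf = (unsigned char *)raw;
    char name[64];
    size_t len = build_sample_listing(buf, sizeof raw);
    printf("visible before: %d\n", count_visible(buf, len));
    hide_dirent(buf, len, "1337");
    printf("visible after:  %d\n", count_visible(buf, len));
    if (find_hidden(buf, len, name, sizeof name))
        printf("reclen anomaly: hidden entry '%s'\n", name);
    return 0;
}
```

The d_reclen check is cheap enough to run from a defensive eBPF program on the same getdents64 hook, or from user space by comparing the raw syscall buffer against what the kernel should have produced; it catches this particular edit, not a hook that rewrites the buffer wholesale, so it complements rather than replaces auditing which programs are loaded.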
Related
Bpftop: Dynamic real-time view of running eBPF programs
The GitHub repository for `bpftop` by Netflix provides real-time monitoring of eBPF programs with statistics like average runtime, events per second, and CPU usage. Visit https://github.com/Netflix/bpftop for more details.
How eBPF is shaping the future of Linux and platform engineering
eBPF, developed by Daniel Borkmann, revolutionizes Linux by enabling custom programs in the kernel. It enhances networking, security, and observability, bridging monolithic and microkernel architectures for improved performance and flexibility.
Userland Rootkits Are Lame
Userland rootkits like Symbiote pose a threat on Linux systems by injecting libraries to hide information. Countermeasures include using statically linked binaries for immunity, examining memory layouts, and comparing file lists.
No More Blue Fridays
Future computers aim to avoid crashes from bad updates, like a recent global outage caused by a security company's flawed update. eBPF technology offers secure kernel execution to prevent such incidents.
Hiding Linux Processes with Bind Mounts
The article explains a technique for hiding Linux processes using bind mounts, making them undetectable by standard tools. It highlights the method's implications for both offensive and defensive cybersecurity strategies.
Netlink is pretty awesome, you can sort of think of it like ioctl on steroids. As a result it's proliferated around the kernel as a much nicer replacement for ioctls or implementing a custom character device or something for userspace/kernel communication.
Knowledge of this isn't widespread however, even security experts I have spoken to that don't have deep kernel development background aren't really aware of how widespread Netlink is in generic non-network related subsystems.
Though it's still not exactly clear to me what the verifier intends to prevent. I can understand that it limits how far you can look up into the stack and what memory your eBPF program can read. But can we otherwise just run any random code in eBPF? The register value tracking and DAG stuff kind of goes over my head.
In short, could I write a Scheme in eBPF and pass it a program at runtime, through a map?