Return to Sender - Detecting Kernel Exploits with eBPF

Conference:  Black Hat USA 2022



The presentation discusses how eBPF can be used to detect and prevent kernel-level exploits in production and DevOps environments. The speaker covers the limitations and challenges of eBPF for this purpose and presents KRIE (Kernel Runtime Integrity with eBPF), an open-source tool that uses eBPF to detect and block malicious activity in the kernel.
  • eBPF can be used to detect and prevent kernel-level exploits in production and DevOps environments
  • eBPF has limitations and challenges that make it less suited to detecting certain types of exploits
  • KRIE is an open-source tool that uses eBPF to detect and block malicious activity in the kernel
  • KRIE can be configured to log, block, kill, or operate in paranoid mode
  • KRIE has a performance overhead of up to 40% with all features enabled, but disabling certain detections reduces the overhead to less than 1%
The speaker explains that KRIE can detect exploit chains by controlling call sites at runtime: an attacker cannot jump straight to a sensitive kernel function without first passing through specific control points. KRIE can also detect logic bugs related to access rights, such as a file opened read-only that is eventually written to. However, KRIE's detections are not automated; each one is written by hand and has to work around limitations in the kernel. The speaker emphasizes the value of making attackers' lives harder and making exploits more difficult to use, especially for script kiddies.


One of the fastest growing subsystems in the Linux kernel is, without any doubt, eBPF (extended Berkeley Packet Filter). Although eBPF initially targeted network monitoring and filtering use cases, its capabilities have been broadened over time. With each new kernel version, the capabilities of eBPF get closer to those of a kernel module, with additional benefits: system safety and stability.

When it comes to security, eBPF has been a hot topic in recent years, for good and less desirable reasons. Like any other kernel feature, eBPF has introduced its fair share of kernel bugs and vulnerabilities, calling into question the maturity of a solution that introduces a rich feature set but considerably increases the kernel attack surface. On the other hand, eBPF now powers an increasing number of endpoint protection solutions, showcasing original ideas for detecting threats at runtime.

Unlike many projects that aim to detect malicious behavior in user space, this talk focuses on how eBPF can be leveraged to detect and prevent various kernel exploitation strategies. As such, we will be releasing KRIE (Kernel Runtime Integrity with eBPF), an open source eBPF-powered tool with real-world implementations of the detections we discuss here. From attempts to bypass security features, to changes to security parameters or alterations of the kernel runtime, we'll discover how eBPF can be used to safely introduce security protections while ensuring system safety and stability. Then, we'll present an original kernel Control Flow Integrity framework that focuses on backward compatibility and doesn't require any specific hardware.

Finally, we'll cover the performance and overhead introduced by KRIE. We will also discuss the limitations of KRIE, explaining why it is an exciting security layer but why it shouldn't be considered a bulletproof solution.
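The two checks the summary describes (gating a sensitive kernel function behind a control point, and catching a write through a descriptor that was opened read-only) and the hardware-free kernel CFI idea from the abstract can be modelled in user space. The following is an added example written for this page, not KRIE's code: the per-task table stands in for a BPF hash map keyed by pid, each `hook_*` function stands in for a kprobe or kretprobe program, and the function names, the token field and the three constructed scenarios are assumptions for illustration.

```c
/*
 * Added example (not KRIE's code): a user-space model of two runtime checks.
 * task_map models a BPF hash map keyed by pid; each hook_* models a kprobe or
 * kretprobe program. Names and scenarios are assumptions for illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TASKS 8
#define MAX_FDS   16

/* Access mode recorded when a descriptor is opened (O_ACCMODE subset). */
enum fmode { MODE_CLOSED = -1, MODE_RDONLY = 0, MODE_WRONLY = 1, MODE_RDWR = 2 };

enum verdict {
    VERDICT_ALLOW = 0,
    VERDICT_BLOCK_NO_CONTROL_POINT = 1, /* sensitive function reached without its gate */
    VERDICT_BLOCK_WRITE_ON_RDONLY  = 2  /* write through an fd opened read-only */
};

/* What an eBPF program would keep in one per-pid map entry. */
struct task_state {
    uint32_t pid;
    bool in_use;
    bool passed_control_point;  /* single-use token set by the sanctioned caller */
    enum fmode fd_mode[MAX_FDS];
};

static struct task_state task_map[MAX_TASKS];

/* bpf_map_lookup_elem() with an update on miss. */
static struct task_state *task_lookup(uint32_t pid)
{
    for (int i = 0; i < MAX_TASKS; i++)
        if (task_map[i].in_use && task_map[i].pid == pid)
            return &task_map[i];
    for (int i = 0; i < MAX_TASKS; i++) {
        if (!task_map[i].in_use) {
            task_map[i].in_use = true;
            task_map[i].pid = pid;
            task_map[i].passed_control_point = false;
            for (int fd = 0; fd < MAX_FDS; fd++)
                task_map[i].fd_mode[fd] = MODE_CLOSED;
            return &task_map[i];
        }
    }
    return NULL; /* map full: a real program would count this as an error */
}

/* kprobe on the sanctioned caller (e.g. the setuid syscall path): mark the task. */
void hook_control_point(uint32_t pid)
{
    struct task_state *t = task_lookup(pid);
    if (t) t->passed_control_point = true;
}

/* kprobe on the sensitive function (e.g. commit_creds): only a task that came
 * through the control point may proceed. The token is consumed so a legitimate
 * call cannot bank it for an exploit to spend later in the same task. */
enum verdict hook_sensitive_function(uint32_t pid)
{
    struct task_state *t = task_lookup(pid);
    if (!t || !t->passed_control_point)
        return VERDICT_BLOCK_NO_CONTROL_POINT;
    t->passed_control_point = false;
    return VERDICT_ALLOW;
}

/* kretprobe on the open path: remember the access mode granted to this fd. */
void hook_open_return(uint32_t pid, int fd, enum fmode mode)
{
    struct task_state *t = task_lookup(pid);
    if (t && fd >= 0 && fd < MAX_FDS) t->fd_mode[fd] = mode;
}

/* kprobe on the write path: a write through an fd recorded as read-only means
 * the file's mode was altered after open(), e.g. by a logic bug. */
enum verdict hook_write(uint32_t pid, int fd)
{
    struct task_state *t = task_lookup(pid);
    if (t && fd >= 0 && fd < MAX_FDS && t->fd_mode[fd] == MODE_RDONLY)
        return VERDICT_BLOCK_WRITE_ON_RDONLY;
    return VERDICT_ALLOW;
}

/* Constructed scenarios; each returns the verdict the hooks produce. */
enum verdict scenario_legit_setuid(void)
{
    hook_control_point(1000);             /* setuid() enters through the gate */
    return hook_sensitive_function(1000); /* ... and then reaches commit_creds */
}

enum verdict scenario_exploit_jumps_to_commit_creds(void)
{
    return hook_sensitive_function(1001); /* corrupted pointer lands on commit_creds */
}

enum verdict scenario_write_through_rdonly_fd(void)
{
    hook_open_return(1002, 3, MODE_RDONLY);
    return hook_write(1002, 3);           /* mode flipped after open() */
}

int main(void)
{
    printf("legit setuid -> %d\n", scenario_legit_setuid());
    printf("direct jump  -> %d\n", scenario_exploit_jumps_to_commit_creds());
    printf("rdonly write -> %d\n", scenario_write_through_rdonly_fd());
    return 0;
}
```

The verdict an eBPF program can act on depends on the hook type: a kprobe can only observe and report, while an LSM hook or a `bpf_send_signal()` from the program can turn the same verdict into a blocked operation or a killed task, which is the log/block/kill spectrum the summary mentions. The token is consumed on use deliberately; a sticky flag would let an exploit in a task that had once called setuid walk straight through the gate.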


