With Friends Like eBPF, Who Needs Enemies?

Conference:  BlackHat USA 2021



The presentation discusses the potential risks and techniques of using eBPF-based rootkits for container breakouts and exfiltration of data, and proposes detection and mitigation strategies.
  • eBPF-based rootkits can be used to override passwords, exfiltrate data, and hide processes
  • Detection and mitigation strategies include auditing and assessing vendor-provided eBPF programs, monitoring and restricting calls to eBPF scopes, and validating program signatures
  • The presentation provides a demo of exfiltrating PostgreSQL credentials and file contents using eBPF-based rootkits
  • The potential risks of eBPF-based rootkits include DNS spoofing and hijacked connections
  • The code for the rootkit and monitor is available for review
The presenter demonstrates how the rootkit can be used to exfiltrate PostgreSQL credentials and file contents by making a request to a specific URL, and shows how the rootkit can hide processes and override passwords. The potential risks of eBPF-based rootkits are illustrated by the possibility of DNS spoofing and hijacked connections.


Since its first appearance in Kernel 3.18, eBPF (Extended Berkeley Packet Filter) has progressively become a key technology for observability in the Linux kernel. Initially dedicated to network monitoring, eBPF can now be used to monitor and trace any kind of kernel space activity.Over the past few years, many vendors have started using eBPF to speed up their services or introduce new features. Cilium, Calico, Cloudflare, Netflix and Facebook are leading the charge, showing off new complex networking use cases on a monthly basis. On the security side of things, Google recently contributed the Kernel Runtime Security Instrumentation which opens the door to writing Linux Security Modules with eBPF.In other words, eBPF is the new kid in town and a growing number of companies are running services with eBPF access in production. This leads us to a simple question: how bad can things get if one of those services were to be compromised? This talk will cover how we leveraged eBPF to implement a full blown rootkit with all the features you would expect: various obfuscation techniques, command and control with remote and persistent access, data theft and exfiltration techniques, Runtime Application Self-Protection evasion techniques, and finally two original container breakout techniques. Simply put, our goal is to demonstrate that rogue kernel modules might have finally found a worthy opponent. We will also detail how to detect such attacks and protect your infrastructure from them, while safely enjoying the exciting capabilities that eBPF has to offer.