eBPF ELFs JMPing Through the Windows

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses the use of fuzzing to find vulnerabilities in the eBPF implementation on Windows.
  • eBPF is a technology that allows custom programs to be loaded and run in the kernel space of an operating system
  • The presentation focuses on the use of fuzzing to find vulnerabilities in the eBPF implementation on Windows
  • The presenter describes the fuzzing process and the tools used to carry it out
  • The presentation includes a live demo of the fuzzing process
  • The presenter notes that while eBPF is an exciting technology, it is still relatively new and there are likely to be vulnerabilities that can be found through fuzzing
  • During the live demo, the presenter uses the WTF fuzzer to find vulnerabilities in real time

Abstract

eBPF tracing is a hot new technology in the EDR and infrastructure space which provides high speed instrumentation and telemetry on events, processes, and network connections. eBPF is natively supported in the Linux kernel and is used in endpoint security products such as Carbon Black and Windows Defender for Linux. Last year, Microsoft released a completely new implementation of an eBPF tracing system for Windows which is destined to become a primary telemetry provider in the near future. eBPF for Windows has a complex architecture that leverages program analysis to verify unsigned user code via abstract interpretation before running it in a kernel context — integrity of the software is paramount. This research will be the first public work to analyze and discover security vulnerabilities in the new eBPF for Windows implementation.

Our presentation will discuss the capabilities and security model of eBPF for Windows, followed by details of the design and attack surface which will include the eBPF API, the trusted static verifier and JIT engine, and the kernel implementation of trace hooks and telemetry providers. During our deep dive into the implementation details, we will uncover vulnerabilities at multiple layers and discuss how they were found with demos of fuzzing Windows eBPF components and real-time bug discovery. We will conclude with a discussion about exploitation of memory corruption in the eBPF implementation on Windows which comes with its own challenges as a Windows Protected Process.

Join us on this journey as we examine this emerging technology on Windows and the security implications of the new attack surface.
