Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime

Conference:  Defcon 27



The presentation discusses the use of BPF (Berkeley Packet Filter) to build rootkits and modify syscalls in the kernel. It also covers the limitations and potential risks of using this approach.
  • BPF can be used to modify syscalls and redirect them to a different path
  • Careful filtering is necessary to avoid crashing the system
  • Persisting stack or heap data can help hide the modifications
  • Blackholing syscalls can be useful for reverse engineering
  • Non-writable pages cannot be modified using this approach
The speaker mentions that pretending to be the kernel and writing arbitrary data can be useful for blocking syscalls and preventing communication with the outside world. However, this approach may not work if the program is using seccomp to deny access.


eBPF (or "extended" Berkeley Packet Filter) is a bytecode instruction set and virtual machine used as a safe computing environment within the Linux kernel to perform arbitrary programmatic actions. It is a redesign of Linux's original in-kernel BPF bytecode VM used to power features like tcpdump filters. eBPF has an entirely different set of capabilities and instructions, with its primary goal being to serve as a JIT-able virtual machine instruction set that can be targeted by compilers of a memory-safe "restricted C" language. In the Linux kernel, it is actively being applied to anything and everything to provide performant programmatic capabilities to userland that extend traditionally kernel-based functionality. In this exploit development focused talk, we will first introduce eBPF and discuss several nefarious techniques enabled by the technology. As we do so, we will cover the respective sets of APIs, file descriptor types, and other eBPF machinery that enable such techniques, building up from various forms of hidden IPC channels to full-fledged rootkits. Within this talk, we will walk through the implementations of the techniques we discuss so that attendees will walk away with the knowledge of how to implement their own variants. Along the way we will discuss novel container breakout techniques and interesting "dual-purpose" eBPF features that enable the development of mutative syscall hooks that work for processes that work for processes already attached by a debugger. Finally, we will provide insight on how defenders should begin to attempt to detect and recover from such abuses, when possible at all. This presentation significantly extends on work we first presented at 35C3, which focused more heavily on the underlying aspects of general eBPF-based kernel tracing. In contrast, this talk will demo new techniques and include substantially improved versions of techniques presented previously as proofs-of-concept.