Conference:  Black Hat Asia 2023
Authors: Simon Scannell, Valentina Palmiotti, Juan José López Jaimez
2023-05-11

Extended Berkeley Packet Filter (eBPF) is a technology that provides capabilities to programmers seeking to make use of kernel layer performance and functionality. Fundamentally, eBPF allows users to load programs into kernel space and attach them to hook points. This allows for loading kernel code at runtime without needing to modify the kernel source code itself or develop a kernel module. eBPF programs are written in a high-level language and then compiled into assembly-like bytecode. At load time, the bytecode is JIT-compiled into the native architecture, which allows for the program to be kernel- and architecture-independent. The instruction set is minimal but allows programmers to call outside kernel functions, read and store data in various data structures, and perform pointer arithmetic and operations.

Programs that run in the kernel must be carefully analyzed to ensure that these programs follow rules to guarantee the integrity and security of the kernel running the program. A single code flaw in any of the components involved in program parsing, analysis, optimization, and compilation may lead to a compromise of the kernel running an eBPF implementation.

As eBPF becomes more prevalent, the goal of our talk is to share the history of eBPF vulnerabilities, bug classes, mitigations and provide an outlook for the future. We will also share our insights into automated vulnerability discovery. We will introduce listeners to advanced concepts of structured fuzzing such as designing and implementing an Intermediate Language. We will also discuss identifying roadblocks such as bug detection and give practical examples of how to overcome them. This will enable anyone to apply these concepts to their own fuzzing campaigns. The source code of our fuzzer will also be made available.
Authors: Cole Kennedy
2022-10-24

tldr - powered by Generative AI

Witness is an open-source project that allows software producers to make and verify attestations about the software they produce, making it easy to produce verifiable evidence for software builds. Archivist is a platform that stores these attestations. The goal is to automate pipeline compliance and ensure that the build materials that are expected to go into the build actually do go into that build.
  • Witness implements the internal specifications and allows software producers to make and verify attestations about the software they produce
  • It has integrations with open-source projects such as Sigstore, Inspire, GitHub, and GitLab
  • Witness makes it easy to produce verifiable evidence for software builds
  • It supports both containerized and non-containerized workloads
  • Archivist stores these attestations
  • The goal is to automate pipeline compliance and ensure that the build materials that are expected to go into the build actually do go into that build
Authors: Yueqi Chen, Zhenpeng Li
2022-09-15

tldr - powered by Generative AI

The presentation discusses the use of hard BPF for dynamic memory separation to protect against memory corruption vulnerabilities.
  • Dynamic memory separation is necessary to protect against memory corruption vulnerabilities
  • Hard BPF is a tool that can be used for dynamic memory separation
  • The hard BPF design involves an agent in the user space and a BPF program in the kernel
  • The BPF program intercepts the allocation of vulnerable objects and diverts them to a v-metal region
  • One-time allocation is guaranteed to prevent use after free exploitation techniques