The cool part about eBPF-based rootkits is portability.
A kernel module–based rootkit needs to be rebuilt when a new kernel is deployed.
Conversation
Replying to
Using eBPF solves that: the interfaces are stable. Targeted userspace apps might change, but this shouldn't be hard to handle considering the script-like nature of eBPF.
1
10
1
7
"eBPF, I thought we were friends!" by Guillaume Fournier and Sylvain Afchain
Video: youtube.com/watch?v=5zixND
Slides: media.defcon.org/DEF%20CON%2029
1
7
41
"Warping Reality: Creating and Countering the Next Generation of Linux Rootkits" by
Video: youtube.com/watch?v=g6SKWT
Slides: media.defcon.org/DEF%20CON%2029
1
6
33
TL;DR: They build a rootkit via malicious eBPF programs. The programs are constrained to what the verifier permits (i.e., no AARW), but the allowed functionality is enough to mess with userspace daemons for LPE and with network packets for C&C.
1
1
16
Regarding the last point, no need to imagine, it was already done for GCC 6 years ago: web.cse.ohio-state.edu/~lin.3021/file (actually wanting to debug/support such a thing is another question)
1
1
Show replies
Replying to
we were excited!
a just-in-time, quick on his feet, syn-psh-urg deflecting superhero!
surely he would be able to save our weary conntrack and netfilter from ksoftirqd exhaustion?
but as this world does;
we turned him into a villain.
suit up; it's going to be a long winter.
2