Andrey Konovalov on Twitter: "If you're wondering, this is about these two @DEFCON talks:" / Twitter

The cool part about eBPF-based rootkits is portability. A kernel module–based rootkit needs to be rebuilt when a new kernel is deployed.

4

37

147

Andrey Konovalov

@andreyknvl

Aug 10, 2021

Using eBPF solves that: the interfaces are stable. Targeted userspace apps might change, but this shouldn't be hard to handle considering the script-like nature of eBPF.

1

10

Andrey Konovalov

@andreyknvl

If you're wondering, this is about these two

@DEFCON

talks:

8:50 PM · Aug 10, 2021Twitter Web App

Replying to

"eBPF, I thought we were friends!" by Guillaume Fournier and Sylvain Afchain Video: youtube.com/watch?v=5zixND Slides: media.defcon.org/DEF%20CON%2029

youtube.com

DEF CON 29 - Guillaume Fournier, Sylvain Afchain, Sylvain Baubeau -...

Since its first appearance in Kernel 3.18, eBPF (Extended Berkley Packet Filter) has progressively become a key technology for observability in the Linux ker...

1

7

41

Andrey Konovalov

@andreyknvl

Aug 10, 2021

"Warping Reality: Creating and Countering the Next Generation of Linux Rootkits" by

@PathToFile

Video: youtube.com/watch?v=g6SKWT Slides: media.defcon.org/DEF%20CON%2029

youtube.com

DEF CON 29 - PatH - Warping Reality: Creating and Countering the Next...

With complete access to a system, Linux kernel rootkits are perfectly placed to hide malicious access and activity. However, running code in the kernel comes...

1

6

33

Andrey Konovalov

@andreyknvl

Aug 10, 2021

TL;DR: They build a rootkit via malicious eBPF programs. The programs are constrained to what the verifier permits (i.e., no AARW), but the allowed functionality is enough to mess with userspace daemons for LPE and with network packets for C&C.

1

16

Conversation