eBPF – Running sandboxed programs in a privileged context such as OS kernel

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

Our great sponsors
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • WorkOS - The modern identity platform for B2B SaaS
  • SaaSHub - Software Alternatives and Reviews
  • pamspy

    Credentials Dumper for Linux using eBPF

  • This is a good write-up and I like the diagrams. What appears to still be missing in an "off switch". AFAIK there are still no kernel boot time commands to disable eBPF entirely. I have to recompile the kernel to disable it.

    eBPF has the potential for file-less malware to run hidden from detection and I foresee the ability to tickle ring -3 (and -4?) CPU within CPU functions while bypassing local firewalls.

    Here is some example code of what people already know how to do today and this list will grow as people discover more capabilities. [1][2][3][4][5] These do require some privileges to insert but will remain running and hidden until reboot.

    [1] - https://github.com/citronneur/pamspy

    [2] - https://github.com/h3xduck/TripleCross

    [3] - https://github.com/krisnova/boopkit

    [4] - https://github.com/pathtofile/bad-bpf

    [5] - https://doublepulsar.com/bpfdoor-an-active-chinese-global-su...

  • TripleCross

    A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.

  • This is a good write-up and I like the diagrams. What appears to still be missing in an "off switch". AFAIK there are still no kernel boot time commands to disable eBPF entirely. I have to recompile the kernel to disable it.

    eBPF has the potential for file-less malware to run hidden from detection and I foresee the ability to tickle ring -3 (and -4?) CPU within CPU functions while bypassing local firewalls.

    Here is some example code of what people already know how to do today and this list will grow as people discover more capabilities. [1][2][3][4][5] These do require some privileges to insert but will remain running and hidden until reboot.

    [1] - https://github.com/citronneur/pamspy

    [2] - https://github.com/h3xduck/TripleCross

    [3] - https://github.com/krisnova/boopkit

    [4] - https://github.com/pathtofile/bad-bpf

    [5] - https://doublepulsar.com/bpfdoor-an-active-chinese-global-su...

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo
  • boopkit

    Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.

  • This is a good write-up and I like the diagrams. What appears to still be missing in an "off switch". AFAIK there are still no kernel boot time commands to disable eBPF entirely. I have to recompile the kernel to disable it.

    eBPF has the potential for file-less malware to run hidden from detection and I foresee the ability to tickle ring -3 (and -4?) CPU within CPU functions while bypassing local firewalls.

    Here is some example code of what people already know how to do today and this list will grow as people discover more capabilities. [1][2][3][4][5] These do require some privileges to insert but will remain running and hidden until reboot.

    [1] - https://github.com/citronneur/pamspy

    [2] - https://github.com/h3xduck/TripleCross

    [3] - https://github.com/krisnova/boopkit

    [4] - https://github.com/pathtofile/bad-bpf

    [5] - https://doublepulsar.com/bpfdoor-an-active-chinese-global-su...

  • bad-bpf

    A collection of eBPF programs demonstrating bad behavior, presented at DEF CON 29

  • This is a good write-up and I like the diagrams. What appears to still be missing in an "off switch". AFAIK there are still no kernel boot time commands to disable eBPF entirely. I have to recompile the kernel to disable it.

    eBPF has the potential for file-less malware to run hidden from detection and I foresee the ability to tickle ring -3 (and -4?) CPU within CPU functions while bypassing local firewalls.

    Here is some example code of what people already know how to do today and this list will grow as people discover more capabilities. [1][2][3][4][5] These do require some privileges to insert but will remain running and hidden until reboot.

    [1] - https://github.com/citronneur/pamspy

    [2] - https://github.com/h3xduck/TripleCross

    [3] - https://github.com/krisnova/boopkit

    [4] - https://github.com/pathtofile/bad-bpf

    [5] - https://doublepulsar.com/bpfdoor-an-active-chinese-global-su...

  • falco

    Cloud Native Runtime Security

  • systemd

    The systemd System and Service Manager

  • ```

    https://github.com/systemd/systemd/blob/c76691d708ac7fe13b7c...

    Unfortunately, most of the programs loaded by systemd are more-or-less hand-generated (the ingress/egress programs specifically) and do not include this information.

    It's a surprisingly small group of folks who work in this space upstream, but I know that they're aware of this as an opportunity to improve things :)

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts