Return to Sender - Detecting Kernel Exploits with eBPF presented at Black Hat USA 2022

by Guillaume Fournier,

Tags: Defense Exploit Development


Summary : One of the fastest growing subsystems in the Linux Kernel is, without any doubt, eBPF (extended Berkeley Packet Filter). Although eBPF initially targeted network monitoring and filtering use cases, its capabilities have been broadened over time. With each new kernel version, the capabilities of eBPF are getting closer to that of a kernel module with additional benefits: system safety and stability.When it comes to security, eBPF has been a hot topic in the previous years, for good and less desirable reasons. Like any other kernel features, eBPF has introduced its fair share of kernel bugs and vulnerabilities, questioning the maturity of a solution that introduces a rich feature set but considerably increases the kernel attack surface. On the other hand, eBPF is now powering an increasing amount of endpoint protection solutions, showcasing original ideas to detect threats at runtime.Unlike many projects that aim at detecting malicious behaviors in user space, this talk focuses on how eBPF can be leveraged to detect and prevent various kernel exploitation strategies. As such, we will be releasing KRIE (Kernel Runtime Integrity with eBPF), an open source eBPF-powered tool with real world implementations of the detections we're discussing here. From trying to bypass security features, to changing security parameters or altering the kernel runtime, we'll discover how eBPF can be used to safely introduce security protections, while ensuring system safety and stability. Then, we'll present an original kernel Control Flow Integrity framework that focuses on backward compatibility and doesn't require any specific hardware.Finally, we'll cover the performance and overhead introduced by KRIE. We will also discuss the limitations of KRIE, explaining why it is an exciting security layer but why it shouldn't be considered as a bullet proof solution.