undefined | Better HN

0 pointsLinuxBender4y ago0 comments

I would be curious to know what malicious implications eBPF could have. related discussion [1] [2] For example, could a file-less trojan be injected via eBPF to reroute specific data payloads or copy specific payloads to different destinations? Or silently censor specific destinations?

Are there ways that eBPF could be abused and if so what mitigations, limitations and logging can one implement so that eBPF can remain enabled in a hardened and sensitive environment?

[1] - https://utcc.utoronto.ca/~cks/space/blog/linux/DisablingUser...

[2] - https://access.redhat.com/security/cve/cve-2021-33624

0 comments

srcmap4y ago

ebpf requires root privilege to run. If you're root, there are a lots of harms one can do a system without any ebpf script/commands.

LinuxBenderOP4y ago

Agreed, however people can be easily tricked into running scripts as root hence my question about mitigations and logging and file-less trojans. I assume I can get half the internet to run my script as root. The remaining challenge is how does one work backwards and see what occurred? I can see some pieces with auditd logging. I can disable user-space eBPF. What additional logging and mitigations can be enabled?

Some additional discussion points [1]

[1] - https://blog.tofile.dev/2021/08/01/bad-bpf.html

jwandborg4y ago

> The remaining challenge is how does one work backwards and see what occurred?

How would you work backwards to see what occurred if you'd run a malicious script/binary as root? The launching of an eBPF thing would leave the same traces and non-traces, right? And if there's a way to introspect all running eBPF things, it might be harder for an eBPF thing to hide itself, due to my assumed limitations of the eBPF runtime/VM/world-view-thing, the only problem then would be forgetting to look for it, but eBPF isn't unique in being potentially forgotten.

1 more reply

j / k navigate · click thread line to collapse