Analyzing the Security of eBPF Maps

Extended Berkeley Packet Filter, or eBPF, is a fascinating part of the Linux kernel that has seen rapid growth and improvement over the last few years. Originally designed for high-speed packet filtering, it is quickly becoming the backbone of networking and security tooling within the cloud-native landscape.


This blog, from one of the CrowdStrike Falcon OverWatch™ team’s senior security researchers, takes a deep dive into some important security implications for eBPF users. It explores how eBPF is used in Linux and cloud environments, including how it can be abused by attackers to tamper with security tools and introduce backdoors into an environment.


Extending Berkeley: The Fundamentals


eBPF enables auditing and filtering of high-volume events, such as network packets or system calls, without the security or stability overhead of a custom kernel module. This is accomplished using small, lightweight programs that are written in a constrained language and are checked at compile- and runtime for security and performance. eBPF can be broken down into three components:


eBPF Programs: These are the special programs that get loaded into the kernel. They are attached to specific “hook points” in the kernel (such as when a network packet is received, or a syscall function is entered), and can inspect and make decisions about the action. eBPF programs are run in the context of the calling user-mode process, so it is possible to see what process is performing an action.
User-mode Controllers: These are user-mode programs that send the eBPF program to the kernel to be loaded. They also receive data back from the kernel programs, such as log messages or actions taken.
eBPF Maps: These provide the main communication channel between the user-mode and the kernel programs. Maps take the form of either a fixed-size array, c ..
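Because maps are the channel between user-mode controllers and kernel programs, a defender inventorying an eBPF deployment wants to know which loaded program uses which map, which maps are shared by more than one program, and which are pinned to bpffs where any sufficiently privileged process can open them. The following script is an added example, not code from the original post or from CrowdStrike: it assumes the JSON field names that `bpftool prog show -j` and `bpftool map show -j` emit (`id`, `name`, `map_ids`, `pinned`), and runs here over constructed sample output rather than a live system.

```python
import json

# Constructed sample of `bpftool prog show -j` output (not captured from a real host).
PROGS_JSON = """[
 {"id": 12, "type": "kprobe",     "name": "trace_execve", "map_ids": [3, 4]},
 {"id": 13, "type": "sched_cls",  "name": "tc_filter",    "map_ids": [4]},
 {"id": 14, "type": "tracepoint", "name": "unknown_hook", "map_ids": [5]}
]"""

# Constructed sample of `bpftool map show -j` output; "pinned" lists bpffs paths.
MAPS_JSON = """[
 {"id": 3, "type": "hash",  "name": "events", "max_entries": 1024},
 {"id": 4, "type": "array", "name": "config", "max_entries": 1,  "pinned": ["/sys/fs/bpf/config"]},
 {"id": 5, "type": "hash",  "name": "stash",  "max_entries": 64, "pinned": ["/sys/fs/bpf/stash"]},
 {"id": 6, "type": "array", "name": "orphan", "max_entries": 16}
]"""


def map_users(progs, maps):
    """Return {map_id: [program names]} for every map, including maps no program uses."""
    users = {m["id"]: [] for m in maps}
    for p in progs:
        for mid in p.get("map_ids", []):
            users.setdefault(mid, []).append(p["name"])
    return users


def audit(progs_json, maps_json):
    """Flag maps that are shared, pinned, orphaned, or referenced but not listed."""
    progs = json.loads(progs_json)
    maps = json.loads(maps_json)
    by_id = {m["id"]: m for m in maps}
    findings = []
    for mid, names in sorted(map_users(progs, maps).items()):
        m = by_id.get(mid)
        if m is None:
            findings.append((mid, "program references a map that is not listed"))
            continue
        if not names:
            findings.append((mid, "map has no loaded program attached"))
        if len(names) > 1:
            # One map written by several programs: a second controller could tamper here.
            findings.append((mid, "map shared by programs: " + ", ".join(names)))
        if m.get("pinned"):
            findings.append((mid, "map is pinned at " + ", ".join(m["pinned"])))
    return findings


if __name__ == "__main__":
    for map_id, note in audit(PROGS_JSON, MAPS_JSON):
        print(f"map {map_id}: {note}")
```

On a real host, feed it `bpftool prog show -j` and `bpftool map show -j` and compare the findings against the maps your own security tooling is expected to own.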