eBPF (extended Berkeley Packet Filter) is a powerful and mysterious technology in the Linux kernel. As its name suggests, it was originally created for network packet filtering. However, it evolved into a more general-purpose mechanism to observe and manipulate kernel behavior. What could go wrong?
This is not a talk about eBPF being flawed or vulnerable, because it is neither. It is, however, a powerful technology, and threat actors have recognized that too.
In this presentation, we will first understand how eBPF works, then look at its different use cases and how threat actors abuse them, and finally look at what defenders can do to keep eBPF usage under control.
This presentation is intended for a technical audience: incident responders, malware analysts, SOC analysts, and anybody else who may encounter Linux malware using eBPF or who is responsible for the security of Linux systems.