A Compendium of Exploits and Bypasses for eBPF-based Cloud Security

SANS Offensive Operations
eBPF-based security solutions are taking the cloud by storm. Many vendors have shifted from traditional kernel-module-based agents to eBPF agents to provide runtime security for Linux workloads in the cloud. This talk begins with a basic introduction to eBPF and runtime cloud security. It then discusses inherent weaknesses in eBPF-based security solutions and presents several techniques, such as resource consumption attacks, memory map attacks, eBPF verifier vulnerabilities, time-of-check-to-time-of-use (TOCTOU) exploits, and agent tampering, all of which may be used to bypass defenses that rely on eBPF. Possible mitigations for these techniques are also discussed. Example C++ code or Bash scripts for the techniques are provided so audience members may experiment on their own. All code examples are open source and available for download. This talk is technical, and attendees should come with a basic knowledge of the Linux operating system.

SANS HackFest Summit 2023
A Compendium of Exploits and Bypasses for eBPF-based Cloud Security
Austin Gadient, Chief Technology Officer, Vali Cyber

View upcoming Summits: http://www.sans.org/u/DuS
Published 8 months ago, on 1402/09/24.
495 views