Using eBPF for Malware Analysis

Organizations and individuals are increasingly aware of the financial and personal risks posed by malware. In order to protect ourselves against these threats, malware analysis is used to understand the nature and behavior of malware. One way to do this is by using dynamic malware analysis, where a malware sample is monitored while it executes. New types of malware are created every day, and researchers need capable tools in order to analyze them effectively and quickly.

An exciting, relatively new feature of the Linux kernel is eBPF. eBPF lets users attach programs at run-time to many places in the kernel, such as internal kernel functions (via kprobes) or system calls (via tracepoints). When kernel execution reaches one of these hooks, the attached eBPF program runs and can inspect the execution context at that point, for example the arguments of a system call and the identity of the calling process. This is called tracing, and it allows users to monitor events that happen in the system. Before an eBPF program is loaded, the in-kernel verifier checks it and rejects programs with unbounded loops, out-of-bounds memory accesses or other unsafe behaviour; the program then runs in a sandboxed environment. This makes eBPF tracing far less likely to crash or corrupt the system than an equivalent kernel module. In this research project, we investigate the effectiveness of eBPF for the analysis of malware targeting Linux systems. We reviewed scientific surveys of the typical behaviour of Linux malware, grouped that behaviour into categories, and selected several behaviours from each category. We then emulated each selected behaviour in a stand-alone program. Finally, we created a suite of eBPF programs that aims to detect and correctly classify the behaviour of each of these emulated malware samples.
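To make the tracing-and-classification idea concrete, here is an added example of the user-space half of such a suite. It is not code from the project described on this page. It assumes a kernel-side eBPF program attached to the `syscalls:sys_enter_*` tracepoints (for example via bpftrace or libbpf) that pushes one record per system call into a ring buffer; the Python below replays a constructed stream of such records and maps each process to behaviour labels. The event schema, the four labels (reverse shell, persistence, anti-debugging, process injection), the list of persistence paths and the sample events are all assumptions chosen for illustration, not the categories or emulated behaviours selected in the study.

```python
"""User-space classifier for syscall events emitted by eBPF tracepoints.

Assumed setup (not from the original page): an eBPF program on the
syscalls:sys_enter_* tracepoints records (pid, comm, syscall, args) and a
loader hands those records to classify(). Everything below is illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Request codes from <sys/ptrace.h> on Linux.
PTRACE_TRACEME = 0
PTRACE_POKETEXT = 4
PTRACE_ATTACH = 16
# Open flags from <fcntl.h> on x86_64.
O_WRONLY = 0o1
O_RDWR = 0o2
O_CREAT = 0o100

# Assumed list of locations whose modification commonly indicates persistence.
PERSISTENCE_PREFIXES = ("/etc/cron.d/", "/etc/crontab", "/etc/rc.local",
                        "/etc/systemd/system/", "/etc/ld.so.preload")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh")


@dataclass(frozen=True)
class Event:
    pid: int        # tgid of the caller, as bpf_get_current_pid_tgid() >> 32
    comm: str       # task comm as read by the eBPF program
    syscall: str    # tracepoint name without the sys_enter_ prefix
    args: tuple     # raw syscall arguments captured at entry


@dataclass
class ProcState:
    net_fds: set = field(default_factory=set)          # fds passed to connect()
    stdio_from_net: set = field(default_factory=set)   # 0/1/2 that alias a socket
    labels: set = field(default_factory=set)


def _opened_for_write(flags):
    return bool(flags & (O_WRONLY | O_RDWR))


def classify(events):
    """Return {pid: sorted behaviour labels} for every pid that matched a rule."""
    state = defaultdict(ProcState)
    for ev in events:
        st = state[ev.pid]
        if ev.syscall == "connect":
            # connect(fd, addr, addrlen): remember which fd is a network socket.
            st.net_fds.add(ev.args[0])
        elif ev.syscall in ("dup2", "dup3"):
            old_fd, new_fd = ev.args[0], ev.args[1]
            if old_fd in st.net_fds and new_fd in (0, 1, 2):
                st.stdio_from_net.add(new_fd)
        elif ev.syscall == "execve":
            # A shell whose stdin and stdout are a socket is a reverse shell.
            if ev.args[0] in SHELLS and st.stdio_from_net >= {0, 1}:
                st.labels.add("reverse_shell")
        elif ev.syscall == "openat":
            # openat(dirfd, path, flags, mode)
            path, flags = ev.args[1], ev.args[2]
            if _opened_for_write(flags) and path.startswith(PERSISTENCE_PREFIXES):
                st.labels.add("persistence")
        elif ev.syscall == "ptrace":
            request, target = ev.args[0], ev.args[1]
            if request == PTRACE_TRACEME:
                st.labels.add("anti_debugging")
            elif request in (PTRACE_ATTACH, PTRACE_POKETEXT) and target != ev.pid:
                st.labels.add("process_injection")
    return {pid: sorted(st.labels) for pid, st in state.items() if st.labels}


# Constructed sample stream, shaped like what the assumed eBPF loader would emit.
SAMPLE_EVENTS = [
    # pid 4242: reverse shell, connect then dup2 the socket over stdio, then exec sh
    Event(4242, "rev", "socket", (2, 1, 0)),
    Event(4242, "rev", "connect", (3, "203.0.113.5:4444", 16)),
    Event(4242, "rev", "dup2", (3, 0)),
    Event(4242, "rev", "dup2", (3, 1)),
    Event(4242, "rev", "dup2", (3, 2)),
    Event(4242, "rev", "execve", ("/bin/sh", ("sh", "-i"), ())),
    # pid 4300: anti-debugging via PTRACE_TRACEME, then a cron job for persistence
    Event(4300, "dropper", "ptrace", (PTRACE_TRACEME, 0, 0, 0)),
    Event(4300, "dropper", "openat", (-100, "/etc/cron.d/update", O_WRONLY | O_CREAT, 0o644)),
    # pid 4400: benign editor; writes under /tmp and only reads /etc/crontab
    Event(4400, "vim", "openat", (-100, "/tmp/notes.txt", O_WRONLY | O_CREAT, 0o644)),
    Event(4400, "vim", "openat", (-100, "/etc/crontab", 0, 0)),
    # pid 4500: attaches to another process
    Event(4500, "inj", "ptrace", (PTRACE_ATTACH, 4400, 0, 0)),
]

if __name__ == "__main__":
    for pid, labels in classify(SAMPLE_EVENTS).items():
        print(pid, labels)
```

The rules are deliberately stateful: a single `connect()` or `execve("/bin/sh")` is benign on its own, and only the sequence connect, dup2 onto stdio, exec shell is labelled. That correlation has to happen in user space (or in eBPF maps keyed by pid) because each tracepoint fires in isolation; it is also why the benign editor in the sample, which opens `/etc/crontab` read-only, receives no label.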

To evaluate this eBPF program suite, we created a framework that executes the emulated malware programs while the eBPF programs are hooked into the system. Our evaluation shows that the suite correctly classifies the behaviour of every emulated sample. We note, however, that the emulated programs were written by the same team that wrote the detectors, so the suite and framework should be applied to real-world malware to verify that our methods generalise beyond these emulations.
