Back to overview

Download research

* required

By downloading you indicate that you have taken note of our privacy Statement.

eBPF Forensic Tools

The extended Berkeley Packet Filter (eBPF) is a recently developed technology that makes it easy to run sandboxed programs in kernel mode without modifying the kernel itself. Although this new technology has many advantages, it is also exploitable for malicious adversaries. It is of great importance for security reasons to be able to detect attacks that make use of eBPF. The forensic tool Volatility can be used to detect malicious use of eBPF by attackers in memory dumps. However, not enough evaluation of this tool was performed to show that it is able to detect all possible attacks that make use of eBPF. Case and Richard III  conducted research where the goal was to detect system calls of eBPF programs using Volatility. This research extended their work by evaluating how well Volatility could detect a refined attack that exploited eBPF.

If it was determined that Volatility could not detect the attack properly, the goal was to develop a plugin for Volatility that could detect it. Furthermore, as there are other forensic tools that may be suitable for detecting eBPF attacks, this research also aimed to evaluate another tool, such as the Crash utility by Red Hat, and compare it with Volatility.

EBPF Attacks Detection

The main problem addressed in this research was that, since eBPF is a relatively new tool, little research had been done regarding how well the forensic tool Volatility could detect attacks that make use of eBPF. As eBPF allows users to run code directly in the kernel, it can be exploited by adversaries, which is a serious issue because adversaries can then gain direct access to all the resources on the victim’s system. For this reason, it was important to ensure that attacks using eBPF could be properly detected with memory dump inspection tools like Volatility.

The research focused on evaluating Volatility’s ability to detect an attack that exploits eBPF. If Volatility could not properly detect the attack, the objective was to address this issue by extending the Volatility plugin set. Additionally, the research aimed to compare Volatility with another forensic tool, such as Red Hat Crash, to provide a broader view of the strengths and weaknesses of these tools in the context of eBPF attacks. The study attempted to detect an existing attack that misused eBPF using Volatility and evaluated how well the tool could detect it. Based on the findings, areas for improvement were identified. Moreover, the research contributed to improving the detection of eBPF exploits and enhancing the overall security of systems using forensic tools.

Stay up to date
By signing up for our newsletter you indicate that you have taken note of our privacy statement.
Table of contents
Reinier Goeman

Let's talk!

reinier.goeman@sue.nl +31 345 656 666

* required

By sending this form you indicate that you have taken note of our privacy Statement.

Related resources

Investigating Open Source Transformer Techniques for Question Answering Systems on Cloud Domain

*Collaboration with Utrecht University* | In recent times, there has been considerable interest in Question Answering (QA) systems, making them a prominent area of study in Natural Language Processing (NLP).

Published

08.08.2024

Creating, Detecting and Preventing Malicious Ansible Packages

*Collaboration with the University of Amsterdam* | Infrastructure as Code (IaC) uses DevOps methodology and versioning with a descriptive model to define and deploy infrastructure, such as networks, virtual machines, load balancers, and connection topologies.

Published

15.12.2024

Remediating Rogue Resources in an Infrastructure as Code Multi-Cloud Environment

*Collaboration with the University of Amsterdam* | In this research project we have focused on the detection and remediation of resources outside of a certain “state” that affect resources inside the “state,” which we define as “rogue resources.” We define “state” as “the collection of IaC-managed resources.” Rogue resources can introduce several problems for the defined state.

Published

30.01.2023

Privacy Overview
This website uses cookies. We use cookies to ensure the proper functioning of our website and services, to analyze how visitors interact with us, and to improve our products and marketing strategies. For more information, please consult our privacy- en cookiebeleid.