eBPF Forensic Tools
The extended Berkeley Packet Filter (eBPF) is a relatively recent Linux kernel technology that makes it possible to run sandboxed programs in kernel context without modifying the kernel itself. Although it has many legitimate uses, it can also be abused by adversaries, since a malicious eBPF program runs with kernel-level visibility of the system. Being able to detect attacks that make use of eBPF is therefore important for security. The memory forensics framework Volatility can be used to detect malicious use of eBPF in memory dumps. However, the tool had not been evaluated sufficiently to show that it can detect all possible attacks that make use of eBPF. Case and Richard III conducted research aimed at detecting the system calls of eBPF programs using Volatility. This research extended their work by evaluating how well Volatility could detect a refined attack that exploited eBPF.
If it was determined that Volatility could not detect the attack properly, the goal was to develop a plugin for Volatility that could detect it. Furthermore, as other forensic tools may also be suitable for detecting eBPF attacks, this research also aimed to evaluate another tool, such as the Crash utility by Red Hat, and compare it with Volatility.
eBPF Attack Detection
The main problem addressed in this research was that, since eBPF is a relatively new technology, little research had been done on how well the forensic tool Volatility can detect attacks that make use of eBPF. Because eBPF allows users to run code directly in the kernel, it can be abused by adversaries, which is a serious issue because a malicious eBPF program executes in kernel context and can observe or manipulate the victim's system at that level. For this reason, it was important to ensure that attacks using eBPF could be properly detected with memory dump inspection tools like Volatility.
The research focused on evaluating Volatility's ability to detect an attack that exploits eBPF. If Volatility could not properly detect the attack, the objective was to address this by extending Volatility's plugin set. Additionally, the research aimed to compare Volatility with another forensic tool, such as Red Hat Crash, to give a broader view of the strengths and weaknesses of these tools in the context of eBPF attacks. The study attempted to detect an existing attack that misused eBPF with Volatility and evaluated how well the tool detected it. Based on the findings, areas for improvement were identified. In this way, the research contributed to improving the detection of eBPF misuse and to the overall security of systems analysed with forensic tools.