Leveraging eBPF to Build Effective High-Interaction Honeypots
Individuals and businesses rely heavily on interconnected information systems (the Internet). This reliance carries risk: a large share of individuals and organizations are affected by cyberattacks every year. Securing an information system depends to a great extent on understanding existing and emerging threats, which in turn requires collecting information about malicious activity. Honeypots are tools built to collect such information: they are intentionally exposed to compromise and log the attacker's actions, providing insight into attackers' behaviour and motives. The strength of honeypots lies in their ability to capture not only known attacks but also previously unknown (zero-day) attacks, because they record what the attacker actually does on the system rather than matching traffic against signatures.
There are different types of honeypots, ranging from low-interaction honeypots that emulate only a limited set of services to high-interaction honeypots that expose a complete system to the attacker. This research focused on high-interaction honeypots. One way to build them is to use an entire system as the honeypot and to monitor the attacker's activity after the compromise from inside the system's kernel. In the past, loadable kernel modules were commonly used for this. More recently, eBPF (extended Berkeley Packet Filter) has emerged as a way to extend the Linux kernel's capabilities without writing a kernel module.
Building effective high-interaction honeypots
eBPF enables sandboxed programs to run in the privileged context of the kernel: programs are attached to hooks such as tracepoints, kprobes and system-call entry points, and every program is checked by the in-kernel verifier (bounded execution, checked memory accesses) before it is loaded. That verification reduces the risk of kernel corruption compared to traditional kernel modules, and the programs are not directly tied to a specific kernel version, although in practice portability across kernel versions relies on BTF and CO-RE (compile once, run everywhere) rather than coming for free. This research focused on using eBPF to build effective high-interaction honeypots and used a gray literature analysis to explore eBPF's capabilities for system observability, honeypot concealment and secure log retrieval. The analysis included open-source eBPF projects such as intrusion detection and malware analysis tools, because these contain techniques that carry over to honeypots.
Additionally, a proof-of-concept eBPF honeypot was built to demonstrate the practical applicability of the techniques identified in the literature analysis. Because of practical constraints it was not feasible to test every technique, so the proof of concept implemented a single method for system observation, one technique for hiding the honeypot and one approach for log retrieval.
To answer the final sub-question, detection methods used against kernel-module-based honeypots, specifically the Honeynet Project's Sebek, were run against the proof-of-concept honeypot to determine whether eBPF inherently mitigates these detection techniques.
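As an added illustration of the observability side of what is described above (this is not the thesis's proof-of-concept code), the following bpftrace script attaches small eBPF programs to the execve and openat system-call tracepoints and logs what an attacker does after a compromise. It assumes a Linux kernel with syscall tracepoints and BTF (CONFIG_DEBUG_INFO_BTF) and a recent bpftrace (strftime needs 0.11 or later); the file name honeypot-observe.bt is arbitrary.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example, not from the thesis or its proof-of-concept honeypot:
 * a minimal eBPF observer of the kind a high-interaction honeypot runs.
 * Assumes syscall tracepoints, BTF (for curtask->real_parent) and
 * bpftrace >= 0.11. Run as root: bpftrace honeypot-observe.bt
 * Each block below is compiled to an eBPF program, checked by the
 * kernel verifier and attached to its tracepoint.
 */

BEGIN
{
    printf("observing execve/openat, Ctrl-C to stop\n");
}

/* Every program the attacker launches: shells, tools, droppers.
 * ppid lets the process tree be rebuilt from the log afterwards. */
tracepoint:syscalls:sys_enter_execve
{
    printf("%s EXEC pid=%d ppid=%d uid=%d comm=%s file=%s\n",
           strftime("%H:%M:%S", nsecs), pid, curtask->real_parent->tgid,
           uid, comm, str(args->filename));
}

/* Files the attacker opens; the observer's own opens are filtered out
 * by the predicate so the log is not flooded by bpftrace itself. */
tracepoint:syscalls:sys_enter_openat
/comm != "bpftrace"/
{
    printf("%s OPEN pid=%d uid=%d comm=%s path=%s flags=0x%x\n",
           strftime("%H:%M:%S", nsecs), pid, uid, comm,
           str(args->filename), args->flags);
}

/* Summary on exit: which binaries ran, and how often. */
END
{
    print(@exec_count);
    clear(@exec_count);
}

tracepoint:syscalls:sys_enter_execve
{
    @exec_count[str(args->filename)] = count();
}
```

Note that this covers only the observation half of the design: the bpftrace process is visible in `ps`, its programs show up in `bpftool prog list`, and the output goes to the local terminal. A honeypot additionally has to hide the observer from the attacker and ship the log off the compromised host, which are the concealment and secure-log-retrieval concerns the literature analysis addressed separately.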