Utilising eBPF for Malware Analysis
Organisations and individuals are increasingly aware of the financial and personal risk that malware poses. To protect against these threats, malware analysis is used to understand the nature and behaviour of malware. One way to do this is dynamic malware analysis, where a malware sample is monitored while it executes. New types of malware appear every day, and researchers need capable tools to analyse them effectively and quickly.
An exciting, relatively new feature of the Linux kernel is eBPF. eBPF allows users to hook programs to many places in the Linux kernel at run-time, such as internal kernel functions or system calls. When kernel execution hits one of these hooks, the eBPF program is run and can inspect the execution context of the kernel at that point. This is called tracing, and it allows users to monitor events that happen in the system. eBPF programs are executed in a sandboxed environment and are subjected to strict safety checks, which makes them far more reliable than kernel modules. In this research project, we investigate the effectiveness of eBPF for the analysis of malware targeting Linux systems. We looked at scientific surveys detailing the typical behaviour of Linux malware and selected several behaviours from each behaviour category those surveys describe. We then emulated each of these selected behaviours in a stand-alone program. Finally, we created a suite of eBPF programs that aims to detect and correctly classify the behaviour of each of these emulated malware samples.
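The tracing workflow described above, as an added illustration that is not part of this project's eBPF suite: a bpftrace script that hooks three syscall tracepoints, inspects the call arguments at each hook, and tallies hits per behaviour category for one monitored process. The process name passed as `$1`, the three category labels and the choice of syscalls are assumptions made for this example.

```bpftrace
#!/usr/bin/env bpftrace
// Usage (root required): bpftrace trace.bt <comm-of-sample>
// Each block below is attached to a tracepoint; the /.../ predicate restricts
// it to the process whose command name equals the first positional parameter.

BEGIN
{
    printf("tracing syscalls of processes named \"%s\"\n", str($1));
}

// Process execution: the kernel exposes the path being executed as args->filename.
tracepoint:syscalls:sys_enter_execve
/comm == str($1)/
{
    printf("[exec] pid=%d file=%s\n", pid, str(args->filename));
    @events["process_execution"]++;
}

// Network activity: a connect() on any socket. The socket fd is the only
// argument read here; the destination is a struct sockaddr not decoded in this example.
tracepoint:syscalls:sys_enter_connect
/comm == str($1)/
{
    printf("[net]  pid=%d connect() on fd=%d\n", pid, args->fd);
    @events["network_connection"]++;
}

// File modification: openat() with O_WRONLY (1) or O_RDWR (2) set in the flags.
tracepoint:syscalls:sys_enter_openat
/comm == str($1) && (args->flags & 3) != 0/
{
    printf("[file] pid=%d opens %s for writing\n", pid, str(args->filename));
    @events["file_write"]++;
}

// Runs when bpftrace exits (Ctrl-C): print the per-category counts once.
END
{
    printf("\nbehaviour summary for \"%s\":\n", str($1));
    print(@events);
    clear(@events);
}
```

Because the predicate matches on `comm`, a sample that calls execve() on a differently named binary, or that forks children with other names, drops out of the trace; a fuller tracer would track the PID tree via sched_process_fork instead.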
To evaluate this eBPF program suite, we created a framework that executes the emulated malware programs while the eBPF programs are hooked into the system. Our evaluation shows that our suite of eBPF programs is able to correctly classify each of the emulated malware behaviours. We do note, however, that our eBPF suite and framework should be applied to real-life malware in order to verify our methods.