eBPF ELFs JMPing Through the Windows

Presented at Black Hat USA 2022, Aug. 11, 2022, 1:30 p.m. (40 minutes).

eBPF tracing is a hot new technology in the EDR and infrastructure space which provides high speed instrumentation and telemetry on events, processes, and network connections. eBPF is natively supported in the Linux kernel and is used in endpoint security products such as Carbon Black and Windows Defender for Linux. Last year, Microsoft released a completely new implementation of an eBPF tracing system for Windows which is destined to become a primary telemetry provider in the near future. eBPF for Windows has a complex architecture that leverages program analysis to verify unsigned user code via abstract interpretation before running it in a kernel context — integrity of the software is paramount. This research will be the first public work to analyze and discover security vulnerabilities in the new eBPF for Windows implementation.

Our presentation will discuss the capabilities and security model of eBPF for Windows, followed by details of the design and attack surface which will include the eBPF API, the trusted static verifier and JIT engine, and the kernel implementation of trace hooks and telemetry providers. During our deep dive into the implementation details, we will uncover vulnerabilities at multiple layers and discuss how they were found with demos of fuzzing Windows eBPF components and real-time bug discovery. We will conclude with a discussion about exploitation of memory corruption in the eBPF implementation on Windows which comes with its own challenges as a Windows Protected Process.

Join us on this journey as we examine this emerging technology on Windows and the security implications of the new attack surface.


Presenters:

  • Richard Johnson - Senior Principal Security Researcher, Trellix Threat Labs
    Richard Johnson is a computer security specialist with a focus on software vulnerability analysis. Currently Senior Principal Security Researcher at Trellix and Chief Research Officer of Fuzzing IO, Richard offers over 20 years of professional expertise and leadership in the information security industry. Current responsibilities include zeroday vulnerability research and development of advanced fuzzing and automated reverse engineering solutions. Prior to Trellix, he led the security research efforts and built bug hunting teams for Oracle Cloud and Cisco Talos. Richard has delivered training and presented annually at top-tier industry conferences worldwide for over 15 years and has been a speaker and trainer at several leading events including Black Hat, Defcon, Hack in the Box, RECON, and OffensiveCon. Richard was co-founder of the Uninformed Journal and has been on program committees for USENIX WOOT, RECON, and Toorcon.

Links:

Similar Presentations: