eBPF tracing is a hot new technology in the EDR and infrastructure space which provides high speed instrumentation and telemetry on events, processes, and network connections. eBPF is natively supported in the Linux kernel and is used in endpoint security products such as Carbon Black and Windows Defender for Linux. Last year, Microsoft released a completely new implementation of an eBPF tracing system for Windows which is destined to become a primary telemetry provider in the near future. eBPF for Windows has a complex architecture that leverages program analysis to verify unsigned user code via abstract interpretation before running it in a kernel context — integrity of the software is paramount. This research will be the first public work to analyze and discover security vulnerabilities in the new eBPF for Windows implementation.
Our presentation will discuss the capabilities and security model of eBPF for Windows, followed by details of the design and attack surface which will include the eBPF API, the trusted static verifier and JIT engine, and the kernel implementation of trace hooks and telemetry providers. During our deep dive into the implementation details, we will uncover vulnerabilities at multiple layers and discuss how they were found with demos of fuzzing Windows eBPF components and real-time bug discovery. We will conclude with a discussion about exploitation of memory corruption in the eBPF implementation on Windows which comes with its own challenges as a Windows Protected Process.
Join us on this journey as we examine this emerging technology on Windows and the security implications of the new attack surface.