Presented at DEF CON 33 (2025), Aug. 10, 2025, 10:30 a.m. (45 minutes).
Extended Berkeley Packet Filter (eBPF) has revolutionized Linux kernel programmability, but its complex verification and JIT compilation mechanisms present a significant attack surface. This talk provides a technical deep-dive into discovering and exploiting vulnerabilities in the eBPF subsystem, with three key contributions:
1. State-aware fuzzing methodologies designed specifically for eBPF, focusing on verifier state tracking bugs, JIT compiler flaws, and helper function validation bypasses. These techniques go beyond traditional fuzzing by incorporating knowledge of the verifier's internal state machine.
2. A systematic approach to weaponizing verifier bypasses into practical kernel exploits, including converting bounds calculation errors into arbitrary read/write primitives, bypassing KASLR via targeted information leaks, and achieving privilege escalation through carefully constructed memory corruption.
3. An analysis of the security architecture of eBPF, with concrete recommendations for hardening the subsystem against these attacks, including improvements to the verifier's state tracking, JIT compiler security, and runtime validation.
Presenters:
Agostino "Van1sh" Panico
Dr. Agostino "van1sh" Panico is a seasoned offensive security expert with over 15 years of experience specializing in advanced red teaming, exploit development, product security testing, and deception tactics. He is one of the few hundred globally to hold the prestigious GSE (GIAC Security Expert) certification. Driven by a passion for uncovering vulnerabilities, Agostino actively contributes to the security community as an organizer for BSides Italy, fostering collaboration and innovation.