Presented at CanSecWest 2022, May 20, 2022, 11:30 a.m. (60 minutes).
Currently a work in progress that will be extended for the final version, this submission aims at demystifying the eBPF technology for the security community. While eBPF is now well known in cloud environments (for process visibility and programmable network flows, for example), it has seen little experimentation as a building block of security-focused tools.
The purpose of this proposal is to give a step-by-step introduction to eBPF by providing working examples of four different eBPF programs and tools:
* Identify the network traffic of a specific process
* Detect processes doing TLS traffic
* Dump TLS sessions from a process's memory
* Intercept a process's traffic transparently
Ultimately, this collection of programs could be used to develop a tool that seamlessly intercepts a process's TLS traffic and modifies it.
Presenters:
- Guillaume Valadon / guedou - Quarkslab
Guillaume Valadon is the Director of Security Research at Quarkslab and holds a PhD in networking. He likes looking at data and crafting packets. In his spare time, he co-maintains Scapy and learns reversing embedded devices. Also, he still remembers what AT+MS=V34 means! Guillaume regularly gives technical presentations, classes and live demonstrations, and writes research papers for conferences and magazines.