Extra Better Program Finagling (eBPF) for Attack and Defense

Presented at ToorCamp 2022, July 14, 2022, 2 p.m. (50 minutes).

Program instrumentation and tracing is a key component of any offensive persistence framework or defensive endpoint detection and response (EDR) technology. This talk will focus on the latest tracing infrastructure known as Extended Berkeley Packet Filters (eBPF) which is currently supported on Linux and is coming to Windows as well. eBPF is complex with several front end languages and backend hooking engines. This talk will explain how eBPF works, what it takes to write eBPF based hooks, and demonstrate two simple tools for verfiying or infecting ELF binaries on the fly. Program instrumentation and tracing is a key component of any offensive persistence framework or defensive endpoint detection and response (EDR) technology. Desktop and Server platforms have included various tracing tools and APIs over the years from strace and truss to DTrace and SystemTap. This talk will focus on the latest tracing infrastructure known as Extended Berkeley Packet Filters (eBPF) which is currently supported on Linux and is coming to Windows as well. eBPF has the ability to trace arbitrary kernel and userland binaries and includes a program verifier for the attached hook functions implemented by the user. As the tracing technologies are merging into a unified API layer, we see adoption happening for both the offensive and defensive tooling. eBPF is complex with several front end languages and backend hooking engines. This talk will explain how eBPF works, what it takes to write eBPF based hooks, and demonstrate two simple tools for verfiying or infecting ELF binaries on the fly. Some of the topics we will cover: - What workflows allow rapid development of eBPF programs - How to use eBPF to verify privileged processes and build your own telemetry - How to use eBPF to stealthily infect ELF binaries from kernel - Why you should never load eBPF with Python w/ demo against real EDR - The future of eBPF

Presenters:

  • Richard Johnson
    Richard Johnson is a computer security specialist with a focus on software vulnerability analysis. Currently Senior Principal Security Researcher at Trellix and Chief Research Officer of Fuzzing IO, Richard offers over 20 years of professional expertise and leadership in the information security industry. Current responsibilities include zeroday vulnerability research and development of advanced fuzzing and automated reverse engineering solutions. Prior to Trellix, he built security research and bug hunting teams for Oracle Cloud and Cisco Talos. Richard has delivered training and presented annually at top-tier industry conferences for over 15 years at several leading events including Black Hat, Defcon, Hack in the Box, RECON, and OffensiveCon. Richard was co-founder of the Uninformed Journal and has been on program committees for USENIX WOOT, RECON, and Toorcon.

Links:

Similar Presentations: