Alessia Messina
Analysis and Testing of eBPF Attack Surfaces.
Advisor: Riccardo Sisto. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2024
PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives. Download (10MB)
Abstract:
eBPF (Extended Berkeley Packet Filter) is a powerful technology that allows programs to be executed directly in the Linux kernel within a sandbox, that is, in a constrained and isolated environment. This capability matters because it lets developers extend kernel functionality by dynamically inserting custom code, avoiding the lengthy process of modifying the kernel source or adding new modules and then recompiling. Unlike its predecessor, classic BPF, eBPF programs offer great flexibility because they can be attached at many different points in the kernel, called hook points. This enables new high-performance networking, observability and security tools. However, the broad and promising potential of this fast-growing technology makes it imperative to investigate its security properly and thoroughly, all the more so because code that operates directly at kernel level can cause major damage to the system if it is abused. The study conducted in this thesis explores in detail the state of the art of eBPF security and the offensive capabilities of the technology. The thesis also focuses on different use cases, such as programs dedicated to network operations (XDP and TC) as well as probing and tracing programs. A comprehensive overview of the potential attack surfaces is provided, enriched by an analysis of the causes and risks behind eBPF-related CVEs and a study of existing attack techniques and rootkits. The thesis concludes with the results of the tests conducted during the experimental phase, in which the rootkits and other attack techniques were reproduced within a controlled environment.
Advisors: Riccardo Sisto
Academic year: 2024/25
Publication type: Electronic
Number of pages: 130
Subjects: (none listed)
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA
Partner organisations: Politecnico di Torino
URI: http://webthesis.biblio.polito.it/id/eprint/33909