Vincenzo Costanzo
Detection and Mitigation of eBPF Security Risks in the Linux Kernel.
Supervisor: Riccardo Sisto. Politecnico di Torino, Master's degree programme in Cybersecurity, 2025
PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives. Download (12MB)
Abstract:

The continuous adoption of cloud-native architectures and the widespread use of containerization have increased the demand for powerful, low-overhead observability and monitoring tools. eBPF (extended Berkeley Packet Filter) has emerged as a cornerstone technology in this domain, enabling the dynamic injection of user-defined programs into the Linux kernel to implement high-performance networking, tracing and security functionalities. However, executing code at kernel level inherently carries significant security risks and enlarges the system's attack surface: verifier bugs, misused helper functions, map tampering, and interactions with pre-existing kernel vulnerabilities are among the threats that may lead to privilege escalation, denial of service, and container escapes. This thesis investigates the security implications of eBPF with the goal of analyzing critical vulnerabilities and developing systematic hardening strategies. The first part provides a compact but comprehensive background, including eBPF technology and its primitives, the Linux security architecture (capabilities and the LSM framework), and an overview of monitoring and hardening tools such as Tetragon and LKRG (Linux Kernel Runtime Guard). Building on this foundation, the core of the work presents two in-depth case studies of high-impact vulnerabilities, examining their root causes, exploitation techniques, and reproducibility in a controlled environment, followed by the design of practical mitigation strategies. Proposed countermeasures include kernel and configuration recommendations, runtime detection policies for Tetragon, integration with LKRG, and the development of custom LSM BPF programs to enforce security policies directly within the kernel. Each mitigation approach is evaluated in terms of security effectiveness, operational practicality, and limitations.

The research concludes by outlining practical recommendations for reducing the attack surface of eBPF-enabled systems and proposes a general framework for strengthening defenses against future vulnerabilities, based on common exploitation patterns identified in the case studies.

| Field | Value |
|---|---|
| Supervisors: | Riccardo Sisto |
| Academic year: | 2025/26 |
| Publication type: | Electronic |
| Number of pages: | 117 |
| Subjects: | |
| Degree programme: | Master's degree programme in Cybersecurity |
| Degree class: | New system > Master's degree > LM-32 - COMPUTER ENGINEERING |
| Partner companies: | NOT SPECIFIED |
| URI: | http://webthesis.biblio.polito.it/id/eprint/37926 |
Creative Commons License - Attribution 3.0 Italy