Post AbeCSsjunuQxVrEIKW by DarcMoughty@infosec.exchange
(DIR) Post #AbdnVfradVQbao3Pmq by mttaggart@infosec.town
2023-11-09T20:19:00.440Z
0 likes, 0 repeats
After a couple weeks of living in #eBPF code after the sun went down, here's kind of where I'm at:
1. I still think this technology is amazing.
2. Hoo boy is the #Rust implementation not ready to come out of the oven.
3. It's a shame it's at the mercy of the Linux kernel.
4. Better tooling could make this explode.
5. It's also a shame that the main pusher of this tech is so tied to Kubernetes, because I feel like the association does eBPF a disservice.
6. What Sysmon for Linux does with it is just scratching the surface.
(DIR) Post #AbeCSsjunuQxVrEIKW by DarcMoughty@infosec.exchange
2023-11-09T22:55:07Z
1 likes, 0 repeats
@mttaggart I've long wondered if eBPF had potential to replace a lot of driver and subsystem code. I know that's not the current intent, but it seems like it might offer a path towards microkernel-like flexibility (but not microkernel-like security or separation).

Heck, I wonder if it could even be an 'egg' for actual microkernel stuff. Like, if you can program a driver in it, and you have known interfaces, couldn't those interfaces be brokered out of the kernel and to a 'server' that handled them in userspace?

I'm not at all an expert in such things, but I think eBPF is potentially the good kind of slippery slope; the kind where Mesa might ship eBPF components that encroach on or replace kernel-side components and decouple a whole lot of things.
(DIR) Post #AbeCV2uVxYX5dXDeSG by Hemera@meow.social
2023-11-09T22:26:22Z
1 likes, 0 repeats
@mttaggart Now I'm interested! What kind of things do you find amazing about it?

What kind of tooling is missing?
(DIR) Post #AbeCqTJaz1fZbtAQvA by mttaggart@infosec.town
2023-11-10T01:02:51.019Z
0 likes, 0 repeats
@Hemera@meow.social There's an entire virtual machine running in the Linux kernel that allows you to write hooks into almost any conceivable event—including networking events, some of which are processed directly on the NIC!

As a security person, this is absolutely the missing link when it comes to Linux endpoint security and observability. Our guardian process (like an endpoint protection agent) can use eBPF probes to watch for and detect/prevent malicious activity in ways not previously possible.

And of course, the bad guys already know about this power. The BPFDoor malware was able to hijack existing network connections to hide itself and slip command-and-control traffic alongside legitimate traffic in very stealthy ways. So we might as well use the same technology to defend the endpoint.
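The "guardian process" in the post above has two halves: eBPF probes in the kernel that see the raw events, and a userspace consumer that turns them into decisions. The following is an added example of that userspace half, written for this thread and not taken from the posts or from any endpoint product. It assumes an eBPF program (not shown) on the socket/setsockopt tracepoints that forwards one record per call through a ring buffer and joins the sys_enter/sys_exit pair so each record carries the returned file descriptor; the event list is constructed to look like what such a consumer would decode. The pattern it flags is the publicly documented BPFDoor behaviour: a classic BPF filter attached to a raw AF_PACKET socket, which lets an implant watch traffic without listening on any port.

```python
"""Userspace half of an eBPF "guardian": correlate kernel socket events into
an alert for a BPFDoor-style packet-sniffing implant.

Added example for this thread; not from the posts or from any EDR product.
Assumed (not shown): an eBPF program on the socket/setsockopt tracepoints
that forwards one record per call through a ring buffer, joining the
sys_enter/sys_exit pair so the record carries the returned fd. SAMPLE_EVENTS
below is constructed to look like what that consumer would decode.
"""
from collections import defaultdict
from dataclasses import dataclass

# Capture tools and DHCP clients use AF_PACKET + SO_ATTACH_FILTER legitimately.
# comm is chosen by the process itself, so in production key the allowlist on
# executable path or hash instead of name; names are used here for readability.
ALLOWLIST = {"tcpdump", "dhclient", "dhcpcd", "wpa_supplicant"}
WINDOW_NS = 5_000_000_000   # the filter must follow the socket() within 5 s


@dataclass
class ProcState:
    raw_fds: dict          # fd -> creation timestamp of AF_PACKET/SOCK_RAW sockets
    alerted: bool = False  # one alert per process is enough for the analyst


@dataclass(frozen=True)
class Alert:
    pid: int
    comm: str
    fd: int
    gap_ns: int            # time between socket() and SO_ATTACH_FILTER


def detect(events) -> list:
    """Run the rule over decoded events (dicts) and return the alerts raised."""
    state = defaultdict(lambda: ProcState(raw_fds={}))
    alerts = []
    for ev in events:
        pid, kind = ev["pid"], ev["event"]
        if kind == "exit":
            # Drop state so a reused pid does not inherit the old socket.
            state.pop(pid, None)
            continue
        st = state[pid]
        if kind == "socket" and ev["family"] == "AF_PACKET" and ev["type"] == "SOCK_RAW":
            st.raw_fds[ev["fd"]] = ev["ts"]
        elif kind == "close":
            st.raw_fds.pop(ev["fd"], None)
        elif kind == "setsockopt" and ev["optname"] == "SO_ATTACH_FILTER":
            created = st.raw_fds.get(ev["fd"])
            if created is None or st.alerted or ev["comm"] in ALLOWLIST:
                continue
            gap = ev["ts"] - created
            if gap <= WINDOW_NS:
                st.alerted = True
                alerts.append(Alert(pid, ev["comm"], ev["fd"], gap))
    return alerts


# Constructed sample: timestamps are ns, fds are whatever socket() returned.
SAMPLE_EVENTS = [
    # tcpdump doing exactly this is expected and allowlisted
    {"ts": 1_000, "pid": 1337, "comm": "tcpdump", "event": "socket",
     "family": "AF_PACKET", "type": "SOCK_RAW", "fd": 3},
    {"ts": 2_000, "pid": 1337, "comm": "tcpdump", "event": "setsockopt",
     "optname": "SO_ATTACH_FILTER", "fd": 3},
    # a UDP socket with a filter is not the pattern (wrong socket family)
    {"ts": 3_000, "pid": 9001, "comm": "chronyd", "event": "socket",
     "family": "AF_INET", "type": "SOCK_DGRAM", "fd": 4},
    {"ts": 4_000, "pid": 9001, "comm": "chronyd", "event": "setsockopt",
     "optname": "SO_ATTACH_FILTER", "fd": 4},
    # unknown process: raw packet socket, then a filter on that fd -> alert
    {"ts": 10_000, "pid": 4242, "comm": "updater", "event": "socket",
     "family": "AF_PACKET", "type": "SOCK_RAW", "fd": 5},
    {"ts": 12_000, "pid": 4242, "comm": "updater", "event": "setsockopt",
     "optname": "SO_ATTACH_FILTER", "fd": 5},
    {"ts": 13_000, "pid": 4242, "comm": "updater", "event": "exit"},
    # pid 4242 reused by a new process: no inherited state, so no alert
    {"ts": 14_000, "pid": 4242, "comm": "sshd", "event": "setsockopt",
     "optname": "SO_ATTACH_FILTER", "fd": 5},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={a.pid} comm={a.comm} fd={a.fd} "
              f"filter attached {a.gap_ns} ns after raw socket")
```

The rule is deliberately stateful per pid rather than a single-event match: a filter on a UDP socket is routine, and a raw socket on its own is what every capture tool opens, so only the sequence on the same fd from a process outside the allowlist is worth an analyst's time. Dropping state on exit handles pid reuse, which otherwise produces false positives on busy hosts.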
(DIR) Post #AbeCqhysSL0f5yabD6 by mre@mastodon.social
2023-11-09T22:12:18Z
1 likes, 0 repeats
@mttaggart what tooling could make it explode?
(DIR) Post #AbeGRWuGtOxNKHgUXA by mttaggart@infosec.town
2023-11-10T01:43:12.798Z
0 likes, 0 repeats
@mre@mastodon.social Saner APIs in higher-level languages for writing probes. Right now it's either C (actually a subset of C) or very incomplete shims in Go or Rust. Even BCC, the preeminent library that allows you to write eBPF in Python, actually just loads strings of C code. So a better pipeline for generating that CO-RE bytecode is one thing.

Also, holy crap, documentation. Right now the only way to review tracepoints is ls /sys/kernel/tracing/events. And that works, but is hardly what a developer expects—I mean, besides a kernel dev, and that's hardly the model to follow.
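The ls /sys/kernel/tracing/events complaint above is fixable with a little tooling: every event directory under that tree contains a format file that names the event, its ID, and each field with its offset, size and signedness. The following is an added example, written for this thread and not code from the posts or from any eBPF project, that parses those format files into a field table and emits the padded C struct a probe needs to read the record. It assumes the documented tracefs layout /sys/kernel/tracing/events/<subsystem>/<event>/format; SAMPLE_FORMAT is a constructed copy of the shape such a file has (field names follow syscalls/sys_enter_openat, the ID is made up), and the walker is exercised against a temporary directory so it runs without root.

```python
"""Tracefs 'format' parser: turn a tracepoint's format file into a field
table and a padded C struct that a probe can read its context through.

Added example for this thread; not code from the posts or from any eBPF
project. Assumes the tracefs layout
/sys/kernel/tracing/events/<subsystem>/<event>/format. SAMPLE_FORMAT is a
constructed copy of such a file (names follow sys_enter_openat, ID made up).
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# One "field:" line of a tracefs format file.
FIELD_RE = re.compile(
    r"field:(?P<decl>[^;]+);\s*offset:(?P<offset>\d+);"
    r"\s*size:(?P<size>\d+);\s*signed:(?P<signed>[01]);"
)

SAMPLE_FORMAT = """\
name: sys_enter_openat
ID: 649
format:
    field:unsigned short common_type;    offset:0;    size:2;    signed:0;
    field:unsigned char common_flags;    offset:2;    size:1;    signed:0;
    field:unsigned char common_preempt_count;    offset:3;    size:1;    signed:0;
    field:int common_pid;    offset:4;    size:4;    signed:1;

    field:int __syscall_nr;    offset:8;    size:4;    signed:1;
    field:int dfd;    offset:16;    size:8;    signed:0;
    field:const char * filename;    offset:24;    size:8;    signed:0;
    field:int flags;    offset:32;    size:8;    signed:0;
    field:umode_t mode;    offset:40;    size:8;    signed:0;

print fmt: "dfd: 0x%08lx, filename: 0x%08lx", ((unsigned long)(REC->dfd)), ((unsigned long)(REC->filename))
"""


@dataclass(frozen=True)
class Field:
    ctype: str    # declared C type, e.g. "unsigned short" or "const char *"
    name: str     # field name without any array suffix
    array: int    # element count for "char comm[16]"-style fields, else 0
    offset: int
    size: int
    signed: bool


@dataclass
class Tracepoint:
    name: str
    event_id: int
    fields: list
    print_fmt: str


def parse_format(text: str) -> Tracepoint:
    """Parse the contents of one tracefs 'format' file."""
    name, event_id, print_fmt, fields = "", -1, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("ID:"):
            event_id = int(line.split(":", 1)[1])
        elif line.startswith("print fmt:"):
            print_fmt = line.split(":", 1)[1].strip()
        else:
            m = FIELD_RE.search(line)
            if not m:
                continue
            ctype, _, fname = m.group("decl").strip().rpartition(" ")
            array = 0
            if fname.endswith("]"):              # "comm[16]" -> ("comm", 16)
                fname, dim = fname[:-1].split("[")
                array = int(dim)
            fields.append(Field(ctype, fname, array, int(m.group("offset")),
                                int(m.group("size")), m.group("signed") == "1"))
    return Tracepoint(name, event_id, fields, print_fmt)


def _c_decl(f: Field) -> str:
    """Declare by stored size, not declared type: syscall tracepoints store
    every argument in 8 bytes even when the format says 'int'."""
    if f.array:
        return f"{f.ctype} {f.name}[{f.array}]"
    widths = {1: "8", 2: "16", 4: "32", 8: "64"}
    if f.size in widths:
        return f"{'__s' if f.signed else '__u'}{widths[f.size]} {f.name}"
    return f"unsigned char {f.name}[{f.size}]"


def to_c_struct(tp: Tracepoint) -> str:
    """Emit a C struct matching the record, with explicit padding wherever
    consecutive offsets leave a gap (the sample has one at bytes 12..16)."""
    lines, cursor = [f"struct {tp.name}_args {{"], 0
    for f in sorted(tp.fields, key=lambda x: x.offset):
        if f.offset > cursor:
            lines.append(f"    __u8 __pad{cursor}[{f.offset - cursor}];")
        lines.append(f"    {_c_decl(f)};  /* offset {f.offset}, size {f.size} */")
        cursor = f.offset + f.size
    lines.append("};")
    return "\n".join(lines)


def list_tracepoints(root: Path) -> list:
    """Walk a tracefs-like tree and return [("subsys:event", Tracepoint)]."""
    return [(f"{fmt.parent.parent.name}:{fmt.parent.name}", parse_format(fmt.read_text()))
            for fmt in sorted(root.glob("*/*/format"))]


def demo_listing() -> list:
    """Build a one-event tracefs lookalike in a temp dir and list it."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "syscalls" / "sys_enter_openat"
        ev.mkdir(parents=True)
        (ev / "format").write_text(SAMPLE_FORMAT)
        return [name for name, _ in list_tracepoints(Path(tmp))]


if __name__ == "__main__":
    print(to_c_struct(parse_format(SAMPLE_FORMAT)))
```

Point the walker at the real /sys/kernel/tracing/events (root or tracefs access required) to get the same listing for every tracepoint on the host. The width-by-size rule in _c_decl matters more than it looks: a struct written from the declared types alone would put dfd at a 4-byte slot and misread every syscall argument after it.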
(DIR) Post #AberiZ2zsomXBzkewK by Hemera@meow.social
2023-11-10T08:17:47Z
1 likes, 0 repeats
@mttaggart Yeah that's pretty cool!

It also says something about handling application stuff?

Could I make an HTTP server that pre-transforms HTTP requests into something else to potentially save time? Or am I misunderstanding the tech?
(DIR) Post #AbermO8sN1J0WrKCVU by mttaggart@infosec.town
2023-11-10T08:41:34.151Z
0 likes, 0 repeats
@Hemera@meow.social It's kind of at a different layer. But what you could do is mutate HTTP packets on the way out the door.