Hacker News

Can't my eBPF sched starve my monitoring processes, or my eBPF firewall rules prevent me from getting security updates?

If Eve gets to load bad eBPF programs in your computer then I doubt counter-measures in how they run can save you.



Evil eBPF programs can hide their presence from the bpf syscall as well.


Interesting. Any good read you'd recommend on the topic/attack? Thanks.


Look up "eBPF rootkits"

This is a good article about one found in the wild: https://www.synacktiv.com/en/publications/linkpro-ebpf-rootk...



