This piece talks about eBPF tools and shows how they can be used to improve system monitoring by keeping track of PTY sessions and sniffing private data like SSH, sudo, and su passwords. It shows users how to set up bpftrace, which is a necessary tool for using eBPF features, and presents ptysnoop, a more …
Tag Archives: eBPF
KRIe: To Detect Linux Kernel Runtime Integrity Exploits With eBPF
KRIe is a research project that aims to detect Linux kernel exploits with eBPF. KRIe is far from being a bulletproof strategy: from eBPF-related limitations to post-exploitation detections that might rely on a compromised kernel to emit security events, it is clear that a motivated attacker will eventually be able to bypass it. …
Peetch : An eBPF Playground
peetch is a collection of tools aimed at experimenting with different aspects of eBPF to bypass TLS protocol protections. Currently, peetch includes two subcommands. The first, called dump, sniffs network traffic and associates information about the source process with each packet. The second, called tls, identifies processes using OpenSSL and extracts their cryptographic keys. Combined, these two …
Bpflock : eBPF Driven Security For Locking And Auditing Linux Machines
bpflock uses eBPF to strengthen Linux security. By restricting access to a range of Linux features, bpflock is able to reduce the attack surface and block some well-known attack techniques. Only programs like container managers, systemd and other containers/programs that run in the host pid and network namespaces are allowed access to full Linux features; containers and …
Lockc : Making Containers More Secure With eBPF And Linux Security Modules (LSM)
lockc is open source software that provides MAC (Mandatory Access Control)-style security auditing for container workloads. The main reason why lockc exists is that containers do not contain. Containers are not as secure and isolated as VMs. By default, they expose a lot of information about the host OS and provide ways to “break out” from the container. lockc aims …
Ecapture : Capture SSL/TLS Text Content Without CA Cert By eBPF
eCapture is a tool to capture SSL/TLS text content without a CA cert, using eBPF. How eCapture works: SSL/TLS text content capture, supporting the openssl, libressl, boringssl, gnutls and nspr (nss) libraries; bash audit, capturing bash commands for host security auditing; MySQL query SQL audit, supporting mysqld 5.6, 5.7 and 8.0 as well as MariaDB. eCapture architecture. Getting started with the ELF binary file: download the ELF zip file release, unzip …