eBPF for Cybersecurity – Part 1 (cloudnativefolks.org)
81 points by sangam14 on June 4, 2023 | hide | past | favorite | 7 comments



A bit of a stretch to call this ebpf for security. It's a light ebpf intro that briefly mentions security.


Yeah the keyword is so hyped by SEO blog article writers, it's ridiculous.

I have been building an eBPF firewall for a couple of weeks now and am still in the learning process, but finding articles that actually teach you how to implement something is so ridiculously hard.

I've seen more crappy execve hooks that don't compile than anything useful. The demos of the XDP project that are less than 4 weeks old don't even compile.

Took me a long while to get there, and now I am stuck with bytecode parser problems (I am assuming I am using an invalid pointer of sorts, which results in an invalid scalar that could be anything).

The response of the bpftool guy was basically to learn the bytecode format. So here I am, learning the bytecode format to write a C program. In 2023.

In case anyone wants to help build a DNS filter and execve hooks to detect suspicious activity: [1]

(Yeah yeah shitty C code, I know)

[1] https://github.com/cookiengineer/ebpf-firewall


At this point (in 2023) the sheer volume of "intro to ebpf" articles is becoming a bit of a meme.

This product claims to be open source but I had a quick look through their github and didn't see the actual eBPF probe code (which AFAIK is required to be released under GPL)


> the sheer volume of "intro to ebpf" articles is becoming a bit of a mem

It's because eBPF is becoming popular now for Container or Cloud VM runtime security.

Everybody and their momma are writing these SEOed articles to help shill products like Sysdig, Lacework, etc. Also, it is the conference/procurement time of year, so the SEO is much more constant for growth hacking reasons.

Also, you'll see a lot of junior engineers and co writing these types of articles to signal to recruiters that they have the skills so they can be hired. Almost no one knows eBPF so security companies are paying some relatively obscenely high salaries in Czechia, Israel, and India for those skills because there aren't as many people with those skills here in the states.


Bypass eBPF, just the first search:

https://www.form3.tech/engineering/content/bypassing-ebpf-to...

"Executing the program in the demo pod allows us to confirm that the system call is not detected"

https://news.ycombinator.com/item?id=33235434


This isn't a bypass of "eBPF", so much as it is a bypass of a detection system that watches only the write(2) system call, and not writev(2), sendfile(2), or io_uring.
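The coverage gap this comment describes, as an added example that is not from the thread or the linked article: a small Python detector run over constructed strace-style lines, once hooking only write(2) and once hooking every path named above. The trace, the watched path and the coarse fd-tracking heuristic used for io_uring are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed strace-style lines (not from the thread): one process per write
# path a file-write detector must cover, plus a benign write as a control.
TRACE = """\
1001 openat(AT_FDCWD, "/etc/watched.conf", O_WRONLY) = 4
1001 write(4, "x", 1) = 1
1002 openat(AT_FDCWD, "/etc/watched.conf", O_WRONLY) = 5
1002 writev(5, [{"x", 1}], 1) = 1
1003 openat(AT_FDCWD, "/tmp/src", O_RDONLY) = 3
1003 openat(AT_FDCWD, "/etc/watched.conf", O_WRONLY) = 6
1003 sendfile(6, 3, NULL, 1) = 1
1004 openat(AT_FDCWD, "/etc/watched.conf", O_RDWR) = 7
1004 io_uring_enter(8, 1, 0, 0, NULL, 0) = 1
1005 openat(AT_FDCWD, "/var/log/app.log", O_WRONLY) = 4
1005 write(4, "ok", 2) = 2
"""
LINE_RE = re.compile(r'^(\d+) (\w+)\((.*)\) = (-?\d+)$')
WRITE_ONLY = {"write"}                       # the detector the comment describes
ALL_WRITE_PATHS = {"write", "pwrite64", "writev", "pwritev", "sendfile",
                   "io_uring_enter"}         # every way bytes reach the file
def detect(trace, watched, hooked):
    """Return (pid, syscall) for each hooked syscall that writes a watched path."""
    fds = defaultdict(dict)  # pid -> {fd: path}, writable opens only
    hits = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, call, args, ret = m[1], m[2], m[3], int(m[4])
        argv = [a.strip() for a in args.split(",")]  # crude, enough for this trace
        if call == "openat" and ret >= 0:
            if "O_WRONLY" in args or "O_RDWR" in args:
                fds[pid][ret] = argv[1].strip('"')
            continue
        if call not in hooked:
            continue
        if call == "io_uring_enter":
            # No fd on the syscall itself: flag if the process holds a writable fd to a watched path (coarse)
            targets = fds[pid].values()
        else:
            targets = [fds[pid].get(int(argv[0]))]
        if any(p in watched for p in targets):
            hits.append((pid, call))
    return hits
if __name__ == "__main__":
    for name, hooked in (("write-only", WRITE_ONLY), ("all paths", ALL_WRITE_PATHS)):
        print(name, detect(TRACE, {"/etc/watched.conf"}, hooked))
```

The write-only detector reports just pid 1001; the broadened one also catches the writev, sendfile and io_uring writes to the same file.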




