Extra Better Program Finagling (eBPF) for Attack and Defense
2021-10-12, 14:00–14:50, The Point

Program instrumentation and tracing are key components of any offensive persistence framework or defensive endpoint detection and response (EDR) technology. This talk will focus on the latest tracing infrastructure, known as Extended Berkeley Packet Filters (eBPF), which is currently supported on Linux and is coming to Windows as well. eBPF is complex, with several front-end languages and back-end hooking engines. This talk will explain how eBPF works, what it takes to write eBPF-based hooks, and demonstrate two simple tools for verifying or infecting ELF binaries on the fly.


Program instrumentation and tracing are key components of any offensive persistence framework or defensive endpoint detection and response (EDR) technology. Desktop and server platforms have included various tracing tools and APIs over the years, from strace and truss to DTrace and SystemTap. This talk will focus on the latest tracing infrastructure, known as Extended Berkeley Packet Filters (eBPF), which is currently supported on Linux and is coming to Windows as well.

eBPF can trace arbitrary kernel and userland binaries and includes a program verifier for the user-supplied hook functions that are attached. As the tracing technologies merge into a unified API layer, we see adoption happening in both offensive and defensive tooling. eBPF is complex, with several front-end languages and back-end hooking engines. This talk will explain how eBPF works, what it takes to write eBPF-based hooks, and demonstrate two simple tools for verifying or infecting ELF binaries on the fly.

Some of the topics we will cover:
- What workflows allow rapid development of eBPF programs
- How to use eBPF to verify privileged processes and build your own telemetry
- How to use eBPF to stealthily infect ELF binaries from the kernel
- Why you should never load eBPF with Python, with a demo against a real EDR
- Fuzzing results for uBPF, the eBPF front end for Windows
- The future of eBPF on Windows and Linux