Extra Better Program Finagling (eBPF) for Attack and Defense
10-12, 14:00–14:50 (US/Pacific), The Point

Program instrumentation and tracing is a key component of any offensive persistence framework or defensive endpoint detection and response (EDR) technology. This talk will focus on the latest tracing infrastructure, the extended Berkeley Packet Filter (eBPF), which is currently supported on Linux and is coming to Windows as well. eBPF is complex, with several front-end languages and back-end hooking engines. This talk will explain how eBPF works, what it takes to write eBPF-based hooks, and demonstrate two simple tools for verifying or infecting ELF binaries on the fly.


Program instrumentation and tracing is a key component of any offensive persistence framework or defensive endpoint detection and response (EDR) technology. Desktop and server platforms have included various tracing tools and APIs over the years, from strace and truss to DTrace and SystemTap. This talk will focus on the latest tracing infrastructure, the extended Berkeley Packet Filter (eBPF), which is currently supported on Linux and is coming to Windows as well.

eBPF can trace arbitrary kernel and userland code and includes an in-kernel verifier that checks every user-supplied hook program before it is allowed to run. As these tracing technologies merge into a unified API layer, adoption is happening in both offensive and defensive tooling. eBPF is complex, with several front-end languages and back-end hooking engines. This talk will explain how eBPF works, what it takes to write eBPF-based hooks, and demonstrate two simple tools for verifying or infecting ELF binaries on the fly.

Some of the topics we will cover:
- What workflows allow rapid development of eBPF programs
- How to use eBPF to verify privileged processes and build your own telemetry
- How to use eBPF to stealthily infect ELF binaries from the kernel
- Why you should never load eBPF with Python, with a demo against a real EDR
- Fuzzing results for uBPF, the user-space eBPF interpreter and JIT that eBPF for Windows builds on
- The future of eBPF on Windows and Linux
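To make the "how eBPF works" and verifier points concrete, here is an added example (not code from the talk, from the kernel, or from the uBPF project): a toy user-space eBPF interpreter in the spirit of uBPF, paired with a deliberately simplified verifier. The instruction layout and opcode values follow the real eBPF ISA (`struct bpf_insn` in `linux/bpf.h`), but only a handful of ALU and jump opcodes are implemented, there are no memory or helper-call instructions, and the register-initialisation check is a single flow-insensitive pass rather than the kernel's per-path walk. The sample programs, including the uid-0 "privileged process" check, are constructed for this illustration.

```c
/* mini_ebpf.c: toy eBPF interpreter and verifier (added example, not the talk's tooling).
 * Encodes a subset of the real ISA and checks a few invariants the kernel verifier enforces. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit eBPF instruction: op:8 dst:4 src:4 off:16 imm:32 (same layout as linux/bpf.h) */
struct insn {
    uint8_t code;      /* opcode = class | operation | source (K = immediate, X = register) */
    uint8_t dst : 4;   /* destination register r0..r10 */
    uint8_t src : 4;   /* source register r0..r10 */
    int16_t off;       /* jump offset in instructions, relative to the *next* instruction */
    int32_t imm;       /* signed 32-bit immediate, sign-extended to 64 bits when used */
};

/* Opcode values from the eBPF ISA (BPF_ALU64 = 0x07, BPF_JMP = 0x05) */
enum {
    MOV64_K = 0xb7, MOV64_X = 0xbf, ADD64_K = 0x07, ADD64_X = 0x0f,
    JA = 0x05, JEQ_K = 0x15, JNE_K = 0x55, JGT_K = 0x25, EXIT = 0x95,
};

#define MAX_INSNS 4096
#define NREGS 11                 /* r0..r10; r10 is the read-only frame pointer */
#define NINSN(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Returns NULL when the program is accepted, otherwise a rejection reason.
 * Simplified rules: bounded size, terminating exit, forward-only in-range jumps
 * (the pre-5.3 kernel rule), no writes to r10, no reads of never-written registers,
 * and r0 set before exit. r1 (context) and r10 are initialised on entry. */
const char *verify(const struct insn *p, int n)
{
    uint32_t init = (1u << 1) | (1u << 10);
    if (n < 1 || n > MAX_INSNS) return "bad program size";
    if (p[n - 1].code != EXIT) return "last insn is not exit";
    for (int i = 0; i < n; i++) {
        const struct insn *in = &p[i];
        int reads_src  = (in->code == MOV64_X || in->code == ADD64_X);
        int reads_dst  = (in->code == ADD64_K || in->code == ADD64_X ||
                          in->code == JEQ_K  || in->code == JNE_K  || in->code == JGT_K);
        int writes_dst = (in->code == MOV64_K || in->code == MOV64_X ||
                          in->code == ADD64_K || in->code == ADD64_X);
        int is_jump    = (in->code == JA || in->code == JEQ_K ||
                          in->code == JNE_K || in->code == JGT_K);
        if (!reads_src && !reads_dst && !writes_dst && !is_jump && in->code != EXIT)
            return "unknown opcode";
        if (in->dst >= NREGS || in->src >= NREGS) return "bad register";
        if (reads_src && !(init & (1u << in->src))) return "read of uninitialized src reg";
        if (reads_dst && !(init & (1u << in->dst))) return "read of uninitialized dst reg";
        if (writes_dst && in->dst == 10) return "write to frame pointer r10";
        if (writes_dst) init |= 1u << in->dst;
        if (is_jump) {
            if (in->off < 0) return "backward jump";
            if (i + 1 + in->off >= n) return "jump out of bounds";
        }
        if (in->code == EXIT && !(init & 1u)) return "r0 not set at exit";
    }
    return NULL;
}

/* Execute an already-verified program with ctx in r1; the value in r0 at exit is the
 * program's return value, exactly as a hook's verdict is returned to the kernel. */
uint64_t run(const struct insn *p, int n, uint64_t ctx)
{
    uint64_t r[NREGS] = {0};
    r[1] = ctx;
    for (int pc = 0; pc < n; pc++) {
        const struct insn *in = &p[pc];
        uint64_t k = (uint64_t)(int64_t)in->imm;
        switch (in->code) {
        case MOV64_K: r[in->dst] = k;           break;
        case MOV64_X: r[in->dst] = r[in->src];  break;
        case ADD64_K: r[in->dst] += k;          break;
        case ADD64_X: r[in->dst] += r[in->src]; break;
        case JA:      pc += in->off;                             break;
        case JEQ_K:   if (r[in->dst] == k) pc += in->off;        break;
        case JNE_K:   if (r[in->dst] != k) pc += in->off;        break;
        case JGT_K:   if (r[in->dst] >  k) pc += in->off;        break;
        case EXIT:    return r[0];
        }
    }
    return r[0];
}

/* Constructed sample: a hook body that flags a privileged caller (ctx = uid, return 1 if uid == 0) */
static const struct insn flag_root[] = {
    { MOV64_K, 0, 0, 0, 0 },   /* r0 = 0 */
    { JNE_K,   1, 0, 1, 0 },   /* if r1 != 0 goto +1 (skip the next instruction) */
    { MOV64_K, 0, 0, 0, 1 },   /* r0 = 1 */
    { EXIT,    0, 0, 0, 0 },
};
/* Constructed sample: rejected, r2 is read before any instruction writes it */
static const struct insn bad_uninit[] = {
    { MOV64_X, 0, 2, 0, 0 },   /* r0 = r2 */
    { EXIT,    0, 0, 0, 0 },
};
/* Constructed sample: rejected, the backward jump would loop forever */
static const struct insn bad_loop[] = {
    { MOV64_K, 0, 0,  0, 0 },  /* r0 = 0 */
    { ADD64_K, 0, 0,  0, 1 },  /* r0 += 1 */
    { JA,      0, 0, -2, 0 },  /* goto -2 */
    { EXIT,    0, 0,  0, 0 },
};

int main(void)
{
    const char *err = verify(flag_root, NINSN(flag_root));
    printf("flag_root: %s\n", err ? err : "accepted");
    printf("  uid 0    -> %llu\n", (unsigned long long)run(flag_root, NINSN(flag_root), 0));
    printf("  uid 1000 -> %llu\n", (unsigned long long)run(flag_root, NINSN(flag_root), 1000));
    printf("bad_uninit: %s\n", verify(bad_uninit, NINSN(bad_uninit)));
    printf("bad_loop:   %s\n", verify(bad_loop, NINSN(bad_loop)));
    return 0;
}
```

The point of the two rejected programs is the one the talk's verifier discussion turns on: the kernel never executes a hook it cannot prove safe, so the loader's job (whether a libbpf skeleton or a Python wrapper) is only to hand over instructions, maps and attach points, and everything that matters for safety happens inside `verify`-style checks before the first instruction runs.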

Richard Johnson is a computer security specialist with a focus on software vulnerability analysis. Currently Principal Security Researcher at Fuzzing IO, a research and development company offering professional training and consulting services, Richard offers over 18 years of professional expertise and leadership in the information security industry including past positions as Director of Security Research at Oracle Cloud Infrastructure and Research Lead roles at Cisco Talos and Microsoft. Richard has been speaking at Toorcon since 2004 and has taken the stage for talks and training at many other premier conferences including Black Hat, RECON, and Hack in the Box.