Infosec.Pub


eBPF programs cannot protect themselves from kernel-level manipulation. eBPF verifier only ensures memory safety, not security guarantees. All eBPF data flow mechanisms (iterators, ringbuffers, maps) are implemented as kernel functions. Kernel functions can be hooked via ftrace.

The moment an attacker has kernel-level access, observability becomes optional.
