Can't my eBPF sched starve my monitoring processes, or my eBPF firewall rules prevent me from getting security updates?
If Eve gets to load bad eBPFs programs in your computer then I doubt counter-measures in how they run can save you.
Can't my eBPF sched starve my monitoring processes, or my eBPF firewall rules prevent me from getting security updates?
If Eve gets to load bad eBPFs programs in your computer then I doubt counter-measures in how they run can save you.
Evil eBPF programs can hide their presence from the bpf syscall as well.
Interesting. Any good read you'd recommend on the topic/attack? Thanks.
Look up "eBPF rootkits"
This is a good article about one found in the wild: https://www.synacktiv.com/en/publications/linkpro-ebpf-rootk...