Red Canary

Dave Bogle

Entering the hive: Understanding eBPF-based malware

eBPF (extended Berkeley Packet Filter) is a rapidly growing technology that is reshaping the Linux ecosystem. It lets developers write small programs that the kernel verifies before loading and then runs in response to kernel events, while the heavier processing and analysis stays in userspace. As with most new and useful technology, adversaries will inevitably begin to leverage eBPF to implement common malware tradecraft.

This presentation explores how adversaries can leverage the power of eBPF to implement common tradecraft such as process hiding, file hiding, privilege escalation, and more. We'll examine this emergent eBPF tradecraft from both the offensive and defensive perspective, analyzing the many ways that adversaries might abuse eBPF and diving into the identification, classification, and detection of eBPF malware, while also showing the audience how the same technology serves endpoint and cloud security vendors.

Dave Bogle is a security researcher at Red Canary, where he focuses primarily on Linux threat research. He works closely with engineering teams, detection engineers, threat hunters and others to apply his research across the company. He has a passion for diving deep into the inner workings of operating systems and applies that knowledge to his research. He also loves to share knowledge through writing, teaching, and training.
