Announcing VED-eBPF: A Proof-of-Concept Implementation of Kernel Exploit and Rootkit Detection using eBPF

We are thrilled to introduce VED-eBPF, an innovative proof-of-concept implementation that showcases the power of eBPF (extended Berkeley Packet Filter) technology in enabling robust kernel security monitoring and exploit detection for Linux systems. VED-eBPF leverages the capabilities of eBPF to provide runtime analysis and detection of kernel exploits and rootkits. The open source version is under AGPLv3 license.

🔒Enhancing Kernel Security with eBPF eBPF is an in-kernel virtual machine that allows code execution within the kernel without the need for modifying the kernel source code. With VED-eBPF, we harness the potential of eBPF to trace security-sensitive kernel behaviors and detect anomalies that may be indicative of malicious activities.

💡Key Features of VED-eBPF:

• wCFI (Control Flow Integrity): VED-eBPF includes wCFI, which focuses on detecting control flow hijacking attacks. By tracing the kernel call stack, VED-eBPF generates a bitmap of valid call sites and validates return addresses against this bitmap. Any invalid return address, indicating a corrupted stack, triggers a security event for further analysis.

• PSD (Privilege Escalation Detection): VED-eBPF incorporates PSD to detect unauthorized privilege escalations. By monitoring changes to credential structures in the kernel, VED-eBPF compares credentials before and after specific function calls to identify any unauthorized modifications. When an illegal privilege escalation is detected, a security event is generated for analysis.

💻 How VED-eBPF Works VED-eBPF attaches eBPF programs to relevant kernel functions, enabling the tracing of execution flows and the extraction of security events. These events are then submitted to userspace for further analysis using perf buffers, ensuring real-time detection of potential threats.

🤝 Join Us in Exploring eBPF’s Security Capabilities We invite all security enthusiasts, researchers, and developers interested in leveraging eBPF for security mitigation to explore VED-eBPF. By utilizing eBPF’s tracing capabilities and perf buffers, VED-eBPF demonstrates how critical security events can be extracted and analyzed in real-time to identify emerging kernel threats.

We are actively working on the development of VED LKM (Linux Kernel Module), a production-ready version of VED that will provide runtime protection and advanced features for securing Linux kernels. VED-LTS integrate with Hardened Linux (for public cloud and on-premise) and it’s designed to meet the stringent requirements of production environments, ensuring stability, performance, and scalability.