Session
Hauptprogramm 35C3
Security

Kernel Tracing With eBPF

Unlocking God Mode on Linux
Have you ever wanted to trace all syscalls or dump all IPC traffic across a Linux system? Until recently, doing so may have required some significant setup involving a half-baked tracing kernel module, a custom kernel module, or even using a kernel debugger. This talk will introduce the eBPF functionality of the Linux kernel and cover practical uses of the technology beyond mere code profiling. We will show how eBPF can be used both defensively and offensively to protect, or compromise, a system. This talk will primarily focus on using eBPF to dynamically instrument kernel functionality and gain deep insight on the workings of both kernel and userspace code across a running system. Attendees will leave with practical knowledge for using eBPF to (performantly) watch every action taken on a running system and make processes reveal their secrets.

eBPF (or "extended" Berkeley Packet Filter) is a bytecode and virtual machine used as a safe computing environment within the Linux kernel to perform arbitrary programmatic actions. It is a redesign of the original BPF bytecode VM used, typically in userspace, to power features like tcpdump filters. eBPF has an entirely different set of capabilities and instructions, with its primary goal being to serve as a JIT-able virtual machine instruction set that can be targeted by compilers of a memory-safe "restricted C" language. In the Linux kernel BPF and eBPF have been applied to various different kernel features, from programmatic syscall filtering (for sandboxing) to performing efficient custom packet processing inline on the kernel's network data plane.

In this talk, we will first introduce and briefly discuss the internals of the eBPF implementation in the Linux kernel, its features, and the current set of components that it may be integrated with. We will also briefly cover how eBPF does not intrinsically make C code secure and demonstrate how using eBPF instead of other, more mature, technologies may introduce vulnerabilities.

The majority of this talk will focus on using eBPF to trace kernel functions to inspect both kernel and userland code and the data that flows through them. In line with this goal, this talk will cover pragmatic approaches to using eBPF and the non-idiomatic coding styles required to perform useful tasks in eBPF's sandbox. Additionally, while the aim of this talk is to cover the capabilities of "vanilla" eBPF, we will also demonstrate how the kernel may be trivially modified to lift the constraints of the eBPF sandbox when one does not have the time to tiptoe around the bytecode validator (or seeks to use eBPF as a drop-in replacement for kernel modules).

Lastly, this talk will show that while eBPF may generally be "safe" for the kernel itself, it is decidedly not when applied to userspace code. We will conclude this talk by demonstrating a general purpose privilege escalation technique that may be used by privileged users to hop namespacing and escape certain container configurations using nothing but eBPF.

Additional information

Type lecture
Language English

More sessions

12/27/18
Security
hanno
Borg
Since a few months we have a new version of TLS, the most important encryption protocol on the Internet. From the vulnerabilities that created the need of a new TLS version to the challenges of deploying it due to broken devices this talk will give an overview of the new TLS 1.3.
12/27/18
Security
Frédéric Vachon
Clarke
UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level. Our talk will reveal such a campaign successfully executed by the Sednit group. We will detail the full infection chain showing how Sednit was able to install their custom UEFI module on key targets' computers. Additionally, we will provide an in-depth analysis of their UEFI module and the associated ...
12/27/18
Security
Mark Lechtik
Eliza
Meet SiliVaccine – North Korea's national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by dedicated government teams for over fifteen years. When we heard of this strange software, we were immediately driven to investigate it: it's not every day that you can catch a glimpse of the malware landscape inside the closed garden of the DPRK's intranet. In this talk, we will describe how we were able to obtain a rare copy of ...
12/27/18
Security
Borg
In this presentation we will take a look at how to break the most popular cryptocurrency hardware wallets. We will uncover architectural, physical, hardware, software and firmware vulnerabilities we found including issues that could allow a malicious attacker to gain access to the funds of the wallet. The attacks that we perform against the hardware wallets range from breaking the proprietary bootloader protection, to breaking the web interfaces used to interact with wallets, up to physical ...
12/27/18
Security
Martin Vigo
Dijkstra
Voicemail systems can be compromised by leveraging old weaknesses and top of current technology. The impact goes way beyond having your messages exposed.
12/27/18
Security
Adams
Die Venenerkennung ist eine der letzten Bastionen biometrischer Systeme, die sich bisher der Eroberung durch Hacker widersetzt hat. Dabei ist sie ein lohnendes Ziel, schützt sie doch Bankautomaten und Hochsicherheitsbereiche. In diesem Talk machen wir die Verteidigungsanlagen dem Erdboden gleich.
12/27/18
Security
Borg
We all know what FAX is, and for some strange reason most of us need to use it from time to time. Hard to believe its 2018, right? But can FAX be something more than a bureaucratic burden? Can it actually be a catastrophic security hole that may be used to compromise your entire network? Come watch our talk and find out …