
eBPF – Adding functionality to OS at runtime

118 points, posted by truth_seeker over 2 years ago

3 comments

LinuxBender, over 2 years ago
This is a good write-up and I like the diagrams. What appears to still be notably missing from eBPF is an "off switch". AFAIK there are still no kernel boot time commands [0] to disable eBPF entirely. I have to recompile the kernel to disable it and it is known that most people will not do this.

eBPF has the potential for file-less malware to run hidden from detection and I foresee the ability to tickle ring -3 (and -4?) CPU within CPU functions while bypassing local firewalls.

Here is some example code of what people already know how to do today and this list will grow as people discover more capabilities. [1][2][3][4][5][6] These do require some privileges to insert but will remain running and hidden until reboot. Privilege escalation today is easier than ever with the growing misuse and poor configurations of sudo as well as the growing number of suid/setcap binaries. A common argument I get is "Well if someone ... then it's game over". They are not entirely wrong, but I do not want yet another file-less anti-forensics vector that risks Linux being forbidden in secure zones nor do I want to play whack-a-mole using commercial tools like sysdig or complex tools people avoid like SELinux to try to fight this stuff.

[0] - https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
[1] - https://github.com/citronneur/pamspy
[2] - https://github.com/h3xduck/TripleCross
[3] - https://github.com/krisnova/boopkit
[4] - https://github.com/pathtofile/bad-bpf
[5] - https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896?gi=a1053e659852
[6] - https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html
throwawayacc4, over 2 years ago
As others have mentioned, eBPF is quite neat software, but its observability in and of itself is quite difficult. It's hard to understand WHAT eBPF programs are loaded, and what they're doing. Supposedly Android has a dozen or two eBPF programs running at any time. Is Ubuntu on my laptop running a similar batch? I have no clue, and many of us here probably wouldn't know where to look either without some Googling.
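One place to look, as an added example that is not from the thread or from any project it links: the kernel hands out loaded-program ids through the bpf(2) syscall (BPF_PROG_GET_NEXT_ID, then BPF_PROG_GET_FD_BY_ID and BPF_OBJ_GET_INFO_BY_FD), which is the same walk bpftool does under the hood. The script below calls that interface directly with ctypes and decodes the leading fields of struct bpf_prog_info; it assumes Linux on x86_64 (syscall number 321) and root, since the enumeration commands require CAP_SYS_ADMIN.

```python
import ctypes
import errno
import os
import struct
# Command numbers from enum bpf_cmd in uapi/linux/bpf.h; bpftool walks this same sequence.
BPF_PROG_GET_NEXT_ID, BPF_PROG_GET_FD_BY_ID, BPF_OBJ_GET_INFO_BY_FD = 11, 13, 15
NR_BPF = 321  # bpf(2) syscall number on x86_64 (assumption; it is 280 on aarch64)
PROG_TYPES = {1: "socket_filter", 2: "kprobe", 5: "tracepoint", 6: "xdp", 8: "cgroup_skb", 26: "tracing", 29: "lsm"}
# Leading 80 bytes of struct bpf_prog_info: type, id, tag[8], jited_len, xlated_len,
# jited_insns, xlated_insns, load_time, created_by_uid, nr_map_ids, map_ids, name[16].
PROG_INFO_FMT = "<II8sIIQQQIIQ16s"
PROG_INFO_LEN = struct.calcsize(PROG_INFO_FMT)
ATTR_LEN = 144  # upper bound for sizeof(union bpf_attr); the kernel requires the unused tail to be zero

def parse_prog_info(buf: bytes) -> dict:
    # Decode the fields that identify a program and who loaded it.
    typ, pid, tag, _, _, _, _, load_ns, uid, nr_maps, _, name = struct.unpack_from(PROG_INFO_FMT, buf)
    return {"id": pid, "type": PROG_TYPES.get(typ, str(typ)), "tag": tag.hex(), "uid": uid,
            "nr_map_ids": nr_maps, "load_time_ns": load_ns,
            "name": name.split(b"\0", 1)[0].decode(errors="replace")}

def _bpf(cmd: int, attr: bytes) -> tuple:
    # Raw bpf(2) call; returns (ret, attr bytes as the kernel left them).
    libc = ctypes.CDLL(None, use_errno=True)
    buf = ctypes.create_string_buffer(attr.ljust(ATTR_LEN, b"\0"), ATTR_LEN)
    return libc.syscall(NR_BPF, cmd, buf, ATTR_LEN), buf.raw

def list_bpf_programs() -> list:
    # Walk every loaded program by id. Needs CAP_SYS_ADMIN, i.e. root.
    progs, cur = [], 0
    while True:
        ret, out = _bpf(BPF_PROG_GET_NEXT_ID, struct.pack("<III", cur, 0, 0))
        if ret < 0:
            err = ctypes.get_errno()
            if err == errno.ENOENT:  # walked past the last id
                return progs
            raise OSError(err, os.strerror(err))
        cur = struct.unpack_from("<I", out, 4)[0]  # next_id
        fd, _ = _bpf(BPF_PROG_GET_FD_BY_ID, struct.pack("<III", cur, 0, 0))
        if fd < 0:
            continue  # unloaded between the two calls; keep walking
        info = ctypes.create_string_buffer(PROG_INFO_LEN)
        ret, _ = _bpf(BPF_OBJ_GET_INFO_BY_FD, struct.pack("<IIQ", fd, PROG_INFO_LEN, ctypes.addressof(info)))
        os.close(fd)
        if ret == 0:
            progs.append(parse_prog_info(info.raw))

if __name__ == "__main__":
    for p in list_bpf_programs():  # raises PermissionError without the capability
        print(f"id={p['id']} type={p['type']} uid={p['uid']} name={p['name']!r} tag={p['tag']}")
```

Compare the output against `bpftool prog show`: a listing tool that disagrees with the raw syscall is itself a finding.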
IceWreck, over 2 years ago
What is the advantage of eBPF hooks over the ptrace system call? Can't I do most of the same stuff with it?