Taggart :donor: on Nostr: npub18rsh6…knyqg There's an entire virtual machine running in the Linux kernel that ...
There's an entire virtual machine running in the Linux kernel that allows you to write hooks into almost any conceivable event—including networking events, some of which are processed directly on the NIC!
As a security person, this is absolutely the missing link when it comes to Linux endpoint security and observability. Our guardian process (like an endpoint protection agent) can use eBPF probes to watch for and detect/prevent malicious activity in ways not previously possible.
And of course, the bad guys already know about this power. The BPFDoor malware was able to hijack existing network connections to hide itself and slip command-and-control traffic alongside legitimate traffic in very stealthy ways. So we might as well use the same technology to defend the endpoint.
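As an added illustration of the "guardian process" idea above (example code written for this page, not the author's): a small bpftrace script that logs two things an endpoint agent would want to see, creation of raw/packet sockets and attachment of a classic BPF socket filter. It assumes a Linux host with bpftrace and the syscalls tracepoints available, and uses constant values taken from the Linux UAPI headers.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not from the post. Assumptions: bpftrace installed, run as root,
// syscalls tracepoints enabled. Constants from the Linux UAPI headers:
//   SOL_SOCKET = 1, SO_ATTACH_FILTER = 26, SOCK_RAW = 3, AF_PACKET = 17

BEGIN
{
  printf("guardian: watching raw/packet sockets and socket-filter attachment\n");
}

// A raw or packet socket can observe traffic that belongs to other processes'
// connections, so ordinary services rarely need one. Log who creates them.
// The low nibble of `type` is the socket type; the upper bits carry flags
// such as SOCK_NONBLOCK and SOCK_CLOEXEC, hence the mask.
tracepoint:syscalls:sys_enter_socket
/ (args->type & 0xf) == 3 || args->family == 17 /
{
  printf("%-16s pid=%-6d uid=%-5d socket(family=%d, type=0x%x, proto=%d)\n",
         comm, pid, uid, args->family, args->type, args->protocol);
  @raw_sockets[comm] = count();
}

// SO_ATTACH_FILTER installs a classic BPF program on a socket so only packets
// matching the filter reach userspace. Legitimate sniffers do this, but it is
// uncommon enough on a server to be worth recording and baselining.
tracepoint:syscalls:sys_enter_setsockopt
/ args->level == 1 && args->optname == 26 /
{
  printf("%-16s pid=%-6d uid=%-5d setsockopt(SO_ATTACH_FILTER) fd=%d len=%d\n",
         comm, pid, uid, args->fd, args->optlen);
  @socket_filters[comm] = count();
}

// On exit, print per-program counts so the events can be compared against
// the host's known baseline (e.g. tcpdump or a DHCP client are expected).
END
{
  print(@raw_sockets);
  print(@socket_filters);
}
```

Run it for a while on a quiet host first to learn which programs legitimately show up; anything outside that baseline is what the guardian process should escalate.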