eBPF is a Linux technology that extends kernel functionality. Instead of loading a kernel module or recompiling the kernel, it is now possible to dynamically load an eBPF program to extend Linux capabilities.
Nowadays, eBPF is mainly used in four areas:
While these topics are well explored, we believe that eBPF could also be leveraged to help security researchers. For example, it could be used to fingerprint a process, and follow its network communications. Similarly, eBPF could be weaponized to modify userland memory.
This internship consists of using eBPF as a security research tool and highlighting its weaknesses from a security perspective.
What you will do:
You will have to learn eBPF and evaluate its possible usages for security research, such as fuzzing or sandboxing. After getting a good understanding of the technology, you will investigate eBPF shortcomings that could be leveraged by attackers.
Your task consists of developing a tool that uses eBPF to automatically identify processes communicating over the TLS protocol with the OpenSSL library. Your code should display the destination IP address and port, the PID and the process name. You are free to choose your preferred programming language for the task. The expected output is the documented source code of the tool, accompanied by its installation and usage methodology.
To get you started, pick a command-line tool such as curl and observe its behavior on a recent Linux distribution such as Ubuntu 21.04.
- identify other TLS libraries
- discard all TLS traffic that does not use the OpenSSL library on TCP port 443
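As an added example (not code from the posting), the correlation the task asks for can be sketched as a bpftrace script: a kprobe on the kernel's tcp_connect records the destination of each process's latest outbound TCP connection, and uprobes on libssl's SSL_write/SSL_read report the PID, process name and that destination the first time the process moves TLS data. Assumptions: x86_64 Ubuntu with OpenSSL 1.1 at the library path shown, IPv4 only, bpftrace and kernel headers installed, run as root.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example, not code from the posting: report processes that use TLS
 * through OpenSSL, with the destination of their most recent TCP connect.
 * Assumptions: x86_64 Ubuntu with libssl.so.1.1 at the path below, IPv4
 * only, kernel headers installed, run as root.
 */
#include <linux/socket.h>
#include <net/sock.h>

BEGIN
{
	printf("%-8s %-16s %-16s %s\n", "PID", "COMM", "DADDR", "DPORT");
}

/* Record the destination of each process's latest outbound TCP connection.
 * Heuristic: a process with several concurrent sockets would need a
 * per-file-descriptor map (e.g. keyed via SSL_set_fd) instead of per-PID. */
kprobe:tcp_connect
{
	$sk = (struct sock *)arg0;
	if ($sk->__sk_common.skc_family == AF_INET) {
		$dport = $sk->__sk_common.skc_dport;   /* stored big-endian */
		@daddr[pid] = $sk->__sk_common.skc_daddr;
		@dport[pid] = ($dport >> 8) | (($dport << 8) & 0xff00);
	}
}

/* Any process entering these libssl functions is speaking TLS via OpenSSL.
 * Report each PID once, the first time it reads or writes TLS data. */
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.1.1:SSL_write,
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.1.1:SSL_read
{
	if (@reported[pid] == 0 && @dport[pid] != 0) {
		@reported[pid] = 1;
		printf("%-8d %-16s %-16s %d\n", pid, comm,
		    ntop(AF_INET, @daddr[pid]), @dport[pid]);
	}
}

END
{
	clear(@daddr);
	clear(@dport);
	clear(@reported);
}
```

Run it as root and, in another terminal, issue an HTTPS request with curl as the posting suggests; the curl process should appear with its destination address and port 443, while a client using another TLS library never enters these probes.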
More info here: https://blog.quarkslab.com/internship-offers-for-the-2021-2022-season.html#ebpf-for-security