Internship - eBPF for Security

Research · Paris, Paris
Department: Research
Employment Type: Internship
Minimum Experience: Entry-level
Compensation: 1800€ gross / month (1550€ net)

eBPF is a Linux technology that extends the kernel's functionality. Instead of loading a kernel module or recompiling the kernel, it is now possible to dynamically run an eBPF program to extend Linux capabilities.


Nowadays, eBPF is mainly used in four areas:

  • networking: enhance packet processing
  • tracing and profiling: troubleshoot issues and performance bottlenecks
  • observability: report metrics
  • security: detect and block threats


While these topics are well explored, we believe that eBPF could also be leveraged to help security researchers. For example, it could be used to fingerprint a process, and follow its network communications. Similarly, eBPF could be weaponized to modify userland memory.


This internship consists of exploiting eBPF as a security research tool and highlighting its weaknesses from a security perspective.


Required Skills:

  • familiar with the Linux kernel source code
  • experience with security tools
  • good understanding of C and Python
  • being already familiar with eBPF is a plus


What you will do:

You will have to learn eBPF and evaluate its possible uses for security research, such as fuzzing or sandboxing. After getting a good understanding of the technology, you will investigate eBPF shortcomings that could be leveraged by attackers.


Assignment

Your task consists of developing a tool that uses eBPF to automatically identify processes communicating using the TLS protocol with the OpenSSL library. Your code should display the destination IP address and port, the PID and the process name. You are free to choose your preferred programming language for the task. The expected output is the documented source code of the tool, accompanied by its installation and usage methodology.


To get you started, pick a command line tool such as curl and observe its behavior on a recent Linux distribution like Ubuntu 21.04.

 

Bonuses:
- identify other TLS libraries
- discard all TLS traffic that does not use the OpenSSL library on TCP port 443


Location:

Paris/Rennes


Duration:

6 months


More info here: https://blog.quarkslab.com/internship-offers-for-the-2021-2022-season.html#ebpf-for-security
