Evil eBPF programs can hide their presence from the bpf syscall as well. | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		ronsor 24 days ago \| parent \| context \| favorite \| on: Rex is a safe kernel extension framework that allo... Evil eBPF programs can hide their presence from the bpf syscall as well.

ignoramous 24 days ago [–]

Interesting. Any good read you'd recommend on the topic/attack? Thanks.

ronsor 23 days ago | [–]

Look up "eBPF rootkits"

This is a good article about one found in the wild: https://www.synacktiv.com/en/publications/linkpro-ebpf-rootk...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact