44CON2022 has ended
Back To Schedule
Thursday, September 15 • 11:00am - 12:00pm
Kev Sheldrake - What is eBPF and why should you care?

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

eBPF is relatively new and “a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel.” You can achieve similar results to writing a kernel module, but in a (supposedly – we’ll come to that) safe manner. eBPF code runs in a virtual machine and, depending on the program type, can access all sorts of kernel internals, with programs being launched when specified code points get hit.

I will talk about the basics and how to get up and running, the challenges and pitfalls to overcome, a library I wrote when working at Sysinternals to take away some of the pain, the Sysmon For Linux tool I wrote for Sysinternals that logs events to Syslog, and Cilium/Tetragon (and Cilium/ebpf library) that makes accessing eBPF for system observability easier. I will discuss technical details and explain the different use cases that might benefit you, from blue team using Sysmon and Cilium/Tetragon to achieve super powerful abilities, to researchers building custom program tracers, to red team exploiting kernel vulns, to sysadmins seeking performance issues.

It is a truly exciting thing that everyone is talking about.

avatar for Kev Sheldrake

Kev Sheldrake

Kev Sheldrake is a security software engineer and researcher who started working in the technical security field in 1997. Over the years, Kev has been a developer and systems administrator of ‘secure’ systems, an infosec policy consultant, a penetration tester, a reverse engineer... Read More →

Thursday September 15, 2022 11:00am - 12:00pm BST
*Track 1*