For all it's innovative way of kernel programming, isn't eBPF a huge attack surface? Even a paradise for rootkit devs, perfectly able to hide using eBPF features.
Also worth noting that the verifier is under active development not only to verify more legitimate programs, but also to reject programs with exploits and side channels (and there are runtime defenses too, like dead code elimination and ALU sanitation).
Thanks for sharing my site!
I've been thinking about building a platform like this for a while, and it was quite fun to build.
Let me know if you have questions or ideas for new exercises.
This is really cool.
Are you planning to add "lessons" related to deployment? For example, using libbcc vs CO-RE?
I wanted to add all kind of exercises, but I'm not sure what's a good way of presenting a deployment exercise.
On libbcc specifically, I'm not sure it's worth it, CO-RE / BTF is where things are heading, and any reasonably new kernel supports it (<5 years old)
Thanks for making this, looking forward trying it out!
Nice, always wanted to get my hands on eBPF and this looks like a good way to try it out. Thanks!
@deivid I would certainly buy a pdf or book with this and more examples (with full source code).
Just a hint if you want to change the world and make a few bucks :)
For all it's innovative way of kernel programming, isn't eBPF a huge attack surface? Even a paradise for rootkit devs, perfectly able to hide using eBPF features.
Also worth noting that the verifier is under active development not only to verify more legitimate programs, but also to reject programs with exploits and side channels (and there are runtime defenses too, like dead code elimination and ALU sanitation).
Yes, but you need cap_bpf now to load ebpf programs.