Currently a work in progress that will be extended for the final version, this submission aims to demystify eBPF for the security community. While eBPF is already well established in cloud environments (for process visibility and programmable network flows, for example), it has seen little experimentation as a building block for security-focused tools.
The purpose of this proposal is to give a step-by-step introduction to eBPF by providing working examples of four different eBPF programs and tools:
- Identify the network traffic of a specific process
- Detect processes doing TLS traffic
- Dump TLS sessions from a process's memory
- Intercept a process's traffic transparently
Ultimately, this collection of programs could be used to develop a tool that seamlessly intercepts a process's TLS traffic and modifies it.