eBPF tracing is a hot new technology in the EDR and infrastructure space, providing high-speed instrumentation and telemetry on events, processes, and network connections. Last year, Microsoft released a completely new implementation of an eBPF tracing system for Windows, which is destined to become a primary telemetry provider in the near future. eBPF for Windows has a complex architecture that leverages program analysis to verify unsigned user code via abstract interpretation before running it in a kernel context, so the integrity of that software is paramount. This research will be the first public work to analyze the new eBPF for Windows implementation for security vulnerabilities. Our presentation will discuss the capabilities and security model of eBPF for Windows, followed by details of the design and attack surface, including the eBPF API, the trusted static verifier and JIT engine, and the kernel implementation of trace hooks and telemetry providers. During our deep dive into the implementation details we will uncover vulnerabilities at multiple layers and discuss how they were found, with demos of fuzzing Windows eBPF components and real-time bug discovery.
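The abstract's key architectural point is that untrusted bytecode is accepted into a kernel context only after a static verifier has proven, by abstract interpretation, that it cannot misbehave. The following added example (not code from the talk, from Microsoft's eBPF for Windows, or from its PREVAIL verifier) illustrates that idea on an assumed toy instruction set: each register is tracked as an interval, states are joined where paths merge, conditional branches refine the interval on each edge, and a program is accepted only if every memory access is provably inside an assumed 64-byte region. Loops and unknown opcodes are rejected outright, as a real verifier rejects anything it cannot reason about.

```python
"""Toy interval-domain verifier for a tiny eBPF-like bytecode.

Constructed illustration: the instruction set, register file and the single
CTX_SIZE-byte memory region are assumptions, not eBPF for Windows semantics.
"""
from typing import Dict, List, Optional, Tuple

NEG_INF, POS_INF = float("-inf"), float("inf")
CTX_SIZE = 64    # assumed size of the only memory region a program may touch
NUM_REGS = 4     # assumed register file r0..r3; r1 enters pointing at byte 0

Interval = Tuple[float, float]
State = Dict[int, Interval]


def join(a: Interval, b: Interval) -> Interval:
    """Least upper bound of two intervals, used where control-flow paths merge."""
    return (min(a[0], b[0]), max(a[1], b[1]))


def add(a: Interval, b: Interval) -> Interval:
    return (a[0] + b[0], a[1] + b[1])


def join_state(s: State, t: State) -> State:
    return {r: join(s[r], t[r]) for r in range(NUM_REGS)}


def verify(program: List[tuple]) -> Tuple[bool, str]:
    """Return (accepted, reason). Instruction tuples:
       ("mov_imm", dst, imm)  ("add_imm", dst, imm)  ("add_reg", dst, src)
       ("and_imm", dst, mask) ("load", dst, base, off) ("store", base, off, src)
       ("jgt_imm", reg, imm, target)  ("exit",)
    """
    n = len(program)
    entry: State = {r: (NEG_INF, POS_INF) for r in range(NUM_REGS)}
    entry[1] = (0, 0)                                # r1 = pointer to region start
    incoming: List[Optional[State]] = [None] * n     # joined state flowing into each pc
    incoming[0] = entry

    for pc, insn in enumerate(program):
        st = incoming[pc]
        if st is None:
            continue                                 # unreachable instruction
        op, nxt = insn[0], dict(st)
        edges: List[Tuple[int, State]] = []          # (successor pc, state on that edge)
        if op == "mov_imm":
            nxt[insn[1]] = (insn[2], insn[2])
            edges.append((pc + 1, nxt))
        elif op == "add_imm":
            nxt[insn[1]] = add(st[insn[1]], (insn[2], insn[2]))
            edges.append((pc + 1, nxt))
        elif op == "add_reg":
            nxt[insn[1]] = add(st[insn[1]], st[insn[2]])
            edges.append((pc + 1, nxt))
        elif op == "and_imm":
            if insn[2] < 0:
                return False, f"pc {pc}: negative mask unsupported"
            nxt[insn[1]] = (0, insn[2])              # x & mask lies in [0, mask] for mask >= 0
            edges.append((pc + 1, nxt))
        elif op in ("load", "store"):
            base, off = (insn[2], insn[3]) if op == "load" else (insn[1], insn[2])
            idx = add(st[base], (off, off))
            if idx[0] < 0 or idx[1] >= CTX_SIZE:    # must hold for every concrete value
                return False, (f"pc {pc}: {op} index in [{idx[0]}, {idx[1]}] "
                               f"not provably within [0, {CTX_SIZE})")
            if op == "load":
                nxt[insn[1]] = (0, 255)              # a loaded byte is an unknown 0..255 value
            edges.append((pc + 1, nxt))
        elif op == "jgt_imm":
            reg, imm, target = insn[1], insn[2], insn[3]
            if target <= pc:
                return False, f"pc {pc}: backward jump rejected (this toy ISA forbids loops)"
            lo, hi = st[reg]
            if hi > imm:                             # taken edge feasible: know reg > imm
                taken = dict(st)
                taken[reg] = (max(lo, imm + 1), hi)
                edges.append((target, taken))
            if lo <= imm:                            # fall-through feasible: know reg <= imm
                fall = dict(st)
                fall[reg] = (lo, min(hi, imm))
                edges.append((pc + 1, fall))
        elif op == "exit":
            continue
        else:
            return False, f"pc {pc}: unknown opcode {op!r}"
        for target, s in edges:
            if target >= n:
                return False, f"pc {pc}: control flow runs off the end of the program"
            incoming[target] = s if incoming[target] is None else join_state(incoming[target], s)
    return True, "ok"


# Constructed sample programs. SAFE bounds the index with a mask, BRANCHED bounds
# it with a conditional jump, UNSAFE does neither and must be rejected.
SAFE = [("load", 0, 1, 0), ("and_imm", 0, 31), ("add_reg", 0, 1),
        ("load", 2, 0, 16), ("exit",)]                          # index in [16, 47]
UNSAFE = [("load", 0, 1, 0), ("add_reg", 0, 1),
          ("load", 2, 0, 16), ("exit",)]                        # index in [16, 271]
BRANCHED = [("load", 0, 1, 0), ("jgt_imm", 0, 47, 4), ("add_reg", 0, 1),
            ("load", 2, 0, 16), ("exit",)]                      # fall-through index in [16, 63]

if __name__ == "__main__":
    for name, prog in (("SAFE", SAFE), ("UNSAFE", UNSAFE), ("BRANCHED", BRANCHED)):
        print(name, verify(prog))
```

Because the analysis is over-approximate, every program it accepts is memory-safe with respect to the region, but some safe programs are rejected (for example anything with a loop, or an index bounded by arithmetic the interval domain cannot express). That asymmetry is the defensive design choice: soundness of the verifier, not completeness, is what keeps unsigned code from corrupting the kernel, which is why bugs in the verifier or in the JIT that follows it are the high-value targets the talk goes on to examine.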
Speaker: Richard Johnson
Richard Johnson is a computer security specialist with a focus on software vulnerability analysis. Currently Senior Principal Security Researcher at Trellix and Chief Research Officer at Fuzzing IO, Richard offers over 20 years of professional expertise and leadership in the information security industry.
Current responsibilities include zero-day vulnerability research and the development of advanced fuzzing and automated reverse engineering solutions. Prior to Trellix, he built security research and bug hunting teams for Oracle Cloud and Cisco Talos.
Richard has delivered training and presented annually at top-tier industry conferences for over 15 years, including Black Hat, Defcon, Hack in the Box, RECON, and OffensiveCon. Richard was co-founder of the Uninformed Journal and has served on program committees for USENIX WOOT, RECON, and Toorcon.