Just to clarify what this is probably about, for people who don't do security research (that's what Quarkslab does) --- this is mostly valuable information for people who need to instrument apps under test to see what they're doing.
Locked-down TLS is a pain for testers, because, of course, the whole idea is preventing third parties from seeing plaintext. But that's what app testers need to do (usually, to get enough information to write their own tooling-grade clients and servers to use to probe vulnerabilities with). There's a bunch of different tools people use for this purpose; Frida is probably the best-known example, for mobile and native clients.
But if your target under test is Linux, modern eBPF gives you enough tooling to capture plaintext without directly instrumenting binaries, which is handy.
This isn't, like, per se a vulnerability; they're not saying it is.
Meh, I don't think so, any more than "defeating" content protection is a poor choice for an article about testing game and video playback systems. Defeating these things is just a step you have to take to test them.
The subtitle for the talk is "a security focused introduction to eBPF". I guess they changed it to give a bit of a heads-up for those just reading the posts title, but it's not the subtitle chosen by the author.
If you have root access to a host, it's pretty much game over, unless the OS vendor doesn't trust even the owner of the hardware/licensee of the software and has taken effective countermeasures against diving deep into the software (Linux, of course, has not). You don't need "eBPF tricks" to observe processes on the host perform traffic decryption. It's just another mechanism for doing so.
I wouldn't characterize it as "defeating TLS encryption" either, because it's not like you're decrypting traffic someplace other than on the host you already have privileged access to (and assuming you already have MITM capability, which is by no means assured).
Being at the author's talk earlier today, that wasn't really the spirit that it was given in. The author isn't really talking about "defeating" TLS as a technical control more as he is talking about "defeating" it as an annoyance when reverse engineering.
It's meant more as a showcase of how eBPF can be applied to a technical challenge, as opposed to the author claiming they fundamentally broke TLS.
I do point out that is editorializing on submitters part, the actual subtitle is "A security focused introduction to eBPF", which is much more descriptive of the content
> unless the OS vendor doesn't trust even the owner of the hardware/licensee of the software and has taken effective countermeasures against diving deep into the software (Linux, of courage, has not).
This is not entirely true.
SELinux does allow you to lock down certain actions while leaving root access available.
And of course you can configure selinux to prevent root user from disabling selinux.
So you might have root access and the game would not be over.
This makes me wonder: what's the worst of side effects if I were to disable eBPF via, say, modifying the boot arguments for the kernel in something like /etc/default/grub.conf?
Please correct me if I'm wrong here (I likely am), but isn't the fundamental design of eBPF engineered to allow injection of code into the kernel pertaining to MORE than just network-level stuff? Sure we see it at the network level primarily right now, but what's stopping that from being used for all kinds of things?
Short of very specific server-side applications, I see that as all risk, and little-to-no reward, so I'd like it disabled, especially on my personal workstation. Thing is, I know next to jack $#!t about eBPF, so I'm not sure what'll happen to my network (or other stuff?) if I just throw down and do that.
To clarify: systemd uses seccomp to filter system calls. Seccomp employs the older BPF, but not eBPF. There was some work done to make seccomp use eBPF, but so far nothing is merged.
eBPF is used in systemd's firewall code though, which allows filtering the IP addresses a service can contact. If this feature is not needed, eBPF can probably be disabled without impacting the other sandboxing features of systemd.
Great presentation. Any thoughts on including these tricks directly into wireshark to allow fluid decryption at least on the Linux client where CAP_BPF is present?
Could be a good weekend project, they already allow importing keys for decryptions so most of the work is finding references where openssl, etc stores it.
Locked-down TLS is a pain for testers, because, of course, the whole idea is preventing third parties from seeing plaintext. But that's what app testers need to do (usually, to get enough information to write their own tooling-grade clients and servers to use to probe vulnerabilities with). There's a bunch of different tools people use for this purpose; Frida is probably the best-known example, for mobile and native clients.
But if your target under test is Linux, modern eBPF gives you enough tooling to capture plaintext without directly instrumenting binaries, which is handy.
This isn't, like, per se a vulnerability; they're not saying it is.