One way to block a malicious process is to trace its behavior in a kernel-space eBPF program and then simply kill it from a user-space program, but there is latency before the user-space program receives the data from kernel space. I wonder if there is a way to kill a malicious process from within the kernel-space eBPF program itself, as that would be more efficient.
Is it possible to use eBPF to block a malicious process in kernel space?
1.1k views, asked by hdthky; 1 answer.
The BPF helper function bpf_send_signal() can be used to send a signal to the process of the monitored task; see its documentation. The signal to pass can be SIGKILL, for example.

Some projects use it already: Tetragon, a tool based on eBPF for “security observability and runtime enforcement”, can call it to terminate processes.

This helper is available starting with Linux 5.3.
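As an added example of the mechanism the answer describes (this is my own illustration, not code from the answer, from Tetragon or from any other project), here is a complete tracepoint program that calls bpf_send_signal(SIGKILL) from kernel space the moment a process exec()s a binary whose name is on a deny list. The hook, the program name kill_denied_exec, the helper comm_is_denied and the three names in the deny list are all constructed for the example; a real tool would keep the list in a BPF map that user space populates instead of compiling it in. The file builds as a BPF object with libbpf's headers, and, because the helpers it uses are only a name-matching loop plus two helper calls, it also builds with an ordinary host C compiler against the small in-file stubs, which is how the matching logic is unit-tested below.

```c
/* Added example, not code from the original answer or from Tetragon:
 * an eBPF program that kills a process in kernel space with
 * bpf_send_signal(SIGKILL) as soon as it exec()s a binary on a deny list.
 *
 * BPF build (needs libbpf headers):
 *   clang -O2 -g -target bpf -c kill_on_exec.bpf.c -o kill_on_exec.bpf.o
 * Host build, to unit-test the matching logic against in-file stubs:
 *   cc -c kill_on_exec.bpf.c
 * The deny list is hard-coded to keep the file self-contained; a real tool
 * would keep it in a BPF map that user space populates. */
#if defined(__bpf__)
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#else
/* Host build: stand-ins for the BPF helpers and macros so the logic below
 * compiles and runs with an ordinary C compiler. Unused in the BPF build. */
#include <stdint.h>
#include <string.h>
typedef uint32_t __u32;
#define SEC(name)
static char host_comm[16];      /* what bpf_get_current_comm() hands back */
static __u32 host_signal_sent;  /* last signal passed to bpf_send_signal() */
static long bpf_get_current_comm(void *buf, __u32 size) { memcpy(buf, host_comm, size); return 0; }
static long bpf_send_signal(__u32 sig) { host_signal_sent = sig; return 0; }
#endif

#ifndef SIGKILL
#define SIGKILL 9
#endif
#define COMM_LEN 16     /* TASK_COMM_LEN: at most 15 characters plus NUL */
#define DENY_COUNT 3

/* Constructed deny list for the example: names as they appear in task->comm
 * (basename of the executable, truncated to 15 characters). */
static const char deny_list[DENY_COUNT][COMM_LEN] = { "xmrig", "ncat", "evil-dropper" };

/* Compare comm against every entry byte by byte. Both loop bounds are
 * constants, so the verifier can prove termination (bounded loops are
 * accepted from Linux 5.3, the release that also added bpf_send_signal). */
static inline int comm_is_denied(const char *comm)
{
    for (int i = 0; i < DENY_COUNT; i++) {
        for (int j = 0; j < COMM_LEN; j++) {
            if (comm[j] != deny_list[i][j])
                break;          /* mismatch: try the next entry */
            if (comm[j] == '\0')
                return 1;       /* matched through the terminator */
        }
    }
    return 0;
}

/* sched_process_exec fires in the exec()ing task's own context, after the
 * new image is loaded and comm has been updated. bpf_send_signal() always
 * targets the *current* task, so that is exactly the process to kill; the
 * SIGKILL is delivered on the return to user space, before the new image
 * runs a single instruction, with no round trip through a user-space agent. */
SEC("tp/sched/sched_process_exec")
int kill_denied_exec(void *ctx)
{
    char comm[COMM_LEN] = {0};

    (void)ctx;
    if (bpf_get_current_comm(comm, sizeof(comm)) < 0)
        return 0;
    if (!comm_is_denied(comm))
        return 0;

    /* Returns 0 on success, -EPERM if current is a kernel thread or already
     * exiting, -EINVAL for a bad signal number. A real tool would count a
     * failure in a map; the example ignores the return value. */
    bpf_send_signal(SIGKILL);
    return 0;
}

char LICENSE[] SEC("license") = "GPL";

#if !defined(__bpf__)
/* Host-only harness: pretend a task with the given comm just exec()ed and
 * report which signal, if any, the program sent. */
__u32 host_exec_as(const char *comm)
{
    host_signal_sent = 0;
    memset(host_comm, 0, sizeof(host_comm));
    strncpy(host_comm, comm, COMM_LEN - 1);
    kill_denied_exec(0);
    return host_signal_sent;
}
#endif
```

Load and attach the object with libbpf (for example through a generated skeleton); once attached, a process named xmrig never gets to execute its first user-space instruction. Three caveats a deployment needs to keep in mind: matching on comm is trivially evaded by renaming the binary, so real enforcement keys on something the attacker does not control (the file's identity, the caller's namespace or cgroup, the syscall arguments); bpf_send_signal is only offered to tracing-type programs (kprobe, tracepoint, perf_event and friends, not XDP or TC) and signals the current task, so the hook must run in the context of the process you mean to kill, and when it runs from interrupt or NMI context the kernel defers delivery through irq_work rather than sending synchronously; and a kill is still reactive. To refuse the operation outright instead of killing afterwards, a BPF LSM program (Linux 5.7 and later) can return -EPERM from the relevant hook, which is the closer answer to "block" in the question's sense, with bpf_send_signal as the complement for terminating a process that is already running. bpf_send_signal_thread (Linux 5.5) is the per-thread variant if you want to signal only the current thread rather than the whole thread group.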