
Primary language: C. License: BSD 3-Clause "New" or "Revised" License (BSD-3-Clause).

Bad BPF

A collection of malicious eBPF programs that use eBPF's ability to read and write user-space data while it is in flight between a user-mode program and the kernel.

Overview

See my blog and my DEF CON talk for an overview of how these programs work and why this is interesting.

Examples have been tested on:

  • Ubuntu 20.10
  • Fedora 34

Build

To use pre-built binaries, grab them from the Releases page.

To build from source, do the following:

Dependencies

To build and run all the examples you will need a Linux kernel of at least version 4.7.

As this code makes use of CO-RE, it requires a recent kernel that exposes BTF type information. See these notes in the libbpf README for more information. For example, on Ubuntu this means Ubuntu 20.10 or later.

To build, it requires these dependencies:

  • zlib
  • libelf
  • libbfd
  • clang 11
  • make

On Ubuntu these can be installed by

sudo apt install build-essential clang-11 libelf-dev zlib1g-dev libbfd-dev libcap-dev linux-tools-common linux-tools-generic

NOTE: Some examples fail to build on Clang 12. To install clang 11 specifically on Fedora 34+ you have to run:

# First install clang 12
sudo dnf install clang
# Then downgrade to Clang 11, which was in Fedora 33
sudo dnf downgrade --releasever=33 clang
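The prerequisites above are easy to get slightly wrong (a kernel built without BTF, clang 12 picked up instead of clang 11), so here is an added preflight script that checks them before you build. It is not part of bad-bpf. It assumes the kernel exports its BTF at /sys/kernel/btf/vmlinux (the same file the bpftool command below reads to generate vmlinux.h) and that clang is installed as clang-11 or clang; the version strings quoted in the comments are constructed samples.

```sh
#!/bin/sh
# Added preflight check for the bad-bpf build prerequisites (not part of the
# project): kernel >= 4.7, BTF type information exported by the kernel, and
# clang major version 11.

# Print the major component of a dotted version ("5.8.0" -> "5").
major_of() { printf '%s' "${1%%.*}"; }

# Print the minor component ("5.8.0" -> "8"; a bare "5" has minor 0).
minor_of() {
    case "$1" in
        *.*) r=${1#*.}; printf '%s' "${r%%.*}" ;;
        *)   printf '0' ;;
    esac
}

# version_ge HAVE WANT: succeed if HAVE (e.g. a constructed "5.8.0-63-generic")
# is at least WANT (e.g. "4.7"). The distro suffix after the numbers is ignored.
version_ge() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    [ -n "$have" ] || return 1
    hm=$(major_of "$have"); hn=$(minor_of "$have")
    wm=$(major_of "$2");    wn=$(minor_of "$2")
    [ "$hm" -gt "$wm" ] 2>/dev/null && return 0
    [ "$hm" -eq "$wm" ] && [ "$hn" -ge "$wn" ]
}

# Extract the clang major version from `clang --version` output, e.g. a
# constructed "Ubuntu clang version 11.0.0-2~ubuntu20.04.1" -> "11".
clang_major_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*clang version \([0-9][0-9]*\).*/\1/p' | head -n 1
}

check_kernel() { version_ge "$(uname -r)" "4.7"; }

# CO-RE needs the kernel's own BTF, which a kernel built with
# CONFIG_DEBUG_INFO_BTF=y exports at this path.
check_btf() { [ -r /sys/kernel/btf/vmlinux ]; }

# Prefer the versioned binary; fall back to whatever "clang" resolves to.
check_clang() {
    banner=$(clang-11 --version 2>/dev/null || clang --version 2>/dev/null)
    [ "$(clang_major_from_banner "$banner")" = "11" ]
}

# Run every check, report each one, and return the number of failures.
preflight() {
    failed=0
    for c in check_kernel check_btf check_clang; do
        if "$c"; then
            printf 'ok    %s\n' "$c"
        else
            printf 'FAIL  %s\n' "$c"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh preflight.sh --run  (exit status is the number of failed checks)
case "${1:-}" in --run) preflight ;; esac
```

A failing check_btf on an otherwise recent kernel means the distribution kernel was built without CONFIG_DEBUG_INFO_BTF, and the vmlinux.h regeneration step below cannot work either, since bpftool reads the same file.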

Build

To build from source, recursively clone the repository, then run make in the src directory:

# --recursive is needed to also get the libbpf source
git clone --recursive https://github.com/pathtofile/bad-bpf.git
cd bad-bpf/src
make

The binaries will be built into bad-bpf/src/bin. If you encounter issues related to vmlinux.h, try regenerating the file for your specific kernel and distribution:

cd bad-bpf/tools
./bpftool btf dump file /sys/kernel/btf/vmlinux format c > ../src/vmlinux.h

Run

To run, launch each program as root (loading BPF programs needs CAP_SYS_ADMIN, or CAP_BPF with CAP_PERFMON for tracing programs on kernels 5.8 and later). Every program has a --help option that lists its required arguments and shows examples.