When eBPF meets TLS!
Currently a work in progress that will be extended for the final version, this submission aims to demystify the eBPF technology for the security community. While eBPF is now well known in cloud environments (for process visibility and programmable network flows, for example), it has seen little experimentation as a building block of security-focused tools.
The purpose of this proposal is to give a step-by-step introduction to eBPF through working examples of four different eBPF programs and tools:
Identify the network traffic of a specific process
Detect processes doing TLS traffic
Dump a TLS session from a process's memory
Intercept a process's traffic transparently
Ultimately, this collection of programs could be used to develop a tool that seamlessly intercepts and modifies a process's TLS traffic.
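As an added illustration of the first two items (not code from the talk), the following bpftrace script attributes connect() calls to a named process and flags processes that complete a TLS handshake through OpenSSL by probing libssl in user space. It assumes OpenSSL 3 at the path shown (check with `ldconfig -p | grep libssl`) and "curl" as the watched process name.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example, not part of the original submission.
 * Assumptions: libssl.so.3 at the path below and a watched process named "curl".
 */

/* Item 1: every connect() issued by the watched process, with its socket fd. */
tracepoint:syscalls:sys_enter_connect
/comm == "curl"/
{
	printf("[net] %s pid=%d connect() on fd %d\n", comm, pid, args->fd);
}

/* Item 2: a completed TLS handshake identifies a TLS-speaking process,
 * regardless of the destination port it uses. */
uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_do_handshake
{
	@hs_start[tid] = nsecs;
}

uretprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_do_handshake
/@hs_start[tid]/
{
	/* SSL_do_handshake() returns 1 on success. */
	printf("[tls] %s pid=%d handshake %s in %d us\n", comm, pid,
	       retval == 1 ? "completed" : "failed",
	       (nsecs - @hs_start[tid]) / 1000);
	delete(@hs_start[tid]);
}

/* Plaintext volume per process: SSL_write(ssl, buf, num), so arg2 is num. */
uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
{
	@tls_bytes_written[comm, pid] = sum(arg2);
}

/* The @tls_bytes_written map is printed automatically when the script exits (Ctrl-C). */
```

Run it as root while the watched process makes HTTPS requests; statically linked TLS clients will not show up because no libssl symbols are resolved for them.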
Guillaume Valadon
Guillaume Valadon is the Director of Security Research at Quarkslab and holds a PhD in networking. He likes looking at data and crafting packets. In his spare time, he co-maintains Scapy and learns reversing embedded devices. Also, he still remembers what AT+MS=V34 means! Guillaume regularly gives technical presentations, classes and live demonstrations, and writes research papers for conferences and magazines.