Carleton University - School of Computer Science Honours Project
Fall 2019
Extended Berkeley Packet Filter for Intrusion Detection Implementations
ABSTRACT
System introspection is becoming an increasingly attractive option
for maintaining operating system stability and security. This is largely
due to recent advances in introspection technology: in particular, the
introduction of eBPF (Extended Berkeley Packet Filter) into the Linux kernel in 2014
(the bpf(2) system call arrived in kernel 3.18), together with the more recent
development of usable front ends such as bcc (BPF Compiler Collection),
has produced a compelling, performant, and (perhaps most importantly) safe subsystem
for instrumenting both the kernel and userland. The safety comes from the in-kernel
verifier, which rejects programs that could loop without bound or read or write
memory outside what the program is permitted to touch.
The proposed thesis seeks to test the limits of what eBPF programs are capable of
in the domain of computer security. Specifically, I present ebpH,
an eBPF-based intrusion detection system modelled on Anil Somayaji's
pH (Process Homeostasis). Preliminary testing has shown that ebpH can detect
anomalies in process behavior by instrumenting system call tracepoints,
at negligible overhead. Future work will test and iterate on the ebpH prototype
in order to extend its functionality beyond what the current prototype provides.
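As an added illustration of the detection idea behind pH and ebpH (this is example code written for this page, not code from ebpH or from Somayaji's pH), the script below builds a lookahead-pair profile from system-call traces and flags a trace whose calls form pairs never seen in training. In ebpH the per-process call sequence would come from an eBPF program on the sys_enter tracepoint; here the traces, the server loop they describe, the window size of 9, the locality frame of 128 and the alert threshold of 3 are all assumptions chosen for the example so that it runs offline.

```python
"""pH-style anomaly detection over system-call traces using lookahead pairs.

Example code for this page (not the ebpH or pH implementation). In ebpH the
per-process call sequence would be delivered by an eBPF program attached to
the raw_syscalls:sys_enter tracepoint; the traces below are constructed
inline so the example runs without root or bcc.
"""
from collections import deque

WINDOW = 9      # assumption: each call is paired with the 8 calls before it
LOCALITY = 128  # assumption: mismatches are counted over the last 128 calls


class LookaheadProfile:
    """Normal-behaviour profile for one executable.

    Stores every (distance, current_call, earlier_call) triple observed
    during training; a triple absent from the profile at test time is a
    mismatch.
    """

    def __init__(self, window=WINDOW):
        self.window = window
        self.pairs = set()

    def _windows(self, trace):
        """Yield (index, lookahead pairs) for each call in the trace."""
        history = deque(maxlen=self.window - 1)  # most recent call last
        for i, call in enumerate(trace):
            pairs = {(d, call, prev)
                     for d, prev in enumerate(reversed(history), start=1)}
            yield i, pairs
            history.append(call)

    def train(self, trace):
        """Add every pair in a known-good trace to the profile."""
        for _, pairs in self._windows(trace):
            self.pairs |= pairs

    def test(self, trace, locality=LOCALITY):
        """Return (indices of mismatching calls, peak locality-frame count).

        The locality-frame count (LFC) is the number of mismatches among
        the last `locality` calls. Reacting to a high LFC rather than to a
        single mismatch keeps one stray unseen pair from tripping the
        detector.
        """
        mismatches = []
        recent = deque(maxlen=locality)
        peak_lfc = 0
        for i, pairs in self._windows(trace):
            bad = 1 if pairs - self.pairs else 0
            if bad:
                mismatches.append(i)
            recent.append(bad)
            peak_lfc = max(peak_lfc, sum(recent))
        return mismatches, peak_lfc


# Constructed traces for a hypothetical accept/read/write/close server loop.
PREFIX = ["socket", "bind", "listen"]
LOOP = ["accept", "read", "write", "close"]
TRAIN_TRACE = PREFIX + LOOP * 3
NORMAL_TRACE = PREFIX + LOOP * 5
# One request that ends in an execve, as a spawned shell would produce.
ATTACK_TRACE = PREFIX + LOOP + ["accept", "read", "execve", "write", "close"]


def build_profile(trace=TRAIN_TRACE):
    """Train a profile on the constructed normal trace."""
    profile = LookaheadProfile()
    profile.train(trace)
    return profile


def is_anomalous(profile, trace, threshold=3):
    """Flag the trace if its peak LFC reaches the (assumed) threshold."""
    _, peak_lfc = profile.test(trace)
    return peak_lfc >= threshold


if __name__ == "__main__":
    prof = build_profile()
    for name, trace in (("normal", NORMAL_TRACE), ("attack", ATTACK_TRACE)):
        mism, lfc = prof.test(trace)
        print(f"{name}: mismatches at {mism}, peak LFC {lfc}, "
              f"anomalous={is_anomalous(prof, trace)}")
```

The normal trace produces no mismatches even though it is longer than the training trace, because its windows repeat a pattern the profile has already seen; the attack trace mismatches at the execve and at the two calls that follow it, since their windows now contain execve at distances 1 and 2.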