One way to block a malicious process is to trace its behavior in a kernel-space eBPF program and then simply kill it from a user-space program, but there is latency before the user-space program receives the data from kernel space. I wonder if there is a way to kill a malicious process from within the kernel-space eBPF program, as it would be more efficient.
- There's a `bpf_send_signal()` helper in eBPF. It [wasn't designed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=8b401f9ed2441ad9e219953927a842d24ed051fc) for your use case, but maybe worth investigating? – Qeole Feb 17 '22 at 10:04
- Although most of the time, intrusion detection systems block specific actions rather than killing processes, such as what can be done with BPF LSM or the like. – Qeole Feb 17 '22 at 10:33
1 Answer
The BPF helper function `bpf_send_signal()` can be used to send a signal to the process of the monitored task, see its documentation:

```
long bpf_send_signal(u32 sig)

    Description
        Send signal sig to the process of the current task.
        The signal may be delivered to any of this
        process's threads.

    Return
        0 on success or successfully queued.

        -EBUSY if work queue under nmi is full.

        -EINVAL if sig is invalid.

        -EPERM if no permission to send the sig.

        -EAGAIN if bpf program can try again.
```

The signal to pass can be `SIGKILL`, for example.
Some projects use it already: Tetragon, a tool based on eBPF for “security observability and runtime enforcement”, can call it to terminate processes.
This helper is available starting with Linux 5.3.

Qeole
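As an added example (not part of the answer above, nor code from the Tetragon project), here is the same in-kernel enforcement written as a bpftrace script, whose `signal()` builtin is implemented with the `bpf_send_signal()` helper; the watched path `/tmp/suspect-binary` is an assumed value for illustration. Because the helper targets the *current* task, hooking `execve()` entry kills the caller before any user-space code of the new image runs, which is the latency advantage the question asks about.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Kill any process that attempts to execve() an assumed-malicious path.
 * Run with:  bpftrace --unsafe kill_on_exec.bt
 *   (signal() is classed as an "unsafe" builtin by bpftrace)
 * Requires Linux >= 5.3, where bpf_send_signal() was introduced.
 */

BEGIN
{
    printf("enforcing: SIGKILL on execve of /tmp/suspect-binary\n");
}

// Hook every execve() syscall entry; the predicate compares the
// requested image path against the (constructed) blocked path.
tracepoint:syscalls:sys_enter_execve
/str(args->filename) == "/tmp/suspect-binary"/
{
    // bpf_send_signal() acts on the current task, i.e. the process
    // that invoked execve(). SIGKILL is pending before the syscall
    // returns, so the new image never gets to run in user space.
    printf("%s pid=%d uid=%d tried to exec %s -> SIGKILL\n",
           comm, pid, uid, str(args->filename));
    signal("KILL");

    // Keep an audit trail of enforcement actions per command and user.
    @killed[comm, uid] = count();
}

END
{
    print(@killed);
}
```

Matching on a path string is only a demonstration of the hook and helper; a production policy would key on something harder to rename, such as the file's inode or a hash checked by a BPF LSM program, as the comment on the question suggests.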