Share
## https://sploitus.com/exploit?id=61272AD6-8F36-5554-A307-6580B152296A
# eBPF Guard  
**eBPF-based Container Runtime Security Tool**  

eBPF Guard is a **security tool** designed for cloud-native environments. It utilizes eBPF (Extended Berkeley Packet Filter) technology to monitor system call behaviors at the Linux kernel level in real time. Combined with container context awareness and a rule engine, it enables **real-time detection, alerts, and proactive blocking** of intrusion behaviors such as container escape, privilege escalation, shell reverse shells, and unauthorized access to sensitive files. This ensures secure container runtime.  

## Protection Capabilities  
| Protection Type | Description | Severity Level |
|-----------------|-------------|------------------|
| Reverse Shell Protection | Detects and blocks abnormal external connections of shell processes | Critical |
| Container Escape Protection | Prevents processes within containers from accessing sensitive paths on the host machine | Critical |
| Privilege Escalation Protection | Monitors and intercepts illegal setuid privilege escalations | High |
| Sensitive File Protection | Prevents unauthorized access to critical system files | High / Medium |

## Features  
- **Kernel-level security monitoring** โ€“ Based on eBPF Tracepoint + Ring Buffer, low overhead, non-bypassable, and unalterable.  
- **Four types of intrusion protection** โ€“ Covers the four most common attack vectors in container environments.  
- **Behavior chain analysis** โ€“ Identifies multi-step intrusion behaviors using process parent-child relationship state machines.  
- **Container awareness** โ€“ Automatically recognizes Docker/Kubernetes/containerd container contexts and distinguishes risk levels inside and outside containers.  
- **Three protection modes** โ€“ Audit (silent auditing), Alert (real-time alerts), Enforce (proactive blocking).  
- **Multi-format alerts** โ€“ CLI color-based terminals, JSON-structured logs, and webhook notifications to the security platform.  
- **Scalable rule engine** โ€“ YAML-formatted protection rules, support for custom extensions; includes 9 built-in rules.  

## System Architecture  
```
+--------------------------------------------------+
|                 User Space                    |
|--------------------------------------------------|
| Alert Output (CLI / JSON / Webhook)            |
|--------------------------------------------------|
| Protection Executors (Audit / Alert / Enforce Modes) |
|--------------------------------------------------|
| Detection Engine (Rule Matching / Behavior Chain Analysis / Risk Scoring) |
|--------------------------------------------------|
| Event Handler (Container Context Completion / PPID Association)  |
|--------------------------------------------------|
| eBPF Manager (BPF Program Loading / Ring Buffer Reading)  |
+--------------------------------------------------+

+--------------------------------------------------+
|                 Kernel Space                |
|--------------------------------------------------|
| eBPF Tracepoint Hooks                     |
|   sched_process_exec  ยท sys_enter_openat     |
|   sys_enter_connect   ยท sys_enter_setuid      |
|   sched_process_exit                   |
|--------------------------------------------------|
| BPF Ring Buffer (Kernel โ†’ User Space Event Transfer Channel) |
+--------------------------------------------------+
```

## Quick Start  
### Environment Requirements  
| Project | Requirements |
|-------|-------------|
| Linux Kernel | โ‰ฅ 5.8 (Recommended: 5.15+) |
| clang   | โ‰ฅ 10.0      |
| Go     | โ‰ฅ 1.21      |

| Permission | Root |
### Compilation and Installation

```bash
git clone https://github.com/guaguaguagau/eBPF-Guard.git
cd eBPF-Guard

# Set up Go proxy for domestic users
go env -w GOPROXY=https://goproxy.cn,direct

# Compile everything with one click (eBPF kernel program + Go user-land program)
make build
```

### Starting Protection

```bash
# Alarm mode โ€“ Output alerts in real-time when an intrusion is detected
sudo ./bin/ebpf-guard

# Protection mode โ€“ Automatically terminate malicious processes when high-risk intrusions are detected
sudo ./bin/ebpf-guard --mode enforce

# JSON output โ€“ Adapted for security log platforms like ELK/Splunk
sudo ./bin/ebpf-guard --format json

# Webhook โ€“ Send alerts to the enterprise security operation platform
sudo ./bin/ebpf-guard --format webhook --webhook http://soc-server:8080/alert
```

### Command-Line Parameters

| Parameter | Default Value | Description |
|----------|--------------|-------------|
| `--mode` | `alert` | Protection mode: `audit` (audit), `alert` (alarm), `enforce` (block) |
| `--format` | `cli` | Alert output format: `cli`, `json`, `webhook` |
| `--webhook` | โ€” | Webhook push URL |
| `--rules` | Built-in rules | Path to external YAML protection rules files |

## Detailed Explanation of Protection Scenarios

### 1. Shell Rebound Protection

Identifies and intercepts two types of shell rebound attacks through behavior chain analysis:

- **Direct connection mode**: Attackers use built-in Shell functions to connect directly (e.g., `bash -i >& /dev/tcp/...`)
- **Toolchain mode**: Attackers start network tools via the Shell (e.g., `nc`, `python`, `perl`) before connecting externally

```
[17:47:46] [high] Suspected shell rebound: bash โ†’ nc โ†’ 8.8.8.8:4444 (score:85)
```

### 2. Container Escape Prevention

Monitors processes within containers for access to sensitive host resources, preventing attackers from escaping the container sandbox:

- `/var/run/docker.sock` โ€“ Prevents control of the host via Docker sockets
- `/proc/sysrq-trigger`, `/proc/kcore` โ€“ Prevents access to sensitive kernel interfaces
- `/sys/kernel`, `/sys/fs/cgroup` โ€“ Prevents manipulation of the system control plane
- `/proc/*/root` โ€“ Prevents access to the host file system via procfs

### 3. Privilege Escalation Prevention

- Detects attempts by non-root users to escalate privileges to root using `setuid(0)`
- Detects any changes in UID within the container (Changing setuid values within a container is considered a high-risk behavior)

### 4. Sensitive File Protection

Prevents attackers from stealing critical system credentials after an intrusion:

- `/etc/shadow`, `/etc/gshadow` โ€“ Prevents password hash leaks
- `/root/.ssh` โ€“ Prevents theft of SSH private keys
- `/etc/sudoers` โ€“ Prevents tampering with permission configurations
- `/var/spool/cron` โ€“ Prevents implantation of scheduled backdoors

## Running Results

```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘          eBPF Guard โ€” Container runtime threat detection & prevention             โ•‘
โ•‘    Container Runtime Threat Detection & Prevention   โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
2026/03/21 17:47:27 [Information] Using built-in default rules (9 rules)
2026/03/21 17:47:27 [Started] eBPF Guard is running | Mode = alert | Output = cli

[17:47:43] [high] Sensitive file access: /etc/shadow was read by cat (PID:44652, UID:0) (Score:80)
[17:47:43] [medium] Sensitive file access: /etc/passwd was read by cat (PID:44653, UID:0) (Score:50)
[17:47:46] [high] Suspected shell rebound: bash โ†’ nc โ†’ 8.8.8.8:53 (Score:85)
```

[17:47:47] [high]      Suspicious reverse shell: bash โ†’ nc โ†’ 8.8.8.8:4444 (score:85)

JSON alert output example:

```json
{
  "time": "2026-03-21T17:47:47+08:00",
  "type": "reverse_shell",
  "rule": "reverse_shell_chain",
  "severity": "high",
  "pid": 44680,
  "uid": 0,
  "comm": "nc",
  "message": "Suspicious reverse shell: bash โ†’ nc โ†’ 8.8.8.8:4444",
  "score": 85,
  "dst_ip": "8.8.8.8",
  "dst_port": 4444
}
```

## Protection Rule Configuration

Protection rules are defined in YAML format and can be customized according to business needs:

```yaml
rules:
  - name: Reverse Shell Detection        # Rule name
    type: reverse_shell                   # Protection type
    condition:
      processes: ["bash", "sh", "zsh"]    # Monitoring shell processes
      child_processes: ["nc", "python"]   # Suspected child processes
      network: true                       # Whether involving network behavior
    severity: critical                    # Severity level
    action: kill                          # Response action (alert/kill)
    enabled: true                         # Whether enabled
```

## Project Structure

```
eBPF-Guard/
โ”œโ”€โ”€ bpf/
โ”‚   โ”œโ”€โ”€ helpers.h              # BPF helper function definitions (self-contained, no external dependencies)
โ”‚   โ””โ”€โ”€ guard.c                # eBPF kernel security monitoring program (5 Tracepoint Hooks)
โ”œโ”€โ”€ cmd/
โ”‚   โ””โ”€โ”€ main.go                # Program entry and main event loop
โ”œโ”€โ”€ pkg/
โ”‚   โ”œโ”€โ”€ collector/             # eBPF collector (loads kernel programs, reads Ring Buffer)
โ”‚   โ”œโ”€โ”€ container/             # Container context identification (Docker/Kubernetes/containerd)
โ”‚   โ”œโ”€โ”€ detector/              # Security detection engine + 4 types of intrusion detectors
โ”‚   โ”œโ”€โ”€ enforcer/              # Protection execution module (process termination)
โ”‚   โ”œโ”€โ”€ events/                # Security event type definitions
โ”‚   โ””โ”€โ”€ output/                # Alert output module (CLI/JSON/Webhook)
โ”œโ”€โ”€ configs/
โ”‚   โ””โ”€โ”€ rules.yaml             # Protection rule configuration file
โ”œโ”€โ”€ scripts/
โ”‚   โ””โ”€โ”€ test_detection.sh      # Protection function verification test script
โ”œโ”€โ”€ Makefile                   # Build script
โ””โ”€โ”€ go.mod                     # Go module definition
```

## Technology Stack

- **Kernel-level security monitoring**: eBPF C (TracePoint Hook + Ring Buffer)
- **User-level protection engine**: Go + [cilium/ebpf](https://github.com/cilium/ebpf)
- **Rule engine**: YAML ([gopkg.in/yaml.v3](https://gopkg.in/yaml.v3))

## Protection Function Verification

When eBPF Guard is running, open another terminal to execute the test script, simulating four types of intrusion scenarios to verify the protection effectiveness:

```bash
sudo bash scripts/test_detection.sh
```

The test script will simulate the following sequences:
1. Access of sensitive files (`/etc/shadow`, `/etc/passwd`)
2. Container escape detection (Docker Socket, `/proc/sysrq-trigger`)
3. Abnormal outbound connections (connecting to external IPs)
4. Reverse shell behavior chain (`bash โ†’ nc โ†’ external IP`)

## License

[GPL-2.0](LICENSE)