Share
## https://sploitus.com/exploit?id=61272AD6-8F36-5554-A307-6580B152296A
# eBPF Guard
**eBPF-based Container Runtime Security Tool**
eBPF Guard is a **security tool** designed for cloud-native environments. It utilizes eBPF (Extended Berkeley Packet Filter) technology to monitor system call behaviors at the Linux kernel level in real time. Combined with container context awareness and a rule engine, it enables **real-time detection, alerts, and proactive blocking** of intrusion behaviors such as container escape, privilege escalation, shell reverse shells, and unauthorized access to sensitive files. This ensures secure container runtime.
## Protection Capabilities
| Protection Type | Description | Severity Level |
|-----------------|-------------|------------------|
| Reverse Shell Protection | Detects and blocks abnormal external connections of shell processes | Critical |
| Container Escape Protection | Prevents processes within containers from accessing sensitive paths on the host machine | Critical |
| Privilege Escalation Protection | Monitors and intercepts illegal setuid privilege escalations | High |
| Sensitive File Protection | Prevents unauthorized access to critical system files | High / Medium |
## Features
- **Kernel-level security monitoring** โ Based on eBPF Tracepoint + Ring Buffer, low overhead, non-bypassable, and unalterable.
- **Four types of intrusion protection** โ Covers the four most common attack vectors in container environments.
- **Behavior chain analysis** โ Identifies multi-step intrusion behaviors using process parent-child relationship state machines.
- **Container awareness** โ Automatically recognizes Docker/Kubernetes/containerd container contexts and distinguishes risk levels inside and outside containers.
- **Three protection modes** โ Audit (silent auditing), Alert (real-time alerts), Enforce (proactive blocking).
- **Multi-format alerts** โ CLI color-based terminals, JSON-structured logs, and webhook notifications to the security platform.
- **Scalable rule engine** โ YAML-formatted protection rules, support for custom extensions; includes 9 built-in rules.
## System Architecture
```
+--------------------------------------------------+
| User Space |
|--------------------------------------------------|
| Alert Output (CLI / JSON / Webhook) |
|--------------------------------------------------|
| Protection Executors (Audit / Alert / Enforce Modes) |
|--------------------------------------------------|
| Detection Engine (Rule Matching / Behavior Chain Analysis / Risk Scoring) |
|--------------------------------------------------|
| Event Handler (Container Context Completion / PPID Association) |
|--------------------------------------------------|
| eBPF Manager (BPF Program Loading / Ring Buffer Reading) |
+--------------------------------------------------+
+--------------------------------------------------+
| Kernel Space |
|--------------------------------------------------|
| eBPF Tracepoint Hooks |
| sched_process_exec ยท sys_enter_openat |
| sys_enter_connect ยท sys_enter_setuid |
| sched_process_exit |
|--------------------------------------------------|
| BPF Ring Buffer (Kernel โ User Space Event Transfer Channel) |
+--------------------------------------------------+
```
## Quick Start
### Environment Requirements
| Project | Requirements |
|-------|-------------|
| Linux Kernel | โฅ 5.8 (Recommended: 5.15+) |
| clang | โฅ 10.0 |
| Go | โฅ 1.21 |
| Permission | Root |
### Compilation and Installation
```bash
git clone https://github.com/guaguaguagau/eBPF-Guard.git
cd eBPF-Guard
# Set up Go proxy for domestic users
go env -w GOPROXY=https://goproxy.cn,direct
# Compile everything with one click (eBPF kernel program + Go user-land program)
make build
```
### Starting Protection
```bash
# Alarm mode โ Output alerts in real-time when an intrusion is detected
sudo ./bin/ebpf-guard
# Protection mode โ Automatically terminate malicious processes when high-risk intrusions are detected
sudo ./bin/ebpf-guard --mode enforce
# JSON output โ Adapted for security log platforms like ELK/Splunk
sudo ./bin/ebpf-guard --format json
# Webhook โ Send alerts to the enterprise security operation platform
sudo ./bin/ebpf-guard --format webhook --webhook http://soc-server:8080/alert
```
### Command-Line Parameters
| Parameter | Default Value | Description |
|----------|--------------|-------------|
| `--mode` | `alert` | Protection mode: `audit` (audit), `alert` (alarm), `enforce` (block) |
| `--format` | `cli` | Alert output format: `cli`, `json`, `webhook` |
| `--webhook` | โ | Webhook push URL |
| `--rules` | Built-in rules | Path to external YAML protection rules files |
## Detailed Explanation of Protection Scenarios
### 1. Shell Rebound Protection
Identifies and intercepts two types of shell rebound attacks through behavior chain analysis:
- **Direct connection mode**: Attackers use built-in Shell functions to connect directly (e.g., `bash -i >& /dev/tcp/...`)
- **Toolchain mode**: Attackers start network tools via the Shell (e.g., `nc`, `python`, `perl`) before connecting externally
```
[17:47:46] [high] Suspected shell rebound: bash โ nc โ 8.8.8.8:4444 (score:85)
```
### 2. Container Escape Prevention
Monitors processes within containers for access to sensitive host resources, preventing attackers from escaping the container sandbox:
- `/var/run/docker.sock` โ Prevents control of the host via Docker sockets
- `/proc/sysrq-trigger`, `/proc/kcore` โ Prevents access to sensitive kernel interfaces
- `/sys/kernel`, `/sys/fs/cgroup` โ Prevents manipulation of the system control plane
- `/proc/*/root` โ Prevents access to the host file system via procfs
### 3. Privilege Escalation Prevention
- Detects attempts by non-root users to escalate privileges to root using `setuid(0)`
- Detects any changes in UID within the container (Changing setuid values within a container is considered a high-risk behavior)
### 4. Sensitive File Protection
Prevents attackers from stealing critical system credentials after an intrusion:
- `/etc/shadow`, `/etc/gshadow` โ Prevents password hash leaks
- `/root/.ssh` โ Prevents theft of SSH private keys
- `/etc/sudoers` โ Prevents tampering with permission configurations
- `/var/spool/cron` โ Prevents implantation of scheduled backdoors
## Running Results
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ eBPF Guard โ Container runtime threat detection & prevention โ
โ Container Runtime Threat Detection & Prevention โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
2026/03/21 17:47:27 [Information] Using built-in default rules (9 rules)
2026/03/21 17:47:27 [Started] eBPF Guard is running | Mode = alert | Output = cli
[17:47:43] [high] Sensitive file access: /etc/shadow was read by cat (PID:44652, UID:0) (Score:80)
[17:47:43] [medium] Sensitive file access: /etc/passwd was read by cat (PID:44653, UID:0) (Score:50)
[17:47:46] [high] Suspected shell rebound: bash โ nc โ 8.8.8.8:53 (Score:85)
```
[17:47:47] [high] Suspicious reverse shell: bash โ nc โ 8.8.8.8:4444 (score:85)
JSON alert output example:
```json
{
"time": "2026-03-21T17:47:47+08:00",
"type": "reverse_shell",
"rule": "reverse_shell_chain",
"severity": "high",
"pid": 44680,
"uid": 0,
"comm": "nc",
"message": "Suspicious reverse shell: bash โ nc โ 8.8.8.8:4444",
"score": 85,
"dst_ip": "8.8.8.8",
"dst_port": 4444
}
```
## Protection Rule Configuration
Protection rules are defined in YAML format and can be customized according to business needs:
```yaml
rules:
- name: Reverse Shell Detection # Rule name
type: reverse_shell # Protection type
condition:
processes: ["bash", "sh", "zsh"] # Monitoring shell processes
child_processes: ["nc", "python"] # Suspected child processes
network: true # Whether involving network behavior
severity: critical # Severity level
action: kill # Response action (alert/kill)
enabled: true # Whether enabled
```
## Project Structure
```
eBPF-Guard/
โโโ bpf/
โ โโโ helpers.h # BPF helper function definitions (self-contained, no external dependencies)
โ โโโ guard.c # eBPF kernel security monitoring program (5 Tracepoint Hooks)
โโโ cmd/
โ โโโ main.go # Program entry and main event loop
โโโ pkg/
โ โโโ collector/ # eBPF collector (loads kernel programs, reads Ring Buffer)
โ โโโ container/ # Container context identification (Docker/Kubernetes/containerd)
โ โโโ detector/ # Security detection engine + 4 types of intrusion detectors
โ โโโ enforcer/ # Protection execution module (process termination)
โ โโโ events/ # Security event type definitions
โ โโโ output/ # Alert output module (CLI/JSON/Webhook)
โโโ configs/
โ โโโ rules.yaml # Protection rule configuration file
โโโ scripts/
โ โโโ test_detection.sh # Protection function verification test script
โโโ Makefile # Build script
โโโ go.mod # Go module definition
```
## Technology Stack
- **Kernel-level security monitoring**: eBPF C (TracePoint Hook + Ring Buffer)
- **User-level protection engine**: Go + [cilium/ebpf](https://github.com/cilium/ebpf)
- **Rule engine**: YAML ([gopkg.in/yaml.v3](https://gopkg.in/yaml.v3))
## Protection Function Verification
When eBPF Guard is running, open another terminal to execute the test script, simulating four types of intrusion scenarios to verify the protection effectiveness:
```bash
sudo bash scripts/test_detection.sh
```
The test script will simulate the following sequences:
1. Access of sensitive files (`/etc/shadow`, `/etc/passwd`)
2. Container escape detection (Docker Socket, `/proc/sysrq-trigger`)
3. Abnormal outbound connections (connecting to external IPs)
4. Reverse shell behavior chain (`bash โ nc โ external IP`)
## License
[GPL-2.0](LICENSE)