• Oct 2, 2025

    Introducing 0xB33SM0K3R: The Ultimate eBPF Bypass Technique

    TL;DR: Your eBPF tools are safe. This is tongue-in-cheek post about a general exploit technique applied to the eBPF subsystem, parodying clout chasing tweeters and overwrought corporate blogs. It could be useful for rootkits, but is not a vulnerability in and of itself.

  • Sep 16, 2024

    Replicating an eBPF SDIV Oops

    TL;DR: Signed division is hard and sometimes it makes the kernel sad.

  • Sep 5, 2024

    Vulnerable eBPF CTF Challenge 01

    A CTF style vulnerable box where you need to find and exploit a mistake in an eBPF program that allows privilege escalation to root.

  • May 5, 2023

    Interactivity is the halting problem in a trench coat.

    Or: please, please, stop piping curl into bash in prod.

  • Mar 13, 2023

    Stop saying eBPF when you mean cBPF.

    TL;DR: Let’s detect malware that uses BPF the right way. eBPF has become a hot topic, which leads to some hype whenever BPF is found in malware. The thing is, BPF malware is nothing new and most malware is using cBPF, not eBPF. Conflating cBPF with eBPF is harmful to defenders, who really need to understand the difference between the two when writing detections.