The Race to Secure eBPF for Windows

By Trellix · August 11, 2022
This blog was written by Douglas McKee

Innovation often improves functionality and even security; however, adoption starts slow. Adoption often doesn’t increase at a linear rate but at an exponential rate leaving behind attack surfaces that never get a chance to be fully explored. When adoption rates scale quickly, the timer starts for a race between security researchers and threat actors to investigate these ripe attack surfaces to find the next big zero-day. At Trellix, we work hard to get ahead and win this race. We constantly ask ourselves what technology, features, library, etc. is about to take the industry by storm? In a year, 5 years or even 10 years, what will be the focus for threat actors to find and exploit?

As a result, today our Senior Principal Security Researcher, Richard Johnson will present in-depth research into eBPF for Windows at Black Hat. This presentation will demonstrate setup, auditing, fuzzing and discovered vulnerabilities in an up-and-coming attack surface. Didn’t realize eBPF was on Windows? It’s not yet by default, but it’s coming and that is exactly the reason this research is so important.

What is eBPF?

Extended Berkeley Packet Filter or eBPF was introduced into the Linux kernel back in December of 2014 as an upgrade to its predecessor BPF (Berkeley Packet Filter). eBPF is a virtual CPU architecture and virtual machine that allows special applications referred to as “eBPF programs” to execute in a trusted sandboxed environment within the kernel without the need to modify kernel source code. This is a drastic improvement from the classic requirements of needing to either modify kernel source or load an entire kernel module into memory. With eBPF, additional operating system level capabilities can be integrated at runtime not only efficiently but with higher performance than older methods.

Why is it useful?

At a most basic level, decisions and actions require data. The more complete and more detailed the data that can be obtained, the better decisions or actions can be taken. eBPF fundamentally provides a mechanism to collect more detailed information with less overhead than ever before. In some cases, this manifests itself in the ability for eBPF programs to attach to trace points in both kernel and userland providing visibility into runtime environments previously extremely difficult to trace. In other cases, custom telemetry can be gathered about process events, network connections, namespace changes and much more, allowing for more informed actions to be taken. On Linux-based systems we have already seen this pay off in areas such as denial-of-service protection.

eBPF for windows

In May of 2021, Microsoft announced the creation of a new open-source project called ebpf-for-windows. The goal of this project is to simply integrate the technology of eBPF on Windows 10 and Windows Server 2016 and later. The concept is to bring the same visibility and performance that is currently provided for the Linux kernel to the Window kernel and expand upon it even further where possible. This also sparked the creation of the eBPF Foundation with indications to make eBPF a fully cross platform technology. During this time Microsoft completed the first port of a major eBPF Program to Windows, the Cilium Layer 4 Load Balancer. As a security-first minded company, they also began to work on hardening the components and adding fuzz testing to the project.

With Microsoft committing and working towards a larger adoption of this technology it became apparent that this would be an inciting attack surface for threat actors to investigate. As Guillaume Fournier showed during his Black Hat talk in 2021 with eBPF on Linux, with enough time and motivation it would be possible to write rootkits utilizing this technology. The Windows version of eBPF is brand new and cannot use the existing Linux eBPF sandbox code. Therefore, with an emphasis on exploring the components that were Windows focused or new to the eBPF ecosystem, our team sought out to challenge the notation that eBPF on Windows can “guarantee safety” of code execution in the kernel. After all, if our adversary is going to challenge this assumption, shouldn’t we ask the question first?

Initial critical findings

During our enumeration and auditing of this framework our team discovered a heap-based buffer overflow vulnerability that successful exploitation would result in arbitrary code execution with Administrator privileges. The eBPF for Windows project includes a user library called EbpfApi. This library is responsible for loading eBPF programs from ELF Object Files and sending them to the eBPF service. EbpfApi is used by the included BPFTool and the Netsh plugin to allows users with Administrator privileges to load programs into the running kernel. As described above, eBPF is considered a trusted, sandboxed execution environment and these programs are expected to be verified and safe to run without allowing arbitrary code execution on the system. This vulnerability breaks that security boundary and may allow execution of arbitrary code with Administrator privileges through heap memory corruption. By our calculations, this vulnerability would warrant a CVSS 3.0 score of a 7.8. We reported this issue to Microsoft who promptly released a fix to the open-source project and it is fixed in the current code release tree.

Just getting started

We often define vulnerability research success by the impact of the finding for the discovered vulnerability. How many systems does it effect? Is it unauthenticated remote code execution? While this is one important metric to consider it should not be the only metric. In this case there are likely very few machines running the bleeding edge code base of eBPF on Windows, and it is not inherently a remote issue. However, the fundamental construct of an emerging technology that has the potential to be included on a large install base in the future has been broken. More importantly the flaws have been fixed during the development stage before there is even a chance of exploitation by malicious actors. As Trellix and other teams continue to research, find, and report vulnerabilities in eBPF for Windows, we will be creating a more secure environment for the future.