
ebpf security impact #20

@patryk4815

Description


Hi,
I wanted to raise a concern regarding the security implications of using eBPF with tracepoints in our C application. While this combination provides powerful capabilities for monitoring kernel behavior, there are some risks you need to consider, particularly in terms of security.

One significant issue is that under heavy kernel load, not all tracepoint functions may be executed. This could lead to missed tracepoints or unpredictable behavior in your application, especially if you rely on tracepoints for security-related purposes. Additionally, there's a risk associated with depending on kernel functions that may change or be removed in subsequent OS releases, potentially leading to inconsistencies or errors in our application.

As a result, I suggest we refrain from positioning your product as a security tool per se. While it can be valuable for monitoring and analysis purposes, it should not be considered the sole means of securing a system against threats.

I also recommend considering adding a warning in the README to alert users to these potential security issues.

Ref1: https://www.brendangregg.com/blog/2023-04-28/ebpf-security-issues.html
Ref2: https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/
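The event-loss point raised in the issue above can be made concrete with a small user-space model. This is an added example, not code from the issue author or from the project: a fixed-size ring buffer sits between a tracepoint handler (the producer) and a collector (the consumer), the way a BPF ring buffer does, and the producer keeps a loss counter, as a BPF program would do in a map when `bpf_ringbuf_reserve()` returns NULL. The buffer size, the burst sizes and the PIDs are constructed values. The scenario shows two things: events are silently lost once the collector falls behind, and the consumer cannot reconstruct the loss from sequence gaps alone, so a detection tool that wants to claim complete coverage needs the producer-side counter and must check it before trusting its record.

```c
/* Model of eBPF event loss under load (constructed example, not the project's code).
 * A tiny fixed-size ring buffer stands in for a BPF ring buffer between a
 * tracepoint handler (producer) and a user-space collector (consumer). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RB_SLOTS 8u /* real BPF ring buffers are KiB to MiB; the failure mode is the same */

struct event {
    uint64_t seq; /* monotonic sequence number stamped by the producer */
    uint32_t pid;
};

struct ring {
    struct event slots[RB_SLOTS];
    uint64_t head;     /* next slot to write */
    uint64_t tail;     /* next slot to read */
    uint64_t next_seq; /* producer-side sequence counter */
    uint64_t dropped;  /* producer-side loss counter: what a BPF program keeps in a map
                          when bpf_ringbuf_reserve() returns NULL */
};

struct audit {
    uint64_t emitted;          /* events the tracepoint handler tried to record */
    uint64_t delivered;        /* events the consumer actually read */
    uint64_t dropped_reported; /* losses counted by the producer */
    uint64_t gaps_inferred;    /* losses the consumer could infer from seq gaps alone */
};

static void ring_init(struct ring *r) { memset(r, 0, sizeof *r); }

/* Producer (the tracepoint handler): 0 if queued, -1 if the buffer was full and the event lost. */
static int ring_emit(struct ring *r, uint32_t pid) {
    uint64_t seq = r->next_seq++;
    if (r->head - r->tail == RB_SLOTS) {
        r->dropped++; /* without this counter the loss is silent */
        return -1;
    }
    struct event *e = &r->slots[r->head % RB_SLOTS];
    e->seq = seq;
    e->pid = pid;
    r->head++;
    return 0;
}

/* Consumer: returns 1 and fills *out if an event was available, else 0. */
static int ring_consume(struct ring *r, struct event *out) {
    if (r->tail == r->head) return 0;
    *out = r->slots[r->tail % RB_SLOTS];
    r->tail++;
    return 1;
}

/* Drain up to `max` events, counting the sequence gaps the consumer can see. */
static void drain(struct ring *r, unsigned max, struct audit *a, uint64_t *expect_seq) {
    struct event e;
    while (max-- && ring_consume(r, &e)) {
        if (e.seq > *expect_seq) a->gaps_inferred += e.seq - *expect_seq;
        *expect_seq = e.seq + 1;
        a->delivered++;
    }
}

/* Scenario: a burst larger than the buffer, a partial drain, a second burst, then a full drain. */
static struct audit run_scenario(unsigned burst1, unsigned drain1, unsigned burst2) {
    struct ring r;
    struct audit a = {0};
    uint64_t expect_seq = 0;
    ring_init(&r);
    for (unsigned i = 0; i < burst1; i++) { a.emitted++; ring_emit(&r, 1000 + i); }
    drain(&r, drain1, &a, &expect_seq);
    for (unsigned i = 0; i < burst2; i++) { a.emitted++; ring_emit(&r, 2000 + i); }
    drain(&r, UINT32_MAX, &a, &expect_seq);
    a.dropped_reported = r.dropped;
    return a;
}

/* The check a collector should make before treating its record as complete. */
static int coverage_complete(const struct audit *a) {
    return a->dropped_reported == 0 && a->delivered == a->emitted;
}

int main(void) {
    struct audit a = run_scenario(12, 4, 8);
    printf("emitted=%llu delivered=%llu dropped(producer)=%llu gaps(consumer)=%llu complete=%s\n",
           (unsigned long long)a.emitted, (unsigned long long)a.delivered,
           (unsigned long long)a.dropped_reported, (unsigned long long)a.gaps_inferred,
           coverage_complete(&a) ? "yes" : "NO");
    return 0;
}
```

With the 8-slot buffer, a burst of 12, a drain of 4 and a second burst of 8, the producer records 8 lost events, but the consumer can only infer 4 of them from sequence gaps: the events dropped at the tail of each burst leave no gap in what was read. A tool that reports only what it received, or that infers completeness from sequence numbers, overstates its coverage; reading the producer-side loss counter is the minimum needed to flag the window as unreliable.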
