KRIe is a research project that aims to detect Linux Kernel exploits with eBPF. KRIe is far from being a bulletproof strategy: from eBPF related limitations to post exploitation detections that might rely on a compromised kernel to emit security events, it is clear that a motivated attacker will eventually be able to bypass it. That being said, the goal of the project is to make attackers’ lives harder and ultimately prevent out-of-the-box exploits from working on a vulnerable kernel.
KRIe has been developed using CO-RE (Compile Once – Run Everywhere) so that it is compatible with a large range of kernel versions. If your kernel doesn’t export its BTF debug information, KRIe will try to download it automatically from BTFHub. If your kernel isn’t available on BTFHub, but you have been able to manually generate your kernel’s BTF data, you can provide it in the configuration file (see below).
This project was developed on Ubuntu Focal 20.04 (Linux Kernel 5.15) and has been tested on older releases down to Ubuntu Bionic 18.04 (Linux Kernel 4.15).
- golang 1.18+
- (optional) Kernel headers are expected to be installed in
lib/modules/$(uname -r), update the
Makefilewith their location otherwise.
- (optional) clang & llvm 14.0.6+
Optional fields are required to recompile the eBPF programs.
- Since KRIe was built using CORE, you shouldn’t need to rebuild the eBPF programs. That said, if you want still want to rebuild the eBPF programs, you can use the following command:
# ~ make build-ebpf
- To build KRIE, run:
# ~ make build
- To install KRIE (copy to /usr/bin/krie) run:
# ~ make install
KRIe needs to run as root. Run
sudo krie -h to get help.
# ~ krie -h
--config string KRIe config file (default "./cmd/krie/run/config/default_config.yaml")
-h, --help help for krie
## Log level, options are: panic, fatal, error, warn, info, debug or trace
## JSON output file, leave empty to disable JSON output.
## BTF information for the current kernel in .tar.xz format (required only if KRIE isn't able to locate it by itself)
## events configuration
## action taken when an init_module event is detected
## action taken when an delete_module event is detected
## action taken when a bpf event is detected
## action taken when a bpf_filter event is detected
## action taken when a ptrace event is detected
## action taken when a kprobe event is detected
## action taken when a sysctl event is detected
## Default settings for sysctl programs (kernel 5.2+ only)
## Custom settings for sysctl programs (kernel 5.2+ only)
## action taken when a hooked_syscall_table event is detected
## action taken when a hooked_syscall event is detected
## kernel_parameter event configuration
ticker: 1 # sends at most one event every [ticker] second(s)
- symbol: system/kprobes_all_disarmed
# - symbol: system/selinux_state
# expecte d_value: 256
# size: 2
- symbol: system/ftrace_dump_on_oops
- symbol: system/kptr_restrict
- symbol: system/randomize_va_space
- symbol: system/stack_tracer_enabled
- symbol: system/unprivileged_userns_clone
- symbol: system/unprivileged_userns_apparmor_policy
- symbol: system/sysctl_unprivileged_bpf_disabled
- symbol: system/ptrace_scope
- symbol: system/sysctl_perf_event_paranoid
- symbol: system/kexe c_load_disabled
- symbol: system/dmesg_restrict
- symbol: system/modules_disabled
- symbol: system/ftrace_enabled
- symbol: system/ftrace_disabled
- symbol: system/sysctl_protected_fifos
- symbol: system/sysctl_protected_hardlinks
- symbol: system/sysctl_protected_regular
- symbol: system/sysctl_protected_symlinks
- symbol: system/sysctl_unprivileged_userfaultfd
## action to check when a regis ter_check fails on a sensitive kernel space hook point
- The first version of KRIe was announced at BlackHat 2022, during the briefing: Return to Sender – Detecting Kernel Exploits with eBPF
- The golang code is under Apache 2.0 License.
- The eBPF programs are under the GPL v2 License.