Originally posted by stormcrow
The reality here is that the port knocking of BPFDoor is nothing special; open source code documented how to do it in 2017. The older pcap port knocking also bypassed all firewall protections.
Also in 2017, to be correct, Linux kernel 4.13 included a feature to list all running bpf/ebpf programs, and the tools to check.
So it's not that Linux kernel security is poor here. The functionality to detect this malware was included almost since day 1. The functionality to implement this malware was added with Linux kernel 5.8 in Aug 2020, with the added capabilities flag for BPF usage, so now you don't have to run processes that need other capabilities with BPF support.
There is an old saying: you can lead a horse to water but you cannot make it drink.
No, Linux is not like Windows in the naughts. With Windows in the naughts you had a stack of security faults where, no matter what you did, you were never close to safe, right down to having ping of death faults and other remote exploits with no prevention or detection options. This, if configured right using the functionality provided, is an attack that was detectable in 2017 and preventable in 2020.
JIT in the kernel is still a lot safer than random binary blob kernel modules. There are a lot of Windows backdoor kernel drivers that are very hard to detect. Yes, a BPF program cannot filter the output of the list of running BPF programs or hook that function when it has been called, and that is by design from 2017, so there was some thought given to this problem in 2017.
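As an added illustration of the detection capability stormcrow refers to (this is not code from the post or from any project), the Python below reads the per-descriptor fdinfo records the kernel exposes for loaded BPF programs and reports which processes hold them; the sample fdinfo text is constructed, reading other users' fdinfo needs root, and in practice the same listing is obtained with `bpftool prog show`.

```python
import os
import re
# Constructed sample of /proc/<pid>/fdinfo/<fd> for a descriptor that refers to a
# loaded BPF program. The prog_* field names are what the kernel prints for such
# descriptors (since 4.13); the values here are made up.
SAMPLE_BPF_FDINFO = ("pos:\t0\nflags:\t02000002\nmnt_id:\t15\n"
                     "prog_type:\t1\nprog_jited:\t1\nprog_tag:\t0123456789abcdef\n"
                     "memlock:\t4096\nprog_id:\t42\n")
# Constructed fdinfo of an ordinary file descriptor, for comparison.
SAMPLE_PLAIN_FDINFO = "pos:\t0\nflags:\t0100002\nmnt_id:\t15\n"
# Low-numbered bpf_prog_type values, in the order the UAPI enum defines them.
PROG_TYPE_NAMES = {0: "unspec", 1: "socket_filter", 2: "kprobe", 3: "sched_cls",
                   4: "sched_act", 5: "tracepoint", 6: "xdp"}
_FIELD_RE = re.compile(r"^(\w+):\t(.*)$", re.MULTILINE)


def parse_bpf_fdinfo(text):
    """Describe the BPF program behind an fd, or return None if the fdinfo
    text is not for a BPF program."""
    fields = dict(_FIELD_RE.findall(text))
    if "prog_type" not in fields:
        return None
    prog_type = int(fields["prog_type"])
    return {"prog_id": int(fields.get("prog_id", 0)),
            "prog_type": prog_type,
            "prog_type_name": PROG_TYPE_NAMES.get(prog_type, f"type_{prog_type}"),
            "jited": fields.get("prog_jited") == "1",
            "tag": fields.get("prog_tag", "")}


def scan_bpf_fds(proc="/proc"):
    """Return (pid, fd, info) for every descriptor under proc that holds a BPF
    program. Reading other users' fdinfo needs root; a missing proc yields []."""
    found = []
    if not os.path.isdir(proc):
        return found
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        fdinfo_dir = os.path.join(proc, pid, "fdinfo")
        try:
            fds = os.listdir(fdinfo_dir)
        except OSError:  # process exited, or not ours and we are not root
            continue
        for fd in fds:
            try:
                with open(os.path.join(fdinfo_dir, fd)) as fh:
                    info = parse_bpf_fdinfo(fh.read())
            except OSError:
                continue
            if info is not None:
                found.append((int(pid), int(fd), info))
    return found
```

A socket_filter program held by a process that has no business filtering packets is the kind of entry worth a second look.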