Experiments with eBPF and signals

This repository holds a series of scripts and mini programs that attempt to demonstrate "what happens if we use SIGKILL as a security mechanism". Primarily we are interested in pinpointing what kind of system behaviour we can effectively "block".

Running

$ make test
or
$ make test FAST=y # (escapes racers)
or
$ make test FAST=y ART=/path/artefacts

As discussed in the blog post, different file systems may yield different results, you can pass ART=/tmp/artefacts to see how tmpfs behaves for instance.

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
.gitignore		.gitignore
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
execer.c		execer.c
forker.c		forker.c
helpers.sh		helpers.sh
onewrite.c		onewrite.c
pipewrite.c		pipewrite.c
race-openwrite.c		race-openwrite.c
run-chmod.sh		run-chmod.sh
run-exec.sh		run-exec.sh
run-link.sh		run-link.sh
run-mknod.sh		run-mknod.sh
run-onewrite.sh		run-onewrite.sh
run-pipewrite.sh		run-pipewrite.sh
run-race-openwrite.sh		run-race-openwrite.sh
run-rename.sh		run-rename.sh
run-taskalloc.sh		run-taskalloc.sh
run-truncate.sh		run-truncate.sh
run-unlink.sh		run-unlink.sh

License

elastic/ebpf-sig-exp

Folders and files

Latest commit

History

Repository files navigation

Experiments with eBPF and signals

Running

About

Resources

License

Security policy

Stars

Watchers

Forks

Languages