
I am reading up on attaching eBPF programs in the kernel in a security context. While I have read that kprobes are susceptible to time-of-check-to-time-of-use attacks, I would like to know if the same holds for fentry/fexit probes, also known as BPF trampolines. As far as I understand, fentry/fexit probes have lower overhead and do not trap to the eBPF program but execute it directly. However, I am not entirely sure about the last part, and whether that alone is enough to protect against TOCTTOU attacks.
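
The race the question refers to (and that the comments below pin down) is about where the hook sits relative to the kernel's copy of a user-space argument, not about the attach mechanism. The following is an added example, not code from the question, from the linked NCC Group article, or from any eBPF project. It is plain user-space C that models the window with an explicit interleaving rather than real threads: `entry_hook` stands in for a program on the syscall entry tracepoint that reads the user pointer with `bpf_probe_read_user_str()`, `post_copy_hook` stands in for an fentry or LSM program attached to a kernel function that already receives the kernel's own copy, and `simulated_openat` stands in for the syscall with the attacker rewriting the buffer in between. All of these names are hypothetical and exist only in this model.

```c
#include <stdio.h>
#include <string.h>

#define PATH_LEN 64

/* "User memory": the buffer whose address user space passes to openat().
 * A second user thread may rewrite it at any time; nothing prevents that. */
static char user_path[PATH_LEN];

/* What each observer recorded during the most recent simulated syscall. */
static char entry_hook_saw[PATH_LEN];     /* syscall-entry hook (tracepoint/kprobe) */
static char post_copy_hook_saw[PATH_LEN]; /* hook after the copy (fentry/LSM on kernel data) */
static char kernel_copy[PATH_LEN];        /* the kernel's own copy of the path */

static void copy_str(char *dst, const char *src) {
    strncpy(dst, src, PATH_LEN - 1);
    dst[PATH_LEN - 1] = '\0';
}

/* Syscall-entry hook: dereferences the user pointer itself, the way a program
 * on sys_enter_openat would with bpf_probe_read_user_str(). (Model, not BPF.) */
static void entry_hook(const char *user_ptr) {
    copy_str(entry_hook_saw, user_ptr);
}

/* Post-copy hook: receives the kernel-owned copy, the way an fentry program on
 * a function that takes the already-copied filename (or an LSM hook) would. */
static void post_copy_hook(const char *kernel_ptr) {
    copy_str(post_copy_hook_saw, kernel_ptr);
}

/* One simulated openat(user_path) with observers at both points.
 * attacker_path != NULL models a second user thread winning the race and
 * rewriting the buffer between the entry hook and the kernel's copy. */
static void simulated_openat(const char *attacker_path) {
    entry_hook(user_path);                                   /* time of check */
    if (attacker_path) copy_str(user_path, attacker_path);   /* race window */
    copy_str(kernel_copy, user_path);                        /* strncpy_from_user() */
    post_copy_hook(kernel_copy);                             /* time of use */
}

/* Runs one scenario: user space starts with `benign` in its buffer; if
 * attacker_path is non-NULL the buffer is swapped inside the window.
 * Returns 1 if the entry hook logged something other than what the kernel
 * actually opened, 0 otherwise; *post_fooled reports the same for the
 * post-copy hook. */
int run_scenario(const char *benign, const char *attacker_path, int *post_fooled) {
    copy_str(user_path, benign);
    simulated_openat(attacker_path);
    *post_fooled = strcmp(post_copy_hook_saw, kernel_copy) != 0;
    return strcmp(entry_hook_saw, kernel_copy) != 0;
}

int main(void) {
    int post = 0;
    int entry = run_scenario("/tmp/harmless.txt", "/etc/shadow", &post);
    printf("entry hook saw %s, kernel opened %s, post-copy hook saw %s\n",
           entry_hook_saw, kernel_copy, post_copy_hook_saw);
    printf("entry hook fooled: %d, post-copy hook fooled: %d\n", entry, post);
    return 0;
}
```

In the swapped scenario the entry-level observer logs `/tmp/harmless.txt` while the kernel opens `/etc/shadow`; the observer that runs after the copy logs the same path the kernel used. Switching a syscall-entry kprobe to an fentry program on the same entrypoint would not change this outcome, because the argument is still a pointer into user memory at that point; what closes the window is attaching to a function that is reached only after the kernel has copied the data.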

  • Where did you read that "kprobes are susceptible to time-of-check-to-time-of-use attacks"? Whether you are susceptible to TOCTTOU attacks depends on where you hook the kprobes. – pchaigno Jan 02 '22 at 13:00
  • [Here](https://research.nccgroup.com/2021/08/06/some-musings-on-common-ebpf-linux-tracing-bugs/). "..we discussed how there exists a significant time-of-check-to-time-of-use (TOCTTOU) race condition when hooking a syscall entrypoint". Okay, I am a complete newbie to syscalls and kernel security, but from the article it seems like a syscall-specific problem? – BillGatesPriv Jan 02 '22 at 13:18
  • I see. That's a vulnerability tracee and Falco had (and still have?), and it mainly concerns syscalls. If you hook kernel functions executed after the copy to kernel memory has happened, you should be fine. – pchaigno Jan 02 '22 at 17:24
  • Alright, thank you! :) – BillGatesPriv Jan 02 '22 at 17:41

0 Answers