Proposal for a whitelist-based countermeasure against abusing BPF



Abstract

Malware that exploits Berkeley Packet Filter (BPF) to evade detection has been reported as an emerging cybersecurity threat. There are two types of BPF, extended BPF (eBPF) and classic BPF (cBPF), but existing countermeasures typically mitigate abuse of only one of them, leaving systems exposed to the other. In this paper, we propose a whitelist-based protection mechanism that handles both eBPF and cBPF. A whitelist-based approach makes it possible to counter BPF abuse comprehensively while keeping implementation complexity low, so that security is strengthened without sacrificing system efficiency. Evaluations show that the overhead of the proposed method is negligibly small, and its effectiveness has been confirmed in real environments. Furthermore, our analysis reveals that the downtime during reloading with the proposed method is at least 300 ms. We also discuss various potential attack vectors that exploit this downtime and explore strategies for mitigating such risks.
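The abstract's central point is that a policy must cover both ways a BPF program reaches the kernel: eBPF programs loaded through the bpf(2) syscall and cBPF filters attached with setsockopt(2). The following user-space model, added here as an illustration and not the paper's kernel mechanism, classifies constructed syscall records into the two types and applies a single explicit whitelist to both; the record format, executable paths and hash values are all assumed sample data.

```python
# Added illustration (not the paper's code): a user-space model of one whitelist
# that covers both BPF attach paths named in the abstract.
#   - eBPF: programs loaded via the bpf(2) syscall with BPF_PROG_LOAD
#   - cBPF: filters attached via setsockopt(2) with SO_ATTACH_FILTER or
#           SO_ATTACH_REUSEPORT_CBPF
# All records, paths and hashes below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class BpfEvent:
    kind: str        # "ebpf" or "cbpf"
    exe: str         # path of the process attempting the load/attach
    prog_hash: str   # hash of the program bytes (placeholder values)

# Allowed (kind, exe, prog_hash) triples. A list that only names eBPF loads
# would leave the cBPF path open, which is the gap the paper addresses.
WHITELIST = {
    ("ebpf", "/usr/sbin/tcpdump", "sha256:aaaa"),
    ("cbpf", "/usr/sbin/tcpdump", "sha256:bbbb"),
    ("ebpf", "/usr/bin/bpftrace", "sha256:cccc"),
}

def classify(syscall: str, arg: str) -> Optional[str]:
    """Map a syscall record to the BPF type it represents, or None if unrelated."""
    if syscall == "bpf" and arg == "BPF_PROG_LOAD":
        return "ebpf"
    if syscall == "setsockopt" and arg in ("SO_ATTACH_FILTER", "SO_ATTACH_REUSEPORT_CBPF"):
        return "cbpf"
    return None

def decide(ev: BpfEvent, whitelist=WHITELIST) -> str:
    """Allow only an exact whitelist match; everything else is denied by default."""
    return "allow" if (ev.kind, ev.exe, ev.prog_hash) in whitelist else "deny"

def evaluate(records, whitelist=WHITELIST):
    """Run the policy over (syscall, arg, exe, hash) records; skip non-load calls."""
    out = []
    for syscall, arg, exe, h in records:
        kind = classify(syscall, arg)
        if kind is not None:
            out.append((kind, exe, decide(BpfEvent(kind, exe, h), whitelist)))
    return out

# Constructed records: two whitelisted tool actions, one unknown binary using
# the cBPF path, and one unrelated bpf() call that is not a program load.
SAMPLE = [
    ("bpf", "BPF_PROG_LOAD", "/usr/sbin/tcpdump", "sha256:aaaa"),
    ("setsockopt", "SO_ATTACH_FILTER", "/usr/sbin/tcpdump", "sha256:bbbb"),
    ("setsockopt", "SO_ATTACH_FILTER", "/tmp/.x", "sha256:dead"),
    ("bpf", "BPF_MAP_CREATE", "/usr/bin/bpftrace", "-"),
]
```

Running `evaluate(SAMPLE)` allows the two tcpdump records and denies the unknown binary's cBPF attach, while the map-creation call is ignored because it does not load a program.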
