Sysarmor: Meta's eBPF Security Detection and Enforcement Tool
Offered By: Linux Plumbers Conference via YouTube
Course Description
Overview
Explore a comprehensive conference talk on Sysarmor, Meta's eBPF-based security detection and enforcement tool. Delve into the tool's deployment in high-threat environments, including collocated hosts, Meta Network Appliances, development servers, Meta cloud gaming, and public cloud platforms. Discover Sysarmor's unique approach of evaluating rules within the BPF program, enabling BPF-LSM enforcement. Learn about its 40+ BPF-based detections covering networking, privilege escalation, hardware attacks, rootkits, unknown executables, container creation, and container escape. Gain insights into challenging areas addressed by the Sysarmor team, such as efficient process information gathering, container information association with kernel data, effective use of uprobes in system executables, and leveraging BPF iterators for context recreation after service restarts.
Syllabus
Sysarmor: Meta's eBPF Security Detection and Enforcement Tool - Liam Wisehart, Shankaran Gnanashanmugam
Taught by
Linux Plumbers Conference