[ComSubVie]

Haven't used it till now (except maybe via nft?).

What I'm not sure is: who is preventing BPF to be used as rootkits? Since they are run inside the kernel and cannot be inspected (?) can they be used to hide malicious activity?

[NyxWulf]

In addition to the compiler there is a verifier that imposes some strict limits on programs. One example is it must prove the program will halt. It would be foolish to say there couldn't be a vector there, but they have done really strong work in protecting against that type of attack.

[rhinoceraptor]

You can see which bpf programs are loaded in the kernel via the bpf() syscall.

Theoretically it could be used for a rootkit, but the programs needed to loaded as root, and they can't have side effects. BPF has also been around for a long time, and it's in basically all of the nix operating systems.

[sanxiyn]

Generally agreed, but Linux BPF is considerably more powerful than traditional Unix BPF, so I wouldn't depend on "it has been around for a long time" for safety.

I would like to see some academic research on Linux BPF verifier. If you are a graduate student working on formal methods looking for a topic, this is a hint.

[allset_]

If someone has root, it's already game over. An attacker could just hook the syscalls directly which would be more stealthy that using BPF programs.

[tsukurimashou]

I was wondering about that as well