#Cisco
BPF-based kernel exploit shielding presented at LSFMM+BPF
8/10lwn.net · ⭐️ 8/10 · 2026-07-13
John Fastabend of Cisco presented a technique at the 2026 LSFMM+BPF Summit that uses BPF to quickly shield running Linux kernels from exploits, potentially reducing response time from months to minutes. This approach could dramatically improve security for devices with custom kernels, like Cisco switches, where patching is slow and disruptive. It also underscores the need for additional kernel hooks to make BPF-based shielding fully effective. Tetragon, an open-source BPF-based monitoring tool, collects event data into a time-series database for post-exploit analysis. BPF can override system call return values and leverage Linux Security Module hooks to block exploits without rebooting.