Security Model
Jibril runs its sensors in kernel space as eBPF programs. A userspace process cannot hide from or tamper with that observation path, even when it runs as root: what remains to it is stopping the agent or loading eBPF programs of its own, and the latter is detected as an unauthorized program load (see Monitoring Visibility below).
eBPF Execution Safety
The Linux kernel verifies all eBPF programs before execution:
| Property | Enforcement |
|---|---|
| Memory safety | Only bounds-checked accesses through verified pointers and helper functions; no arbitrary kernel or userspace memory access |
| Termination | Every execution path is proven to terminate; unbounded loops are rejected (bounded loops are permitted on recent kernels) |
| Resource bounds | Instruction count and stack usage are limited per program, so a probe cannot monopolize the CPU |
| Isolation | Programs run in a verified sandbox and cannot crash or corrupt the kernel |
eBPF safety
- eBPF programs run in kernel space but cannot modify arbitrary kernel memory or execute arbitrary code.
- A program that violates any of these properties is rejected by the verifier at load time and never runs.
Monitoring Visibility
Kernel-level placement provides visibility that userspace tools cannot achieve:
- Process monitoring: all processes are visible, regardless of privilege level
- Container boundaries: the host kernel observes all container operations
- eBPF program loading: unauthorized program loads are detected
- Kernel introspection: ftrace usage, perf events, and modification attempts are monitored
Kernel touchpoints monitored
- system call interfaces and tables
- network stack (socket operations, traffic routing)
- security hooks and permission changes
- memory operations and pointer integrity
- container namespace boundaries
Access Control
Initialization
Jibril requires elevated privileges to load eBPF programs:
- CAP_BPF or CAP_SYS_ADMIN capability
- root access for initial eBPF map creation
Runtime
After initialization, capabilities that are not needed at runtime are dropped, so a compromise of the running agent does not yield its full startup privilege.
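One practical check on the runtime privilege claim is to inspect the effective capability set of the running agent. The following is an added example, not Jibril's own code: it parses the CapEff line of /proc/<pid>/status and reports any capability outside an allow-list. The allow-list of cap_bpf and cap_perfmon is an assumption for illustration; what the deployed agent actually retains after initialization must be taken from its own documentation.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers from <linux/capability.h>. Only those a tracing
// agent plausibly holds are named; any other set bit is reported as cap_<n>.
var capNames = map[uint]string{
	0:  "cap_chown",
	1:  "cap_dac_override",
	8:  "cap_setpcap",
	12: "cap_net_admin",
	19: "cap_sys_ptrace",
	21: "cap_sys_admin",
	24: "cap_sys_resource",
	38: "cap_perfmon",
	39: "cap_bpf",
}

// DecodeCapMask converts the hexadecimal mask printed on a CapEff/CapPrm line
// of /proc/<pid>/status into the capability names it contains, lowest bit first.
func DecodeCapMask(hexMask string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(hexMask), 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad capability mask %q: %w", hexMask, err)
	}
	var caps []string
	for bit := uint(0); bit < 64; bit++ {
		if mask&(uint64(1)<<bit) == 0 {
			continue
		}
		name, ok := capNames[bit]
		if !ok {
			name = fmt.Sprintf("cap_%d", bit)
		}
		caps = append(caps, name)
	}
	return caps, nil
}

// EffectiveCaps finds the CapEff line in the text of a /proc/<pid>/status
// file and decodes it.
func EffectiveCaps(status string) ([]string, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		if strings.HasPrefix(sc.Text(), "CapEff:") {
			return DecodeCapMask(strings.TrimPrefix(sc.Text(), "CapEff:"))
		}
	}
	return nil, fmt.Errorf("no CapEff line in status text")
}

// UnexpectedCaps returns the members of have that are not in allowed.
func UnexpectedCaps(have, allowed []string) []string {
	ok := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		ok[a] = true
	}
	var extra []string
	for _, c := range have {
		if !ok[c] {
			extra = append(extra, c)
		}
	}
	return extra
}

func main() {
	// Usage: go run . <pid>   (defaults to the current process)
	pid := "self"
	if len(os.Args) > 1 {
		pid = os.Args[1]
	}
	data, err := os.ReadFile("/proc/" + pid + "/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	have, err := EffectiveCaps(string(data))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Assumed runtime allow-list; adjust to what the deployed agent really needs.
	allowed := []string{"cap_bpf", "cap_perfmon"}
	fmt.Println("effective:", have)
	if extra := UnexpectedCaps(have, allowed); len(extra) > 0 {
		fmt.Println("still held after init:", extra)
		os.Exit(2)
	}
	fmt.Println("only expected capabilities remain")
}
```

Run it against the agent's PID after startup; a non-zero exit means the process still holds something beyond the allow-list, which is exactly the condition a capability drop is meant to rule out.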
Component Isolation
| Component | Isolation Method | Failure Behavior |
|---|---|---|
| Plugins | Dedicated thread per plugin | Contained; other plugins unaffected |
| Detection recipes | Independent execution paths | No cross-contamination |
| Reactions | Separate JavaScript VM per reaction | Resource-limited; cannot impact monitoring |
Data Integrity
Event data is immutable after capture:
- A cryptographic checksum is computed at capture time, so any later modification of the captured fields is detectable
- Event context cannot be altered, but additional context can be attached to an event
- Events that belong to the same attack lifecycle share one UUID, so they can be correlated from first indicator to final action
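The three properties above fit together as follows. This is an added illustration, not Jibril's event format: the field names, the SHA-256 over a canonical JSON encoding of the captured fields, and the map-based context are all assumptions made for the example. What it shows is that sealing only the captured core lets context grow without breaking verification, that related events carry one lifecycle ID, and that a changed core field is caught.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Core holds the fields fixed at capture time. Struct field order is fixed, so
// json.Marshal of a Core yields a canonical byte string to checksum.
type Core struct {
	ID     string `json:"id"`      // lifecycle UUID shared by related events
	TimeNS int64  `json:"time_ns"` // capture time
	Kind   string `json:"kind"`    // e.g. "exec", "connect"
	PID    int    `json:"pid"`
	Comm   string `json:"comm"`
	Detail string `json:"detail"`
}

// Event is a sealed Core plus context that may grow after capture.
type Event struct {
	Core     Core              `json:"core"`
	Checksum string            `json:"checksum"` // SHA-256 over the canonical Core
	Context  map[string]string `json:"context"`  // extensible; not covered by the checksum
}

// newUUIDv4 builds a random RFC 4122 version-4 UUID with the standard library.
func newUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

func checksumOf(c Core) string {
	b, _ := json.Marshal(c) // cannot fail for these field types
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Capture seals a new event. lifecycleID ties it to an attack lifecycle that is
// already being tracked; pass "" to start a new lifecycle.
func Capture(lifecycleID, kind string, pid int, comm, detail string) (Event, error) {
	id := lifecycleID
	if id == "" {
		var err error
		if id, err = newUUIDv4(); err != nil {
			return Event{}, err
		}
	}
	c := Core{ID: id, TimeNS: time.Now().UnixNano(), Kind: kind, PID: pid, Comm: comm, Detail: detail}
	return Event{Core: c, Checksum: checksumOf(c), Context: map[string]string{}}, nil
}

// Verify recomputes the checksum; any change to a Core field since capture
// makes it fail.
func (e Event) Verify() bool { return checksumOf(e.Core) == e.Checksum }

// WithContext returns a copy carrying one more context entry. The Core and the
// checksum are untouched, so the copy still verifies and keeps the same ID.
func (e Event) WithContext(key, value string) Event {
	ctx := make(map[string]string, len(e.Context)+1)
	for k, v := range e.Context {
		ctx[k] = v
	}
	ctx[key] = value
	return Event{Core: e.Core, Checksum: e.Checksum, Context: ctx}
}

func main() {
	// Constructed sample: an exec followed by a connect in the same lifecycle.
	exec, _ := Capture("", "exec", 4242, "bash", "/usr/bin/curl")
	conn, _ := Capture(exec.Core.ID, "connect", 4242, "curl", "203.0.113.7:443")
	enriched := exec.WithContext("container", "web-1")
	fmt.Println("same lifecycle:", exec.Core.ID == conn.Core.ID)
	fmt.Println("enriched still verifies:", enriched.Verify())
	tampered := exec
	tampered.Core.Comm = "sh"
	fmt.Println("tampered verifies:", tampered.Verify())
}
```

The checksum deliberately excludes the context map: if it covered everything, every enrichment step would have to re-seal the event and the original capture-time seal would be lost.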
Detection Logic
Detection recipes define patterns that are matched against correlated events. Recipes are distributed either as compiled logic or as source patterns; a compiled recipe does not expose its matching logic at runtime.
Noise reduction
- Repetitive events aggregated before evaluation
- Optional AI-powered classification reduces false positives
- Event deduplication reduces event volume
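To make the aggregation step concrete, here is an added example of one windowed aggregation strategy. It is not Jibril's implementation; the event fields, the (PID, kind, target) key and the one-second window are assumptions, and the input stream is constructed inline. Repeats of the same event inside the window collapse into one record with a count, while a recurrence after the window opens a new record, so a burst and a later repeat remain separate facts for the detection logic.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Raw is one captured event. At is its offset from the start of the stream
// (the constructed sample below uses offsets instead of wall-clock times).
type Raw struct {
	At     time.Duration
	PID    int
	Kind   string // e.g. "read", "exec", "connect"
	Target string // file path, binary, or remote address
}

// Aggregated is a run of identical events collapsed into one record.
type Aggregated struct {
	Raw         // the first occurrence
	Count       int
	First, Last time.Duration
}

// Aggregate collapses repeats of the same (PID, Kind, Target) that fall within
// window of the first occurrence into a single record carrying a count. A
// repeat arriving after the window opens a new record.
func Aggregate(in []Raw, window time.Duration) []Aggregated {
	events := append([]Raw(nil), in...)
	sort.SliceStable(events, func(i, j int) bool { return events[i].At < events[j].At })

	type key struct {
		pid          int
		kind, target string
	}
	open := map[key]int{} // key -> index in out of the record still accepting repeats
	var out []Aggregated
	for _, r := range events {
		k := key{r.PID, r.Kind, r.Target}
		if i, ok := open[k]; ok && r.At-out[i].First <= window {
			out[i].Count++
			out[i].Last = r.At
			continue
		}
		out = append(out, Aggregated{Raw: r, Count: 1, First: r.At, Last: r.At})
		open[k] = len(out) - 1
	}
	return out
}

// SampleStream builds a constructed stream: a process polling one file, one
// exec, and three outbound connects, two close together and one much later.
func SampleStream() []Raw {
	var s []Raw
	for i := 0; i < 50; i++ {
		s = append(s, Raw{At: time.Duration(i) * 10 * time.Millisecond, PID: 100, Kind: "read", Target: "/etc/passwd"})
	}
	s = append(s, Raw{At: 100 * time.Millisecond, PID: 100, Kind: "exec", Target: "/usr/bin/curl"})
	s = append(s,
		Raw{At: 0, PID: 200, Kind: "connect", Target: "203.0.113.7:443"},
		Raw{At: 500 * time.Millisecond, PID: 200, Kind: "connect", Target: "203.0.113.7:443"},
		Raw{At: 5 * time.Second, PID: 200, Kind: "connect", Target: "203.0.113.7:443"},
	)
	return s
}

func main() {
	raw := SampleStream()
	agg := Aggregate(raw, time.Second)
	fmt.Printf("%d raw events -> %d records\n", len(raw), len(agg))
	for _, a := range agg {
		fmt.Printf("pid=%d %-7s %-18s x%-3d first=%v last=%v\n", a.PID, a.Kind, a.Target, a.Count, a.First, a.Last)
	}
}
```

The window length is the tuning knob: too short and a polling loop still floods the evaluator, too long and a genuinely new occurrence is hidden inside an old record, which is why the first and last timestamps are kept on every record.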
AI-powered noise reduction
- AI-powered re-evaluation of priority for events suspected to be false positives
- AI-powered interpretation of events