🔍 Probes and Traces
Jibril is a runtime detection tool designed to monitor and analyze advanced system manipulation techniques that might evade other detection mechanisms. Building on its eBPF foundation, Jibril specifically tracks the usage of kernel introspection and modification tools, including eBPF, perf, ftrace, and other related hooking mechanisms.
🛡️ Detecting Kernel-Level Threats
Sophisticated attackers use eBPF, ftrace, and kernel hooks to hide their activities. Jibril detects this abuse. From rootkits to advanced persistent threats, kernel-level visibility catches what others miss.
⚙️ How Probes and Traces Monitoring Works
🔒 Kernel Structure Integrity Verification
Jibril continuously monitors critical kernel structures to detect unauthorized modifications:
- 📋 Syscall Table Monitoring - Verifies the integrity of system call tables to detect unauthorized modifications that could redirect legitimate system calls to malicious handlers
- 🪝 Kernel Function Hooking Detection - Identifies attempts to patch or redirect core kernel functions through techniques like function pointer manipulation or code patching
- 🗄️ VFS Layer Tampering - Monitors for modifications to Virtual File System structures that might be used to hide files or directories from standard system utilities
🔬 Introspection Tool Surveillance
Jibril tracks the usage of legitimate kernel introspection mechanisms to detect potential abuse:
- 🎯 eBPF Program Validation - Tracks all eBPF programs loaded into the kernel, analyzing their purpose, permissions, and behavior patterns to identify potentially malicious usage
- 📊 Perf Subsystem Monitoring - Observes access to performance monitoring interfaces that could be exploited for side-channel attacks or information gathering
- 🔍 Ftrace/Kprobe Auditing - Maintains a comprehensive inventory of all active kernel tracing mechanisms to detect unauthorized debugging or information collection
🕵️ Advanced Rootkit Detection
Jibril employs sophisticated techniques to identify hidden malicious components:
- 👻 Hidden Process Identification - Uses kernel-level visibility to identify processes that have been unlinked from standard process lists but remain active in the system
- 💾 Memory-resident Malware Detection - Scans for code execution from unusual memory regions that might indicate fileless malware or advanced persistent threats
- 📦 Kernel Module Verification - Validates the authenticity and integrity of loaded kernel modules against known-good signatures and behaviors
🧩 Correlation Engine
Jibril establishes comprehensive context around suspicious kernel activities:
- Leverages Jibril's eBPF-based data collection to correlate suspicious kernel modifications with other system activities
- Maintains historical records of kernel structure states to identify subtle, incremental changes that might indicate a sophisticated attack
- Establishes complete attack timelines from initial compromise to full system infiltration
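As an added illustration of the introspection inventory and the baseline-versus-current comparison described above (example code written for this page, not Jibril's own eBPF-based implementation), the script below parses the kprobes registered through the tracefs `kprobe_events` file and the eBPF programs reported by `bpftool prog show --json`, then diffs both against a saved baseline to surface hooks that appeared after the snapshot. The tracefs path is the standard mount point; the baseline and current readings are constructed sample data, and `collect_live()` assumes root and an installed `bpftool`.

```python
import json
import re
import subprocess

KPROBE_EVENTS = "/sys/kernel/tracing/kprobe_events"  # older kernels: /sys/kernel/debug/tracing
# kprobetrace.rst line format: p[:[GRP/]EVENT] SYM[+offs]|ADDR [ARGS]
#                              r[MAXACTIVE][:[GRP/]EVENT] SYM[+0] [ARGS]
_KPROBE_RE = re.compile(
    r"^(?P<kind>[pr])\d*(?::(?:(?P<group>[^/\s]+)/)?(?P<event>\S+))?\s+(?P<target>\S+)")

def parse_kprobe_events(text):
    """One dict per registered kprobe/kretprobe; blank or unparsable lines are skipped."""
    probes = []
    for line in text.splitlines():
        m = _KPROBE_RE.match(line.strip())
        if m:
            probes.append({"kind": "kretprobe" if m["kind"] == "r" else "kprobe",
                           "group": m["group"] or "kprobes",
                           "event": m["event"], "target": m["target"]})
    return probes

def parse_bpftool_progs(json_text):
    """Keep the stable fields of `bpftool prog show --json`; `tag` is a hash of the program."""
    return [{"id": p["id"], "type": p["type"], "name": p.get("name", ""), "tag": p["tag"]}
            for p in json.loads(json_text)]

def drift(baseline, current, key):
    """Entries of `current` whose key is absent from `baseline`: hooks added since the snapshot."""
    known = {key(e) for e in baseline}
    return [e for e in current if key(e) not in known]

KPROBE_KEY = lambda e: (e["kind"], e["group"], e["event"], e["target"])
PROG_KEY = lambda p: (p["type"], p["tag"])  # ids change across reloads, tags do not
def collect_live():
    """Read the running host (root and bpftool required); returns (probes, programs)."""
    with open(KPROBE_EVENTS) as f:
        probes = parse_kprobe_events(f.read())
    out = subprocess.run(["bpftool", "prog", "show", "--json"],
                         capture_output=True, text=True, check=True).stdout
    return probes, parse_bpftool_progs(out)

# Constructed sample data standing in for a saved baseline and a later reading.
BASELINE_KPROBES = "p:kprobes/p_do_sys_open_0 do_sys_open+0\n"
CURRENT_KPROBES = BASELINE_KPROBES + "r2:kprobes/r_tcp_v4_connect_0 tcp_v4_connect+0\n"
BASELINE_PROGS = '[{"id": 7, "type": "tracing", "name": "agent_open", "tag": "0123456789abcdef"}]'
CURRENT_PROGS = BASELINE_PROGS[:-1] + ', {"id": 41, "type": "kprobe", "name": "unexpected", "tag": "fedcba9876543210"}]'

def demo():
    return (drift(parse_kprobe_events(BASELINE_KPROBES), parse_kprobe_events(CURRENT_KPROBES), KPROBE_KEY),
            drift(parse_bpftool_progs(BASELINE_PROGS), parse_bpftool_progs(CURRENT_PROGS), PROG_KEY))
```

`demo()` returns the kretprobe on `tcp_v4_connect` and the program with id 41 as the only additions since the baseline; replacing the constructed strings with the output of `collect_live()` taken at two points in time gives the same comparison for a real host.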
📍 Where Probes and Traces Monitoring Operates
Jibril's Probes and Traces monitoring operates at the deepest levels of the Linux system:
🧠 Kernel Memory Space
Directly monitors critical kernel structures and memory regions
🚪 System Call Interface
Verifies the integrity of the boundary between user and kernel space
📦 Kernel Module Loading Paths
Observes the introduction of new code into the kernel
🔧 Debug and Tracing Subsystems
Monitors legitimate kernel introspection mechanisms for abuse
💾 Memory Management Structures
Identifies unauthorized modifications to memory mappings and permissions
✨ Why Probes and Traces Monitoring Is Important
🛡️ Advanced Threat Detection
By focusing on kernel-level manipulation techniques, Jibril can detect sophisticated attacks that specifically attempt to evade traditional security monitoring.
🕵️ Rootkit Identification
The comprehensive monitoring of kernel structures enables detection of modern rootkits designed to maintain persistence while hiding their presence from the operating system.
⚡ Zero-Day Exploitation Detection
Even when attackers use previously unknown techniques, the monitoring of fundamental kernel structures can reveal unauthorized modifications indicative of exploitation.
🌐 Complete Attack Surface Coverage
This monitoring approach addresses a critical blind spot in many security solutions that focus primarily on user-space activities while neglecting kernel-level manipulations.
🔬 Forensic Value
The detailed records of kernel structure modifications provide invaluable evidence for incident response teams investigating sophisticated breaches.