Disclaimer: This project is a Proof-of-Concept (PoC) developed strictly for academic research, cyber defense education, and authorized security testing. Its purpose is to demonstrate how advanced persistent threats (APTs) might abuse eBPF and network timing channels, enabling Blue Teams and security analysts to develop better detection systems (EDR/IDS). Unauthorized use on production systems is strictly prohibited.
Project Chronos is a conceptual research framework that explores how eBPF (Extended Berkeley Packet Filter) XDP (Express Data Path) hooks can be utilized to bypass traditional Firewalls and Deep Packet Inspection (DPI) appliances. Instead of modifying packet payloads, the project introduces an asymmetric Covert Timing Channel architecture that modulates data into the Inter-Packet Arrival Time (IAT) of legitimate-looking traffic.
- Kernel-Level Passive Monitoring (XDP): Utilizing lock-free, zero-copy Per-CPU maps to measure nanosecond-precision packet arrival times without altering the network stream.
- IAT Modulation (Timing Channel): Encoding `0` and `1` bits by injecting artificial delays (e.g., a 12 ms decision threshold) between legitimate-looking DNS packets (queries for google.com). The channel only decodes reliably while natural network jitter stays below that guard band.
- Decoupled Persistence: Pinning eBPF maps to the BPF virtual filesystem (`/sys/fs/bpf`) so that the hook's state survives the termination of user-space processes. (An attached XDP program is held by the network interface and stays loaded on its own; pinning is what keeps the maps reachable so a later user-space process can reopen them.)
- Process Masquerading: Exploring techniques user-space processes use to spoof their `argv[0]` and `prctl(PR_SET_NAME)` to deceive operating system monitors like `ps` and `top`.
- Anti-Forensics: Demonstrating self-melting (deleting the executable from disk while the process keeps running) and secure memory wiping (`explicit_bzero`) to hinder post-mortem incident response.
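The following is an added example, not Project Chronos code: a user-space model of the timing channel in the list above, so the encode/decode rule can be read and run without a kernel hook. The 20 ms carrier spacing (`BASE_IAT_NS`), the 24 ms extra delay for a `1` bit (`ONE_DELAY_NS`), the LCG jitter model and all function names are assumptions; the 12 ms decision threshold mirrors the figure on this page. `timestamps_to_iat()` stands in for the step where user space differences the arrival timestamps recorded by the XDP program.

```c
// Added example (not Project Chronos code): host-side model of a binary IAT covert channel.
// Carrier spacing, the 24 ms "1" delay and the jitter model are assumptions; the 12 ms
// threshold mirrors the figure given on the page.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NS_PER_MS      1000000LL
#define BASE_IAT_NS    (20 * NS_PER_MS)   /* assumed nominal spacing of the carrier DNS queries */
#define ONE_DELAY_NS   (24 * NS_PER_MS)   /* assumed extra delay the sender adds for a 1 bit   */
#define THRESHOLD_NS   (12 * NS_PER_MS)   /* decoder: delay above BASE_IAT_NS that reads as 1  */

/* Deterministic pseudo-random jitter in [-max_ns, +max_ns]: a constructed stand-in for network jitter. */
static int64_t next_jitter(uint32_t *seed, int64_t max_ns)
{
    *seed = *seed * 1103515245u + 12345u;
    return (int64_t)(*seed % (uint32_t)(2 * max_ns + 1)) - max_ns;
}

/* Sender side: turn a message into a sequence of inter-packet gaps (MSB first, one gap per bit). */
size_t encode_iat(const uint8_t *msg, size_t len, int64_t *iat, size_t max_iat,
                  int64_t jitter_ns, uint32_t *seed)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            if (n == max_iat) return n;
            int bit = (msg[i] >> b) & 1;
            iat[n++] = BASE_IAT_NS + (bit ? ONE_DELAY_NS : 0) + next_jitter(seed, jitter_ns);
        }
    return n;
}

/* What the XDP hook hands to user space is arrival timestamps; the decoder differences them. */
size_t timestamps_to_iat(const uint64_t *ts, size_t n, int64_t *iat)
{
    for (size_t i = 1; i < n; i++) iat[i - 1] = (int64_t)(ts[i] - ts[i - 1]);
    return n ? n - 1 : 0;
}

/* Receiver side: one gap -> one bit. The 12 ms guard band is the channel's whole jitter budget. */
int decode_bit(int64_t iat_ns) { return iat_ns - BASE_IAT_NS > THRESHOLD_NS; }

size_t decode_iat(const int64_t *iat, size_t n, uint8_t *out, size_t max_out)
{
    size_t bytes = 0;
    for (size_t i = 0; i + 8 <= n && bytes < max_out; i += 8) {
        uint8_t v = 0;
        for (int b = 0; b < 8; b++) v = (uint8_t)((v << 1) | decode_bit(iat[i + b]));
        out[bytes++] = v;
    }
    return bytes;
}

/* Round trip through the modelled channel: 1 if msg survives the given jitter, else 0. */
int roundtrip_ok(const char *msg, int64_t jitter_ns)
{
    uint8_t out[64];
    int64_t iat[64 * 8];
    uint32_t seed = 0x1234;
    size_t len = strlen(msg);
    if (len > sizeof out) return 0;
    size_t n = encode_iat((const uint8_t *)msg, len, iat, sizeof iat / sizeof iat[0], jitter_ns, &seed);
    size_t m = decode_iat(iat, n, out, sizeof out);
    return m == len && memcmp(out, msg, len) == 0;
}

int main(void)
{
    /* Jitter inside the guard band decodes; jitter that can exceed 12 ms flips bits. */
    printf("5 ms jitter  : %s\n", roundtrip_ok("chronos", 5 * NS_PER_MS) ? "decoded" : "corrupted");
    printf("20 ms jitter : %s\n", roundtrip_ok("chronos", 20 * NS_PER_MS) ? "decoded" : "corrupted");
    printf("base+11ms -> %d, base+13ms -> %d\n",
           decode_bit(BASE_IAT_NS + 11 * NS_PER_MS), decode_bit(BASE_IAT_NS + 13 * NS_PER_MS));
    return 0;
}
```

The 5 ms case always decodes because a `0` gap never exceeds base + 5 ms and a `1` gap is never below base + 19 ms, both on the correct side of the 12 ms threshold; at 20 ms of jitter either symbol can cross it, which is exactly the property the jitter-analysis detection below relies on.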
This PoC highlights critical blind spots in traditional security monitoring. Defense teams should focus on the following to catch asymmetric threats:
- Network Entropy and Jitter Analysis: A binary timing channel forces inter-arrival times into two clusters around the sender's delay values, so the IAT distribution of an otherwise ordinary flow becomes bimodal instead of following its natural jitter. Network Security Monitoring (NSM) tools like Zeek should be configured to detect bimodal latency distributions; note that Zeek's default connection logs only carry per-connection durations, so per-packet IATs need a custom script or off-line analysis of the capture.
- eBPF Telemetry and Restrictions: The `bpf()` system call (especially program loading and map pinning, which libbpf issues from `bpf_object__load()` and `bpf_map__pin()`) must be strictly monitored by EDR systems, and new objects appearing under `/sys/fs/bpf` should be reviewed. Prevent unprivileged eBPF usage via `sysctl -w kernel.unprivileged_bpf_disabled=1`; since attaching an XDP program already requires `CAP_NET_ADMIN` (and `CAP_BPF` or root), this sysctl removes the unprivileged attack surface but does not stop a root-level loader like this PoC.
- Executable and Cmdline Auditing: EDR agents must continuously cross-reference the display name (`argv[0]` from `/proc/[pid]/cmdline`, and the `comm` set by `PR_SET_NAME` in `/proc/[pid]/comm`) with the actual disk path in `/proc/[pid]/exe`. Mismatches should trigger masquerading alerts.
- Syscall and Filesystem Monitoring: Monitor `unlink`/`unlinkat` and `openat` (the syscalls behind `fopen`). A running process attempting to overwrite or delete its own binary on disk is a strong indicator of Self-Melt (Wiper/Rootkit) behavior; after deletion, the `/proc/[pid]/exe` link of the still-running process ends in ` (deleted)`.
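The following is an added example, not Project Chronos code: the detection logic from the list above run over constructed data. `iat_is_bimodal()` implements the bimodal-IAT heuristic from the first item (largest gap between sorted IATs above 50% of the range, with at least a quarter of the samples on each side; both thresholds are assumptions for the demo), and `classify_process()` implements the `comm`/`argv[0]`/`exe` cross-check and the ` (deleted)` self-melt indicator from the last two items. The two IAT traces are constructed samples, and `scan_proc()` applies the same check to the live `/proc` of the host it runs on.

```c
// Added example (not Project Chronos code): host-side detection heuristics for the list above.
// Bimodality thresholds and the sample traces are constructed for the demo.
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

enum { PROC_OK = 0, PROC_MASQUERADE = 1, PROC_SELF_MELT = 2 };

/* Constructed IAT samples in ms: natural jitter around 20 ms vs. a 0/1 channel with a 24 ms delay. */
static const double BENIGN_IAT_MS[] = {18.2, 19.1, 20.4, 21.0, 19.7, 20.9, 18.8, 21.3, 20.1, 19.5};
static const double COVERT_IAT_MS[] = {19.5, 44.2, 20.8, 43.7, 19.1, 20.2, 44.9, 43.1, 21.0, 44.0};
#define BENIGN_N (sizeof BENIGN_IAT_MS / sizeof BENIGN_IAT_MS[0])
#define COVERT_N (sizeof COVERT_IAT_MS / sizeof COVERT_IAT_MS[0])

static int cmp_double(const void *a, const void *b)
{
    double x = *(const double *)a, y = *(const double *)b;
    return (x > y) - (x < y);
}

/* Two clusters separated by an empty valley: the largest gap in the sorted IATs dominates the
   range and both sides hold a meaningful share of the samples. */
int iat_is_bimodal(const double *iat_ms, size_t n)
{
    if (n < 4) return 0;
    double *s = malloc(n * sizeof *s);
    if (!s) return 0;
    memcpy(s, iat_ms, n * sizeof *s);
    qsort(s, n, sizeof *s, cmp_double);
    double range = s[n - 1] - s[0], gap = 0;
    size_t split = 0;
    for (size_t i = 1; i < n; i++)
        if (s[i] - s[i - 1] > gap) { gap = s[i] - s[i - 1]; split = i; }
    free(s);
    return range > 0 && gap > 0.5 * range && split >= n / 4 && (n - split) >= n / 4;
}

static const char *base_name(const char *p)
{
    const char *s = strrchr(p, '/');
    return s ? s + 1 : p;
}

/* comm: /proc/[pid]/comm (what PR_SET_NAME changes), argv0: first string of /proc/[pid]/cmdline,
   exe: readlink of /proc/[pid]/exe. Returns a bitmask of PROC_MASQUERADE / PROC_SELF_MELT. */
int classify_process(const char *comm, const char *argv0, const char *exe)
{
    int v = PROC_OK;
    char exebuf[PATH_MAX];
    snprintf(exebuf, sizeof exebuf, "%s", exe);
    size_t n = strlen(exebuf), dl = strlen(" (deleted)");
    if (n >= dl && strcmp(exebuf + n - dl, " (deleted)") == 0) {   /* binary unlinked while running */
        v |= PROC_SELF_MELT;
        exebuf[n - dl] = 0;
    }
    const char *exebase = base_name(exebuf);
    if (strcmp(base_name(argv0), exebase) != 0) v |= PROC_MASQUERADE;   /* spoofed argv[0] */
    if (strncmp(comm, exebase, 15) != 0) v |= PROC_MASQUERADE;          /* comm holds at most 15 chars */
    return v;
}

/* Live check: read comm, argv[0] and the exe link of every visible process and report mismatches. */
static void scan_proc(void)
{
    DIR *d = opendir("/proc");
    if (!d) return;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;
        char path[PATH_MAX], comm[64] = "", argv0[PATH_MAX] = "", exe[PATH_MAX] = "";
        snprintf(path, sizeof path, "/proc/%s/comm", e->d_name);
        FILE *f = fopen(path, "r");
        if (f) { if (fgets(comm, sizeof comm, f)) comm[strcspn(comm, "\n")] = 0; fclose(f); }
        snprintf(path, sizeof path, "/proc/%s/cmdline", e->d_name);
        f = fopen(path, "r");
        if (f) { size_t r = fread(argv0, 1, sizeof argv0 - 1, f); argv0[r] = 0; fclose(f); }
        snprintf(path, sizeof path, "/proc/%s/exe", e->d_name);
        ssize_t l = readlink(path, exe, sizeof exe - 1);
        if (l < 0 || argv0[0] == 0) continue;   /* kernel thread, zombie, or no permission */
        exe[l] = 0;
        int v = classify_process(comm, argv0, exe);
        if (v) printf("pid %s:%s%s comm=%s argv0=%s exe=%s\n", e->d_name,
                      (v & PROC_MASQUERADE) ? " MASQUERADE" : "", (v & PROC_SELF_MELT) ? " SELF_MELT" : "",
                      comm, argv0, exe);
    }
    closedir(d);
}

int main(void)
{
    printf("benign trace bimodal: %d\n", iat_is_bimodal(BENIGN_IAT_MS, BENIGN_N));
    printf("covert trace bimodal: %d\n", iat_is_bimodal(COVERT_IAT_MS, COVERT_N));
    scan_proc();   /* needs Linux /proc; run as root to see every process */
    return 0;
}
```

Basename comparison is deliberately simple: interpreters (`python3` running with `/usr/bin/python3.12` as `exe`), busybox-style multi-call binaries and symlinked launchers all produce benign mismatches, so a production rule should resolve `argv[0]` through the process's `cwd` and `PATH` or compare inode numbers before alerting. The ` (deleted)` case needs no such tuning: a live process whose executable is gone from disk is a high-confidence indicator on its own.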
Requires Linux Kernel 5.15+ and libbpf.
# Install Dependencies (Ubuntu/Debian)
sudo apt install clang llvm libelf-dev libbpf-dev linux-headers-$(uname -r) build-essential
# Compile
make
# Prepare BPF Filesystem and Attach XDP Hook
sudo ./chronos_setup.sh
# Launch User-space (Decoder/Orchestrator)
sudo ./chronos_ghost