Evaluating eBPF as an Alternative to Virtual Machine Introspection for High-Interaction Honeypot Implementation
Abstract
Virtual machine introspection (VMI) has been widely used for stealthy monitoring of guest systems. However, the context switching between the monitoring system and the monitored target introduces considerable overhead, especially when tracing common system calls, and deploying VMI-based setups is complex. This work investigates whether extended Berkeley Packet Filter (eBPF) based tracing, a low-overhead kernel-level monitoring technique, can serve as an alternative. We compare the two paradigms in terms of performance, stealthiness, and practical applicability. Using micro-benchmarks and a prototype high-interaction SSH honeypot, we evaluate the capabilities and limitations of eBPF-based monitoring in adversarial settings. Our results highlight the advantages and limitations of both approaches, providing insights for the design of future security monitoring systems.
Published
27/10/2025
How to Cite
NUUTINEN, Niku Waltteri Saulinpoika; FAÍSCO, Miguel; PETRUSIC, Milan; MEDEIROS, Ibéria; REISER, Hans P. Evaluating eBPF as an Alternative to Virtual Machine Introspection for High-Interaction Honeypot Implementation. In: LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 14., 2025, Valparaíso/Chile. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 238-254.
