Getting started with eBPF for detecting supply chain attacks

Hands-on workshop - Rootconf 2025 Annual Conference

🔍 Workshop overview

Modern supply chain attacks often bypass static scanners and only reveal themselves at runtime — when malicious code accesses secrets, spawns subprocesses, or sends outbound traffic.
In this hands-on workshop, participants will learn how to use eBPF (Extended Berkeley Packet Filter) to trace real runtime behavior, detect suspicious patterns, and integrate those checks directly into GitHub Actions CI pipelines. No prior kernel or eBPF experience is required — if you know how to use GitHub Actions, you’re good to go.

🧭 Agenda

  1. Introduction & set-up (15 mins)

    • Why static scanning falls short
    • What eBPF is and how it helps
    • Environment setup and running your first tracer
  2. Your first eBPF program (30 mins)

    • Understand syscalls, tracepoints, and BCC
    • Track file access using a prewritten openat tracer
    • Filter output by process name (e.g., curl)
  3. Simulating a supply chain attack (30 mins)

    • Simulate: reading .env + exfil via curl
    • Modify templates to detect sensitive file access
    • Understand runtime data flow
  4. CI integration with GitHub Actions (30 mins)

    • Detect logic bombs and runtime exfil in CI
    • Use the provided GitHub Actions workflow
    • Make builds fail when suspicious behavior is detected
  5. Extending to other CI systems (15 mins)

    • Overview: Jenkins, Azure DevOps, GitLab, etc.
    • No setup required — just concepts and minimal script examples
    • Links to learn more
  6. Template customization & hack time (30 mins)

    • Try new probes (read, connect)
    • Add your own filters, log formats, or triggers
    • Explore variations based on real attacker behavior
    • Detect postinstall scripts, outbound IP exfil, or unexpected binaries from /tmp
  7. Wrap-up & Q&A (15 mins)

    • Recap key learnings
    • Share next steps and resources
    • Open discussion

💻 Prerequisites

  • A Linux VM (Ubuntu 20.04 preferred)
  • Python 3.8+, clang, and bcc installed
  • GitHub account
  • GitHub Actions knowledge is helpful, but not required

👥 Who should attend

  • DevSecOps, SREs, or engineers curious about eBPF
  • Security practitioners who want runtime visibility
  • Developers exploring how to catch what static tools miss

📚 What will participants learn?

By the end of this workshop, participants will:

  • Understand what eBPF is and how it enables runtime observability without modifying applications
  • Write a basic eBPF program to trace file access and process behavior
  • Trace file access, network connections, and process behavior in real-time
  • Simulate supply chain attacks (e.g., secret exfiltration) and detect them at runtime
  • Use prebuilt eBPF templates to trace suspicious behavior like .env reads or outbound network calls
  • Integrate eBPF-based runtime detection into GitHub Actions workflows
  • Learn how the same approach can be extended to Jenkins, Azure DevOps, or other CI systems
  • Gain hands-on experience customizing simple BPF tracers for different threat scenarios

👨‍🏫 Instructor bio

Rohit Kumar is a Senior Product Security Engineer at Groww, a BlackHat speaker, a top bug bounty hunter at Meta, and an active open source contributor.

His work sits at the intersection of code, runtime, and security — where offensive research meets practical defense. He specializes in building scalable tooling that helps organizations detect and respond to modern threats across CI/CD pipelines, production environments, and cloud-native infrastructure.

Whether it’s analyzing source code, tracing behavior with eBPF, or catching vulnerabilities in the wild, he brings an attacker-informed, hands-on mindset to security engineering.

How to attend this workshop

This workshop is open to Rootconf members and to Rootconf 2025 ticket buyers.

This workshop is limited to 20 participants. Seats are allocated on a first-come, first-served basis. 🎟️

Contact information ☎️

For inquiries about the workshop, contact +91-7676332020 or write to info@hasgeek.com

Venue

Underline Centre, 2nd floor

24, 1st Main, 3rd Cross Road, 3rd Floor,

Above Blue Tokai 24, 3rd A Cross, 1st Main Rd,

Bengaluru - 560071

Karnataka, IN
