
This workshop was conducted as part of Rootconf 2025 Annual Conference on 16 May.

🔍 Workshop overview

Modern supply chain attacks often bypass static scanners and only reveal themselves at runtime, when malicious code accesses secrets, spawns subprocesses, or sends outbound traffic.
In this hands-on workshop, participants will learn how to use eBPF (Extended Berkeley Packet Filter) to trace real runtime behavior, detect suspicious patterns, and integrate those checks directly into GitHub Actions CI pipelines. No prior kernel or eBPF experience is required — if you know how to use GitHub Actions, you’re good to go.

Note

The workshop was a full house. By popular demand, the instructor, Rohit Kumar, has agreed to repeat the workshop and go deeper into the hands-on exercises.


🧭 Agenda

  1. Introduction & set-up (15 mins)

    • Why static scanning falls short
    • What eBPF is and how it helps
    • Environment setup and running your first tracer
  2. Your first eBPF program (30 mins)

    • Understand syscalls, tracepoints, and BCC
    • Track file access using a prewritten openat tracer
    • Filter output by process name (e.g., curl)
  3. Simulating a supply chain attack (30 mins)

    • Simulate: reading .env + exfil via curl
    • Modify templates to detect sensitive file access
    • Understand runtime data flow
  4. CI integration with GitHub Actions (30 mins)

    • Detect logic bombs and runtime exfil in CI
    • Use the provided GitHub Actions workflow
    • Make builds fail when suspicious behavior is detected
  5. Extending to other CI systems (15 mins)

    • Overview: Jenkins, Azure DevOps, GitLab, etc.
    • No setup required — just concepts and minimal script examples
    • Links to learn more
  6. Template customization & hack time (30 mins)

    • Try new probes (read, connect)
    • Add your own filters, log formats, or triggers
    • Explore variations based on real attacker behavior
    • Detect postinstall scripts, outbound IP exfil, or unexpected binaries from /tmp
  7. Wrap-up & Q&A (15 mins)

    • Recap key learnings
    • Share next steps and resources
    • Open discussion
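An added example, not part of the workshop material, of the detection step that agenda items 3, 4 and 6 describe: a policy script that consumes the kind of openat/connect/execve events a BCC tracer emits, correlates a secret read with a later outbound connect from the same process, flags execution out of /tmp, and returns a non-zero exit code so the CI job fails. The event tuples, the allow-listed address and the file patterns are all constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Constructed sample events in the shape (pid, comm, event, argument),
# as a tracer might print them. Not real captured output.
SAMPLE_EVENTS = [
    (4101, "node", "openat", "/workspace/package.json"),
    (4102, "python3", "openat", "/workspace/app/config.yaml"),
    (4117, "curl", "openat", "/workspace/.env"),              # secret read ...
    (4117, "curl", "connect", "203.0.113.10:443"),            # ... then outbound from same pid
    (4120, "git", "connect", "140.82.112.3:443"),             # allow-listed destination
    (4125, "sh", "execve", "/tmp/.cache/runner"),             # binary launched from /tmp
]

# Paths that should never be read by build steps (constructed patterns).
SENSITIVE_FILES = re.compile(r"(^|/)\.env(\..*)?$|(^|/)id_rsa$|\.pem$")
# Assumed allow-list of destinations the build legitimately talks to.
ALLOWED_OUTBOUND = {"140.82.112.3"}


def evaluate(events):
    """Return a list of human-readable findings for the given event stream."""
    secrets_read = defaultdict(list)   # pid -> sensitive paths it opened
    findings = []
    for pid, comm, event, arg in events:
        if event == "openat" and SENSITIVE_FILES.search(arg):
            secrets_read[pid].append(arg)
            findings.append(f"sensitive file read: pid={pid} comm={comm} path={arg}")
        elif event == "connect":
            host = arg.rsplit(":", 1)[0]
            # Only a connect that follows a secret read by the same process is treated as exfil.
            if host not in ALLOWED_OUTBOUND and secrets_read.get(pid):
                findings.append(f"possible exfiltration: pid={pid} comm={comm} dst={arg} "
                                f"after reading {secrets_read[pid]}")
        elif event == "execve" and arg.startswith("/tmp/"):
            findings.append(f"execution from /tmp: pid={pid} comm={comm} path={arg}")
    return findings


def ci_exit_code(events):
    """Non-zero when any finding exists, so `exit $?` fails the CI step."""
    return 1 if evaluate(events) else 0


if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
    sys.exit(ci_exit_code(SAMPLE_EVENTS))
```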

💻 Prerequisites

  • A Linux VM (Ubuntu 20.04 preferred)
  • Python 3.8+, clang, and bcc installed
  • GitHub account
  • GitHub Actions knowledge is helpful, but not required

👥 Who should attend

  • DevSecOps, SREs, or engineers curious about eBPF
  • Security practitioners who want runtime visibility
  • Developers exploring how to catch what static tools miss

📚 What will participants learn?

By the end of this workshop, participants will:

  • Understand what eBPF is and how it enables runtime observability without modifying applications
  • Write a basic eBPF program to trace file access and process behavior
  • Trace file access, network connections, and process behavior in real-time
  • Simulate supply chain attacks (e.g., secret exfiltration) and detect them at runtime
  • Use prebuilt eBPF templates to trace suspicious behavior like .env reads or outbound network calls
  • Integrate eBPF-based runtime detection into GitHub Actions workflows
  • Learn how the same approach can be extended to Jenkins, Azure DevOps, or other CI systems
  • Gain hands-on experience customizing simple BPF tracers for different threat scenarios

Testimonials from past participants

I enjoyed the workshop. Both theory and practical were covered.
- Software engineer from Nutanix

In the eBPF workshop, we also built an observability tool by the end of the workshop.
- Architect, Freshworks

👨‍🏫 Instructor bio

Rohit Kumar is the founder of a stealth cybersecurity startup working closely with top fintech companies and banks to solve complex supply chain security challenges.

Previously a Senior Product Security Engineer at Groww, he has spoken at BlackHat, ranked among the top bug bounty hunters at Meta, and actively contributes to the open-source security ecosystem.

Rohit’s work bridges offensive research and real-world defense, focusing on scalable tools that detect and mitigate threats across CI/CD pipelines, production systems, and cloud-native infrastructure. From analyzing source code to tracing runtime behavior with eBPF, he brings an attacker-informed, engineering-first approach to modern security problems.

How to attend this workshop

This workshop is open for participation for Rootconf members.

30 participants will be admitted in person, on a first-come, first-served basis. 🎟️

Contact information ☎️

For inquiries about the workshop, contact +91-7676332020 or write to info@hasgeek.com

Venue

IDfy (CrimeCheck)

3rd floor, 4002/A-11, 100 Feet Rd,

Stage 2, Indiranagar,

Bengaluru - 560038

Karnataka, IN


Hosted by

We care about site reliability, cloud costs, security and data privacy

Venue host

IDfy is an Integrated Identity Platform that eliminates fraud and establishes trust between entities!