BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//HasGeek//NONSGML Funnel//EN
DESCRIPTION:Hands-on workshop
X-WR-CALDESC:Hands-on workshop
NAME:Getting started with eBPF for detecting supply chain attacks
X-WR-CALNAME:Getting started with eBPF for detecting supply chain attacks
REFRESH-INTERVAL;VALUE=DURATION:PT12H
SUMMARY:Getting started with eBPF for detecting supply chain attacks
TIMEZONE-ID:Asia/Kolkata
X-PUBLISHED-TTL:PT12H
X-WR-TIMEZONE:Asia/Kolkata
BEGIN:VEVENT
SUMMARY:Getting started with eBPF for detecting supply chain attacks
DTSTART:20250822T090000Z
DTEND:20250822T123000Z
DTSTAMP:20260420T034247Z
UID:session/SyP9cZgqrBt4aC315AnMcX@hasgeek.com
SEQUENCE:19
CREATED:20250805T070653Z
DESCRIPTION:**This workshop was conducted as part of [Rootconf 2025 Annual
  Conference on 16 May](https://hasgeek.com/rootconf/2025).** \n![workshop 
 1](https://images.hasgeek.com/embed/file/67c8d95884bf4ef9a527038a76f4af8e?
 size=320x240#img-half-width+align-left)![workshop 2](https://images.hasgee
 k.com/embed/file/4becbd58b52647feaad2d40c02a37f0b?size=320x240#img-half-wi
 dth+align-right)\n\n## 🔍 Workshop overview\nModern supply chain attacks
  often bypass static scanners and only reveal themselves at runtime - when
  malicious code accesses secrets\, spawns subprocesses\, or sends outbound
  traffic.\nIn this hands-on workshop\, participants will learn how to use 
 eBPF (Extended Berkeley Packet Filter) to trace real runtime behavior\, de
 tect suspicious patterns\, and integrate those checks directly into GitHub
  Actions CI pipelines. **No prior kernel or eBPF experience is required 
 — if you know how to use GitHub Actions\, you’re good to go.**\n\n## N
 ote\n* This workshop is 3 hours long.\n* This is an in-person and hands-on
  workshop.\n* This workshop is beginner-friendly.\n* Code & materi
 als can be accessed at https://github.com/rohitcoder/rootconf-25-supplycha
 in\n\nThe workshop was full. By popular demand\, the instructor - Ro
 hit Kumar - has agreed to repeat the workshop\, and go deeper into the han
 ds-on exercises.\n\n![Group Photo](https://images.hasgeek.com/embed/file/d
 b2ea73552e74284a7a2b1e1ab0d03ff)\n\n## 🧭 Agenda\n\n1. **Introduction & 
 set-up (15 mins)**\n   - Why static scanning falls short\n   - What eBPF i
 s and how it helps\n   - Environment setup and running your first tracer\n
 \n2. **Your first eBPF program (30 mins)**\n   - Understand syscalls\, tra
 cepoints\, and BCC\n   - Track file access using a prewritten `openat` tra
 cer\n   - Filter output by process name (e.g.\, `curl`)\n\n3. **Simulating
  a supply chain attack (30 mins)**\n   - Simulate: reading `.env` + exfil 
 via `curl`\n   - Modify templates to detect sensitive file access\n   - Un
 derstand runtime data flow\n\n4. **CI integration with GitHub Actions (30 
 mins)**\n   - Detect logic bombs and runtime exfil in CI\n   - Use the pro
 vided GitHub Actions workflow\n   - Make builds fail when suspicious behav
 ior is detected\n\n5. **Extending to other CI systems (15 mins)**\n   - Ov
 erview: Jenkins\, Azure DevOps\, GitLab\, etc.\n   - No setup required —
  just concepts and minimal script examples\n   - Links to learn more\n\n6.
  **Template customization & hack time (30 mins)**\n   - Try new probes (`r
 ead`\, `connect`)\n   - Add your own filters\, log formats\, or triggers\n
    - Explore variations based on real attacker behavior\n   - Detect posti
 nstall scripts\, outbound IP exfil\, or unexpected binaries from /tmp\n\n7
 . **Wrap-up\; Q&A (15 mins)**\n   - Recap key learnings\n   - Share next s
 teps and resources\n   - Open discussion\n\n## 💻 Prerequisites\n- A Lin
 ux VM (Ubuntu 20.04 preferred)\n- Python 3.8+\, `clang`\, and `bcc` instal
 led\n- GitHub account\n- GitHub Actions knowledge is helpful\, but not req
 uired\n\n## 👥 Who should attend\n- DevSecOps\, SREs\, or engineers curi
 ous about eBPF\n- Security practitioners who want runtime visibility\n- De
 velopers exploring how to catch what static tools miss\n\n## 📚 What wil
 l participants learn?\nBy the end of this workshop\, participants will:\n\
 n- Understand what eBPF is and how it enables runtime observability withou
 t modifying applications\n- Write a basic eBPF program to trace file acces
 s and process behavior\n- Trace file access\, network connections\, and pr
 ocess behavior in real-time\n- Simulate supply chain attacks (e.g.\, secre
 t exfiltration) and detect them at runtime\n- Use prebuilt eBPF templates 
 to trace suspicious behavior like `.env` reads or outbound network calls\n
 - Integrate eBPF-based runtime detection into GitHub Actions workflows\n- 
 Learn how the same approach can be extended to Jenkins\, Azure DevOps\, or
  other CI systems\n- Gain hands-on experience customizing simple BPF trace
 rs for different threat scenarios\n\n## Testimonials from past participant
 s\n> I enjoyed the workshop. Both theory and practical were covered.\n>
  - *Software engineer from Nutanix*\n\n> In the eBPF workshop\, we also
  built an observability tool by the end of the workshop.\n>
  - *Architect\, Fr
 eshworks*\n\n## 👨‍🏫 Instructor bio\nRohit Kumar is the founder of 
 a stealth cybersecurity startup working closely with top fintech companies
  and banks to solve complex supply chain security challenges.\n\nPreviousl
 y a Senior Product Security Engineer at Groww\, he has spoken at BlackHat\
 , ranked among the top bug bounty hunters at Meta\, and actively contribut
 es to the open-source security ecosystem.\n\nRohit's work bridges offensiv
 e research and real-world defense\, focusing on scalable tools that detect
  and mitigate threats across CI/CD pipelines\, production systems\, and cl
 oud-native infrastructure. From analyzing source code to tracing runtime b
 ehavior with eBPF\, he brings an attacker-informed\, engineering-first app
 roach to modern security problems.\n\n## How to attend this workshop\nThis
  workshop is open to **[Rootconf members](https://hasge
 ek.com/rootconf#memberships)**.\n\n**30 participants will be admitted in-p
 erson\, on a first-come\, first-served basis.** 🎟️\n\n## Contact infor
 mation ☎️\nFor inquiries about the workshop\, contact +91-7676332020 o
 r write to info@hasgeek.com
LAST-MODIFIED:20250821T031945Z
LOCATION:Bangalore - https://hasgeek.com/rootconf/ebpf-for-supply-chain-at
 tacks-workshop-aug-2025/
ORGANIZER;CN=Rootconf:MAILTO:no-reply@hasgeek.com
URL:https://hasgeek.com/rootconf/ebpf-for-supply-chain-attacks-workshop-au
 g-2025/
BEGIN:VALARM
ACTION:display
DESCRIPTION:Getting started with eBPF for detecting supply chain attacks i
 n 5 minutes
TRIGGER:-PT5M
END:VALARM
END:VEVENT
END:VCALENDAR
