Breaking eBPF Security: How Kernel Rootkits Blind Observability Tools

- eBPF programs cannot protect themselves from kernel-level manipulation.
- The eBPF verifier only ensures memory safety, not security guarantees.
- All eBPF data flow mechanisms (iterators, ring buffers, maps) are implemented as kernel functions.
- Kernel functions can be hooked via ftrace.

The moment an attacker has kernel-level access, observability becomes optional.
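Because the ring buffer, map and iterator paths are ordinary kernel functions, the first thing a defender can do is enumerate which of those functions currently have an ftrace callback attached. The script below is an added example, not part of the original talk: it reads the tracefs `enabled_functions` listing (the real file lives at /sys/kernel/tracing/enabled_functions) and filters for function-name prefixes used by the eBPF data path. The prefix list and the sample listing are constructed assumptions, and a match is a triage item rather than a verdict, since fentry programs, kprobes and live patches also appear in this file legitimately.

```shell
#!/bin/sh
# Added example (not from the page): list kernel functions on the eBPF data
# path that currently have an ftrace callback attached, using the tracefs
# enabled_functions listing. Pass a path to run against a saved copy; on a
# live system the source is /sys/kernel/tracing/enabled_functions.

# Name prefixes for eBPF maps, ring buffers, iterators and helpers.
# This list is an assumption for illustration and is not exhaustive.
EBPF_PREFIXES='^(bpf_|htab_|array_map_|ringbuf_)'

# hooked_ebpf_functions FILE
#   Prints one function name per line for every enabled_functions entry
#   whose name matches EBPF_PREFIXES. The first whitespace-delimited field
#   of each line is the function name; the rest is callback count and flags.
hooked_ebpf_functions() {
    awk -v re="$EBPF_PREFIXES" '$1 ~ re { print $1 }' "$1"
}

# count_hooked FILE
#   Number of matching entries, usable as a simple pass/fail signal.
count_hooked() {
    hooked_ebpf_functions "$1" | wc -l | tr -d ' '
}

# Constructed sample in the enabled_functions format (name, callback count,
# flags, trampoline address). Two entries sit on the eBPF data path, one does
# not. Addresses are placeholders.
SAMPLE_FILE="${TMPDIR:-/tmp}/enabled_functions.sample"
cat > "$SAMPLE_FILE" <<'EOF'
bpf_ringbuf_output (1) R I	tramp: 0xffffffffc0a01000
schedule_timeout (1) R I	tramp: 0xffffffffc0a02000
htab_map_update_elem (1) R I	tramp: 0xffffffffc0a03000
EOF

# Run against the constructed sample so the script works offline; on a real
# host invoke it as: sh this_script.sh /sys/kernel/tracing/enabled_functions
TARGET="${1:-$SAMPLE_FILE}"
echo "eBPF data-path functions with ftrace callbacks attached (from $TARGET):"
hooked_ebpf_functions "$TARGET"
echo "total: $(count_hooked "$TARGET")"
```

Run it with no arguments to see the two constructed matches, or point it at the live tracefs file as root. Anything listed should be reconciled against the tracing you expect to be running (your own eBPF agents, perf sessions, live patches); an unexplained callback on a ring buffer or map function is worth pulling the trampoline and owning module for.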
