Here you can watch or download, in the highest available quality, the YouTube video Incomplete by Design by Gabriel Parmer | DC Systems 012.
Gabriel Parmer, Associate Professor at George Washington University, presents a technical deep-dive into the evolution of endpoint detection and response (EDR) systems, from traditional rule-based pattern matching to eBPF-powered provenance tracking.

The talk begins with a real-world incident in which his co-founder's company was compromised through Log4Shell, highlighting the limitations of existing security products, which provided no warnings and no useful incident-response data. Gabriel then traces the evolution through three generations: first-generation systems built on OSSEC with log analysis and audit rules; second-generation systems using system call hooking, which suffers from race conditions and is easy to bypass; and third-generation eBPF-based solutions. He demonstrates how current security products can be defeated by simple techniques such as relative paths and symbolic links, and explains the technical challenges of eBPF, including verification limitations, the inability to block for backpressure, and the complexity of deep kernel hooking.

The presentation concludes with Bitbison's approach to full system provenance tracking, which monitors all interactions between processes and VFS objects to build a comprehensive security graph. It achieves promising performance results, with only 10% overhead, while dramatically reducing storage requirements through intelligent event filtering.
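The relative-path and symlink weakness mentioned above comes from rules that compare the raw path string a process passes to the kernel. The added example below (written for this page; it is not code from the talk or from Bitbison) contrasts a naive string-matching rule with one that canonicalizes the path the way the kernel will resolve it, using a constructed temporary directory and a hypothetical list of sensitive files.

```python
import os
import tempfile


def naive_match(path, sensitive):
    """A string-matching rule: fires only on an exact, literal path."""
    return path in sensitive


def canonical_match(path, sensitive, cwd):
    """Resolve the path (relative segments, symlinks, the caller's cwd)
    to the file the kernel will actually open, then compare."""
    full = path if os.path.isabs(path) else os.path.join(cwd, path)
    resolved = {os.path.realpath(p) for p in sensitive}
    return os.path.realpath(full) in resolved


def demo():
    """Build a constructed sandbox: <root>/etc/secret is the watched file,
    <root>/work/harmless is a symlink to it, and the process cwd is <root>/work.
    Returns {label: (naive_result, canonical_result)} for four ways of
    naming the same file."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        work = os.path.join(root, "work")
        os.mkdir(etc)
        os.mkdir(work)
        target = os.path.join(etc, "secret")
        with open(target, "w") as fh:
            fh.write("constructed sample data\n")
        link = os.path.join(work, "harmless")
        os.symlink(target, link)

        sensitive = {target}  # hypothetical rule: watch exactly this file
        probes = {
            "absolute": target,            # what the rule author expected
            "relative": "../etc/secret",   # same file via a relative path
            "symlink": link,               # same file via an absolute symlink
            "relative_symlink": "./harmless",
        }
        return {label: (naive_match(p, sensitive),
                        canonical_match(p, sensitive, work))
                for label, p in probes.items()}


if __name__ == "__main__":
    for label, (naive, canonical) in demo().items():
        print(f"{label:17} naive={naive!s:5} canonical={canonical}")
```

Canonicalizing in a user-space monitor still leaves the check-versus-use race the talk attributes to syscall hooking, since the path can be re-pointed between the rule's lookup and the kernel's; tracking the VFS object itself rather than the name avoids that class of problem.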