返回目录

Aegis-BPF

一个使用 eBPF(扩展伯克利包过滤器)并支持 CO-RE(一次编译,到处运行)的安全策略执行原型。

C++CeBPFSecurityLinux Kernel

系统架构

Aegis-BPF architecture diagram

仓库证据

基于 2026 年 5 月 31 日的公开 GitHub 仓库数据测量。

GitHub
主要语言
C++
最后公开更新
2026-05-24
跟踪中的 issue
11
仓库大小
5.4 MB
语言组成
C++ShellCGoPython

Case Study

Problem

Host security policies are difficult to enforce consistently when user-space agents can miss kernel-level behavior.

Architecture

A user-space policy controller feeds pinned BPF maps and ring buffers while eBPF LSM hooks enforce or audit file, process, and socket activity.

Security Approach

CO-RE portability, kernel verifier checks, policy signing, and audit-first rollout reduce the risk of unsafe kernel instrumentation.

Outcome

The prototype shows a path to low-overhead kernel-level policy enforcement with observable audit output.

Evidence

eBPF LSM hooksPinned BPF mapsAudit and deny modes

Lessons Learned

  • Kernel controls should start in audit mode before enforcement.
  • CO-RE support is essential for deployable eBPF security tooling.

技术概览

该项目使用 C++ 和 eBPF 技术开发。它通过 CO-RE 在不同 Linux 内核版本之间实现无需重新编译的可移植性,并提供低开销的内核级安全策略执行能力。

价值主张

内核级企业安全能力。Aegis 以极低开销提供对系统行为的深度可见性与控制,帮助您利用先进的 eBPF 技术保护基础设施免受高级持续性威胁。