Linux Security Summit North America 2026

eBPF has become one of the most powerful security building blocks in Linux, yet that same power makes it a high-value target. This session is a technical deep dive into emerging eBPF threat patterns we’re seeing across modern fleets: privilege escalation paths that hinge on BPF/JIT behavior, abuse of tracing hooks for stealthy data access, and ways attackers hide activity by tampering with observability pipelines. Then we flip to defense: concrete kernel and distro hardening moves that actually change the risk profile (unprivileged BPF controls, JIT hardening settings, capability boundaries, LSM integration, and runtime guardrails). I’ll include short, readable kernel-level snippets and user-space examples using standard BPF tooling so you can reproduce the behaviors in a lab and validate mitigations. The goal is practical: leave with a checklist you can apply to production Linux systems and a mental model for what "safe eBPF" looks like going forward.