eBPF, Go, React, Kernel, Runtime Security
ECRSM
ECRSM is an educational eBPF-based Cloud Runtime Security Monitor. It provides a synthetic, read-only runtime visibility stack combining kernel eBPF, a Go agent, and a React dashboard.
01. Problem
Understanding runtime security at the kernel level is complex. ECRSM provides a safe, educational platform to learn eBPF-based monitoring.
02. Solution Overview
- Implemented eBPF hooks for safe syscall tracepoints
- Built a Go agent to collect and enrich metadata
- Created a real-time React dashboard for visualization
- Designed safe synthetic attack simulations
Build
Tech Stack
eBPF (C), Go (Agent), React (Dashboard), Kubernetes (Helm)
- Kernel tracepoints (execve, connect, ptrace, mmap)
- Go agent for enrichment & rules
- Live WebSocket dashboard
- Kubernetes DaemonSet deployment
Secure
- Read-only introspection (no kernel writes)
- Metadata only (no payloads/secrets)
- Least privilege (BPF/SYS_ADMIN caps only)
- Safe synthetic simulations
03. Proof & Verification
Verified Claims
- Detects reverse shells, process injection, suspicious execs
- Low-overhead perf buffer data transmission
- Container/K8s metadata enrichment
- Verifiable via synthetic attack scripts
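A sketch of the kind of stateful rule a Go agent could run over metadata-only events from the execve, connect and ptrace tracepoints listed under Build. It is an added example, not ECRSM's own code; the Event fields, the rule names and the sample events are assumptions constructed for illustration.

```go
package main

import "fmt"

// Event is a hypothetical metadata-only record (no payloads), one per traced syscall.
type Event struct {
	Syscall     string // "execve", "connect" or "ptrace"
	PID, Target int    // Target is set for ptrace only
	Comm        string // process name after the call
	Remote      string // connect only: peer "ip:port"
}

var shells = map[string]bool{"sh": true, "bash": true, "dash": true, "zsh": true}
type pidState struct{ connected, shell bool }

// Run applies two simplified rules; a real agent would also drop state on process exit.
func Run(events []Event) []string {
	state := map[int]pidState{}
	var alerts []string
	for _, e := range events {
		s := state[e.PID]
		before := s.connected && s.shell // alert only on the transition
		switch e.Syscall {
		case "execve":
			s.shell = shells[e.Comm] // sockets without close-on-exec survive execve
		case "connect":
			s.connected = true
		case "ptrace":
			if e.Target != e.PID {
				alerts = append(alerts, fmt.Sprintf("ptrace-attach pid=%d target=%d", e.PID, e.Target))
			}
		}
		if !before && s.connected && s.shell {
			alerts = append(alerts, fmt.Sprintf("shell-with-outbound-socket pid=%d comm=%s", e.PID, e.Comm))
		}
		state[e.PID] = s
	}
	return alerts
}

// Constructed sample events; addresses come from documentation ranges.
var sampleEvents = []Event{
	{Syscall: "connect", PID: 4100, Comm: "curl", Remote: "203.0.113.10:443"},
	{Syscall: "connect", PID: 4200, Comm: "worker", Remote: "198.51.100.7:4444"},
	{Syscall: "execve", PID: 4200, Comm: "sh"},
	{Syscall: "ptrace", PID: 4300, Comm: "tracer", Target: 4100},
}

func main() { fmt.Println(Run(sampleEvents)) }
```

The rule keys on the combination of a shell image and an outbound socket in one PID, in either order, so a plain outbound connection from a non-shell process stays silent.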