
Aegis-BPF

A prototype for enforcing security policies using eBPF (Extended Berkeley Packet Filter) with CO-RE (Compile Once - Run Everywhere) support.

C++, C, eBPF, Security, Linux Kernel

System Architecture

Aegis-BPF architecture diagram

Repository Evidence

Measured from GitHub public repository data on May 31, 2026.

GitHub
Primary language
C++
Last public update
2026-05-24
Tracked issues
11
Repository size
5.4 MB
Language mix
C++, Shell, C, Go, Python

Case Study

Problem

Host security policies are difficult to enforce consistently when user-space agents can miss kernel-level behavior.

Architecture

A user-space policy controller writes policy and mode settings into pinned BPF maps and consumes audit events from ring buffers, while eBPF LSM hooks enforce or audit file, process, and socket activity in the kernel.

Security Approach

CO-RE portability, kernel verifier checks, policy signing, and audit-first rollout reduce the risk of unsafe kernel instrumentation.

Outcome

The prototype shows a path to low-overhead kernel-level policy enforcement with observable audit output.

Evidence

eBPF LSM hooks, pinned BPF maps, audit and deny modes

Lessons Learned

  • Kernel controls should start in audit mode before enforcement.
  • CO-RE support is essential for deployable eBPF security tooling.
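The audit-then-enforce decision described in the Architecture section and in the lessons above, as an added example that is not Aegis-BPF's own code: the verdict logic an eBPF LSM hook such as file_open would run, compiled here in user space with stand-ins for the pinned maps and the ring buffer so it can be unit-tested. The map layouts, the rule and event structs, and every aegis_* name are assumptions made for illustration; the real hook would sit under SEC("lsm/file_open"), resolve the path with bpf_d_path(), read the mode from a pinned array map with bpf_map_lookup_elem(), and emit events with bpf_ringbuf_output().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants; the project's real map names and layouts are not on this page. */
#define AEGIS_MODE_AUDIT   0u   /* log would-be denials, allow everything */
#define AEGIS_MODE_ENFORCE 1u   /* log and actually deny */
#define AEGIS_PATH_LEN     64
#define AEGIS_MAX_RULES    8
#define AEGIS_RB_SLOTS     32

struct aegis_rule {
    char    prefix[AEGIS_PATH_LEN]; /* path prefix the rule applies to */
    uint8_t deny;                   /* 1 = deny on match */
};

struct aegis_event {                /* record pushed to the ring buffer */
    uint32_t pid;
    uint8_t  mode;                  /* mode in force when the event fired */
    uint8_t  denied;                /* 1 only if the access was really blocked */
    char     path[AEGIS_PATH_LEN];
};

/* User-space stand-ins for the pinned maps and the ring buffer. In the BPF
 * program these would be BPF_MAP_TYPE_ARRAY maps and a BPF_MAP_TYPE_RINGBUF. */
static uint8_t            g_mode = AEGIS_MODE_AUDIT;
static struct aegis_rule  g_rules[AEGIS_MAX_RULES];
static uint32_t           g_rule_count;
static struct aegis_event g_ringbuf[AEGIS_RB_SLOTS];
static uint32_t           g_ringbuf_len;

/* Prefix match with a constant loop bound, as the BPF verifier requires.
 * Stops at the prefix's terminator (match) or at the first mismatch, so it
 * never reads past the end of a shorter path. */
static int aegis_prefix_match(const char *prefix, const char *path)
{
    for (int i = 0; i < AEGIS_PATH_LEN; i++) {
        if (prefix[i] == '\0')
            return 1;
        if (prefix[i] != path[i])
            return 0;
    }
    return 1;
}

/* Hook body modelled on an LSM file_open hook: 0 allows, -EPERM denies.
 * In audit mode a matching deny rule is recorded but the open still succeeds,
 * which is what makes an audit-first rollout safe. */
int aegis_file_open(uint32_t pid, const char *path)
{
    int matched_deny = 0;

    for (uint32_t i = 0; i < AEGIS_MAX_RULES; i++) {
        if (i >= g_rule_count)
            break;
        if (g_rules[i].deny && aegis_prefix_match(g_rules[i].prefix, path)) {
            matched_deny = 1;
            break;
        }
    }
    if (!matched_deny)
        return 0;                           /* allowed: no event, no extra cost */

    int denied = (g_mode == AEGIS_MODE_ENFORCE);
    if (g_ringbuf_len < AEGIS_RB_SLOTS) {   /* a full ring buffer drops the event, never the verdict */
        struct aegis_event *e = &g_ringbuf[g_ringbuf_len++];
        e->pid = pid;
        e->mode = g_mode;
        e->denied = (uint8_t)denied;
        strncpy(e->path, path, AEGIS_PATH_LEN - 1);
        e->path[AEGIS_PATH_LEN - 1] = '\0';
    }
    return denied ? -EPERM : 0;
}

/* Controller side: what the user-space agent would do through map updates. */
void aegis_set_mode(uint8_t mode) { g_mode = mode; }

int aegis_add_rule(const char *prefix, uint8_t deny)
{
    if (g_rule_count >= AEGIS_MAX_RULES)
        return -ENOSPC;
    struct aegis_rule *r = &g_rules[g_rule_count++];
    strncpy(r->prefix, prefix, AEGIS_PATH_LEN - 1);
    r->prefix[AEGIS_PATH_LEN - 1] = '\0';
    r->deny = deny;
    return 0;
}

uint32_t aegis_event_count(void) { return g_ringbuf_len; }

const struct aegis_event *aegis_event(uint32_t i)
{
    return i < g_ringbuf_len ? &g_ringbuf[i] : NULL;
}

int main(void)
{
    aegis_add_rule("/etc/shadow", 1);           /* constructed sample policy */
    aegis_set_mode(AEGIS_MODE_AUDIT);
    aegis_file_open(100, "/etc/shadow");        /* logged, allowed */
    aegis_set_mode(AEGIS_MODE_ENFORCE);
    aegis_file_open(101, "/etc/shadow");        /* logged, denied */
    for (uint32_t i = 0; i < aegis_event_count(); i++)
        printf("pid=%u mode=%u denied=%u path=%s\n", aegis_event(i)->pid,
               aegis_event(i)->mode, aegis_event(i)->denied, aegis_event(i)->path);
    return 0;
}
```

Two details carry over unchanged when this logic is moved into a real BPF object: the loop bound must stay a compile-time constant so the verifier can prove termination, and string handling must go through BPF-safe copies (bpf_probe_read_kernel_str or a bounded manual loop) rather than libc strncpy. With the mode kept in a pinned array map, the switch from audit to enforce is a single map update from user space (for example bpftool map update pinned <path> key 0 0 0 0 value 1 0 0 0, assuming a four-byte key and a pinned path of your choosing) with no program reload, and the same update in reverse is the rollback.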

Technical Overview

Developed in C++ with the eBPF programs written in C. CO-RE (Compile Once - Run Everywhere) uses the kernel's BTF type information to relocate struct field accesses at load time, so one compiled BPF object runs across Linux kernel versions without per-kernel recompilation. This requires a target kernel built with BTF (CONFIG_DEBUG_INFO_BTF) and, for the LSM hooks, BPF LSM support (CONFIG_BPF_LSM with "bpf" present in the active LSM list), which a deployment check should confirm before loading.

Value Proposition

Security enforcement at the kernel level. Aegis provides deep visibility into and control over system behavior at low overhead: eBPF LSM hooks observe and gate file, process, and socket activity that user-space agents can miss, and the kernel verifier bounds what the loaded programs can do.