Ironclad Kernel: The Next-Generation eBPF Security Platform-
Technical Whitepaper & Architecture Guide
S.M.
11/26/20253 min read
Ironclad Kernel: The Next-Generation eBPF Security Platform
Technical Whitepaper & Architecture Guide
Introduction
In the modern threat landscape, traditional perimeter firewalls are insufficient. Adversaries bypass Layer 3/4 controls using legitimate ports (80/443) and trusted protocols. Once inside, they move laterally, exfiltrate data via DNS tunnels, or establish C2 (Command & Control) channels using standard system binaries.
Ironclad Kernel addresses these challenges by moving security enforcement from the network edge directly into the Linux Kernel using eBPF (Extended Berkeley Packet Filter). This approach provides:
Identity-Aware Micro-segmentation: Policies based on process identity (comm, PID), not just IP/Port.
Zero-Trust Enforcement: A default-deny architecture that blocks all unauthorized outbound traffic.
Deep Observability: Wire-speed inspection of encrypted traffic (TLS) and application protocols (DNS) without heavy user-space proxies.
Core Architecture
Ironclad Kernel operates on a split-plane architecture designed for performance and resilience.
The Data Plane (Kernel Space)
The enforcement engine runs entirely within the Linux Kernel as JIT-compiled eBPF bytecode. This ensures:
Safety: The eBPF Verifier guarantees that the code cannot crash the kernel or access invalid memory.
Performance: Packets are processed before they traverse the full networking stack (skb allocation), minimizing latency.
Tamper Resistance: Security logic resides in kernel memory, making it invisible and inaccessible to user-space malware (even rootkits often struggle to detach BPF links without detection).
Key Hooks:
cgroup/connect4 & connect6: The primary enforcement points. Triggers on every TCP/UDP connection attempt (connect() syscall). This allows blocking before a SYN packet is ever generated.
uprobe/SSL_write: Hooks into user-space libraries (OpenSSL) to capture plaintext data before encryption. This provides visibility into HTTPS traffic without Man-in-the-Middle (MitM) certificates.
kprobe/tcp_sendmsg & udp_sendmsg: Captures traffic volume for bandwidth accounting and DNS query inspection at the socket layer.
The Control Plane (User Space)
A high-concurrency Go daemon manages the lifecycle of the eBPF programs.
Map Management: Dynamically updates kernel maps (Hash Maps, LPM Tries) with rules, threat feeds, and geo-blocking data.
Event Stream: Consumes the Ring Buffer, a high-performance shared memory structure, to receive logs from the kernel without the overhead of perf_event.
Threat Intelligence: Asynchronously fetches and parses threat feeds (Abuse.ch, Proofpoint) and pushes compiled binary keys to the kernel.
Threat Mitigation Capabilities
Identity-Based Zero Trust
Traditional firewalls see "Packet from 10.0.0.5 to 8.8.8.8". Ironclad sees "Process /usr/bin/curl (PID 1234) attempting to reach 8.8.8.8".
Mechanism: The eBPF program reads task_struct->comm to identify the binary.
Benefit: You can allow apt-get to reach the internet for updates while blocking a malicious python script attempting the same connection.
Geo-Fencing with LPM Tries
Blocking entire countries requires checking an IP against thousands of CIDR ranges.
Challenge: Linear scanning of IP lists in the kernel is too slow (O(N)).
Solution: Ironclad uses a Longest Prefix Match (LPM) Trie map.
Performance: Lookup complexity is O(1) relative to the number of rules (bound by key length, i.e., 32 bits for IPv4). This allows blocking 50,000+ subnets with nanosecond-level latency.
TLS Inspection ("God Mode")
Malware increasingly uses HTTPS to hide C2 traffic. Traditional DPI (Deep Packet Inspection) fails here without decryption keys.
Technique: Uprobes (User Probes). Ironclad attaches a probe to the SSL_write function in libssl.so.
Visibility: It captures the buffer passed to the encryption function. This reveals the full HTTP request (Headers, URL, Body) in plaintext.
Privacy: This data is streamed only to the local Ring Buffer for analysis and is not stored or transmitted externally.
Volumetric DDoS Protection
A compromised workload might be used to flood a target.
Mechanism: A Token Bucket rate limiter implemented in eBPF maps.
Granularity: Tracks connection attempts per second.
Enforcement: If the rate exceeds the configured threshold (e.g., 100 conn/s), the kernel drops the connect() syscall immediately, preventing resource exhaustion on the host.
Performance & Hardware Impact
Ironclad is designed for high-density environments (Kubernetes nodes, Edge devices).
Benchmarks (Estimated)
CPU Overhead: < 1% increase in CPU usage at 10Gbps throughput.
Latency: Adds < 500 nanoseconds per connection attempt.
Memory Footprint:
Daemon: ~20MB RAM (Go runtime).
Kernel Maps: ~50MB (configurable based on max entries).
Hardware Requirements
Minimum: 1 vCPU, 512MB RAM (Raspberry Pi Zero capable).
Recommended: 2 vCPU, 2GB RAM for heavy logging loads.
Architecture: Fully compatible with x86_64 (Intel/AMD) and arm64 (AWS Graviton, Raspberry Pi, Apple Silicon Linux VMs).
Resilience
Boot Race Protection: The systemd unit uses After=network-online.target to ensure threat feeds are only downloaded once connectivity is established, preventing startup failures.
Fail-Safe Mode: If the user-space daemon crashes, the eBPF programs remain loaded in the kernel, continuing to enforce the last known good policy (persisting protection).
Deployment
Single Binary: The entire solution (Daemon + CLI + Web UI + eBPF Bytecode) is compiled into a single, statically linked binary. No external dependencies (like Python or Libpcap) are required on the target machine.
Unified Config: A single YAML file (/etc/go-ebpf-firewall/rules.yaml) controls all policies, making it easy to manage via Ansible, Chef, or Puppet.
Conclusion
Ironclad Kernel Firewall transforms standard Linux servers into hardened security bastions. By leveraging eBPF, it provides visibility and control depth that was previously only possible with expensive hardware appliances or heavy kernel modules. It effectively stops supply chain attacks, neutralizes reverse shells, and provides the forensic data needed to understand modern threats.