Project 12: SSL/TLS Key Logger (Encrypted Traffic Visibility)

A tool that uses uprobes to intercept SSL/TLS encryption functions and capture pre-encryption plaintext, enabling visibility into encrypted traffic for debugging—without needing certificates.

Quick Reference

Attribute               Value
Primary Language        C (libbpf)
Alternative Languages   Go (cilium/ebpf), Rust (aya)
Difficulty              Level 4: Expert
Time Estimate           2-3 weeks
Knowledge Area          Security / Cryptography / Debugging
Tooling                 libbpf, uprobes, OpenSSL
Prerequisites           Projects 1-7 completed, basic TLS understanding

What You Will Build

A tool that attaches uprobes to the SSL_read and SSL_write functions of TLS libraries such as OpenSSL, BoringSSL and GnuTLS and copies the buffers they handle before encryption and after decryption, giving visibility into encrypted traffic for debugging without access to certificates or private keys.

Why It Matters

This demonstrates the power of uprobes for userspace tracing. You’ll hook into library functions, understand how encryption works, and see why eBPF is both powerful and potentially dangerous: the same hook that lets a developer debug TLS traffic exposes plaintext and credentials to anyone who can load BPF programs on the host, which is why that privilege deserves the same monitoring as root.

Core Challenges

  • Finding the right functions → maps to SSL_read, SSL_write in OpenSSL (resolved from the library’s symbol table; a uprobe attaches to an offset in the shared object, so every process that maps it is covered and PID filtering has to happen in the BPF program)
  • Reading plaintext data → maps to buffer parameters, return values (SSL_write receives plaintext in its buffer argument at entry, while SSL_read fills its buffer only on return, so the entry probe must save the buffer pointer and the return probe copies as many bytes as the return value reports)
  • Supporting multiple libraries → maps to OpenSSL, BoringSSL, GnuTLS (different function names, and statically linked binaries need offsets inside the program itself)
  • Handling high throughput → maps to ring buffers, filtering (clamp each copied payload to a fixed size so the verifier accepts the copy, and drop events for PIDs you are not tracing before they reach userspace)

Key Concepts

  • uprobe Tracing: “Learning eBPF” Chapter 7 - Liz Rice
  • SSL/TLS Internals: “Serious Cryptography” Chapter 15 - Aumasson
  • sslsniff Tool: BCC sslsniff

Real-World Outcome

$ sudo ./sslsniff -p 1234  # PID of curl or browser
Tracing SSL/TLS in PID 1234...

FUNC       DIRECTION  LEN    DATA
────────────────────────────────────────────────────────────────
SSL_write  →          156    GET / HTTP/1.1\r\nHost: example.com\r\n...
SSL_read   ←          1234   HTTP/1.1 200 OK\r\nContent-Type: text/html...
SSL_write  →          89     GET /api/data HTTP/1.1\r\nAuth: Bearer eyJ...
SSL_read   ←          567    {"status":"ok","data":[{"id":1,"name":"...

# Save to file in SSLKEYLOGFILE format for Wireshark
$ sudo ./sslsniff --keylog > sslkeys.log
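The entry/return pairing described under Core Challenges, and the event that feeds the FUNC/DIRECTION/LEN/DATA columns above, modelled in plain C as an added example (not the project’s code). It assumes a fixed MAX_DATA payload and a per-thread pending table; the BPF version would replace memcpy with bpf_probe_read_user() and the table with a hash map keyed by thread id.

```c
#include <stdint.h>
#include <string.h>

#define MAX_DATA 256     /* sizes are assumptions for this example */
#define MAX_PENDING 64
struct ssl_event {       /* one per SSL_* call, mirrors FUNC/DIRECTION/LEN/DATA */
    uint32_t tid;
    char func[12];       /* "SSL_write" or "SSL_read" */
    char direction;      /* '>' plaintext sent, '<' plaintext received */
    uint32_t len;        /* bytes copied into data (clamped to MAX_DATA) */
    uint32_t orig_len;   /* length reported by the library before clamping */
    char data[MAX_DATA];
};

/* SSL_read(ssl, buf, num) fills buf only on return, so the entry probe saves
 * buf per thread; in BPF this table is a BPF_MAP_TYPE_HASH keyed by tid. */
struct pending_read { uint32_t tid; const void *buf; int in_use; };
static struct pending_read pending[MAX_PENDING];
/* Shared by the SSL_write entry probe and the SSL_read return probe.
 * ret <= 0 means no plaintext (error or WANT_READ/WANT_WRITE): emit nothing. */
static int fill_event(struct ssl_event *ev, uint32_t tid, const char *func,
                      char dir, const void *buf, int ret) {
    if (ret <= 0 || buf == NULL) return -1;
    memset(ev, 0, sizeof *ev);
    ev->tid = tid;
    strncpy(ev->func, func, sizeof ev->func - 1);
    ev->direction = dir;
    ev->orig_len = (uint32_t)ret;
    ev->len = (uint32_t)ret > MAX_DATA ? MAX_DATA : (uint32_t)ret; /* bounded copy */
    memcpy(ev->data, buf, ev->len);      /* bpf_probe_read_user() in the BPF program */
    return 0;
}
/* SSL_write(ssl, buf, num): plaintext is readable at entry, num is the requested length. */
int ssl_write_entry(struct ssl_event *ev, uint32_t tid, const void *buf, int num) {
    return fill_event(ev, tid, "SSL_write", '>', buf, num);
}
int ssl_read_entry(uint32_t tid, const void *buf) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (!pending[i].in_use) { pending[i] = (struct pending_read){tid, buf, 1}; return 0; }
    return -1; /* table full: drop this call rather than stall the application */
}
/* SSL_read return probe: pair with the saved buffer and copy ret bytes from it. */
int ssl_read_return(struct ssl_event *ev, uint32_t tid, int ret) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].in_use && pending[i].tid == tid) {
            pending[i].in_use = 0;
            return fill_event(ev, tid, "SSL_read", '<', pending[i].buf, ret);
        }
    return -1; /* no matching entry: probe was attached while the call was in flight */
}
```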

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_BPF_EBPF_LINUX.md
  • “BPF Performance Tools” by Brendan Gregg