SunnyDayBPF: Post-Syscall User-Buffer Telemetry Deception with eBPF

DEV Community · azqzazq1 · 24 days ago

Security tools do not observe reality directly. They observe telemetry. And telemetry is only as trustworthy as the path that produced it. SunnyDayBPF is a research technique that explores what happens when that path can be influenced after a read-like syscall has already completed.

What is SunnyDayBPF?

SunnyDayBPF is an eBPF-based post-syscall user-buffer telemetry deception research technique originally proposed and researched by Azizcan Daştan. The technique investigates whether data observed by user-space security, logging, or telemetry agents can be altered after a read-like syscall has completed, but before the agent parses, analyzes, or forwards that data to a downstream security pipeline.

In simple terms: the event still happens. The monitoring agent still reads data. But the data observed by the agent may no longer fully represent the original event.

SunnyDayBPF focuses on the gap between ground truth and observed telemetry.…
