Mitigating Spectre-PHT using Speculation Barriers in Linux BPF

Luis Gerhorst, Henriette Herzog, Peter Wägemann, Maximilian Ott, Rüdiger Kapitza, Timo Hönig
Published 2024-04-30 in arXiv - CS - Operating Systems. Identifier: arxiv-2405.00078 (https://doi.org/arxiv-2405.00078).

Abstract

High-performance IO demands low-overhead communication between user and kernel space, a demand that traditional system calls can no longer fulfil. Linux's extended Berkeley Packet Filter (BPF) avoids user/kernel transitions by just-in-time compiling user-provided bytecode and executing it in kernel mode at near-native speed. To still isolate BPF programs from the kernel, they are statically analyzed for memory- and type-safety, which imposes some restrictions but allows for good expressiveness and high performance. However, to mitigate the Spectre vulnerabilities disclosed in 2018, defenses that reject potentially dangerous programs had to be deployed. We find that this affects 24% to 54% of programs in a dataset of 844 real-world BPF programs from popular open-source projects. To work around this, users are forced to disable the defenses in order to keep using the programs, which puts the entire system at risk. To enable secure and expressive untrusted Linux kernel extensions, we propose Berrify, an enhancement to the kernel's Spectre defenses that reduces the share of rejected BPF application programs from 54% to zero. We measure Berrify's overhead for all mainstream performance-sensitive applications of BPF (i.e., event tracing, profiling, and packet processing) and find that it improves significantly upon the status quo, in which affected BPF programs are either unusable or enable transient execution attacks on the kernel.