SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions

Soo Yee Lim, Tanya Prasad, Xueyuan Han, Thomas Pasquier
{"title":"SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions","authors":"Soo Yee Lim, Tanya Prasad, Xueyuan Han, Thomas Pasquier","doi":"arxiv-2409.07508","DOIUrl":null,"url":null,"abstract":"The eBPF framework enables execution of user-provided code in the Linux\nkernel. In the last few years, a large ecosystem of cloud services has\nleveraged eBPF to enhance container security, system observability, and network\nmanagement. Meanwhile, incessant discoveries of memory safety vulnerabilities\nhave left the systems community with no choice but to disallow unprivileged\neBPF programs, which unfortunately limits eBPF use to only privileged users. To\nimprove run-time safety of the framework, we introduce SafeBPF, a general\ndesign that isolates eBPF programs from the rest of the kernel to prevent\nmemory safety vulnerabilities from being exploited. We present a pure software\nimplementation using a Software-based Fault Isolation (SFI) approach and a\nhardware-assisted implementation that leverages ARM's Memory Tagging Extension\n(MTE). We show that SafeBPF incurs up to 4% overhead on macrobenchmarks while\nachieving desired security properties.","PeriodicalId":501333,"journal":{"name":"arXiv - CS - Operating Systems","volume":"8 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-09-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Operating Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.07508","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

The eBPF framework enables execution of user-provided code in the Linux kernel. In the last few years, a large ecosystem of cloud services has leveraged eBPF to enhance container security, system observability, and network management. Meanwhile, incessant discoveries of memory safety vulnerabilities have left the systems community with no choice but to disallow unprivileged eBPF programs, which unfortunately limits eBPF use to only privileged users. To improve run-time safety of the framework, we introduce SafeBPF, a general design that isolates eBPF programs from the rest of the kernel to prevent memory safety vulnerabilities from being exploited. We present a pure software implementation using a Software-based Fault Isolation (SFI) approach and a hardware-assisted implementation that leverages ARM's Memory Tagging Extension (MTE). We show that SafeBPF incurs up to 4% overhead on macrobenchmarks while achieving desired security properties.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
SafeBPF:eBPF 内核扩展的硬件辅助深度防御
eBPF 框架可在 Linux 内核中执行用户提供的代码。在过去几年中,大量云服务生态系统利用 eBPF 增强了容器安全性、系统可观察性和网络管理。与此同时,不断发现的内存安全漏洞让系统社区别无选择,只能禁止非特权eBPF程序的使用,不幸的是,eBPF的使用仅限于特权用户。为了提高框架的运行时安全性,我们引入了 SafeBPF,这是一种通用设计,可以将 eBPF 程序与内核的其他部分隔离,防止内存安全漏洞被利用。我们介绍了使用基于软件的故障隔离(SFI)方法的纯软件实现,以及利用 ARM 的内存标记扩展(MTE)的硬件辅助实现。我们的研究表明,SafeBPF 在实现所需的安全特性的同时,在宏基准测试中的开销仅为 4%。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Analysis of Synchronization Mechanisms in Operating Systems Skip TLB flushes for reused pages within mmap's eBPF-mm: Userspace-guided memory management in Linux with eBPF BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS Rethinking Programmed I/O for Fast Devices, Cheap Cores, and Coherent Interconnects
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1