Kernel extension verification is untenable

Jinghao Jia, R. Sahu, Adam Oswald, Daniel W. Williams, Michael V. Le, Tianyi Xu
DOI: 10.1145/3593856.3595892
Published in: Proceedings of the 19th Workshop on Hot Topics in Operating Systems
Publication date: 2023-06-22
Citations: 6

Abstract

The emergence of verified eBPF bytecode is ushering in a new era of safe kernel extensions. In this paper, we argue that eBPF's verifier---the source of its safety guarantees---has become a liability. In addition to the well-known bugs and vulnerabilities stemming from the complexity and ad hoc nature of the in-kernel verifier, we highlight a concerning trend in which escape hatches to unsafe kernel functions (in the form of helper functions) are being introduced to bypass verifier-imposed limitations on expressiveness, unfortunately also bypassing its safety guarantees. We propose safe kernel extension frameworks using a balance of not just static but also lightweight runtime techniques. We describe a design centered around kernel extensions in safe Rust that will eliminate the need of the in-kernel verifier, improve expressiveness, allow for reduced escape hatches, and ultimately improve the safety of kernel extensions.