When eBPF Meets Machine Learning: On-the-fly OS Kernel Compartmentalization

Zicheng Wang, Tiejin Chen, Qinrun Dai, Yueqi Chen, Hua Wei, Qingkai Zeng

TL;DR

This work introduces O2C, a system that compartmentalizes the OS kernel on the fly by instrumenting the running kernel with eBPF programs and embedding a machine learning model directly in kernel space. To handle objects that are not yet tracked when enforcement begins, O2C gives the compartment private stack and heap regions and enforces software fault isolation, following a three-phase workflow that ends with every object tracked. The authors justify a decision-tree model for in-kernel inference by its fit for tabular data, its explainability, and its compatibility with eBPF constraints, and they validate the security benefit and the small system-wide overhead through evaluation against real-world vulnerabilities and performance benchmarks. Overall, O2C demonstrates practical, scalable, and reusable on-the-fly compartmentalization with an emphasis on live remediation and minimal disruption, in contrast to offline, hardware-, or hypervisor-based approaches.
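The summary says a decision tree fits eBPF constraints better than other model families. The concrete reason is that the eBPF verifier rejects recursion, unbounded loops and unchecked memory indexing, and a decision tree can be encoded as a flat node table walked with a constant trip count. The block below is an added illustration of that encoding and is not code from the O2C paper or its authors; the feature set (object size, a caller-site class, a pre-registered flag), the tree itself and the sample allocation events are all hypothetical, and it is written as plain C so it can be compiled and run outside the kernel.

```c
/* Added example, not O2C's code: a decision tree stored as a flat node table
 * and evaluated with a fixed-bound, range-checked walk, the shape an in-kernel
 * classifier needs in order to be accepted by the eBPF verifier. */
#include <stdint.h>
#include <stdio.h>

#define N_FEATURES 3
#define MAX_DEPTH  8          /* hard bound on the tree walk */
#define N_NODES    5

enum feature { F_SIZE = 0, F_CALLER = 1, F_FLAGS = 2 };   /* hypothetical features */
enum verdict { V_DENY = 0, V_ALLOW = 1 };

struct node {
    int16_t  feature;    /* feature index tested at this node; -1 marks a leaf */
    int32_t  threshold;  /* take 'left' when feature value <= threshold */
    uint8_t  left;       /* child index into the same table */
    uint8_t  right;
    uint8_t  leaf;       /* verdict returned when feature == -1 */
};

/* Hypothetical tree (constructed for this example, not trained on anything):
 *   size > 4096               -> DENY
 *   size <= 4096, caller <= 2 -> ALLOW
 *   size <= 4096, caller > 2  -> ALLOW only if the pre-registered flag is set */
static const struct node tree[N_NODES] = {
    { F_SIZE,   4096, 1, 2, 0 },
    { F_CALLER, 2,    3, 4, 0 },
    { -1,       0,    0, 0, V_DENY },
    { -1,       0,    0, 0, V_ALLOW },
    { F_FLAGS,  0,    2, 3, 0 },
};

/* Walk the table with a constant trip count. No recursion, no data-dependent
 * loop bound, and every index is range-checked before use. A malformed table
 * or an over-deep path fails closed rather than falling through. */
int classify(const int32_t features[N_FEATURES])
{
    uint8_t idx = 0;
    for (int depth = 0; depth < MAX_DEPTH; depth++) {
        const struct node *n = &tree[idx];
        if (n->feature < 0)
            return n->leaf;
        if (n->feature >= N_FEATURES)
            return V_DENY;            /* malformed table: bad feature index */
        idx = (features[n->feature] <= n->threshold) ? n->left : n->right;
        if (idx >= N_NODES)
            return V_DENY;            /* malformed table: bad child index */
    }
    return V_DENY;                    /* depth bound exceeded */
}

/* Constructed allocation event and the feature extraction applied to it. */
struct alloc_event {
    uint32_t size;
    uint32_t caller_class;   /* hypothetical bucket for the allocating call site */
    uint32_t flags;          /* bit 0: object pre-registered with the compartment */
};

int audit_alloc(const struct alloc_event *ev)
{
    int32_t f[N_FEATURES];
    f[F_SIZE]   = (int32_t)ev->size;
    f[F_CALLER] = (int32_t)ev->caller_class;
    f[F_FLAGS]  = (int32_t)(ev->flags & 1u);
    return classify(f);
}

int main(void)
{
    /* Constructed sample events, not traces from the paper. */
    const struct alloc_event events[] = {
        { 256,  1, 0 },   /* small, known caller        -> allow */
        { 8192, 1, 1 },   /* too large                  -> deny  */
        { 256,  7, 0 },   /* unknown caller, unflagged  -> deny  */
        { 256,  7, 1 },   /* unknown caller, registered -> allow */
    };
    for (size_t i = 0; i < sizeof(events) / sizeof(events[0]); i++)
        printf("event %zu: %s\n", i,
               audit_alloc(&events[i]) == V_ALLOW ? "allow" : "deny");
    return 0;
}
```

The table-plus-bounded-loop layout is the design choice that matters: a neural network would need floating-point arithmetic the BPF instruction set lacks, and a recursive tree walk would be rejected outright, whereas this form is a handful of integer compares per node with a provable upper bound on instructions executed.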

Abstract

Compartmentalization effectively prevents initial corruption from turning into a successful attack. This paper presents O2C, a pioneering system designed to enforce OS kernel compartmentalization on the fly. It not only provides immediate remediation for sudden threats but also maintains consistent system availability through the enforcement process. O2C is empowered by the newest advancements of the eBPF ecosystem, which allow instrumenting eBPF programs that perform enforcement actions into the kernel at runtime. O2C takes the lead in embedding a machine learning model into eBPF programs, addressing unique challenges in on-the-fly compartmentalization. Our comprehensive evaluation shows that O2C effectively confines damage within the compartment. Further, we validate that the decision tree is optimally suited for O2C owing to its advantages in processing tabular data, its explainable nature, and its compliance with the eBPF ecosystem. Last but not least, O2C is lightweight, showing negligible overhead and excellent scalability system-wide.

Paper Structure

This paper contains 24 sections, 4 figures, 7 tables.

Figures (4)

  • Figure 1: Distribution of object, profiled in 20 minutes.
  • Figure 2: Three-phase workflow of O2C. In Phase (-1), O2C lays the groundwork. In Phase 0, compartmentalization is initialized yet requires ML-based audition for untracked objects. Finally, in Phase 1, all objects are tracked, obviating the need for audition.
  • Figure 3: The interaction protocol among the kernel, the eBPF programs, and the component.
  • Figure 4: Compartment-wise performance overhead, compared with the state-of-the-art HAKC (w.r.t. RQ2).