VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel Extensions

TL;DR

This work addresses Spectre-based vulnerabilities in high-performance Linux BPF by enabling secure unprivileged kernel extensions. It introduces VeriFence, a practical enhancement to the Linux eBPF verifier that optimistically analyzes speculative execution paths and only inserts speculation barriers when unsafe behavior is detected. Domain analysis on 844 real-world BPF programs shows that full defenses reject many useful programs, and VeriFence reduces rejections dramatically while incurring minimal invocation-time overhead. Real-world evaluations across event tracing, continuous profiling, and network load balancing demonstrate VeriFence's low performance impact, making unprivileged BPF extensions feasible in production. The authors provide patches for the Linux v6.5 verifier and demonstrate significant security and usability gains for practical in-kernel programmable extensions.

Abstract

High-performance IO demands low-overhead communication between user- and kernel space. This demand can no longer be fulfilled by traditional system calls. Linux's extended Berkeley Packet Filter (BPF) avoids user-/kernel transitions by just-in-time compiling user-provided bytecode and executing it in kernel mode with near-native speed. To still isolate BPF programs from the kernel, they are statically analyzed for memory- and type-safety, which imposes some restrictions but allows for good expressiveness and high performance. However, to mitigate the Spectre vulnerabilities disclosed in 2018, defenses which reject potentially-dangerous programs had to be deployed. We find that this affects 31% to 54% of programs in a dataset with 844 real-world BPF programs from popular open-source projects. To solve this, users are forced to disable the defenses to continue using the programs, which puts the entire system at risk. To enable secure and expressive untrusted Linux kernel extensions, we propose VeriFence, an enhancement to the kernel's Spectre defenses that reduces the number of BPF application programs rejected from 54% to zero. We measure VeriFence's overhead for all mainstream performance-sensitive applications of BPF (i.e., event tracing, profiling, and packet processing) and find that it improves significantly upon the status-quo where affected BPF programs are either unusable or enable transient execution attacks on the kernel.

Figures (8)

• Figure 1: Reasons for program rejection in Linux when enabling defenses against transient execution attacks for 364 real-world test, example, and application object files. While the Spectre-BTB and -STL defenses do not trigger program rejections, enabling Spectre-PHT defenses (Full, i.e., PHT+STL+BTB) prevents 31 of all objects (and even 54 of application objects) from being used.
• Figure 2: Example from a program that contains a speculative type confusion gadget and is rejected by the Linux v6.5 verifier without Veri-Fence.
• Figure 3: Percentage of speculation barriers in 844 programs as a fraction of the total number of machine instructions with Spectre-STL defenses active.
• Figure 4: Execution paths through the program from Figure \ref{['fig_stc']}. Paths marked with $\rightarrow$ denote architectural execution, while a dashed arrow indicates speculative execution. ⚡indicates unsafe behavior the verifier must prevent.
• Figure 5: Veri-Fence successfully applies to all real-world application programs without modifications. Analyzing all 364 object files, defenses only fail to apply to 4 which is a significant improvement over the upstream verifier's 31. Veri-Fence only rejects 15 test programs from the Linux selftests which exhibit unverifiable architectural behavior that could easily be avoided in real applications.