SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions

Soo Yee Lim, Tanya Prasad, Xueyuan Han, Thomas Pasquier

TL;DR

This work introduces SafeBPF, a general design that isolates eBPF programs from the rest of the kernel to prevent memory safety vulnerabilities from being exploited and shows that SafeBPF incurs up to 4% overhead on macrobenchmarks while achieving desired security properties.

Abstract

The eBPF framework enables execution of user-provided code in the Linux kernel. In the last few years, a large ecosystem of cloud services has leveraged eBPF to enhance container security, system observability, and network management. Meanwhile, incessant discoveries of memory safety vulnerabilities have left the systems community with no choice but to disallow unprivileged eBPF programs, which unfortunately limits eBPF use to only privileged users. To improve run-time safety of the framework, we introduce SafeBPF, a general design that isolates eBPF programs from the rest of the kernel to prevent memory safety vulnerabilities from being exploited. We present a pure software implementation using a Software-based Fault Isolation (SFI) approach and a hardware-assisted implementation that leverages ARM's Memory Tagging Extension (MTE). We show that SafeBPF incurs up to 4% overhead on macrobenchmarks while achieving desired security properties.

Paper Structure (34 sections, 9 figures, 6 tables)

Figures (9)

  • Figure 1: An overview of eBPF workflow.
  • Figure 2: A summary of the types of CVEs reported in each component of eBPF from 2010 to 2023.
  • Figure 3: The evolution of the eBPF verifier's size in source lines of code (SLOC) from v5.0 in March 2019 (5,245 SLOC) to v6.9 in May 2024 (15,274 SLOC).
  • Figure 4: An illustration of the SafeBPF design.
  • Figure 5: An overview of the MTE mechanism.
  • ...and 4 more figures