eBPF-PATROL: Protective Agent for Threat Recognition and Overreach Limitation using eBPF in Containerized and Virtualized Environments

Sangam Ghimire, Nirjal Bhurtel, Roshan Sahani, Sudan Jha

TL;DR

eBPF-PATROL introduces a kernel-level, context-aware runtime security agent that uses eBPF to monitor and enforce policies in containerized and virtualized environments. By enabling syscall-argument filtering and inline enforcement, it blocks attacks such as reverse shells, container escapes, and privilege escalation with overheads under 2.5%, validated across real-world scenarios. The architecture combines a Probe Manager, Policy Engine, Event Analyzer, and Enforcement module, with declarative YAML policies and exemplars demonstrating practical applicability in production stacks like Kubernetes. The evaluation shows strong detection accuracy, low latency, and clear advantages over detection-only tools, highlighting the potential for adaptive, distributed, and cross-platform eBPF-based security in modern cloud-native infrastructures.

Abstract

With the increasing use and adoption of cloud and cloud-native computing, the underlying technologies (i.e., containerization and virtualization) have become foundational. However, maintaining strict isolation and runtime security in these environments has become increasingly challenging. Existing approaches like seccomp and Mandatory Access Control (MAC) frameworks offer some protection up to a limit, but often lack context awareness, syscall argument filtering, and adaptive enforcement, that is, the ability to adjust decisions at runtime based on observed application behavior, workload changes, or detected anomalies rather than relying solely on static or predefined rules. This paper introduces eBPF-PATROL (eBPF-Protective Agent for Threat Recognition and Overreach Limitation), an extensible, lightweight runtime security agent that uses extended Berkeley Packet Filter (eBPF) technology to monitor and enforce policies in containerized and virtualized environments. By intercepting system calls, analyzing execution context, and applying user-defined rules, eBPF-PATROL detects and prevents boundary violations in real time, such as reverse shells, privilege escalation, and container escape attempts. We describe the architecture, implementation, and evaluation of eBPF-PATROL, demonstrating its low overhead (< 2.5 percent) and high detection accuracy across real-world attack scenarios.
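To make the distinction between syscall-name filtering and the context-aware, argument-aware decisions the abstract describes concrete, here is a small illustrative policy evaluator. It is an added example, not code from the eBPF-PATROL paper or its agent; the event fields, rule keys, and policy rules are assumptions that mirror how a declarative policy would look once loaded, and the events are constructed in user space rather than captured by a probe.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class SyscallEvent:
    """One intercepted syscall plus the execution context a probe would attach."""
    syscall: str
    args: dict          # hypothetical decoded arguments, e.g. {"filename": ..., "flags": ...}
    in_container: bool  # derived from namespace/cgroup context in a real agent
    uid: int

# Hypothetical policy (assumption): the in-memory form of a declarative YAML rule list.
# First matching rule wins; anything unmatched is allowed.
POLICY = [
    {"name": "deny-mount-in-container", "syscall": "mount",
     "context": {"in_container": True}, "action": "deny"},
    {"name": "deny-proc-sys-writes", "syscall": "openat",
     "context": {"in_container": True},
     "args": {"filename": "/proc/sys/*", "flags": "*O_WRONLY*"}, "action": "deny"},
    {"name": "alert-root-exec-in-container", "syscall": "execve",
     "context": {"in_container": True, "uid": 0}, "action": "alert"},
]

def rule_matches(rule: dict, ev: SyscallEvent) -> bool:
    """A rule matches only if syscall, every context field, and every arg glob agree."""
    if rule["syscall"] != ev.syscall:
        return False
    for field, expected in rule.get("context", {}).items():
        if getattr(ev, field) != expected:
            return False
    for arg, pattern in rule.get("args", {}).items():
        if not fnmatchcase(str(ev.args.get(arg, "")), pattern):
            return False
    return True

def evaluate(ev: SyscallEvent, policy=POLICY) -> tuple:
    """Context-aware decision: returns (action, rule name)."""
    for rule in policy:
        if rule_matches(rule, ev):
            return rule["action"], rule["name"]
    return "allow", "default"

def name_only(ev: SyscallEvent, denied=frozenset({"mount"})) -> str:
    """seccomp-style comparison: only the syscall identity is visible, so a denied
    syscall is denied everywhere and an argument-dependent misuse cannot be seen."""
    return "deny" if ev.syscall in denied else "allow"
```

The name-only filter must choose between blocking mount on the host as well or permitting it in containers, and it cannot distinguish a read of /proc/sys from a write; the context- and argument-aware evaluator expresses both distinctions in one rule each.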

Paper Structure

This paper contains 33 sections, 2 figures, 4 tables.

Figures (2)

  • Figure 1: High-level architecture of
  • Figure 4: Syscall Flow With PATROL