Enabling eBPF on Embedded Systems Through Decoupled Verification

Proceedings of the 1st Workshop on eBPF and Kernel Extensions Pub Date : 2023-09-10 DOI:10.1145/3609021.3609299

Milo Craun, Adam Oswald, Daniel W. Williams

{"title":"Enabling eBPF on Embedded Systems Through Decoupled Verification","authors":"Milo Craun, Adam Oswald, Daniel W. Williams","doi":"10.1145/3609021.3609299","DOIUrl":null,"url":null,"abstract":"eBPF (Extended Berkeley Packet Filter) is a Linux kernel subsystem that aims to allow developers to write safe and efficient kernel extensions by employing an in-kernel verifier and just-in-time compiler (JIT). We find that verification is prohibitively expensive for resource-constrained embedded systems. To solve this we describe a system that allows for verification to occur outside of the embedded kernel and before BPF program load time. The in-kernel verifier and JIT are coupled so they must be decoupled together. A designated verifier kernel accepts a BPF program, then verifies, compiles, and signs a native precompiled executable. The executable can then be loaded onto an embedded device without needing the verifier and JIT on the embedded device. Decoupling verification and JIT from load-time opens the door to much more than running BPF programs on embedded devices. It allows larger and more expressive BPF programs to be verified, provides a way for new approaches to verification to be used without extensive kernel modification and creates the possibility for BPF program verification as a service.","PeriodicalId":206230,"journal":{"name":"Proceedings of the 1st Workshop on eBPF and Kernel Extensions","volume":"21 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 1st Workshop on eBPF and Kernel Extensions","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3609021.3609299","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

eBPF (Extended Berkeley Packet Filter) is a Linux kernel subsystem that aims to allow developers to write safe and efficient kernel extensions by employing an in-kernel verifier and just-in-time compiler (JIT). We find that verification is prohibitively expensive for resource-constrained embedded systems. To solve this we describe a system that allows for verification to occur outside of the embedded kernel and before BPF program load time. The in-kernel verifier and JIT are coupled so they must be decoupled together. A designated verifier kernel accepts a BPF program, then verifies, compiles, and signs a native precompiled executable. The executable can then be loaded onto an embedded device without needing the verifier and JIT on the embedded device. Decoupling verification and JIT from load-time opens the door to much more than running BPF programs on embedded devices. It allows larger and more expressive BPF programs to be verified, provides a way for new approaches to verification to be used without extensive kernel modification and creates the possibility for BPF program verification as a service.

查看原文本刊更多论文

通过解耦验证在嵌入式系统上实现eBPF

eBPF(扩展伯克利包过滤器)是一个Linux内核子系统，旨在允许开发人员通过使用内核内验证器和即时编译器(JIT)来编写安全高效的内核扩展。我们发现，对于资源受限的嵌入式系统，验证是非常昂贵的。为了解决这个问题，我们描述了一个允许在嵌入式内核之外和在BPF程序加载时间之前进行验证的系统。内核内验证器和JIT是耦合的，因此它们必须解耦在一起。指定的验证器内核接受BPF程序，然后验证、编译和签名本机预编译的可执行文件。然后可以将可执行文件加载到嵌入式设备上，而不需要嵌入式设备上的验证器和JIT。将验证和JIT从加载时解耦，为在嵌入式设备上运行BPF程序打开了一扇大门。它允许对更大、更具表现力的BPF程序进行验证，提供了一种无需大量修改内核即可使用的新验证方法，并创造了将BPF程序验证作为服务的可能性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 1st Workshop on eBPF and Kernel Extensions

自引率

0.00%

发文量