Mitigating Spectre-PHT using Speculation Barriers in Linux BPF

Luis Gerhorst, Henriette Herzog, Peter Wägemann, Maximilian Ott, Rüdiger Kapitza, Timo Hönig
Venue: arXiv - CS - Operating Systems (Journal Article), published 2024-04-30
DOI: arxiv-2405.00078 (https://doi.org/arxiv-2405.00078)
Record source: Semanticscholar
Citations: 0

Abstract

High-performance IO demands low-overhead communication between user- and kernel space. This demand can no longer be fulfilled by traditional system calls. Linux's extended Berkeley Packet Filter (BPF) avoids user-/kernel transitions by just-in-time compiling user-provided bytecode and executing it in kernel mode with near-native speed. To still isolate BPF programs from the kernel, they are statically analyzed for memory- and type-safety, which imposes some restrictions but allows for good expressiveness and high performance. However, to mitigate the Spectre vulnerabilities disclosed in 2018, defenses which reject potentially-dangerous programs had to be deployed. We find that this affects 24% to 54% of programs in a dataset with 844 real-world BPF programs from popular open-source projects. To solve this, users are forced to disable the defenses to continue using the programs, which puts the entire system at risk. To enable secure and expressive untrusted Linux kernel extensions, we propose Berrify, an enhancement to the kernel's Spectre defenses that reduces the number of BPF application programs rejected from 54% to zero. We measure Berrify's overhead for all mainstream performance-sensitive applications of BPF (i.e., event tracing, profiling, and packet processing) and find that it improves significantly upon the status-quo where affected BPF programs are either unusable or enable transient execution attacks on the kernel.