Soo Yee Lim, Tanya Prasad, Xueyuan Han, Thomas Pasquier
{"title":"SafeBPF:eBPF 内核扩展的硬件辅助深度防御","authors":"Soo Yee Lim, Tanya Prasad, Xueyuan Han, Thomas Pasquier","doi":"arxiv-2409.07508","DOIUrl":null,"url":null,"abstract":"The eBPF framework enables execution of user-provided code in the Linux\nkernel. In the last few years, a large ecosystem of cloud services has\nleveraged eBPF to enhance container security, system observability, and network\nmanagement. Meanwhile, incessant discoveries of memory safety vulnerabilities\nhave left the systems community with no choice but to disallow unprivileged\neBPF programs, which unfortunately limits eBPF use to only privileged users. To\nimprove run-time safety of the framework, we introduce SafeBPF, a general\ndesign that isolates eBPF programs from the rest of the kernel to prevent\nmemory safety vulnerabilities from being exploited. We present a pure software\nimplementation using a Software-based Fault Isolation (SFI) approach and a\nhardware-assisted implementation that leverages ARM's Memory Tagging Extension\n(MTE). We show that SafeBPF incurs up to 4% overhead on macrobenchmarks while\nachieving desired security properties.","PeriodicalId":501333,"journal":{"name":"arXiv - CS - Operating Systems","volume":"8 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-09-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions\",\"authors\":\"Soo Yee Lim, Tanya Prasad, Xueyuan Han, Thomas Pasquier\",\"doi\":\"arxiv-2409.07508\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The eBPF framework enables execution of user-provided code in the Linux\\nkernel. In the last few years, a large ecosystem of cloud services has\\nleveraged eBPF to enhance container security, system observability, and network\\nmanagement. Meanwhile, incessant discoveries of memory safety vulnerabilities\\nhave left the systems community with no choice but to disallow unprivileged\\neBPF programs, which unfortunately limits eBPF use to only privileged users. To\\nimprove run-time safety of the framework, we introduce SafeBPF, a general\\ndesign that isolates eBPF programs from the rest of the kernel to prevent\\nmemory safety vulnerabilities from being exploited. We present a pure software\\nimplementation using a Software-based Fault Isolation (SFI) approach and a\\nhardware-assisted implementation that leverages ARM's Memory Tagging Extension\\n(MTE). We show that SafeBPF incurs up to 4% overhead on macrobenchmarks while\\nachieving desired security properties.\",\"PeriodicalId\":501333,\"journal\":{\"name\":\"arXiv - CS - Operating Systems\",\"volume\":\"8 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-09-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"arXiv - CS - Operating Systems\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/arxiv-2409.07508\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Operating Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.07508","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
摘要
eBPF 框架可在 Linux 内核中执行用户提供的代码。在过去几年中,大量云服务生态系统利用 eBPF 增强了容器安全性、系统可观察性和网络管理。与此同时,不断发现的内存安全漏洞让系统社区别无选择,只能禁止非特权eBPF程序的使用,不幸的是,eBPF的使用仅限于特权用户。为了提高框架的运行时安全性,我们引入了 SafeBPF,这是一种通用设计,可以将 eBPF 程序与内核的其他部分隔离,防止内存安全漏洞被利用。我们介绍了使用基于软件的故障隔离(SFI)方法的纯软件实现,以及利用 ARM 的内存标记扩展(MTE)的硬件辅助实现。我们的研究表明,SafeBPF 在实现所需的安全特性的同时,在宏基准测试中的开销仅为 4%。
SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions
The eBPF framework enables execution of user-provided code in the Linux
kernel. In the last few years, a large ecosystem of cloud services has
leveraged eBPF to enhance container security, system observability, and network
management. Meanwhile, incessant discoveries of memory safety vulnerabilities
have left the systems community with no choice but to disallow unprivileged
eBPF programs, which unfortunately limits eBPF use to only privileged users. To
improve run-time safety of the framework, we introduce SafeBPF, a general
design that isolates eBPF programs from the rest of the kernel to prevent
memory safety vulnerabilities from being exploited. We present a pure software
implementation using a Software-based Fault Isolation (SFI) approach and a
hardware-assisted implementation that leverages ARM's Memory Tagging Extension
(MTE). We show that SafeBPF incurs up to 4% overhead on macrobenchmarks while
achieving desired security properties.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
