English

SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions

Cryptography and Security 2024-09-13 v1 Operating Systems

Abstract

The eBPF framework enables execution of user-provided code in the Linux kernel. In the last few years, a large ecosystem of cloud services has leveraged eBPF to enhance container security, system observability, and network management. Meanwhile, incessant discoveries of memory safety vulnerabilities have left the systems community with no choice but to disallow unprivileged eBPF programs, which unfortunately limits eBPF use to only privileged users. To improve run-time safety of the framework, we introduce SafeBPF, a general design that isolates eBPF programs from the rest of the kernel to prevent memory safety vulnerabilities from being exploited. We present a pure software implementation using a Software-based Fault Isolation (SFI) approach and a hardware-assisted implementation that leverages ARM's Memory Tagging Extension (MTE). We show that SafeBPF incurs up to 4% overhead on macrobenchmarks while achieving desired security properties.

Keywords

Cite

@article{arxiv.2409.07508,
  title  = {SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions},
  author = {Soo Yee Lim and Tanya Prasad and Xueyuan Han and Thomas Pasquier},
  journal= {arXiv preprint arXiv:2409.07508},
  year   = {2024}
}

Comments

15 pages, 9 figures

R2 v1 2026-06-28T18:41:38.754Z