Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing
Soo Yee Lim, Xueyuan Han, Thomas Pasquier

TL;DR
This paper introduces SandBPF, a dynamic sandboxing technique that enhances the safety of unprivileged eBPF programs, enabling safer kernel extensions with minimal performance overhead.
Contribution
It presents a novel software-based sandboxing method for eBPF that lets unprivileged users safely extend kernel functionality beyond what eBPF's existing safety mechanism, static verification, permits.
Findings
SandBPF effectively prevents exploits missed by static verification.
It incurs only 0%-10% overhead on web server benchmarks.
SandBPF enables safer kernel customization for unprivileged users.
Abstract
For safety reasons, unprivileged users today have only limited ways to customize the kernel through the extended Berkeley Packet Filter (eBPF). This is unfortunate, especially since the eBPF framework itself has seen an increase in scope over the years. We propose SandBPF, a software-based kernel isolation technique that dynamically sandboxes eBPF programs to allow unprivileged users to safely extend the kernel, unleashing eBPF's full potential. Our early proof-of-concept shows that SandBPF can effectively prevent exploits missed by eBPF's native safety mechanism (i.e., static verification) while incurring 0%-10% overhead on web server benchmarks.
Taxonomy
Topics: Security and Verification in Computing · Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting
