TL;DR
VeriFence enhances the Linux kernel's Spectre defenses so that all real-world BPF programs can run securely without being rejected, significantly improving both performance and security for untrusted kernel extensions.
Contribution
It introduces VeriFence, a novel enhancement to Spectre defenses that eliminates false positives and rejections of BPF programs, enabling secure, high-performance kernel extensions.
Findings
VeriFence reduces rejected BPF programs from 54% to zero.
It maintains low overhead for performance-sensitive BPF applications.
VeriFence prevents transient execution attacks while supporting real-world use cases.
Abstract
High-performance IO demands low-overhead communication between user- and kernel space. This demand can no longer be fulfilled by traditional system calls. Linux's extended Berkeley Packet Filter (BPF) avoids user-/kernel transitions by just-in-time compiling user-provided bytecode and executing it in kernel mode with near-native speed. To still isolate BPF programs from the kernel, they are statically analyzed for memory- and type-safety, which imposes some restrictions but allows for good expressiveness and high performance. However, to mitigate the Spectre vulnerabilities disclosed in 2018, defenses which reject potentially-dangerous programs had to be deployed. We find that this affects 31% to 54% of programs in a dataset with 844 real-world BPF programs from popular open-source projects. To solve this, users are forced to disable the defenses to continue using the programs, which…