SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions
Soo Yee Lim, Tanya Prasad, Xueyuan Han, Thomas Pasquier

TL;DR
SafeBPF enhances the security of eBPF kernel extensions by isolating eBPF programs from the rest of the kernel, using either a software or a hardware-assisted mechanism, to prevent memory safety vulnerabilities from being exploited with minimal performance overhead.
Contribution
It introduces SafeBPF, a novel hardware-assisted and software-based approach to isolate eBPF programs, improving runtime safety in the Linux kernel.
Findings
SafeBPF incurs up to 4% overhead on macrobenchmarks.
It effectively isolates eBPF programs to prevent memory safety exploits.
The hardware-assisted implementation leverages ARM's MTE for enhanced security.
Abstract
The eBPF framework enables execution of user-provided code in the Linux kernel. In the last few years, a large ecosystem of cloud services has leveraged eBPF to enhance container security, system observability, and network management. Meanwhile, incessant discoveries of memory safety vulnerabilities have left the systems community with no choice but to disallow unprivileged eBPF programs, which unfortunately limits eBPF use to only privileged users. To improve run-time safety of the framework, we introduce SafeBPF, a general design that isolates eBPF programs from the rest of the kernel to prevent memory safety vulnerabilities from being exploited. We present a pure software implementation using a Software-based Fault Isolation (SFI) approach and a hardware-assisted implementation that leverages ARM's Memory Tagging Extension (MTE). We show that SafeBPF incurs up to 4% overhead on…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Smart Grid Security and Resilience · Security and Verification in Computing
