DeepAI AI Chat
Log In Sign Up

MOAT: Towards Safe BPF Kernel Extension

01/31/2023
by   Hongyi Lu, et al.
0

The Linux kernel makes considerable use of Berkeley Packet Filter (BPF) to allow user-written BPF applications to execute in the kernel space. BPF employs a verifier to statically check the security of user-supplied BPF code. Recent attacks show that BPF programs can evade security checks and gain unauthorized access to kernel memory, indicating that the verification process is not flawless. In this paper, we present MOAT, a system that isolates potentially malicious BPF programs using Intel Memory Protection Keys (MPK). Enforcing BPF program isolation with MPK is not straightforward; MOAT is carefully designed to alleviate technical obstacles, such as limited hardware keys and supporting a wide variety of kernel BPF helper functions. We have implemented MOAT in a prototype kernel module, and our evaluation shows that MOAT delivers low-cost isolation of BPF programs under various real-world usage scenarios, such as the isolation of a packet-forwarding BPF program for the memcached database with an average throughput loss of 6

READ FULL TEXT
02/28/2023

Protected Data Plane OS Using Memory Protection Keys and Lightweight Activation

Increasing data center network speed coupled with application requiremen...
01/21/2018

ERIM: Secure and Efficient In-process Isolation with Memory Protection Keys

Many applications can benefit from isolating sensitive data in a secure ...
10/10/2021

Garmr: Defending the gates of PKU-based sandboxing

Memory Protection Keys for Userspace (PKU) is a recent hardware feature ...
05/12/2021

Semantics, Verification, and Efficient Implementations for Tristate Numbers

Extended Berkeley Packet Filter(BPF)is an in-kernel, register-based virt...
02/26/2021

Synthesizing Safe and Efficient Kernel Extensions for Packet Processing

Extended Berkeley Packet Filter (BPF) has emerged as a powerful method t...
06/15/2022

Designing a Provenance Analysis for SGX Enclaves

Intel SGX enables memory isolation and static integrity verification of ...
12/13/2021

FlexOS: Towards Flexible OS Isolation

At design time, modern operating systems are locked in a specific safety...