DeepAI AI Chat
Log In Sign Up

Programmable System Call Security with eBPF

02/20/2023
by   Jinghao Jia, et al.
0

System call filtering is a widely used security mechanism for protecting a shared OS kernel against untrusted user applications. However, existing system call filtering techniques either are too expensive due to the context switch overhead imposed by userspace agents, or lack sufficient programmability to express advanced policies. Seccomp, Linux's system call filtering module, is widely used by modern container technologies, mobile apps, and system management services. Despite the adoption of the classic BPF language (cBPF), security policies in Seccomp are mostly limited to static allow lists, primarily because cBPF does not support stateful policies. Consequently, many essential security features cannot be expressed precisely and/or require kernel modifications. In this paper, we present a programmable system call filtering mechanism, which enables more advanced security policies to be expressed by leveraging the extended BPF language (eBPF). More specifically, we create a new Seccomp eBPF program type, exposing, modifying or creating new eBPF helper functions to safely manage filter state, access kernel and user state, and utilize synchronization primitives. Importantly, our system integrates with existing kernel privilege and capability mechanisms, enabling unprivileged users to install advanced filters safely. Our evaluation shows that our eBPF-based filtering can enhance existing policies (e.g., reducing the attack surface of early execution phase by up to 55.4 real-world vulnerabilities, and accelerate filters.

READ FULL TEXT

page 1

page 2

page 3

page 4

09/26/2019

Fine-Grained, Language-Based Access Control for Database-Backed Applications

Context: Database-backed applications often run queries with more author...
07/15/2021

Deriving Static Security Testing from Runtime Security Protection for Web Applications

Context: Static Application Security Testing (SAST) and Runtime Applicat...
02/13/2021

BPFContain: Fixing the Soft Underbelly of Container Security

Linux containers currently provide limited isolation guarantees. While c...
11/19/2022

Investigating the Security of EV Charging Mobile Applications As an Attack Surface

The adoption rate of EVs has witnessed a significant increase in recent ...
02/20/2018

A Reliable and Practical Approach to Kernel Attack Surface Reduction of Commodity OS

Commodity OS kernels are known to have broad attack surfaces due to the ...
03/28/2013

Semantic Matching of Security Policies to Support Security Experts

Management of security policies has become increasingly difficult given ...
11/14/2017

Practical Whole-System Provenance Capture

Data provenance describes how data came to be in its present form. It in...