[NEW!] Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing

sandBPF Architecture

Abstract

For safety reasons, unprivileged users today have only limited ways to customize the kernel through the extended Berkeley Packet Filter (eBPF). This is unfortunate, especially since the eBPF framework itself has seen an increase in scope over the years. We propose SandBPF, a software-based kernel isolation technique that dynamically sandboxes eBPF programs to allow unprivileged users to safely extend the kernel, unleashing eBPF’s full potential. Our early proof-of-concept shows that SandBPF can effectively prevent exploits missed by eBPF’s native safety mechanism (i.e., static verification) while incurring 0%-10% overhead on web server benchmarks.

Publication
In ACM Special Interest Group on Data Communication (SIGCOMM) 1st Workshop on eBPF and Kernel Extensions
Xueyuan Michael Han-Vanbastelaer
Xueyuan Michael Han-Vanbastelaer
Assistant Professor

My research interests include systems security and privacy, data provenance, and graph analysis.

Related