arXiv Open Access 2023

Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing

Soo Yee Lim Xueyuan Han Thomas Pasquier

Lihat Sumber

Abstrak

For safety reasons, unprivileged users today have only limited ways to customize the kernel through the extended Berkeley Packet Filter (eBPF). This is unfortunate, especially since the eBPF framework itself has seen an increase in scope over the years. We propose SandBPF, a software-based kernel isolation technique that dynamically sandboxes eBPF programs to allow unprivileged users to safely extend the kernel, unleashing eBPF's full potential. Our early proof-of-concept shows that SandBPF can effectively prevent exploits missed by eBPF's native safety mechanism (i.e., static verification) while incurring 0%-10% overhead on web server benchmarks.

Topik & Kata Kunci

cs.OS cs.CR

Penulis (3)

Soo Yee Lim

Xueyuan Han

Thomas Pasquier

Format Sitasi

APA MLA BibTeX

Lim, S.Y., Han, X., Pasquier, T. (2023). Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing. https://arxiv.org/abs/2308.01983

Akses Cepat

Lihat di Sumber

Informasi Jurnal

Tahun Terbit: 2023
Bahasa: en
Sumber Database: arXiv
Akses: Open Access ✓