Return to search

On the implications of unsafe eBPF composition

In the era of Linux being omnipresent, the demand for dynamically extending kernel capabil- ities without requiring changes to kernel source code or loading kernel modules at runtime is increasing. This is driven by numerous use cases such as observability, security, and network- ing, which can be efficiently addressed at the system level, underscoring the importance of such extensions. Any extension requires programmers to possess high levels of skill and thor- ough testing to ensure complete safety. The eBPF subsystem in the Linux kernel addresses this challenge by allowing applications to enhance the kernel's capabilities at runtime, while ensuring stability and security. This guaranteed safety is facilitated by the verifier engine, which statically verifies BPF code. In this thesis, we identify that the verifier implicitly relies on safety assumptions about its runtime execution environment, which are not being upheld in certain scenarios. One such critical aspect of the execution environment is the availability of stack space for use while executing the BPF program. Specifically, we high- light this fundamental issue in certain configuration of the BPF runtime environment within the Linux kernel and how this unsafe composition allowed for kernel stack overflow, thus violating safety guarantees. To tackle this problem, we propose a stack switching approach to ensure stack safety and evaluate its effectiveness. / Master of Science / Many platforms worldwide, including Meta, Netflix, Google, Cloudflare, and others, rely on the Linux kernel to manage their servers. To ensure system security, improve monitoring, and enhance networking efficiency, various kernel capabilities are dynamically added or re- moved at runtime without the need for reboots, thus minimizing downtime for users. The Linux Extended Berkeley Packet Filter (eBPF) subsystem facilitates dynamic and safe ex- tension by securely verifying the code injected into the kernel. This eases server maintenance tasks, eliminating concerns about system crashes when making runtime changes as eBPF is guaranteeing safety at all times. In our research, we demonstrate that if we attach verified eBPF in a certain manner, we can potentially stack overflow the kernel stack and crash the whole kernel due to unsafe composition with the Kernel. We also propose two solutions to this problem, which can ensure that eBPF remains safe while adhering to the guarantees it provides.

Identiferoai:union.ndltd.org:VTETD/oai:vtechworks.lib.vt.edu:10919/120634
Date10 June 2024
CreatorsSomaraju, Sai Roop
ContributorsElectrical and Computer Engineering, Jones, Creed Farris, Williams, Daniel John, Min, Chang Woo
PublisherVirginia Tech
Source SetsVirginia Tech Theses and Dissertation
LanguageEnglish
Detected LanguageEnglish
TypeThesis
FormatETD, application/pdf
RightsIn Copyright, http://rightsstatements.org/vocab/InC/1.0/

Page generated in 0.0217 seconds