Simple Science


Computer Science · Operating Systems · Cryptography and Security

Advancing System Call Security with eBPF

Learn how eBPF enhances system call security in Linux.



[Figure: eBPF: The Future of Security. eBPF transforms system call filtering for modern security needs.]

In modern operating systems, system calls are essential. They allow applications to interact with the OS, enabling tasks like file access, process management, and network communication. However, untrusted applications can misuse these calls, potentially harming the system. This is where system call security comes into play, helping to restrict and control what system calls applications can use.

The Importance of Filtering

System call filtering is one of the primary methods used to secure the OS kernel. It restricts the system calls a program can execute based on predefined rules or policies. This not only helps protect the kernel but also limits the potential damage from malicious applications. The goal is to reduce vulnerabilities by carefully controlling access to system features.

Seccomp: An Overview

Seccomp, short for Secure Computing Mode, is a Linux feature designed for system call filtering. Originally, it only supported a basic mode that blocked all but a few critical system calls. However, over time, it has evolved to allow custom filtering policies. Unfortunately, these policies are often limited in complexity due to the underlying language used for defining them.

Seccomp's filtering operates without needing a userspace agent, thus eliminating the performance overhead associated with context switches between user space and kernel space. It effectively reduces the attack surface, allowing only trusted calls to be made.

The Limitations of cBPF

The classic BPF (cBPF) is the language used to define Seccomp policies. While it has enabled basic filtering, it has significant limitations:

  • It is mostly stateless, meaning it cannot keep track of information between different calls.
  • It primarily supports allow lists, making it hard to express complex security policies.
  • It has a size limit, restricting the number of instructions a filter can have.

Due to these constraints, advanced security measures often require modifications to the kernel itself, making it hard to adopt new features.

The Need for Advanced Filtering

As cyber threats evolve, there is a growing need for more sophisticated filtering mechanisms. Current limitations of cBPF prevent the implementation of advanced security measures that can adapt to different situations. Features like keeping track of call counts, enforcing call sequences, or providing safe access to user memory are hard to achieve with cBPF.

To address these limitations, a programmable system should be able to express more complex policies while maintaining performance and security.

Enter eBPF: A New Hope

Extended BPF (eBPF) takes the concept of cBPF and enhances it. By allowing for more complex instructions and state management, eBPF can help implement advanced security features that cBPF cannot support.

eBPF programs run in the context of the kernel and provide many functionalities:

  1. Stateful Filters: eBPF can maintain state between calls, allowing for more nuanced filtering based on previous system calls.
  2. Access to Kernel Utilities: eBPF can invoke kernel functions and access various resources, offering greater programmability.
  3. Performance: eBPF is designed to be faster than cBPF, which is crucial for performance-sensitive applications.

Setting Up Seccomp-eBPF

Implementing Seccomp with eBPF involves creating a new eBPF program type that exposes eBPF's capabilities to system call filters. Because this program type integrates with the kernel's existing privilege and capability mechanisms, unprivileged users can install filters without compromising security.

Key Features of Seccomp-eBPF

  1. Advanced State Management: eBPF programs can keep track of how often system calls are made or the order in which they are called.
  2. Synchronization: This feature helps ensure that the system state is not compromised by concurrent access by different processes.
  3. Safe User Memory Access: eBPF helpers can read the user memory that system call arguments point to, so a filter can check argument contents rather than only raw pointer values, without opening a race condition between the check and the call.

Real-World Applications

Seccomp-eBPF can implement various security features that address real-world vulnerabilities. Some use cases include:

Count and Rate Limiting

By keeping track of how many times a specific system call has been executed, filters can prevent abuse. For instance, if an application is only supposed to execute a particular call a limited number of times, the filter can deny further attempts.

Flow Integrity Protection

This feature checks the sequence of system calls. If an application tries to execute a series of calls that are not in the allowed sequence, the filter will block it. This can prevent certain types of attacks that rely on specific sequences of operations.

Temporal Specialization

Applications often have distinct phases where different security policies are applicable. eBPF can switch policies based on the application's current phase, enhancing security without compromising performance.
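The three stateful policies above (count limiting, flow integrity, temporal specialization) share one property: the filter must remember something between calls. The following is an added userspace model of such a filter, not code from the paper; the syscall numbers, the limit, and the trace are constructed for illustration, and the phase transition is modelled as a `listen` call ending the setup phase.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example (not the paper's code): a userspace model of the stateful
 * policies a Seccomp-eBPF filter can express. Syscall numbers and limits
 * are constructed for illustration, not real Linux values. */
enum { SYS_OPEN = 0, SYS_READ, SYS_WRITE, SYS_EXECVE, SYS_LISTEN, NR_SYSCALLS };
enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };
#define OPEN_LIMIT 2   /* count limiting: at most two opens per process */

/* State carried across system calls; a stateless cBPF filter has nowhere to keep this. */
struct filter_state {
    unsigned counts[NR_SYSCALLS]; /* per-syscall invocation counters */
    int      prev;                /* last allowed syscall, for sequence checks */
    bool     serving;             /* phase flag for temporal specialization */
};

static void filter_state_init(struct filter_state *st)
{
    memset(st, 0, sizeof *st);
    st->prev = -1;
}

/* Evaluate one syscall against three stateful rules; state is updated
 * only when the call is allowed, since a denied call never executes. */
static int filter(struct filter_state *st, int nr)
{
    if (nr < 0 || nr >= NR_SYSCALLS)
        return VERDICT_DENY;            /* default-deny unknown calls */
    if (nr == SYS_OPEN && st->counts[SYS_OPEN] >= OPEN_LIMIT)
        return VERDICT_DENY;            /* count limiting */
    if (nr == SYS_WRITE && st->prev != SYS_READ)
        return VERDICT_DENY;            /* flow integrity: write must follow read */
    if (nr == SYS_EXECVE && st->serving)
        return VERDICT_DENY;            /* temporal specialization: no execve once serving */
    st->counts[nr]++;
    st->prev = nr;
    if (nr == SYS_LISTEN)
        st->serving = true;             /* setup phase ends at listen */
    return VERDICT_ALLOW;
}

/* Run a whole trace through the filter; fills verdicts[] and returns
 * the number of denied calls. */
static int run_trace(const int *trace, size_t n, int *verdicts)
{
    struct filter_state st;
    int denied = 0;
    filter_state_init(&st);
    for (size_t i = 0; i < n; i++) {
        verdicts[i] = filter(&st, trace[i]);
        denied += (verdicts[i] == VERDICT_DENY);
    }
    return denied;
}
```

A real Seccomp-eBPF filter would keep this state in kernel maps and return seccomp actions instead of the local verdict enum; the decision logic is what the model shows.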

Performance Insights

Performance is crucial in system call filtering. eBPF not only offers advanced features but can also outperform existing cBPF filters. Evaluations have shown that eBPF filters can execute faster while implementing complex security policies.

Application Performance Evaluation

In various environments, Seccomp-eBPF was tested against applications to measure its impact on performance. The filtering overhead stayed low, and response times and throughput improved compared with the older cBPF-based filters.

Challenges and Future Directions

Though eBPF offers many advantages, there are challenges to address:

  • Complexity in Implementation: Implementing eBPF filters may require more extensive knowledge than cBPF.
  • Security Risks: Unprivileged use of eBPF filters raises security concerns, particularly if there are vulnerabilities in the eBPF verifier or JIT compiler.
  • Hardware Considerations: Future innovations may seek to leverage hardware capabilities to further reduce filtering overhead.

Conclusion

The ongoing evolution of system call filtering is essential for enhancing Linux kernel security. With eBPF, we see a significant shift towards a more programmable and effective filtering system. By allowing for advanced policies without sacrificing performance or security, Seccomp-eBPF stands poised to address modern security challenges. Future work will likely focus on refining these capabilities and ensuring their safe adoption across various deployment environments.

Original Source

Title: Programmable System Call Security with eBPF

Abstract: System call filtering is a widely used security mechanism for protecting a shared OS kernel against untrusted user applications. However, existing system call filtering techniques either are too expensive due to the context switch overhead imposed by userspace agents, or lack sufficient programmability to express advanced policies. Seccomp, Linux's system call filtering module, is widely used by modern container technologies, mobile apps, and system management services. Despite the adoption of the classic BPF language (cBPF), security policies in Seccomp are mostly limited to static allow lists, primarily because cBPF does not support stateful policies. Consequently, many essential security features cannot be expressed precisely and/or require kernel modifications. In this paper, we present a programmable system call filtering mechanism, which enables more advanced security policies to be expressed by leveraging the extended BPF language (eBPF). More specifically, we create a new Seccomp eBPF program type, exposing, modifying or creating new eBPF helper functions to safely manage filter state, access kernel and user state, and utilize synchronization primitives. Importantly, our system integrates with existing kernel privilege and capability mechanisms, enabling unprivileged users to install advanced filters safely. Our evaluation shows that our eBPF-based filtering can enhance existing policies (e.g., reducing the attack surface of early execution phase by up to 55.4% for temporal specialization), mitigate real-world vulnerabilities, and accelerate filters.

Authors: Jinghao Jia, YiFei Zhu, Dan Williams, Andrea Arcangeli, Claudio Canella, Hubertus Franke, Tobin Feldman-Fitzthum, Dimitrios Skarlatos, Daniel Gruss, Tianyin Xu

Last Update: 2023-02-20 00:00:00

Language: English

Source URL: https://arxiv.org/abs/2302.10366

Source PDF: https://arxiv.org/pdf/2302.10366

Licence: https://creativecommons.org/licenses/by/4.0/

Changes: This summary was created with assistance from AI and may have inaccuracies. For accurate information, please refer to the original source documents linked here.

Thank you to arxiv for use of its open access interoperability.
