Litcius/Paper detail

Kernel extension verification is untenable

Jinghao Jia, Raj Sahu, A. Oswald, Dan Williams, Michael Le, Tianyin Xu

202321 citationsDOIOpen Access PDF

Abstract

The emergence of verified eBPF bytecode is ushering in a new era of safe kernel extensions. In this paper, we argue that eBPF's verifier---the source of its safety guarantees---has become a liability. In addition to the well-known bugs and vulnerabilities stemming from the complexity and ad hoc nature of the in-kernel verifier, we highlight a concerning trend in which escape hatches to unsafe kernel functions (in the form of helper functions) are being introduced to bypass verifier-imposed limitations on expressiveness, unfortunately also bypassing its safety guarantees. We propose safe kernel extension frameworks using a balance of not just static but also lightweight runtime techniques. We describe a design centered around kernel extensions in safe Rust that will eliminate the need of the in-kernel verifier, improve expressiveness, allow for reduced escape hatches, and ultimately improve the safety of kernel extensions.

Topics & Concepts

Computer scienceKernel (algebra)Extension (predicate logic)Programming languageTheoretical computer scienceLinux kernelMemory safetyBytecodeComputer securityOperating systemVirtual machineSoftwareDiscrete mathematicsMathematicsSecurity and Verification in ComputingParallel Computing and Optimization Techniques
Kernel extension verification is untenable | Litcius