Understanding the Security of Linux eBPF Subsystem
Mohamed Husain Noor Mohamed, Xiaoguang Wang, Binoy Ravindran
Abstract
Linux eBPF allows a userspace application to execute code inside the Linux kernel without modifying the kernel code or inserting a kernel module. An in-kernel eBPF verifier pre-verifies any untrusted eBPF bytecode before running it in kernel context. Currently, users trust the verifier to block malicious bytecode from being executed.
Topics & Concepts
BytecodeComputer scienceConfigfsOperating systemKernel (algebra)Linux kernelsysfsCode (set theory)Context (archaeology)Programming languageEmbedded systemVirtual machineBiologyMathematicsCombinatoricsSet (abstract data type)PaleontologySecurity and Verification in ComputingAdvanced Data Storage TechnologiesAdvanced Malware Detection Techniques