Litcius/Paper detail

bpfbox

William Findlay, Anil Somayaji, David Barrera

202028 citationsDOIOpen Access PDF

Abstract

Process confinement is a key requirement for workloads in the cloud and in other contexts. Existing process confinement mechanisms on Linux, however, are complex and inflexible because they are implemented using a combination of primitive abstractions (e.g., namespaces, cgroups) and complex security mechanisms (e.g., SELinux, AppArmor) that were designed for purposes beyond basic process confinement. We argue that simple, efficient, and flexible confinement can be better implemented today using eBPF, an emerging technology for safely extending the Linux kernel. We present a proof-of-concept confinement application, bpfbox, that uses less than 2000 lines of kernelspace code and allows for confinement at the userspace function, system call, LSM hook, and kernelspace function boundaries---something that no existing process confinement mechanism can do. Further, it does so using a policy language simple enough to use for ad-hoc confinement purposes. This paper presents the motivation, design, implementation, and benchmarks of bpfbox, including a sample web server confinement policy.

Topics & Concepts

Computer scienceSystem callSimple (philosophy)Linux kernelOperating systemProcess (computing)Function (biology)Code (set theory)Cloud computingKernel (algebra)Source lines of codeKey (lock)Distributed computingProgramming languageSoftwareSet (abstract data type)CombinatoricsEpistemologyMathematicsPhilosophyBiologyEvolutionary biologyCloud Data Security SolutionsSecurity and Verification in ComputingCloud Computing and Resource Management
bpfbox | Litcius