ABSTRACT
This paper examines the security of eBPF and WebAssembly (Wasm), two technologies that have gained widespread adoption in recent years despite being designed for very different use cases and environments. While eBPF is primarily used within operating system kernels such as Linux, Wasm is a binary instruction format designed for a stack-based virtual machine, with use cases extending beyond the web. Given the growth and expanding ambitions of eBPF, Wasm may provide instructive insights, since it was designed around securely executing arbitrary untrusted programs in complex and hostile environments such as web browsers and clouds. We analyze the security goals, community evolution, memory models, and execution models of both technologies, and conduct a comparative security assessment covering memory safety, control flow integrity, API access, and side channels. Our results show that eBPF has a history of focusing on performance first and security second, while Wasm puts more emphasis on security at the cost of some runtime overhead. Language-based restrictions for eBPF and a security model for API access are fruitful directions for future work.
Comparing Security in eBPF and WebAssembly