Kernel extension verification is untenable
| Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | Jia, Jinghao | en |
| dc.contributor.author | Sahu, Raj | en |
| dc.contributor.author | Oswald, Adam | en |
| dc.contributor.author | Williams, Dan | en |
| dc.contributor.author | Le, Michael V. | en |
| dc.contributor.author | Xu, Tianyin | en |
| dc.date.accessioned | 2023-07-11T13:45:30Z | en |
| dc.date.available | 2023-07-11T13:45:30Z | en |
| dc.date.issued | 2023-06-22 | en |
| dc.date.updated | 2023-07-01T08:03:11Z | en |
| dc.description.abstract | The emergence of verified eBPF bytecode is ushering in a new era of safe kernel extensions. In this paper, we argue that eBPF’s verifier—the source of its safety guarantees—has become a liability. In addition to the well-known bugs and vulnerabilities stemming from the complexity and ad hoc nature of the in-kernel verifier, we highlight a concerning trend in which escape hatches to unsafe kernel functions (in the form of helper functions) are being introduced to bypass verifier-imposed limitations on expressiveness, unfortunately also bypassing its safety guarantees. We propose safe kernel extension frameworks using a balance of not just static but also lightweight runtime techniques. We describe a design centered around kernel extensions in safe Rust that will eliminate the need for the in-kernel verifier, improve expressiveness, allow for reduced escape hatches, and ultimately improve the safety of kernel extensions. | en |
| dc.description.version | Published version | en |
| dc.format.mimetype | application/pdf | en |
| dc.identifier.doi | https://doi.org/10.1145/3593856.3595892 | en |
| dc.identifier.uri | http://hdl.handle.net/10919/115720 | en |
| dc.language.iso | en | en |
| dc.publisher | ACM | en |
| dc.rights | In Copyright | en |
| dc.rights.holder | The author(s) | en |
| dc.rights.uri | http://rightsstatements.org/vocab/InC/1.0/ | en |
| dc.title | Kernel extension verification is untenable | en |
| dc.type | Article - Refereed | en |
| dc.type.dcmitype | Text | en |