Unsafe Nesting in BPF Programs
Abstract
Safe kernel extensions are crucial for adding features like networking filters, security policies, and monitoring capabilities that organizations require in production environments. The Linux kernel traditionally lacked mechanisms for safe runtime extensions. BPF addressed this problem by enabling dynamic kernel extensions with safety guarantees enforced by an in-kernel verifier, ensuring kernel stability. The verifier checks each BPF program in isolation, without considering its interactions with other BPF programs, and assumes these interactions will be safe. This assumption relies on both static limits enforced by the verifier and runtime checks in the kernel. However, this verification approach leaves the kernel vulnerable to safety issues when BPF programs nest within each other. This work identifies such safety issues, including stack overflows, deadlocks, performance issues, and missed events. To address these challenges, this research presents an approach for providing a global system view to the verifier to prevent uncontrolled nesting. We explored the first steps in this direction through a helper-rooted callgraph approach that provides a global view of BPF program interactions, enabling the prevention of these safety issues.
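An added illustration, not code from the report: a toy model of why a per-program stack check can pass while a chain of nested programs exceeds a global budget. It assumes a helper-rooted call graph maps each helper to the hooks its kernel code can reach; every program, helper and hook name, the stack sizes and the 2048-byte budget are constructed.

```python
# Toy model with constructed data: every name, size and edge is hypothetical.
MAX_BPF_STACK = 512   # per-program BPF stack limit in Linux (bytes)
STACK_BUDGET = 2048   # assumed budget for all nested BPF frames (bytes)

# program -> (verified stack bytes, hook it attaches to, helpers it calls)
PROGRAMS = {
    "trace_open": (480, "hook_open", ["helper_a"]),
    "trace_lock": (500, "hook_lock", ["helper_b"]),
    "trace_copy": (496, "hook_copy", ["helper_c"]),
    "trace_map":  (464, "hook_map",  ["helper_d"]),
    "trace_log":  (440, "hook_log",  []),
}
# helper -> hooks reachable from the kernel code that helper runs (assumed edges)
HELPER_HOOKS = {"helper_a": ["hook_lock"], "helper_b": ["hook_copy"],
                "helper_c": ["hook_map"], "helper_d": ["hook_log"]}

def per_program_ok(programs):
    """The isolated check: each program alone fits within MAX_BPF_STACK."""
    return all(stack <= MAX_BPF_STACK for stack, _, _ in programs.values())

def nested_targets(name, programs, helper_hooks):
    """Programs that can start running while `name` is inside one of its helpers."""
    hooks = {h for helper in programs[name][2] for h in helper_hooks.get(helper, [])}
    return sorted(p for p, (_, hook, _) in programs.items() if hook in hooks)

def worst_chain(name, programs, helper_hooks, path=()):
    """Return (total stack bytes, chain) for the deepest nesting from `name`.
    total is None when the chain re-enters a program (unbounded nesting)."""
    if name in path:
        return None, path + (name,)
    path = path + (name,)
    own = programs[name][0]
    best = (own, path)
    for nxt in nested_targets(name, programs, helper_hooks):
        total, chain = worst_chain(nxt, programs, helper_hooks, path)
        if total is None:
            return None, chain
        if own + total > best[0]:
            best = (own + total, chain)
    return best

def audit(programs, helper_hooks, budget=STACK_BUDGET):
    """Global view: flag entry programs whose nesting cycles or exceeds the budget."""
    findings = {}
    for name in programs:
        total, chain = worst_chain(name, programs, helper_hooks)
        if total is None or total > budget:
            findings[name] = ("cycle" if total is None else "overflow", total, chain)
    return findings
```

With the sample data, `per_program_ok` accepts all five programs, while `audit` flags the chain that starts at `trace_open`.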