Preventing Unintended Data Access: Information Flow Control in eBPF

Abstract

The extended Berkeley Packet Filter (eBPF) technology has become widely adopted by enterprises due to its flexibility and ability to enhance tracing, observability, monitoring, and security within the kernel. However, since the kernel is a critical resource containing sensitive information, eBPF also presents a significant attack surface for malicious actors. One of the challenging-to-detect yet easiest-to-execute attacks is sensitive information leakage, as it does not require additional privileges beyond standard eBPF functionality. Attackers can exfiltrate sensitive data using built-in eBPF mechanisms, such as saving information to a shared data store. Although the eBPF subsystem provides safety guarantees through its verifier, it does not track or restrict access to sensitive data that an eBPF program is not explicitly intended to access. In this research, we propose an information flow control (IFC) system that leverages labels and policies to track and prevent unauthorized access and leakages to sensitive information by third-party eBPF programs. We define sensitive information as any data that a given eBPF program is not explicitly authorized to access. Our approach defines a label-based policy specification that includes an "allow list", IFC-based static analysis to analyze eBPF bytecode, and policy enforcement to prevent malicious programs from loading and attaching into the kernel if they violate predefined security constraints. Results from our implementation show that our framework catches previously undetectable leakage patterns. This work addresses a critical gap in eBPF security by providing a structured mechanism to prevent unintended data access and leakages while maintaining the legitimate use cases of eBPF.