MOAT: Towards Safe BPF Kernel Extension

Hongyi Lu, Shuai Wang, Yechang Wu, Wanning He, Fengwei Zhang

33rd USENIX Security Symposium · Day 1 · USENIX Security '24

The talk "MOAT: Towards Safe BPF Kernel Extension" by Hongyi Lu and colleagues from SUSTech and HKUST addresses a critical security challenge within the rapidly expanding **extended Berkeley Packet Filter (eBPF)** ecosystem. eBPF, a **kernel virtual machine** that lets user-space programs extend kernel functionality, has become ubiquitous in modern Linux systems for tasks ranging from networking and tracing to security. Despite its advantages, including performance comparable to kernel modules and a static **verifier** designed to prevent kernel crashes, eBPF has been plagued by a significant number of kernel vulnerabilities, with over 20 privilege escalation flaws reported in its subsystem.

AI review

This research presents a highly effective and novel approach to securing eBPF kernel extensions using Intel MPK, addressing a critical and growing attack surface. The multi-layered hardware-software design, including clever runtime validation against verifier "sound bounds," provides robust defense against known vulnerabilities with remarkably low performance overhead. This is a crucial advancement for kernel security, demonstrating that practical, hardware-backed isolation for dynamic kernel code is achievable.
