The Linux kernel makes considerable use of Berkeley Packet Filter (BPF) to allow user-written BPF programs to execute in kernel space. BPF relies on a verifier that statically checks the security of user-supplied BPF code. Recent attacks show that BPF programs can evade these checks and gain unauthorized access to kernel memory, so the verification process is not flawless. In this paper, we present MOAT, a system that isolates potentially malicious BPF programs using Intel Memory Protection Keys (MPK). Enforcing BPF program isolation with MPK is not straightforward; MOAT is carefully designed to overcome technical obstacles such as the limited number of hardware keys and the need to support a wide variety of kernel BPF helper functions. We have implemented MOAT as a prototype kernel module, and our evaluation shows that MOAT delivers low-cost isolation of BPF programs under various real-world usage scenarios; for example, isolating a packet-forwarding BPF program for the memcached database costs an average of 6% in throughput.
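The hardware mechanism MOAT builds on, shown here as an added example that is not code from the paper or its prototype module: a user-space C program for Linux on x86 with MPK, using glibc's pkey_alloc/pkey_mprotect/pkey_set wrappers, that tags one page with a protection key, disables that key in PKRU, and shows the read faulting with SIGSEGV even though the page tables still say the page is readable. A second function counts how many keys one process can allocate, which is the "limited hardware keys" obstacle the abstract mentions: x86 has 16 keys, key 0 is the default for every page, so at most 15 are available. MOAT applies keys from inside the kernel; the kernel-side design (key assignment per BPF program, handling of helper functions) is not reproduced here. The function names, the enum and the constructed outcomes are this example's own, and on a host without MPK (or in a sandbox that blocks pkey_alloc) the functions report "unsupported" rather than failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcomes of mpk_demo() (names chosen for this example). */
enum mpk_result {
    MPK_UNSUPPORTED = 0, /* pkey_alloc() failed: no MPK, or the sandbox blocks it */
    MPK_ISOLATED = 1,    /* the read under a disabled key faulted, as intended  */
    MPK_LEAKED = 2       /* the read succeeded: the key did not isolate the page */
};

static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

/* SIGSEGV handler: record the fault and unwind back into mpk_demo(). */
static void on_segv(int sig)
{
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);
}

/*
 * Tag one anonymous page with a freshly allocated protection key, disable
 * that key in PKRU, and try to read the page. With MPK working, the read
 * faults (SIGSEGV, si_code SEGV_PKUERR) although the PTE grants PROT_READ.
 */
int mpk_demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    int key = pkey_alloc(0, 0);
    if (key < 0)
        return MPK_UNSUPPORTED;   /* ENOSPC/EINVAL/ENOSYS: no usable MPK here */

    char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) {
        pkey_free(key);
        return MPK_UNSUPPORTED;
    }
    /* Bind the page to the key; the page-table permissions stay the same. */
    if (pkey_mprotect(buf, page, PROT_READ | PROT_WRITE, key) != 0) {
        munmap(buf, page);
        pkey_free(key);
        return MPK_UNSUPPORTED;
    }
    buf[0] = 'A';                 /* key still permissive: this write succeeds */

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        /* Set the key's access-disable bit in PKRU (wrpkru), then read. */
        pkey_set(key, PKEY_DISABLE_ACCESS);
        volatile char *p = buf;
        (void)*p;                 /* expected to fault and land in on_segv() */
    }
    /* Re-enable the key before touching anything else, then clean up. */
    pkey_set(key, 0);
    sigaction(SIGSEGV, &old, NULL);
    munmap(buf, page);
    pkey_free(key);
    return faulted ? MPK_ISOLATED : MPK_LEAKED;
}

/*
 * Count how many keys this process can allocate. x86 MPK has 16 keys and
 * key 0 is the default for every page, so at most 15 remain (the kernel may
 * hold one more for execute-only mappings). Returns 0 where MPK is unusable.
 */
int count_allocatable_keys(void)
{
    int keys[16];
    int n = 0;
    while (n < 16) {
        int k = pkey_alloc(0, 0);
        if (k < 0)
            break;
        keys[n++] = k;
    }
    for (int i = 0; i < n; i++)
        pkey_free(keys[i]);
    return n;
}

int main(void)
{
    static const char *names[] = { "unsupported", "isolated", "leaked" };
    printf("MPK isolation test: %s\n", names[mpk_demo()]);
    printf("allocatable keys: %d\n", count_allocatable_keys());
    return 0;
}
```

Two points carry over to the kernel setting the abstract describes. First, the check happens in hardware on every access and is keyed by PKRU, not by page-table flags, which is why a verifier escape that produces an out-of-bounds pointer still cannot read memory tagged with a key the BPF program is not granted. Second, a single PKRU write re-enables the key, so whatever runs untrusted code must not be able to execute that write itself; the example re-enables the key only from trusted code after the fault has been caught.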