Kernel extension verification is untenable

Abstract

The emergence of verified eBPF bytecode is ushering in a new era of safe kernel extensions. In this paper, we argue that eBPF's verifier, the source of its safety guarantees, has become a liability. In addition to the well-known bugs and vulnerabilities stemming from the complexity and ad hoc nature of the in-kernel verifier, we highlight a concerning trend in which escape hatches to unsafe kernel functions (in the form of helper functions) are being introduced to bypass verifier-imposed limitations on expressiveness, unfortunately also bypassing its safety guarantees. We propose safe kernel extension frameworks using a balance of not just static but also lightweight runtime techniques. We describe a design centered around kernel extensions in safe Rust that will eliminate the need of the in-kernel verifier, improve expressiveness, allow for reduced escape hatches, and ultimately improve the safety of kernel extensions.

Cite

Jia, J., Sahu, R., Oswald, A., Williams, D., Le, M. V., & Xu, T. (2023). Kernel extension verification is untenable. In HotOS 2023 - Proceedings of the 19th Workshop on Hot Topics in Operating Systems (pp. 150–157). Association for Computing Machinery, Inc. https://doi.org/10.1145/3593856.3595892
