Threat Model and Independent Verifier Audit Examine the Security of eBPF

Two research reports sponsored by the eBPF Foundation audit the security of eBPF and provide deployment guidance, along with inherent controls and recommendations

SALT LAKE CITY – Cilium + eBPF Day (KubeCon North America) – November 12, 2024 – The eBPF Foundation, which drives the technical vision and direction of eBPF across the open source ecosystem in an independent forum, has announced the release of an eBPF Security Threat Model produced by ControlPlane, as well as an eBPF Verifier Code Audit produced by NCC Group. 

Security Threat Model

Conducted by ControlPlane under sponsorship of the eBPF Foundation, the Security Threat Model examined security guidance for deploying eBPF, and how to mitigate potential threats and vulnerabilities. Generally, the research found that eBPF is a highly secure technology thanks to built-in security features, including a verifier that ensures the safety of eBPF programs. 

The threat modeling approach was structured around:

1. What are we building? This involves understanding what eBPF is, and how eBPF programs work. 
2. What can go wrong? Following the definition of a simple, high-level scenario in the Threat Model Scope, developing attack trees to explore how an attacker could utilize eBPF for nefarious purposes. 
3. What can we do about the things that can go wrong? Once a list of threats has been established, inherent eBPF controls and end-user recommendations are mapped against them.
4. Are we doing a good job? Finally, the threat model's outcomes are reviewed to provide practical guidance for eBPF adopters. 

To address the threats identified, the report authors made several recommendations:

1. Least Privilege Principle: Grant eBPF programs only the necessary permissions.
2. Supply Chain Security: Ensure the integrity of eBPF tools and libraries.
3. Regular Updates: Keep the kernel and eBPF tools up-to-date with the latest security patches.
4. Monitoring and Logging: Implement robust monitoring and logging to detect and respond to security incidents.
5. Threat Modeling: Conduct regular threat modeling exercises to identify potential vulnerabilities and risks.
6. Disabling Unprivileged eBPF: Unprivileged eBPF should be disabled by default to reduce the attack surface.

Download the full eBPF Security Threat Model.

Verifier Code Audit

The eBPF Foundation engaged NCC Group to conduct a security source code review of the eBPF Verifier. The review included:

• Identification of the properties the eBPF Verifier is trying to prove.
• Source code review of the main logic of the eBPF verifier, as (typically) invoked via the do_check() function in kernel/bpf/verifier.c.
• Any issue that could allow eBPF source code to bypass the constraints of the Verifier to compromise the correct operation of the eBPF Verifier, leading to standard confidentiality, integrity, and availability concerns

Overall, the code review found that the eBPF community has been highly effective in identifying bugs, and efficient in fixing them. The report also points out that while the eBPF Verifier is an important tool in ensuring security of eBPF deployments, it is not the only one, as eBPF is “designed to use the Linux privilege model to control access to eBPF, which mitigates the impact of security issues within the verifier.”

The assessment uncovered several code flaws. The most notable finding was a vulnerability enabling a privileged attacker to read and write arbitrary kernel memory (find_equal_scalars).

This vulnerability has been addressed by the community. The report also made additional recommendations for improving security of the Verifier such as refactoring complex functions and adding details about what the Verifier enforces to documentation.

Download the full eBPF Verifier Code Audit.

“While eBPF is a powerful tool, it's crucial to adopt a proactive security approach, like the third party security audit we just completed,” said Thomas Graf, chair of the eBPF Foundation governing board and co-founder and CTO of Isovalent. “Furthermore, by understanding the potential risks and implementing the recommended mitigation strategies from the threat model, organizations can leverage eBPF safely and securely.”

eBPF Foundation Resources

• Learn about membership opportunities
• Explore the landscape of eBPF projects
• Subscribe to the mailing lists
• Access other resources on eBPF’s GitHub or Slack

About the eBPF Foundation

The eBPF Foundation was founded to bring together a cross-platform community of eBPF-related projects from across the open source ecosystem in an independent forum. The Foundation is supported by a dozen members who work collaboratively on a common technical vision, vocabulary, security best practices, and general roadmap, to be applied within separate workstreams, operating system kernels, and enterprise communities. Find further information here: https://www.ebpf.foundation 

Media Contact

Dan Brown
eBPF Foundation

dbrown@contractor.linuxfoundation.org