eBPF Foundation announces Security Threat Model


The eBPF Foundation, which drives the technical vision and direction of eBPF across the open source ecosystem in an independent forum, recently announced an eBPF Security Threat Model produced by ControlPlane, as well as an eBPF Verifier Code Audit produced by NCC Group.

Conducted by ControlPlane under sponsorship of the eBPF Foundation, the Security Threat Model examined security guidance for deploying eBPF, and how to mitigate potential threats and vulnerabilities. Generally, the research found that eBPF is a highly secure technology thanks to built-in security features, including a verifier that ensures the safety of eBPF programs.


📹 Going on record for 2026? We're recording the TFiR Prediction Series through mid-February. If you have a bold take on where AI Infrastructure, Cloud Native, or Enterprise IT is heading—we want to hear it. [Reserve your slot

The threat modeling approach was structured around:

  • What are we building? This involves understanding what eBPF is, and how eBPF programs work.
  • What can go wrong? Following the definition of a simple, high-level scenario in the Threat Model Scope, developing attack trees to explore how an attacker could utilize eBPF for nefarious purposes.
  • What can we do about the things that can go wrong? Once a list of threats has been established, inherent eBPF controls and end-user recommendations are mapped against them.
  • Are we doing a good job? Finally, the threat model’s outcomes are reviewed to provide practical guidance for eBPF adopters.

To address the threats identified, the report authors made several recommendations:

  • Least Privilege Principle: Grant eBPF programs only the necessary permissions.
  • Supply Chain Security: Ensure the integrity of eBPF tools and libraries.
  • Regular Updates: Keep the kernel and eBPF tools up-to-date with the latest security patches.
  • Monitoring and Logging: Implement robust monitoring and logging to detect and respond to security incidents.
  • Threat Modeling: Conduct regular threat modeling exercises to identify potential vulnerabilities and risks.
  • Disabling Unprivileged eBPF: Unprivileged eBPF should be disabled by default to reduce the attack surface.
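The "Disabling Unprivileged eBPF" recommendation maps to a single kernel knob, `kernel.unprivileged_bpf_disabled`. The script below is an added example, not part of the ControlPlane report: it classifies the live value (0 = unprivileged bpf() allowed; 1 = disabled and locked until reboot; 2 = disabled but root may set it back to 0) and prints a sysctl.d drop-in when the host does not match the recommendation. The drop-in file name is an assumption.

```shell
#!/bin/sh
# Added example: audit the sysctl behind the "Disabling Unprivileged eBPF"
# recommendation. Not from the eBPF Foundation report.

SYSCTL_PATH=/proc/sys/kernel/unprivileged_bpf_disabled   # real kernel path
DROPIN=/etc/sysctl.d/99-ebpf-hardening.conf              # assumed file name

# Classify a raw sysctl value. Prints one word; exit status is 0 only when
# the value satisfies the recommendation (unprivileged eBPF disabled).
classify_unpriv_bpf() {
  case "$1" in
    0) echo "allowed";         return 1 ;;  # unprivileged bpf() permitted
    1) echo "disabled-locked"; return 0 ;;  # disabled; stays so until reboot
    2) echo "disabled";        return 0 ;;  # disabled; root may set back to 0
    *) echo "unknown";         return 2 ;;  # unreadable or unexpected value
  esac
}

# Read the live value, or "absent" if the kernel exposes no such sysctl.
read_unpriv_bpf() {
  if [ -r "$SYSCTL_PATH" ]; then
    cat "$SYSCTL_PATH"
  else
    echo "absent"
  fi
}

# Emit the drop-in that persists the locked setting across reboots.
hardening_dropin() {
  printf '%s\n' "# Disable unprivileged eBPF (eBPF threat model recommendation)" \
                "kernel.unprivileged_bpf_disabled = 1"
}

# Report the current state and, if needed, the remediation.
audit_unpriv_bpf() {
  val=$(read_unpriv_bpf)
  state=$(classify_unpriv_bpf "$val" || true)
  echo "kernel.unprivileged_bpf_disabled=$val ($state)"
  if classify_unpriv_bpf "$val" >/dev/null; then
    echo "OK: unprivileged eBPF is disabled"
  else
    echo "ACTION: write the following to $DROPIN, then run 'sysctl --system':"
    hardening_dropin
  fi
}

if [ "${1:-}" = "--audit" ]; then audit_unpriv_bpf; fi
```

Run it as `sh audit.sh --audit` on the host being checked; a value of 1 needs a reboot to undo, so test the change with 2 first if you want a reversible step.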

Verifier Code Audit

The eBPF Foundation engaged NCC Group to conduct a security source code review of the eBPF Verifier. The review included:

  • Identification of the properties the eBPF Verifier is trying to prove.
  • Source code review of the main logic of the eBPF verifier, as (typically) invoked via the do_check() function in kernel/bpf/verifier.c.
  • Any issue that could allow eBPF source code to bypass the constraints of the Verifier and compromise its correct operation, leading to standard confidentiality, integrity, and availability concerns.

Overall, the code review found that the eBPF community has been highly effective in identifying bugs, and efficient in fixing them. The report also points out that while the eBPF Verifier is an important tool in ensuring security of eBPF deployments, it is not the only one, as eBPF is “designed to use the Linux privilege model to control access to eBPF, which mitigates the impact of security issues within the verifier.”

The assessment uncovered several code flaws. The most notable finding was a vulnerability enabling a privileged attacker to read and write arbitrary kernel memory (find_equal_scalars).

This vulnerability has been addressed by the community. The report also made additional recommendations for improving security of the Verifier such as refactoring complex functions and adding details about what the Verifier enforces to documentation.
