MOAT: Towards Safe BPF Kernel Extension. (arXiv:2301.13421v1 [cs.CR])
cs.CR updates on arXiv.org
The Linux kernel makes considerable use of Berkeley Packet Filter (BPF) to
allow user-written BPF applications to execute in the kernel space. BPF employs
a verifier to statically check the security of user-supplied BPF code. Recent
attacks show that BPF programs can evade security checks and gain unauthorized
access to kernel memory, indicating that the verification process is not
flawless. In this paper, we present MOAT, a system that isolates potentially
malicious BPF programs using Intel Memory Protection Keys (MPK). …