all InfoSec news
Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing. (arXiv:2308.01983v1 [cs.OS])
cs.CR updates on arXiv.org arxiv.org
For safety reasons, unprivileged users today have only limited ways to
customize the kernel through the extended Berkeley Packet Filter (eBPF). This
is unfortunate, especially since the eBPF framework itself has seen an increase
in scope over the years. We propose SandBPF, a software-based kernel isolation
technique that dynamically sandboxes eBPF programs to allow unprivileged users
to safely extend the kernel, unleashing eBPF's full potential. Our early
proof-of-concept shows that SandBPF can effectively prevent exploits missed by
eBPF's native safety …
berkeley packet filter dynamic ebpf extended berkeley packet filter filter framework isolation kernel packet safety sandboxes sandboxing scope software today