Flexible and Secure Process Confinement with eBPF

  • Conference paper
  • Published in: Security and Trust Management (STM 2024)

Abstract

To avoid potential bugs and vulnerabilities, it is crucial to confine process execution within well-defined boundaries that specify which resources are accessible and which operations are allowed. Numerous technologies have emerged in Linux environments to address process confinement or isolation. However, these solutions have often lacked support tailored to specific use cases, leading to a fragmented landscape of complex implementations. Given the need to support different security abstractions, the Extended Berkeley Packet Filter (eBPF) has emerged as a promising technology for extending the capabilities of the Linux kernel, offering a simple and flexible approach to process confinement. This paper introduces a framework that leverages eBPF to achieve flexible and secure process confinement. We developed a prototype implementation and evaluated its overhead when restricting filesystem capabilities. Experimental findings underscore the effectiveness of our framework, demonstrating that it can be integrated seamlessly into Linux systems without incurring significant overhead.

Acknowledgments

This work was partially supported by the project SERICS (PE00000014) under the MUR National Recovery and Resilience Plan program funded by the European Union - NextGenerationEU.

Author information

Corresponding author: Michele Armillotta.

Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Mazzocca, C., Garbugli, A., Armillotta, M., Montanari, R., Bellavista, P. (2025). Flexible and Secure Process Confinement with eBPF. In: Martinelli, F., Rios, R. (eds) Security and Trust Management. STM 2024. Lecture Notes in Computer Science, vol 15235. Springer, Cham. https://doi.org/10.1007/978-3-031-76371-7_7

  • DOI: https://doi.org/10.1007/978-3-031-76371-7_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-76370-0

  • Online ISBN: 978-3-031-76371-7

  • eBook Packages: Computer Science, Computer Science (R0)
