Abstract
To avoid potential bugs and vulnerabilities, it is crucial to confine process execution within well-defined boundaries, specifying which resources are accessible and which operations are allowed. Numerous technologies have emerged in Linux environments to address process confinement or isolation. However, these solutions often lacked tailored support, leading to a fragmented landscape of complex implementations. Given the need to support different security abstractions, the Extended Berkeley Packet Filter (eBPF) has emerged as a promising technology for extending the functionality of the Linux kernel, offering a simple and flexible approach to process confinement. This paper introduces a framework that leverages eBPF to achieve flexible and secure process confinement. We developed a prototype implementation and evaluated its overhead in limiting filesystem capabilities. Experimental findings underscore the effectiveness of our framework, demonstrating that it can be seamlessly integrated into Linux systems without incurring significant overhead.
Acknowledgments
This work was partially supported by the project SERICS (PE00000014) under the MUR National Recovery and Resilience Plan program funded by the European Union - NextGenerationEU.
Copyright information
© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Mazzocca, C., Garbugli, A., Armillotta, M., Montanari, R., Bellavista, P. (2025). Flexible and Secure Process Confinement with eBPF. In: Martinelli, F., Rios, R. (eds) Security and Trust Management. STM 2024. Lecture Notes in Computer Science, vol 15235. Springer, Cham. https://doi.org/10.1007/978-3-031-76371-7_7
DOI: https://doi.org/10.1007/978-3-031-76371-7_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-76370-0
Online ISBN: 978-3-031-76371-7
eBook Packages: Computer Science, Computer Science (R0)