HIVE: A Hardware-assisted Isolated Execution Environment for eBPF on AArch64

Authors: 

Peihua Zhang, SKLP, Institute of Computing Technology, CAS; University of Chinese Academy of Sciences
Chenggang Wu, SKLP, Institute of Computing Technology, CAS; University of Chinese Academy of Sciences; Zhongguancun Laboratory
Xiangyu Meng, Northwestern Polytechnical University
Yinqian Zhang, Southern University of Science and Technology
Mingfan Peng, Shiyang Zhang, and Bing Hu, SKLP, Institute of Computing Technology, CAS; University of Chinese Academy of Sciences
Mengyao Xie, SKLP, Institute of Computing Technology, CAS
Yuanming Lai and Yan Kang, SKLP, Institute of Computing Technology, CAS; University of Chinese Academy of Sciences
Zhe Wang, SKLP, Institute of Computing Technology, CAS; University of Chinese Academy of Sciences; Zhongguancun Laboratory

Abstract: 

eBPF has become a critical component of Linux. To protect the kernel, BPF programs are statically verified before they are loaded and executed in kernel mode. However, the state-of-the-art eBPF verifier suffers from both security and complexity problems. To address this, we look at BPF programs from a new perspective and treat them as a new type of kernel-mode application, which calls for an isolation-based rather than a verification-based approach. In this paper, we propose HIVE, an isolated execution environment for BPF programs on AArch64. To provide security guarantees equivalent to the verifier's, we systematize the security aims of the eBPF verifier and categorize the pointers used in eBPF into two types: inclusive pointers, which point to BPF objects, and exclusive pointers, which point to kernel objects. For the former, HIVE compartmentalizes all BPF memory from the kernel and de-privileges the memory accesses of BPF programs using the AArch64 unprivileged load/store instructions; for the latter, HIVE uses the pointer authentication feature to enforce access control on kernel objects. Evaluation results show that HIVE is not only efficient but also supports complex BPF programs.


BibTeX
@inproceedings {299748,
author = {Peihua Zhang and Chenggang Wu and Xiangyu Meng and Yinqian Zhang and Mingfan Peng and Shiyang Zhang and Bing Hu and Mengyao Xie and Yuanming Lai and Yan Kang and Zhe Wang},
title = {{HIVE}: A Hardware-assisted Isolated Execution Environment for {eBPF} on {AArch64}},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {163--180},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/zhang-peihua},
publisher = {USENIX Association},
month = aug
}