[IAmPaigeAT]

I heard about some recent eBPF vulnerabilities and while I was looking at the kernel code for eBPF I noticed there was some relatively new IMA additions. It seems there’s quite a number of new security mechanisms that can be used with eBPF. Mostly the fact that they added IMA support just stood out to me and seems to say “you should definitely use it if you’re going to use eBPF.”

https://lwn.net/Articles/886575/

https://blog.cloudflare.com/live-patch-security-vulnerabilit...

https://github.com/robertosassu/diglim-ebpf

Of course IMA doesn’t really help much if it’s not used correctly

https://lore.kernel.org/lkml/YtgQKHwPAVBSHjcY@kroah.com/T/

It is interesting to hear about the problems that eBPF has but it would be helpful to see more people talking about ways that you can minimize the problems or reasons why you can’t

EDIT

This is also kind of interesting

https://grsecurity.net/tetragone_a_lesson_in_security_fundam...

https://github.com/cilium/tetragon