by nightowl_games 1097 days ago
When I read about eBPF for kernel extension, it immediately made me think it would be full of security problems. I don't even know anything about the kernel, eBPF validation and barely anything about security, but just from a theoretical level, it seems highly insecure to run someone else's code in the kernel. "Verifying" it seems impossible from a theoretical level. Am I wrong? What are the limits of security in eBPF kernel extensions?

1. Using eBPF requires root

2. The verifier checks memory bounds access, guarantees termination in a certain number of instructions, and restricts function calls to a limited number of helper functions provided by the kernel.

3. BPF code runs on a VM, think of the JVM. It's impossible to express a lot of nasty stuff given the restrictive bytecode language.

There have been bugs in the verifier, but overall it works very well, the biggest issue being that it drastically limits the complexity of your program.
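As an added illustration (not from this thread and not the Linux verifier): a toy static checker for an invented bytecode that enforces the three properties point 2 lists, in-bounds memory access, guaranteed termination (no backward jumps plus an instruction budget), and a whitelist of callable helpers. The instruction set, limits, register names and helper names are all made up for the example.

```python
"""Toy model of the checks the comment above attributes to the eBPF verifier.
Added example: a simplified stand-in, not the Linux verifier or its bytecode."""

MAX_INSNS = 16                                   # instruction budget (assumed; the real limit is far larger)
CTX_SIZE = 64                                    # r1 points to a 64-byte context buffer (constructed)
ALLOWED_HELPERS = {"map_lookup", "get_time"}     # hypothetical helper whitelist

# Instructions: ("mov", reg, imm)  ("add", reg, imm)  ("load", dst, ptr_reg, off)
#               ("call", helper)   ("jmp", target_index)  ("exit",)

def verify(program):
    """Return (accepted, reason). Single forward pass; r1 is the only pointer at entry."""
    if len(program) > MAX_INSNS:
        return False, f"program exceeds {MAX_INSNS} instructions"
    if not program or program[-1] != ("exit",):
        return False, "program must end with exit"
    pointer_regs = {"r1"}                        # registers still holding a valid pointer
    for pc, insn in enumerate(program):
        op = insn[0]
        if op == "mov":
            pointer_regs.discard(insn[1])        # overwritten with a scalar
        elif op == "add":
            if insn[1] in pointer_regs:          # pointer arithmetic makes bounds unknown: reject
                return False, f"pc {pc}: arithmetic on pointer {insn[1]}"
        elif op == "load":
            _, dst, ptr, off = insn
            if ptr not in pointer_regs:
                return False, f"pc {pc}: load through non-pointer {ptr}"
            if not 0 <= off < CTX_SIZE:          # bounds check against the known buffer size
                return False, f"pc {pc}: offset {off} outside {CTX_SIZE}-byte context"
            pointer_regs.discard(dst)            # dst now holds a scalar
        elif op == "call":
            if insn[1] not in ALLOWED_HELPERS:
                return False, f"pc {pc}: helper {insn[1]} not allowed"
        elif op == "jmp":
            target = insn[1]
            if target <= pc:                     # back-edge could loop forever
                return False, f"pc {pc}: backward jump to {target}"
            if target >= len(program):
                return False, f"pc {pc}: jump out of program"
        elif op != "exit":
            return False, f"pc {pc}: unknown opcode {op}"
    return True, "ok"

# Constructed sample programs
GOOD = [("load", "r2", "r1", 8), ("call", "map_lookup"), ("exit",)]
OUT_OF_BOUNDS = [("load", "r2", "r1", 200), ("exit",)]
LOOP = [("mov", "r2", 0), ("add", "r2", 1), ("jmp", 1), ("exit",)]
BAD_HELPER = [("call", "kfree"), ("exit",)]
```

The real verifier tracks value ranges per register and, on newer kernels, accepts bounded loops; this model only shows why each class of program is rejected.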

> 1. Using eBPF requires root

Unprivileged eBPF has been around for a long time.

Except that it's been almost universally disabled, for many years. Nobody trusts it.

Idk if I'd call 2 years "many", but yes.

In eBPF years, 2 years is an eternity.