Austin Gadient is CTO and cofounder of Vali Cyber.
Extended Berkeley Packet Filter (eBPF) is a new technology shaking up the cloud security industry. eBPF is a capability in Linux that enables security and other introspection products to gather deep insights into the operating system’s activities. The technology is already gaining popularity in the cloud security market. Many vendors are pitching it as a panacea for cloud security.
eBPF was originally developed for network packet introspection. Speed and stability were critical for this application, but security was not as important. As eBPF has gained functionality, vendors have repurposed it for security. However, the original architecture of the system was not designed for security, creating key architectural dilemmas.
Some are touting eBPF as a flawless technology, but there is no such thing as a perfect solution. There are trade-offs to using eBPF, especially for a security product, and it’s important to understand the potential risks and mitigation techniques before implementing an eBPF-based security solution in your company.
Key eBPF Vulnerabilities And Mitigations
Resource Constraints
• Challenge: One of the main limitations of eBPF is that, like any capability on an operating system, it is resource-constrained. As eBPF processes various system events, such as file operations and network connections, it must do so quickly and efficiently. If it fails to process events fast enough, it can miss new events. In short, eBPF can reach its capacity limit, rendering your system blind to potentially malicious activities. Attackers can exploit this vulnerability to execute actions without detection, compromising your security.
• Mitigation technique: Allocate as many system resources as you can to the eBPF security tool, minimizing the probability that it will run out of space to process all events. But be aware that this approach does have a performance penalty and may be unsuitable for some environments.
Limited Event Interception
• Challenge: eBPF doesn’t truly intercept events in real time. It receives notifications after an event has occurred, which is problematic when you are managing critical events, such as deleting an important file on the system or shutting down security software. The response is always retroactive, which creates potential security risks and leaves the system vulnerable to attackers bypassing tools.
• Mitigation Technique: Supplement eBPF-based security solutions with other security tools, such as those that use mandatory access control and allow you to govern when certain files, IP addresses and URLs can be accessed. These tools can help protect the eBPF security tool from being subverted and make it more difficult for attackers to complete malicious actions.
Vulnerabilities in the eBPF Verifier
• Challenge: The eBPF verifier, which plays a crucial role in ensuring the safety and security of eBPF programs, has been associated with a number of Common Vulnerabilities and Exposures (CVEs), a list of publicly disclosed information security flaws. Exposing a Linux system to eBPF opens it up to a range of vulnerabilities, including an out-of-bounds access flaw and a missing indicator for insufficient resources, which could potentially be exploited by attackers.
• Mitigation Technique: Regularly update and patch your system to address vulnerabilities found in the eBPF verifier. Keeping the system up-to-date can address CVEs and enhance overall system security.
As the adoption of eBPF-based security solutions increases, it’s critical to develop a more nuanced understanding of their strengths and weaknesses. eBPF offers advantages, but it also has vulnerabilities that you must mitigate to keep your systems secure.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Read the full article here
