
When eBPF Meets Machine Learning: On-the-fly OS Kernel Compartmentalization (2401.05641v1)

Published 11 Jan 2024 in cs.OS, cs.CR, and cs.LG

Abstract: Compartmentalization effectively prevents an initial corruption from turning into a successful attack. This paper presents O2C, a pioneering system designed to enforce OS kernel compartmentalization on the fly. It not only provides immediate remediation for sudden threats but also maintains consistent system availability throughout the enforcement process. O2C is empowered by the newest advancements of the eBPF ecosystem, which allow eBPF programs that perform enforcement actions to be instrumented into the kernel at runtime. O2C takes the lead in embedding a machine learning model into eBPF programs, addressing unique challenges in on-the-fly compartmentalization. Our comprehensive evaluation shows that O2C effectively confines damage within the compartment. Further, we validate that the decision tree is optimally suited for O2C owing to its advantages in processing tabular data, its explainable nature, and its compliance with the eBPF ecosystem. Last but not least, O2C is lightweight, showing negligible overhead and excellent scalability system-wide.
