eBPF Offers a New Way to Secure Cloud Native Systems
The eBPF (extended Berkeley packet filter) is being used to solve several security issues in cloud native environments, beyond its initial use of network monitoring.
Its penetration, extending from within the Linux kernel (and on Windows to a lesser extent), across runtimes in a network or environment, makes it an “enhancement” to the Linux operating system, according to Gartner analyst Simon Richard in Gartner’s “Hype Cycle for Compute 2023.”
While running specific instruction sets from within the kernel, eBPF allows organizations to add features to Linux without changing kernel source code or requiring kernel modules, Richard writes.
Specific to security, eBPF offers a very detailed way of monitoring and provides traces for monitoring different potentially suspicious system activities and codes. This all lends itself to the speed of processing or just-in-time processing within its tunnel.
A key aspect is that security providers are using eBPF for observability to prevent attacks, detect and remediate high-priority vulnerabilities (and to distinguish between severe and less severe vulnerabilities), to detect suspicious activity and other uses. This extension, of course, includes analyzing incidents and giving and receiving alerts for vulnerabilities and incidents. , and analyzing or finding potentially risky vulnerabilities and attack vectors. It is the observability aspect that leverages eBPF in order to monitor and detect suspicious activity and to help determine which vulnerabilities have the potential to be exploited.
“eBPF’s increased adoption is indeed changing the game for security companies, enabling access to critical data without changing the kernel,” Shauli Rozen of security provider and open source Kubescape creator ARMO, said. “It should be noted however that we do see companies struggling with the additional resources needed by the environment for some of the eBFP solutions, mainly around CPU consumption and network traffic that is required to take the data traces from eBPF and running analysis on them.”
Part of the magic of eBPF is how it works from within the kernel without changing the kernel code directly.
Since eBPF runs in a closed sandbox environment in which the runtime operates, eBPF is less intrusive and helps to prevent it from interacting directly with the kernel while also originating from inside the kernel. So, it can be used to detect and determine the relevancy and threat level of vulnerabilities and secure potential security issues that might take place within the kernel.
These monitoring and observability aspects from the kernel all the way through runtime environments across a network, including highly distributed Kubernetes environments, nodes, and containers, etc. Or, in other words, eBPF observability extends beyond a single machine and it is useful in distributed systems.
eBPF “allows the developers to write code that can be loaded into the kernel at runtime as such” Vandana Salve, an independent software architect and a software architect for Micron Technology, said during her Open Source Summit Europe talk in September on security the Linux kernel with eBPF.
It also helps make changes to the kernel code or add the logic you would like to incorporate as part of the security enforcement.” The eBPF framework consists of the instruction set. It can be considered as a virtual machine that runs the eBPF program in an isolated sandbox environment. This is done by executing the eBPF bytecode. The verifier ensures that the bytecode loaded by the program maintains its integrity. All the necessary checks are performed by the verifier.
eBPF programs are event-driven and run when the kernel or an application reaches a certain hook point. Predefined hooks include:
- System calls.
- Function entry/exit.
- Kernel trace points.
- Network events.
- Other events, such as scheduling algorithms.
On a large scale, the resulting Linux Security Module (LSM) eBPF programs allow runtime. instrumentation of the LSM hooks by privileged users to implement system-wide Mandatory. Access Control (MAC) and auditing using eBPF. They offer:
- Hooks into appropriate LSM hooks.
- The use of eBPF helpers and access to structure fields.
- Sharing of variables with user spaces.
- Access or denial of functions and operations.
Essentially, this allows you to implement MAC and kernel control policies, Salve said.
I just have Windows on my gaming laptop I brought with le but not to worry: I can do the workshop with my browser, Lin Sun just told me ahead of « Developing Portable eBPF Applications Workshop » @soloio_inc io at #OSS 2023 @thenewstack @linuxfoundationhttps://sched.co/1OGkT pic.twitter.com/nTECcO5Sls
— BC Gain (@bcamerongain) September 21, 2023
eBPF is sometimes incorrectly described as having the ability to change or alter kernel code directly. The fact that this is not true, and that eBPF runs directly from within the kernel. This enables it to overcome a key security challenge of applying patches to running Linux machines when a vulnerability is found in the kernel. This is especially useful in the case of a zero-day vulnerability, where the behavior of the Linux kernel can be modified without altering the Linux kernel code itself. If a version and distribution-independent hotfix can be applied, the security teams can close these holes fast. Otherwise, it takes several months for a Linux code fix to be reviewed, tested, distributed and installed.
“I recall hearing that the process of merging a PR (Pull Request) into the Linux kernel can be quite challenging, as maintainers maintain a high bar for incorporating new features promptly,” said Lin Sun, senior director of open source at solo.io, Istio TOC member and CNCF Ambassador, during the “Developing Portable eBPF Applications” workshop she headed at the Open Source Summit.
“This is where eBPF plays a crucial role — it allows you to expand your capabilities beyond what the kernel can provide without the need to wait for PRs to be merged into the kernel or undergo lengthy waiting periods,” Sun said. “Regardless of your preferred Linux distribution, eBPF is designed with a strong focus on safety. The code undergoes verification by the kernel as it is loaded to ensure it does not compromise or harm the kernel. This is precisely why it operates within a sandboxed environment.”
The fact that an eBPF program runs directly in the kernel interacting with its inner structures potentially limits its ability to run on multiple versions of the kernel. However, security tool providers have addressed this drawback by creating methods to enable eBPF to be written in a way that the same eBPF program can run on multiple kernel versions.
For instance, ARMO, an enterprise-grade Kubernetes security platform powered by the open source Kubescape, utilizes this “Compile Once, Run Everywhere” (CO-RE) feature for eBPF. CO-RE allows the eBPF program to operate on multiple versions of the kernel and be deployed across multiple kernel versions.
The significance of this feature is that it makes the development and deployment of eBPF programs much easier which leads to a broader adoption of the technologies built on eBPF.
“This is super important, one of the major barriers for security adoption and one of the most difficult areas to master in the ‘old’ age of kernel agents was interoperability and coverage,” Rozen said. “These features enable a much more efficient way to get larger coverage and assure interoperability.”