TY - GEN
T1 - Verified Programs Can Party
T2 - 17th European Conference on Computer Systems, EuroSys 2022
AU - Kuo, Hsuan Chi
AU - Chen, Kai Hsun
AU - Lu, Yicheng
AU - Williams, Dan
AU - Mohan, Sibin
AU - Xu, Tianyin
N1 - We thank the anonymous reviewers of EuroSys’22 and our shepherd, Baptiste Lepers, for the valuable feedback. We thank Neil Zhao for the discussion on speculative attacks as well as hardware and software defenses. Mohan’s group is supported in part by Office of Naval Research (ONR) grant N00014-17-1-2889. Xu’s group is supported in part by NSF CNS-1956007, CCF-2029049, CNS-2130560, CNS-2145295, and CCF-1816615.
PY - 2022/3/28
Y1 - 2022/3/28
N2 - Operating system (OS) extensions are more popular than ever. For example, Linux BPF is marketed as a "superpower" that allows user programs to be downloaded into the kernel, verified to be safe and executed at kernel hook points. So, BPF extensions have high performance and are often placed at performance-critical paths for tracing and filtering. However, although BPF extension programs execute in a shared kernel environment and are already individually verified, they are often executed independently in chains. We observe that the chain pattern has large performance overhead, due to indirect jumps penalized by security mitigations (e.g., Spectre), loops, and memory accesses. In this paper, we argue for a separation of concerns. We propose to decouple the execution of BPF extensions from their verification requirements: BPF extension programs can be collectively optimized, after each BPF extension program is individually verified and loaded into the shared kernel. We present KFuse, a framework that dynamically and automatically merges chains of BPF programs by transforming indirect jumps into direct jumps, unrolling loops, and saving memory accesses, without loss of security or flexibility. KFuse can merge BPF programs that are (1) installed by multiple principals, (2) maintained to be modular and separate, (3) installed at different points of time, and (4) split into smaller, verifiable programs via BPF tail calls. KFuse demonstrates 85% performance improvement of BPF chain execution and 7% of application performance improvement over existing BPF use cases (systemd's Seccomp BPF filters). It achieves more significant benefits for longer chains.
KW - BPF
KW - Indirect jump
KW - Kernel extension
KW - Retpoline
KW - Spectre
KW - Transient attack
KW - eBPF
UR - http://www.scopus.com/inward/record.url?scp=85128027701&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85128027701&partnerID=8YFLogxK
U2 - 10.1145/3492321.3519562
DO - 10.1145/3492321.3519562
M3 - Conference contribution
AN - SCOPUS:85128027701
T3 - EuroSys 2022 - Proceedings of the 17th European Conference on Computer Systems
SP - 283
EP - 299
BT - EuroSys 2022 - Proceedings of the 17th European Conference on Computer Systems
PB - Association for Computing Machinery
Y2 - 5 April 2022
ER -