Abstract
eBPF (extended Berkeley Packet Filter) is regarded as a secure alternative to kernel modules for enhancing kernel functionalities. As an emerging kernel subsystem, eBPF should not become a vehicle for kernel vulnerabilities to bypass established protections. Unfortunately, the exploitability of eBPF has not been fully studied so far. This paper investigates the exploitability of eBPF. Our study uncovers a previously unidentified security risk: eBPF bytecode lacks injection and hijack prevention, so the eBPF interpretation flow can be hijacked to execute malicious bytecode. To understand the risk, we propose Interp-flow Hijacking, a novel attack that hijacks the eBPF interpretation flow to circumvent kernel code and Control Flow Integrity (CFI) protections, thereby enabling arbitrary code execution within the kernel. To realize the attack, we propose a novel technique named Tailcall Trampoline for hijacking the interpretation flow without violating CFI. To evaluate the exploitability, we formulate CVE requirements and give techniques to pivot different types of CVEs. The evaluation of 16 real CVEs from different kernel subsystems shows that Interp-flow Hijacking can enhance all their capabilities in bypassing kernel protection. Finally, we design and implement a protection mechanism to safeguard against Interp-flow Hijacking. We are communicating with the Linux community to address the identified issues.
Original language | English (US) |
---|---|
Title of host publication | Computer Security – ESORICS 2024 - 29th European Symposium on Research in Computer Security, Proceedings |
Editors | Joaquin Garcia-Alfaro, Rafał Kozik, Michał Choraś, Sokratis Katsikas |
Publisher | Springer Science and Business Media Deutschland GmbH |
Pages | 194-214 |
Number of pages | 21 |
ISBN (Print) | 9783031708954 |
DOIs | |
State | Published - 2024 |
Event | 29th European Symposium on Research in Computer Security, ESORICS 2024 - Bydgoszcz, Poland Duration: Sep 16 2024 → Sep 20 2024 |
Publication series
Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 14984 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | 29th European Symposium on Research in Computer Security, ESORICS 2024 |
---|---|
Country/Territory | Poland |
City | Bydgoszcz |
Period | 9/16/24 → 9/20/24 |
Bibliographical note
Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.
Keywords
- Bug exploitation
- Bypassing CFI
- eBPF
- Linux kernel