VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel Extensions

Gerhorst L, Herzog H, Wägemann P, Ott M, Kapitza R, Hönig T (2024)


Publication Language: English

Publication Type: Conference contribution

Publication year: 2024

Book Volume: 5

Pages Range: 644-659

Conference Proceedings Title: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, RAID

Event location: Padua IT

URI: https://arxiv.org/pdf/2405.00078

DOI: 10.1145/3678890.3678907

Open Access Link: https://arxiv.org/pdf/2405.00078

Abstract

High-performance IO demands low-overhead communication between user- and kernel space. This demand can no longer be fulfilled by traditional system calls. Linux’s extended Berkeley Packet Filter (BPF) avoids user-/kernel transitions by just-in-time compiling user-provided bytecode and executing it in kernel mode with near-native speed. To still isolate BPF programs from the kernel, they are statically analyzed for memory- and type-safety, which imposes some restrictions but allows for good expressiveness and high performance. However, to mitigate the Spectre vulnerabilities disclosed in 2018, defenses which reject potentially-dangerous programs had to be deployed. We find that this affects 31% to 54% of programs in a dataset with 844 real-world BPF programs from popular open-source projects. To solve this, users are forced to disable the defenses to continue using the programs, which puts the entire system at risk.

To enable secure and expressive untrusted Linux kernel extensions, we propose VeriFence, an enhancement to the kernel’s Spectre defenses that reduces the number of BPF application programs rejected from 54% to zero. We measure VeriFence’s overhead for all mainstream performance-sensitive applications of BPF (i.e., event tracing, profiling, and packet processing) and find that it improves significantly upon the status-quo where affected BPF programs are either unusable or enable transient execution attacks on the kernel.

Authors with CRIS profile

Related research project(s)

Involved external institutions

How to cite

APA:

Gerhorst, L., Herzog, H., Wägemann, P., Ott, M., Kapitza, R., & Hönig, T. (2024). VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel Extensions. In Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, RAID (pp. 644-659). Padua, IT.

MLA:

Gerhorst, Luis, et al. "VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel Extensions." Proceedings of the RAID'24: The 27th International Symposium on Research in Attacks, Intrusions and Defenses, Padua 2024. 644-659.

BibTeX: Download