ETD

Digital archive of theses defended at the University of Pisa

Thesis etd-10252024-174216


Thesis type
Master's thesis
Author
GIOVANNONI, LEONARDO
URN
etd-10252024-174216
Title
Runtime Struct Type-Based Access Control for eBPF Programs using LLVM
Department
INGEGNERIA DELL'INFORMAZIONE
Degree programme
COMPUTER ENGINEERING
Supervisors
supervisor Lettieri, Giuseppe
supervisor Bernardeschi, Cinzia
supervisor Ing. Leonardi, Luigi
Keywords
  • ebpf
  • linux
  • llvm
Exam session start date
26/11/2024
Availability
Not available for consultation
Release date
26/11/2064
Abstract
The collection of statistics and events within the kernel, a core component of an operating system, has seen a significant shift towards the use of eBPF (Extended Berkeley Packet Filter) programs. These programs, crafted in user-mode, operate within kernel-mode without compromising the kernel's memory coherence or execution flow. Once loaded, eBPF programs are linked to specific hooks in the kernel's execution path, activating when the kernel interacts with these hooks and deactivating seamlessly to allow the kernel's usual operational procedures to continue.
eBPF programs are uniquely capable of accessing both kernel and user memory spaces, which, while powerful, can introduce security concerns. Particularly when an operating system incorporates an untrusted eBPF program for data collection, there is a risk that it could access and transmit sensitive information. Given the potential threats, enhancing the security measures of eBPF programs is imperative. This study introduces a novel methodology for bolstering the security of eBPF programs by incorporating automatic security checks within the LLVM (Low-Level Virtual Machine) Intermediate Representation (IR) stage. The approach utilizes an LLVM pass, a programmable step in the LLVM compilation process, to integrate security measures during the compilation of eBPF programs.
File