Skip to content
/ bpfbox Public

🐝 BPFBox πŸ“¦ Exploring process confinement in eBPF

License

GPL-3.0 license
101 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

willfindlay/bpfbox

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

203 Commits
.bcc
.bcc
Β 
Β 
.github/ISSUE_TEMPLATE
.github/ISSUE_TEMPLATE
Β 
Β 
bin
bin
Β 
Β 
bpfbox
bpfbox
Β 
Β 
sample_policy
sample_policy
Β 
Β 
tests
tests
Β 
Β 
.ccls
.ccls
Β 
Β 
.gitignore
.gitignore
Β 
Β 
LICENSE
LICENSE
Β 
Β 
Makefile
Makefile
Β 
Β 
Pipfile
Pipfile
Β 
Β 
Pipfile.lock
Pipfile.lock
Β 
Β 
README.md
README.md
Β 
Β 
requirements.txt
requirements.txt
Β 
Β 
setup.py
setup.py
Β 
Β 

Repository files navigation

🐝 bpfbox πŸ“¦

bpfbox is a policy enforcement engine written in eBPF to confine process access to security-sensitive system resources.

bpfbox is EOL

BPFBox is being replaced by BPFContain, a new confinement solution written in Rust using libbpf-rs.

Links

Our research paper: https://www.cisl.carleton.ca/~will/written/conference/bpfbox-ccsw2020.pdf

Disclaimer

bpfbox is very much a research prototype at this stage. Not recommended for production use before version 1.0.0.

Roadmap / TODO

  • Implement auto attachment of uprobes/kprobes for process state
  • Fully implement the uprobe/kprobe support in the policy language (see below)
  • Re-visit policy langugage
    • Move to yaml / rego?
  • Document final version of policy language
  • Add more unit tests / document code coverage

Requirements

  1. Linux 5.8+ compiled with at least CONFIG_BPF=y, CONFIG_BPF_SYSCALL=y, CONFIG_BPF_JIT=y, CONFIG_TRACEPOINTS=y, CONFIG_BPF_LSM=y, CONFIG_DEBUG_INFO=y, CONFIG_DEBUG_INFO_BTF=y, CONFIG_LSM="bpf". pahole >= 0.16 must be installed for the kernel to be built with BTF info.
  2. Either the latest version of bcc from https://github.com/iovisor/bcc or bcc version 0.16+. If building from source, be sure to include -DPYTHON_CMD=python3 in your the cmake flags
  3. Python 3.8+

Installation

  • Coming soon, for now just run from the bin directory in this repository.

Usage

  1. Install policy files in /var/lib/bpfbox/policy
  2. Run the daemon using sudo bpfboxd
  3. Inspect audit logs with tail -f /var/log/bpfbox/bpfbox.log

Citation

If you would like to cite this work, we request that you use the following bibtex entry:

@inproceedings{findlay2020_bpfbox,
    author    = {Findlay, William and Somayaji, Anil and Barrera, David},
    title     = {{bpfbox: Simple Precise Process Confinement with eBPF}},
    year      = {2020},
    isbn      = {9781450380843},
    publisher = {Association for Computing Machinery},
    address   = {New York, NY, USA},
    doi       = {10.1145/3411495.3421358},
    booktitle = {Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop},
    pages     = {91–103},
    numpages  = {13},
    keywords  = {ebpf, application confinement, access control, sandboxing, operating system security, linux},
    location  = {Virtual Event, USA},
    series    = {CCSW'20}
}

About

🐝 BPFBox πŸ“¦ Exploring process confinement in eBPF

Topics

linux security sandbox linux-kernel ebpf bcc runtime-security

Resources

Readme

License

GPL-3.0 license
Activity

Stars

101 stars

Watchers

13 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy