The Future of Secure Code Execution: Embracing Collaborative eBPF Approaches
In cybersecurity, we’re always searching for robust, reliable ways to run code. Tools like eBPF (extended Berkeley Packet Filter) and specialized sandboxing technologies have become key solutions.
However, two events in the summer of 2024 highlight both the strengths and weaknesses of these tools.
- June 2024: A bug in the enhanced Berkely Packet Filter (eBPF) code verifier allowed the Linux driver for a major EDR (endpoint detection and response) vendor to crash the Linux kernel causing a major outage among their Linux customers.
- July 2024: A bug in that same vendor’s home-grown secure code execution environment allowed an update to crash the kernel and render the system un-bootable. This led to an even more damaging and highly publicized outage for their Windows customers.
These two incidents show two different ways of making low level system updates to live systems, and why we should prefer a unified and open approach to keep code execution secure.
Balancing quick code updates with system stability
In today's fast-moving threat landscape, it’s crucial to quickly send updates to security tools to stop threats before they cause problems. These updates need to reach all security systems within minutes or hours. EDR “sensors” may be live patched remotely by your vendor multiple times per day if threats necessitate such volume.
But there’s a balance:
- Sending updates to security tools that are closely integrated with the operating system can sometimes cause major outages.
- But waiting too long to update could allow malware to spread.
The solution is to find a safe, secure way to mitigate vulnerabilities in code quickly and define where operating system code should interface with security tools.
Secure code execution solutions: Advanced sandboxing vs. eBPF
Two technologies have emerged to help ensure code is safe and correct before executing:
Specialized sandboxing technologies
Sandboxing uses small, focused virtual machines (VMs) and verifiers to make sure only safe, approved code runs.
These VMs aren’t like the traditional hypervisor-based systems that run full operating systems. Instead, they’re built to run programs securely using a specific set of virtual instructions (like how Java or JavaScript VMs work, not VMware).
The verifier is key — it checks the code before it runs to make sure it’s safe and correct. This approach isolates potentially risky actions, creating a secure space for code to run.
Programs running in a sandbox are like assembly-language programs. They use a small, basic set of instructions that can work with most processors. This simple design makes the code efficient and ensures it can run securely in the sandbox or kernel environment.
eBPF
The Extended Berkeley Packet Filter takes a more integrated approach, especially in Linux systems. It lets code run safely inside the kernel, giving better visibility and control without risking system stability.
eBPF has a strong built-in verifier that makes sure the code is safe. This prevents code with unsafe instructions from executing and offers a more streamlined, efficient way to run code.
The July 2024 IT outages: What they taught us about secure code execution
Even with protections in place, recent events have shown weaknesses in sandboxing tools and eBPF technology.
It's true that the Linux outage happened because of a bug in the eBPF verifier which caused the operating system to fail. This shows that even advanced tools like eBPF can have problems, making it important to stay alert and keep improving them. But the result of fixing the eBPF verifier has different implications for the future because it's part of a community solution.
When the verifier bug was found, the community worked together quickly to fix it. This collective effort helps improve eBPF for everyone and makes it less likely for similar problems to happen again.
The Blue Screen of Death (BSOD) incident in the Windows environment was caused by memory errors. These errors came from mismatched array sizes in a special sandboxing tool and its verifier system. Efforts to analyze and mitigate the incident showed how important it is to have a strong verification process. This would prevent vulnerabilities from compromising system stability.
Unlike eBPF, proprietary sandboxing VM and verifier systems work in closed ecosystems. While they can fix identified bugs, those improvements only help the users of a single vendor. This siloed way of working slows down the sharing of security improvements and increases the chances of similar problems happening elsewhere.
Towards a unified approach: The case for eBPF
These contrasting incidents show the importance of using a shared, open system for running secure code.
eBPF’s collaborative approach creates a strong base for improving security tools on different platforms. By using a single VM and verifier built into the operating system, organizations can avoid creating multiple inconsistent and potentially insecure do-it-yourself systems.
A good example of this idea is the work being done to bring eBPF to Windows. By adding eBPF to their operating system, organizations can create a secure and standardized environment to run low-level security tools. This change not only makes the operating system safer but also promotes the use of eBPF’s proven approach across the industry.
Efforts to transform security foundations across multiple operating systems with safe kernel integration show the potential of this idea. By using eBPF’s features, these projects aim to build a safer and more connected system for security tools to work across different operating systems.
What eBPF means for the future of cybersecurity
Recent problems with security tools show how adopting eBPF could benefit the cyber industry. With its open and collaborative model, organizations might consider the potential benefits of integrating eBPF into their solutions.
By using eBPF, the responsibility for system crashes, like kernel panics, would shift to the operating system provider. They’re better equipped to handle these issues and keep the system safe and stable.
And by relying on trusted operating system providers to keep eBPF secure, organizations can focus on providing faster and more reliable updates to their customers. This method supports the goal of allowing quick improvements without sacrificing security.
Although careful testing before launching updates is still important, using eBPF’s built-in safety features can greatly lower the chance of problems happening while the system is running.
Embracing collaboration is the future of secure code execution
Recent incidents that resulted from code execution issues show the complexities of maintaining robust, reliable environments.
Proprietary sandboxing VMs and verifiers may give organizations more control and customization, but they also cut them off from wider security improvements. On the other hand, eBPF’s open and collaborative approach creates a stronger system that allows for constant improvement and shared security benefits.
As the industry evolves, using models like eBPF that encourage collaboration, and standardization can help create stronger and safer systems. Organizations can benefit a lot from adding eBPF to their tools, using the shared knowledge of the community to improve security.
With this spirit of collaboration, the future of cybersecurity looks brighter and more secure for all.
Get in touch with us today to learn more about the Illumio Zero Trust Segmentation Platform.