Skip to content
/ bpfbox Public

🐝 BPFBox πŸ“¦ Exploring process confinement in eBPF

License

GPL-3.0 license
101 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

willfindlay/bpfbox

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

203 Commits
.bcc
.bcc
Β 
Β 
.github/ISSUE_TEMPLATE
.github/ISSUE_TEMPLATE
Β 
Β 
bin
bin
Β 
Β 
bpfbox
bpfbox
Β 
Β 
sample_policy
sample_policy
Β 
Β 
tests
tests
Β 
Β 
.ccls
.ccls
Β 
Β 
.gitignore
.gitignore
Β 
Β 
LICENSE
LICENSE
Β 
Β 
Makefile
Makefile
Β 
Β 
Pipfile
Pipfile
Β 
Β 
Pipfile.lock
Pipfile.lock
Β 
Β 
README.md
README.md
Β 
Β 
requirements.txt
requirements.txt
Β 
Β 
setup.py
setup.py
Β 
Β 

Repository files navigation

🐝 bpfbox πŸ“¦

bpfbox is a policy enforcement engine written in eBPF to confine process access to security-sensitive system resources.

bpfbox is EOL

BPFBox is being replaced by BPFContain, a new confinement solution written in Rust using libbpf-rs.

Links

Our research paper: https://www.cisl.carleton.ca/~will/written/conference/bpfbox-ccsw2020.pdf

Disclaimer

bpfbox is very much a research prototype at this stage. Not recommended for production use before version 1.0.0.

Roadmap / TODO

  • Implement auto attachment of uprobes/kprobes for process state
  • Fully implement the uprobe/kprobe support in the policy language (see below)
  • Re-visit policy langugage
    • Move to yaml / rego?
  • Document final version of policy language
  • Add more unit tests / document code coverage

Requirements

  1. Linux 5.8+ compiled with at least CONFIG_BPF=y, CONFIG_BPF_SYSCALL=y, CONFIG_BPF_JIT=y, CONFIG_TRACEPOINTS=y, CONFIG_BPF_LSM=y, CONFIG_DEBUG_INFO=y, CONFIG_DEBUG_INFO_BTF=y, CONFIG_LSM="bpf". pahole >= 0.16 must be installed for the kernel to be built with BTF info.
  2. Either the latest version of bcc from https://github.com/iovisor/bcc or bcc version 0.16+. If building from source, be sure to include -DPYTHON_CMD=python3 in your the cmake flags
  3. Python 3.8+

Installation

  • Coming soon, for now just run from the bin directory in this repository.

Usage

  1. Install policy files in /var/lib/bpfbox/policy
  2. Run the daemon using sudo bpfboxd
  3. Inspect audit logs with tail -f /var/log/bpfbox/bpfbox.log

Citation

If you would like to cite this work, we request that you use the following bibtex entry:

@inproceedings{findlay2020_bpfbox,
    author    = {Findlay, William and Somayaji, Anil and Barrera, David},
    title     = {{bpfbox: Simple Precise Process Confinement with eBPF}},
    year      = {2020},
    isbn      = {9781450380843},
    publisher = {Association for Computing Machinery},
    address   = {New York, NY, USA},
    doi       = {10.1145/3411495.3421358},
    booktitle = {Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop},
    pages     = {91–103},
    numpages  = {13},
    keywords  = {ebpf, application confinement, access control, sandboxing, operating system security, linux},
    location  = {Virtual Event, USA},
    series    = {CCSW'20}
}

About

🐝 BPFBox πŸ“¦ Exploring process confinement in eBPF

Topics

linux security sandbox linux-kernel ebpf bcc runtime-security

Resources

Readme

License

GPL-3.0 license
Activity

Stars

101 stars

Watchers

13 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages