BPFflow - Preventing information leaks from eBPF
Published in Workshop on eBPF and Kernel Extensions, 2025
eBPF has seen major industry adoption by enterprises to enhance observability, tracing and monitoring by hooking at different points in the kernel. However, since the kernel is a critical resource, eBPF can also pose a threat if misused, potentially leading to privilege escalation, information leaks and more. While effective to some extent, existing mitigation strategies like interface filtering are coarse-grained and often over-restrictive.
We propose BPFflow, a flexible framework that lets the system administrator define policies specifying sensitive data sources, trusted sinks, and the permitted flows between them. These policies are enforced by an Information Flow Control (IFC) system within the eBPF verifier, which tracks the propagation of sensitive data and prevents unauthorized leakage to userspace or any other untrusted sink, without any runtime overhead.
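To make the verifier-time IFC idea concrete, here is an added toy example written for this page (it is not BPFflow's implementation and not Linux verifier code). It walks a straight-line, eBPF-like instruction list once, carries a set of policy-defined source labels on every register and stack slot, and rejects the program at load time when labelled data reaches a sink the policy does not permit. The helper names are real eBPF helpers; the policy tables, the instruction encoding and the three sample programs are constructed assumptions.

```python
"""Toy load-time information-flow check in the style of BPFflow (added example,
not code from the paper or the Linux verifier). It walks a straight-line
eBPF-like instruction list, tracks which policy-defined source labels each
register and stack slot may carry, and rejects the program when labelled data
reaches a sink the policy does not permit. Helper names are real eBPF helpers;
the policy and the programs are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Policy (constructed; in BPFflow the administrator supplies it). A source maps
# a helper to (label, where the output lands): "r0", or ("mem", n) for the
# buffer that argument register rn points to.
SOURCES = {
    "bpf_probe_read_kernel": ("kernel_mem", ("mem", 1)),
    "bpf_get_current_pid_tgid": ("pid", "r0"),
}
SINKS = {"bpf_perf_event_output", "bpf_map_update_elem", "bpf_trace_printk"}
ALLOWED = {                                   # label -> sinks it may reach
    "kernel_mem": {"bpf_map_update_elem"},    # kernel-side map only
    "pid": {"bpf_map_update_elem", "bpf_perf_event_output"},
}

@dataclass
class Val:
    labels: set = field(default_factory=set)  # source labels the value may carry
    stack_off: int | None = None              # set when the value is fp+off

def check_program(insns, allowed=ALLOWED):
    """Return a list of violations; an empty list means the program may load."""
    regs = {f"r{i}": Val() for i in range(11)}
    regs["r10"] = Val(stack_off=0)            # frame pointer
    stack: dict[int, set] = {}                # stack offset -> labels stored there
    violations = []

    def labels_at_sink():
        # Labels in r1-r5 plus, for a pointer argument, every stack slot at or
        # above its offset (conservative: the buffer length is not modelled).
        out = set()
        for v in (regs[f"r{i}"] for i in range(1, 6)):
            out |= v.labels
            if v.stack_off is not None:
                out |= {l for off, ls in stack.items() if off >= v.stack_off for l in ls}
        return out

    for pc, (op, *args) in enumerate(insns):
        if op == "mov":                       # mov rd, rs | mov rd, imm
            rd, src = args
            regs[rd] = (Val(set(regs[src].labels), regs[src].stack_off)
                        if isinstance(src, str) else Val())
        elif op == "add_imm":                 # add rd, imm: pointer arithmetic
            rd, imm = args
            off = regs[rd].stack_off
            regs[rd] = Val(set(regs[rd].labels), None if off is None else off + imm)
        elif op == "stx":                     # stx [rd+off], rs
            rd, off, rs = args
            if regs[rd].stack_off is not None:
                stack[regs[rd].stack_off + off] = set(regs[rs].labels)
        elif op == "ldx":                     # ldx rd, [rs+off]
            rd, rs, off = args
            base = regs[rs].stack_off
            regs[rd] = Val(set(stack.get(base + off, set())) if base is not None else set())
        elif op == "call":
            helper = args[0]
            if helper in SINKS:               # check flows before the call clobbers args
                for label in sorted(labels_at_sink()):
                    if helper not in allowed.get(label, set()):
                        violations.append(f"insn {pc}: {label} data flows to {helper}")
            new_r0 = Val()
            if helper in SOURCES:             # label the helper's output
                label, dest = SOURCES[helper]
                if dest == "r0":
                    new_r0 = Val({label})
                elif regs[f"r{dest[1]}"].stack_off is not None:
                    stack.setdefault(regs[f"r{dest[1]}"].stack_off, set()).add(label)
            for i in range(1, 6):             # a call clobbers r1-r5
                regs[f"r{i}"] = Val()
            regs["r0"] = new_r0
    return violations

# Constructed programs. The first copies kernel memory into a userspace perf
# buffer and is rejected; the second keeps it in a kernel-side map and passes.
LEAK_TO_USERSPACE = [
    ("mov", "r1", "r10"), ("add_imm", "r1", -8),      # r1 = fp-8 (dst buffer)
    ("mov", "r2", 8), ("mov", "r3", 0),                # size, kernel address
    ("call", "bpf_probe_read_kernel"),                 # fp-8 carries kernel_mem
    ("mov", "r1", 0), ("mov", "r2", 0), ("mov", "r3", 0),  # ctx, map, flags
    ("mov", "r4", "r10"), ("add_imm", "r4", -8),      # data = fp-8
    ("mov", "r5", 8),                                  # size
    ("call", "bpf_perf_event_output"),
]
STORE_IN_MAP = LEAK_TO_USERSPACE[:5] + [
    ("mov", "r1", 0), ("mov", "r2", 0),                # map, key
    ("mov", "r3", "r10"), ("add_imm", "r3", -8),      # value = fp-8
    ("mov", "r4", 0),                                  # flags
    ("call", "bpf_map_update_elem"),
]
# A scalar flow through the stack: the pid/tgid value is spilled, reloaded and
# passed to bpf_trace_printk, which the policy does not list for "pid".
PID_TO_TRACEFS = [
    ("call", "bpf_get_current_pid_tgid"),              # r0 labelled pid
    ("stx", "r10", -16, "r0"), ("ldx", "r3", "r10", -16),
    ("call", "bpf_trace_printk"),
]
```

The check runs entirely before the program is loaded, which is where the "no runtime overhead" property comes from: the loaded program is unchanged, only admission is decided. A real verifier-integrated implementation would additionally join label sets at control-flow merge points, track buffer sizes rather than conservatively tainting every slot above a pointer, and propagate labels through maps; this toy models none of that.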