Master's thesis presentation: Inline Security Enforcement for Containers Using eBPF
Peter Sergo and Axel Hartwig present their master's thesis Inline Security Enforcement for Containers Using eBPF on 4 June at 10:15 in E:3139.
This thesis explores the possibility of using the extended Berkeley Packet Filter (eBPF) to implement inline security enforcement for containerized workloads. The objective is to create profiles for runtime enforcement automatically in cloud environments such as Kubernetes. A key feature of eBPF programs is that they can attach to many different kernel events, much as the Linux Security Module (LSM) AppArmor does. AppArmor is already used in cloud security and enforces Mandatory Access Control (MAC) policies by restricting the actions that programs may perform on a system.
By attaching eBPF programs to a subset of the same LSM hook points, a proof of concept is developed that demonstrates the flexibility of eBPF: only the hooks relevant to the policy need to be instrumented. The approach constructs an allowlist-based profile automatically through a training phase, during which expected benign behavior is observed and recorded. The profile is then enforced to deny any action it does not cover, giving a solution that is straightforward to deploy. This is achieved without requiring the AppArmor module to be enabled on every node of a Kubernetes cluster; enforcement instead relies on the BPF LSM.
The findings show that an eBPF-based solution is effective for locking down a container based on file paths and network access. Additional development is, however, required to reach the same level of maturity and comprehensiveness as AppArmor.
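To make the learn-then-enforce workflow concrete, the following is an added example written for this page, not code from the thesis or its proof of concept. The kernel side is abstracted away: the events that a BPF LSM program attached to the file_open and socket_connect hooks would see are represented as plain Python records, and decisions follow the LSM convention of returning 0 to allow and -EPERM to deny. Class and function names, the container identifier, the file paths and the network targets are all constructed for the example. The "log_read" and "reverse_shell" cases illustrate the caveat in the abstract: anything the training phase did not exercise, including a read of a file that was only ever written, is denied once enforcement starts.

```python
"""Learn-then-enforce allowlist profiling, modelled in user space.

Added example, not code from the thesis. A real implementation would run
the decision logic inside a BPF program attached to LSM hooks; here the
same logic is simulated so the profile lifecycle can be read end to end.
"""
import errno
from dataclasses import dataclass, field
from typing import Literal

Hook = Literal["file_open", "socket_connect"]


@dataclass(frozen=True)
class Event:
    """One hook invocation attributed to a container.

    The container id is assumed to be derived from the task's cgroup.
    """
    container: str
    hook: Hook
    target: str                         # file path, or "proto:port"
    mode: frozenset = frozenset()       # file access: subset of {"r","w","x"}


@dataclass
class Profile:
    files: dict[str, set[str]] = field(default_factory=dict)  # path -> modes
    network: set[str] = field(default_factory=set)            # "tcp:443", ...


class ProfileEnforcer:
    """Training phase records benign behaviour; enforcement phase denies
    anything the recorded profile does not cover."""

    def __init__(self) -> None:
        self.profiles: dict[str, Profile] = {}
        self.enforcing = False
        self.audit: list[str] = []

    def train(self, events) -> None:
        for ev in events:
            prof = self.profiles.setdefault(ev.container, Profile())
            if ev.hook == "file_open":
                prof.files.setdefault(ev.target, set()).update(ev.mode)
            else:
                prof.network.add(ev.target)

    def enforce(self) -> None:
        self.enforcing = True

    def hook(self, ev: Event) -> int:
        """LSM-style return value: 0 allows, -EPERM denies."""
        if not self.enforcing:
            self.train([ev])
            return 0
        prof = self.profiles.get(ev.container)
        if prof is None:
            # Assumption: a container without a profile stays unconfined
            # (as with AppArmor's "unconfined"), rather than being denied.
            return 0
        if ev.hook == "file_open":
            allowed = (ev.target in prof.files
                       and ev.mode <= prof.files[ev.target])
        else:
            allowed = ev.target in prof.network
        if not allowed:
            self.audit.append(f"DENIED {ev.container} {ev.hook} "
                              f"{ev.target} {''.join(sorted(ev.mode))}")
            return -errno.EPERM
        return 0


def demo() -> dict[str, int]:
    """Constructed training trace for a web-server container, followed by
    seen and unseen actions under enforcement. Returns name -> hook result."""
    e = ProfileEnforcer()
    web = "web-7f3a"
    for ev in (
        Event(web, "file_open", "/etc/nginx/nginx.conf", frozenset("r")),
        Event(web, "file_open", "/var/log/nginx/access.log", frozenset("w")),
        Event(web, "socket_connect", "tcp:443"),
    ):
        e.hook(ev)                     # training: everything is recorded
    e.enforce()
    checks = {
        "config_read":     Event(web, "file_open", "/etc/nginx/nginx.conf", frozenset("r")),
        "shadow_read":     Event(web, "file_open", "/etc/shadow", frozenset("r")),
        "log_read":        Event(web, "file_open", "/var/log/nginx/access.log", frozenset("r")),
        "upstream_tls":    Event(web, "socket_connect", "tcp:443"),
        "reverse_shell":   Event(web, "socket_connect", "tcp:4444"),
        "other_container": Event("db-1", "file_open", "/etc/shadow", frozenset("r")),
    }
    return {name: e.hook(ev) for name, ev in checks.items()}


if __name__ == "__main__":
    for name, rc in demo().items():
        print(f"{name:16s} {'allow' if rc == 0 else 'deny'}")
```

The per-mode check on file paths is what makes the training phase demanding: a profile learned from a run that only wrote the access log will deny a later read of the same path, so training traffic has to cover every access pattern the workload legitimately needs before the profile is switched to enforcement.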
Supervisor: Christian Gehrmann
Examiner: Thomas Johansson
About the event
Venue:
E:3139
Contact:
susanna [dot] lonnqvist [at] eit [dot] lth [dot] se