For security reasons, unprivileged users today have only limited ways to customize the kernel through the extended Berkeley Packet Filter (eBPF). This is unfortunate, especially since the scope of the eBPF framework itself has grown considerably over the years. We propose SandBPF, a software-based kernel isolation technique that dynamically sandboxes eBPF programs so that unprivileged users can safely extend the kernel, unleashing eBPF's full potential. Our early proof-of-concept shows that SandBPF can effectively prevent exploits missed by eBPF's native safety mechanism (i.e., static verification by the in-kernel verifier) while incurring 0%-10% overhead on web server benchmarks.