For safety reasons, unprivileged users today have only limited ways to customize the kernel through the extended Berkeley Packet Filter (eBPF). This is unfortunate, especially since the scope of the eBPF framework itself has grown considerably over the years. We propose SandBPF, a software-based kernel isolation technique that dynamically sandboxes eBPF programs so that unprivileged users can safely extend the kernel, unleashing eBPF's full potential. Our early proof-of-concept shows that SandBPF can effectively prevent exploits missed by eBPF's native safety mechanism (i.e., static verification) while incurring 0%-10% overhead on web server benchmarks.