The authors present Berrify, an enhancement to the Linux kernel's Spectre defenses for the extended Berkeley Packet Filter (BPF). BPF allows unprivileged user processes to load safety-checked bytecode into the kernel, where it executes at near-native speed. To mitigate Spectre vulnerabilities, however, the kernel had to deploy defenses that reject potentially dangerous BPF programs, which affects 24% to 54% of the programs in a dataset of 844 real-world BPF programs.
Berrify addresses this problem by optimistically attempting to verify all speculative execution paths and inserting speculation barriers only where unsafe behavior is detected. This reduces the share of rejected BPF programs from 54% to 0% while maintaining security. The authors analyze the formal security properties enforced by the BPF verifier and show that Berrify soundly prevents unsafe transient execution without increasing the kernel's attack surface.
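The optimistic verification described above, as an added toy model that is neither the paper's nor the kernel's code: it checks the architectural paths with bounds narrowed by each branch and, from every conditional branch, both mispredicted directions with the un-narrowed bounds, recording a barrier at the branch whenever a transient out-of-bounds load is reachable instead of rejecting the program. The instruction set, the array size and the speculation window are constructed assumptions, and only forward jumps are supported.

```python
ARRAY_LEN = 16            # constructed: entries in the indexed map value
SPEC_WINDOW = 8           # constructed: instructions a mispredicted path may run
UNKNOWN = (0, 2**32 - 1)  # registers modelled as unsigned 32-bit intervals

def analyze(prog):
    """Explore architectural paths (narrowed bounds) and, from each branch, both
    mispredicted directions (un-narrowed bounds). Returns (arch_unsafe, barriers);
    barriers = branch pcs whose transient path reaches an out-of-bounds load."""
    arch_unsafe, barriers = False, set()

    def run(pc, regs, spec_branch, budget):
        nonlocal arch_unsafe
        while pc < len(prog) and (spec_branch is None or budget > 0):
            op, budget = prog[pc], budget - 1
            if op[0] == 'exit':
                return
            if op[0] == 'mov':                            # r := imm
                regs = {**regs, op[1]: (op[2], op[2])}
            elif op[0] == 'load':                         # r := arr[idx]
                if regs.get(op[2], UNKNOWN)[1] >= ARRAY_LEN:
                    if spec_branch is None:
                        arch_unsafe = True                # real bug: always reject
                    else:
                        barriers.add(spec_branch)         # fence this branch
                    return
                regs = {**regs, op[1]: UNKNOWN}           # loaded value unknown
            elif op[0] == 'jge':                          # if r >= imm: goto target
                _, r, imm, target = op
                assert target > pc, 'toy model: forward jumps only'
                lo, hi = regs.get(r, UNKNOWN)
                if spec_branch is None:
                    run(target, {**regs, r: (max(lo, imm), hi)}, None, 0)
                    run(target, regs, pc, SPEC_WINDOW)    # mispredicted taken
                    run(pc + 1, regs, pc, SPEC_WINDOW)    # mispredicted not-taken
                    regs = {**regs, r: (lo, min(hi, imm - 1))}
                else:                                     # nested misprediction
                    run(target, regs, spec_branch, budget)
            pc += 1

    run(0, {}, None, 0)
    return arch_unsafe, barriers

def verify(prog, berrify):
    """Old policy: reject when any transient path is unsafe.
    Berrify-style: reject only architectural violations, fence the rest."""
    arch_unsafe, barriers = analyze(prog)
    if arch_unsafe or (barriers and not berrify):
        return 'rejected', set()
    return 'accepted', barriers

# Constructed sample: untrusted index r1, bounds-checked, then used as an index.
CHECKED = [('jge', 'r1', ARRAY_LEN, 3), ('load', 'r2', 'r1'), ('exit',), ('exit',)]
```

Under the old policy the sample is rejected because the not-taken direction of the check can be executed transiently; the Berrify-style policy accepts it and places one barrier at the branch (pc 0).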
The evaluation demonstrates that Berrify's performance impact is minimal, since it affects only the BPF program's own execution time, which is a small fraction of the overall application runtime. The authors also publish their Berrify implementation for the Linux v6.5 kernel, making it available for future research and practical use.
arxiv.org