http://dx.doi.org/10.13089/JKIISC.2022.32.2.213

BPFast: An eBPF/XDP-Based High-Performance Packet Payload Inspection System for Cloud Environments  

You, Myoung-sung (KAIST)
Kim, Jin-woo (Kwangwoon University)
Shin, Seung-won (KAIST)
Park, Tae-june (Chonnam National University)
Abstract
Containerization, a lightweight virtualization technology, enables agile deployments of enterprise-scale microservices in modern cloud environments. However, containerization also opens a new window for adversaries who aim to disrupt the cloud environments. Since microservices are composed of multiple containers connected through a virtual network, a single compromised container can carry out network-level attacks to hijack its neighboring containers. While existing solutions protect containers against such attacks by using network access controls, they still have severe limitations in terms of performance. More specifically, they significantly degrade network performance when processing packet payloads for L7 access controls (e.g., HTTP). To address this problem, we present BPFast, an eBPF/XDP-based payload inspection system for containers. BPFast inspects headers and payloads of packets at a kernel-level without any user-level components. We evaluate a prototype of BPFast on a Kubernetes environment. Our results show that BPFast outperforms state-of-the-art solutions by up to 7x in network latency and throughput.
Keywords
Cloud security; Network security; Payload inspection; eBPF
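The kernel-level header-and-payload walk the abstract describes, as an added example that is not BPFast's code: plain C that mirrors the XDP data/data_end bounds-check pattern over a constructed Ethernet/IPv4/TCP frame, so it compiles and runs without kernel headers. The L7 policy (only GET requests under /api/ on port 80), the VERDICT_* names and the packet builder are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
#define ETH_HLEN 14
#define PROTO_TCP 6
#define POLICY_PORT 80                 /* assumed: policy applies to HTTP on 80 */
enum verdict { VERDICT_DROP = 0, VERDICT_PASS = 1 };   /* mirror XDP_DROP / XDP_PASS */
/* Hypothetical L7 policy: only "GET /api/..." requests may reach the container. */
static const char ALLOW_METHOD[] = "GET ";
static const char ALLOW_PREFIX[] = "/api/";
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
/* Walk Ethernet -> IPv4 -> TCP -> payload; every advance is checked against
 * data_end before a byte is read, exactly what the eBPF verifier demands in XDP. */
int inspect_packet(const uint8_t *data, const uint8_t *data_end)
{
    const uint8_t *p = data;
    if (p + ETH_HLEN > data_end || be16(p + 12) != 0x0800) return VERDICT_PASS; /* not IPv4 */
    p += ETH_HLEN;
    if (p + 20 > data_end) return VERDICT_PASS;
    size_t ihl = (p[0] & 0x0f) * 4;
    if (ihl < 20 || p + ihl > data_end) return VERDICT_DROP;     /* malformed IP header */
    if (p[9] != PROTO_TCP) return VERDICT_PASS;
    p += ihl;
    if (p + 20 > data_end) return VERDICT_PASS;
    uint16_t dport = be16(p + 2);
    size_t doff = (p[12] >> 4) * 4;
    if (doff < 20 || p + doff > data_end) return VERDICT_DROP;   /* malformed TCP header */
    if (dport != POLICY_PORT) return VERDICT_PASS;               /* policy not in scope */
    p += doff;
    if (p == data_end) return VERDICT_PASS;                      /* SYN/ACK: no payload */
    size_t need = sizeof(ALLOW_METHOD) - 1 + sizeof(ALLOW_PREFIX) - 1;
    if (p + need > data_end) return VERDICT_DROP;                /* fail closed on short line */
    if (memcmp(p, ALLOW_METHOD, sizeof(ALLOW_METHOD) - 1) != 0) return VERDICT_DROP;
    if (memcmp(p + sizeof(ALLOW_METHOD) - 1, ALLOW_PREFIX, sizeof(ALLOW_PREFIX) - 1) != 0)
        return VERDICT_DROP;
    return VERDICT_PASS;
}
/* Test helper: builds a constructed Ethernet/IPv4/TCP frame (no checksums) carrying
 * `payload` to `dport` and returns the verdict inspect_packet gives it. */
int verdict_for(uint16_t dport, const char *payload)
{
    static uint8_t buf[256];
    size_t plen = strlen(payload);
    memset(buf, 0, sizeof buf);
    buf[12] = 0x08; buf[13] = 0x00;                    /* EtherType IPv4 */
    buf[ETH_HLEN] = 0x45;                               /* IPv4, IHL = 5 */
    buf[ETH_HLEN + 9] = PROTO_TCP;
    buf[ETH_HLEN + 22] = (uint8_t)(dport >> 8); buf[ETH_HLEN + 23] = (uint8_t)(dport & 0xff);
    buf[ETH_HLEN + 32] = 0x50;                          /* TCP data offset = 5 */
    memcpy(buf + ETH_HLEN + 40, payload, plen);
    return inspect_packet(buf, buf + ETH_HLEN + 40 + plen);
}
```

Because an XDP hook sees individual frames before TCP reassembly, a request line that is split across segments is invisible to a per-packet matcher, which is why this version fails closed on short payloads; a production policy has to account for that limitation explicitly.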