What is it about?
eBPF is a virtual machine (VM) technology used in the Linux kernel to augment the behaviour of the operating system on the fly. It is typically used for network traffic filtering or system observability. This paper uses eBPF on low-end embedded devices to run multiple applications on a single device while protecting the system from faults in the application logic. Because the programs execute inside the virtual machine, any error is caught by the VM and does not propagate into the system, where it could harm the other running processes. The paper describes the implementation of a software pipeline for deploying eBPF program logic on microcontrollers, together with a just-in-time (JIT) compiler that substantially reduces execution time and decreases program size by up to 50% compared to existing solutions for running eBPF on embedded devices.
Why is it important?
In recent years, the number of network-enabled microcontroller devices deployed in IoT applications has increased rapidly; it is estimated that as of 2024 around 25 billion IoT devices are deployed. Because these devices are connected to a network, this growth in connectivity also grows the attack surface exposed to malicious actors. The most common use cases of IoT devices are collecting data and controlling appliances (e.g. Smart Home). Attackers may try to compromise such devices to steal their users' data or to control them maliciously; they can also perform denial-of-service attacks or simply try to bring the systems down. Compartmentalization is a possible solution to this problem: a given application deployed in an IoT scenario is split into a set of separate components (compartments). The compartments are isolated from each other and interact only over safe communication channels. If one compartment is compromised or crashes during an attack, only that single unit fails, while the others continue to operate normally. Although eBPF was originally used inside the Linux kernel to augment the behaviour of the system on the fly, μBPF uses this technology as a general-purpose software fault isolation solution. μBPF is a deployment framework and an embedded eBPF virtual machine that allows compartmentalized applications to be deployed as multiple short eBPF programs which interact with each other and with the underlying operating system through eBPF helper function calls. μBPF also provides a just-in-time (JIT) compiler that transpiles eBPF instructions into ARMv7 instructions, which execute natively on the target microcontrollers. This achieves performance in line with native C and reduces the program executable size by up to 50%.
This is particularly desirable on microcontroller devices because they are often memory-constrained, and minimising program size means that more program logic can be deployed on the targeted embedded devices.
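To make the fault-isolation and helper-call mechanism described above concrete, here is a small interpreter for a subset of the standard eBPF instruction set with the checks a sandboxing VM needs: every load and store is bounds-checked against the context buffer and the 512-byte eBPF stack, the frame pointer r10 is read-only, division by zero and unknown opcodes are faults, helper calls go through a fixed table, and an instruction budget stops runaway loops. This is an added example written for this page; it is not code from the μBPF project or the paper, and all names (`ubpf_run`, `helper_publish`, `demo_*`), the `sensor_ctx` record and the three sample programs are constructed for illustration. Treating division by zero as a fault is a design choice here (the Linux kernel instead defines the result as 0); the opcode values follow the public eBPF encoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One 64-bit eBPF instruction: opcode, dst/src register nibbles, 16-bit offset, 32-bit immediate. */
typedef struct { uint8_t opcode; uint8_t regs; int16_t offset; int32_t imm; } bpf_insn;
#define INSN(op, dst, src, off, imm) { (op), (uint8_t)(((src) << 4) | (dst)), (off), (imm) }

typedef enum { UBPF_OK, UBPF_ERR_BAD_OPCODE, UBPF_ERR_DIV_BY_ZERO, UBPF_ERR_OOB_MEM,
               UBPF_ERR_BAD_HELPER, UBPF_ERR_STEP_LIMIT, UBPF_ERR_BAD_JUMP, UBPF_ERR_BAD_REG } ubpf_status;

#define UBPF_STACK_SIZE  512     /* eBPF programs get a 512-byte stack below r10 */
#define UBPF_MAX_STEPS   10000   /* instruction budget: a looping compartment cannot hang the host */
#define UBPF_NUM_HELPERS 8

typedef uint64_t (*ubpf_helper)(uint64_t, uint64_t, uint64_t, uint64_t, uint64_t);

typedef struct {
    const bpf_insn *prog;
    size_t len;                            /* number of instructions */
    ubpf_helper helpers[UBPF_NUM_HELPERS]; /* the only host functions a program may call */
    uint8_t stack[UBPF_STACK_SIZE];
} ubpf_vm;

/* A memory access is legal only if it lies entirely inside the context buffer or the VM stack. */
static int mem_ok(const ubpf_vm *vm, const void *ctx, size_t ctx_len, uint64_t addr, size_t size)
{
    uint64_t c = (uint64_t)(uintptr_t)ctx, s = (uint64_t)(uintptr_t)vm->stack;
    if (addr + size < addr) return 0;      /* address arithmetic wrapped around */
    return (addr >= c && addr + size <= c + ctx_len) ||
           (addr >= s && addr + size <= s + UBPF_STACK_SIZE);
}

/* Interpret the program. Every fault is reported as a status code; the host keeps running. */
ubpf_status ubpf_run(ubpf_vm *vm, void *ctx, size_t ctx_len, uint64_t *result)
{
    uint64_t r[11] = {0};
    r[1] = (uint64_t)(uintptr_t)ctx;                           /* r1 = context pointer on entry */
    r[10] = (uint64_t)(uintptr_t)vm->stack + UBPF_STACK_SIZE;  /* r10 = read-only frame pointer */
    size_t pc = 0, steps = 0;
    for (;;) {
        if (pc >= vm->len) return UBPF_ERR_BAD_JUMP;           /* jumped or ran off the end */
        if (++steps > UBPF_MAX_STEPS) return UBPF_ERR_STEP_LIMIT;
        bpf_insn in = vm->prog[pc++];
        unsigned dst = in.regs & 0x0f, src = in.regs >> 4;
        int64_t k = in.imm;                                    /* immediates are sign-extended */
        if (dst > 10 || src > 10) return UBPF_ERR_BAD_REG;
        /* Only stores, jumps, call and exit may name r10 as dst without writing it. */
        if (dst == 10 && in.opcode != 0x7b && in.opcode != 0x15 && in.opcode != 0x05 &&
            in.opcode != 0x85 && in.opcode != 0x95) return UBPF_ERR_BAD_REG;
        switch (in.opcode) {
        case 0xb7: r[dst] = (uint64_t)k; break;                /* mov64 dst, imm */
        case 0xbf: r[dst] = r[src]; break;                     /* mov64 dst, src */
        case 0x07: r[dst] += (uint64_t)k; break;               /* add64 dst, imm */
        case 0x0f: r[dst] += r[src]; break;                    /* add64 dst, src */
        case 0x37: if (k == 0) return UBPF_ERR_DIV_BY_ZERO; r[dst] /= (uint64_t)k; break;
        case 0x3f: if (r[src] == 0) return UBPF_ERR_DIV_BY_ZERO; r[dst] /= r[src]; break;
        case 0x79: {                                           /* ldxdw dst = *(u64 *)(src + off) */
            uint64_t a = r[src] + (int64_t)in.offset;
            if (!mem_ok(vm, ctx, ctx_len, a, 8)) return UBPF_ERR_OOB_MEM;
            memcpy(&r[dst], (void *)(uintptr_t)a, 8); break; }
        case 0x7b: {                                           /* stxdw *(u64 *)(dst + off) = src */
            uint64_t a = r[dst] + (int64_t)in.offset;
            if (!mem_ok(vm, ctx, ctx_len, a, 8)) return UBPF_ERR_OOB_MEM;
            memcpy((void *)(uintptr_t)a, &r[src], 8); break; }
        case 0x15: if (r[dst] == (uint64_t)k) pc = (size_t)((int64_t)pc + in.offset); break; /* jeq */
        case 0x05: pc = (size_t)((int64_t)pc + in.offset); break;                           /* ja  */
        case 0x85:                                             /* call helper #imm with r1..r5 */
            if (in.imm < 0 || in.imm >= UBPF_NUM_HELPERS || !vm->helpers[in.imm]) return UBPF_ERR_BAD_HELPER;
            r[0] = vm->helpers[in.imm](r[1], r[2], r[3], r[4], r[5]); break;
        case 0x95: *result = r[0]; return UBPF_OK;             /* exit: r0 is the return value */
        default: return UBPF_ERR_BAD_OPCODE;
        }
    }
}

/* Host side of the example (constructed): a context record, one helper, and three compartments. */
typedef struct { uint64_t sum; uint64_t count; } sensor_ctx;
static uint64_t g_published;                                   /* host-side sink written by helper 1 */

static uint64_t helper_publish(uint64_t v, uint64_t a, uint64_t b, uint64_t c, uint64_t d)
{
    (void)a; (void)b; (void)c; (void)d;
    g_published = v;
    return v;
}

static ubpf_status run_program(const bpf_insn *prog, size_t len, sensor_ctx *ctx, uint64_t *out)
{
    static ubpf_vm vm;                                         /* statically allocated, as on an MCU */
    memset(&vm, 0, sizeof vm);
    vm.prog = prog; vm.len = len; vm.helpers[1] = helper_publish;
    return ubpf_run(&vm, ctx, sizeof *ctx, out);
}

/* Well-behaved compartment: average = sum / count, spilled through the eBPF stack, then published. */
ubpf_status demo_average(uint64_t sum, uint64_t count, uint64_t *out)
{
    static const bpf_insn prog[] = {
        INSN(0x79, 2, 1, 0, 0),    /* r2 = ctx->sum   */
        INSN(0x79, 3, 1, 8, 0),    /* r3 = ctx->count */
        INSN(0x3f, 2, 3, 0, 0),    /* r2 = r2 / r3 (faults if count == 0) */
        INSN(0x7b, 10, 2, -8, 0),  /* *(r10 - 8) = r2 */
        INSN(0x79, 1, 10, -8, 0),  /* r1 = *(r10 - 8) */
        INSN(0x85, 0, 0, 0, 1),    /* r0 = helper_publish(r1) */
        INSN(0x95, 0, 0, 0, 0),    /* exit */
    };
    sensor_ctx ctx = { sum, count };
    return run_program(prog, sizeof prog / sizeof prog[0], &ctx, out);
}

/* Faulty compartment: reads 64 bytes past a 16-byte context. Caught as UBPF_ERR_OOB_MEM. */
ubpf_status demo_out_of_bounds(uint64_t *out)
{
    static const bpf_insn prog[] = { INSN(0x79, 0, 1, 64, 0), INSN(0x95, 0, 0, 0, 0) };
    sensor_ctx ctx = { 0, 0 };
    return run_program(prog, sizeof prog / sizeof prog[0], &ctx, out);
}

/* Runaway compartment: jumps to itself forever. Caught as UBPF_ERR_STEP_LIMIT. */
ubpf_status demo_runaway(uint64_t *out)
{
    static const bpf_insn prog[] = { INSN(0x05, 0, 0, -1, 0), INSN(0x95, 0, 0, 0, 0) };
    sensor_ctx ctx = { 0, 0 };
    return run_program(prog, sizeof prog / sizeof prog[0], &ctx, out);
}
```

The point to take from the three programs is that the faulty and runaway compartments return a status code to the host exactly like the well-behaved one does; nothing dereferences outside the context or VM stack and no host state other than the helper's sink is touched. A JIT such as the paper's replaces the `switch` with native ARMv7 code, but the bounds checks, helper table and step accounting are the parts that carry the isolation guarantee and must survive that translation.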
Read the Original
This page is a summary of: μBPF: Using eBPF for Microcontroller Compartmentalization, August 2024, ACM (Association for Computing Machinery),
DOI: 10.1145/3672197.3673433.