bpfbox: Simple Precise Process Confinement with eBPF and KRSI William Findlay October 28, 2020 bpfbox at a Glance ▶ bpfbox is a novel process confinement mechanism for Linux using eBPF ▶ Users write security solutions We have an opportunity to rethink process confinement from the ground up. 3 / 7 bpfbox Implementation ▶ Userspace daemon using the Python3 bcc framework ▶ Kernelspace components are (KRSI), kprobes, uprobes, tracepoints ▶ Under 2000 source lines of kernelspace code ▶ Thanks to eBPF, bpfbox is light-weight, flexible, and production-safe ▶ Works out of the box on any vanilla Linux kernel