eBPF TRAFFIC CONTROL ENCRYPTION
Leung, Jason
Permalink
https://hdl.handle.net/2142/124981
Description
- Title
- eBPF TRAFFIC CONTROL ENCRYPTION
- Author(s)
- Leung, Jason
- Issue Date
- 2021-12-01
- Keyword(s)
- eBPF, Network Security
- Abstract
- As the world continues to digitize, the secure transferring of data becomes an increasing priority for end-users. However, with the open-ended flexibility of the modern network stack, there is no guarantee of some base-level confidentiality; instead, it is up to the application to secure the communication. As a result, many people have turned to Virtual Private Networks (VPNs) as a run-time dynamic way to ensure the security (and anonymity) of their connection. While this solves the problem for users of applications, there is no VPN equivalent for securing network back-end communications and data. Furthermore, because of the sensitivity of backend server data, malicious code with user-level privileges poses a real threat to the exfiltration of important information. In this paper, we propose eTCE (/ets/, eBPF Traffic Control Encryption) as a kernel-level encryption protocol that mirrors the “Plug-and-Play” nature of VPNs for cloud application backend developers. By loading an eBPF program onto the traffic control layer at runtime, eTCE can intercept and encrypt packets before they are sent to the Network Interface Card (NIC). Initial results demonstrate that eTCE is capable of transparently providing an assured level of encryption with extremely low overheads while also protecting against vulnerabilities that exist in user-level network encryption schemes without needing to stop the system or recompile the kernel.
- Type of Resource
- text
- Language
- eng
Owning Collections
Senior Theses - Electrical and Computer Engineering PRIMARY
The best of ECE undergraduate research