BeeGuard: Explainability-based Policy Enforcement of eBPF Codes for Cloud-native Environments

Conference: 17th International Conference on COMmunication Systems and NETworks (COMSNETS), Chancery Pavilion Hotel, Residency Road, Bengaluru, India, 2025

Neha Chowdhary, Utkalika Satapathy, Theophilus Benson, Subhrendu Chattopadhyay, Palani Kodeswaran, Sayandeep Sen, Sandip Chakraborty

Abstract

eBPF enables loading user space code into the kernel, thereby extending the kernel functionalities in an application-aware manner. This flexibility has led to the widespread adoption of the technology across hyperscalers and enterprises for several use cases, including observability, security, network policy enforcement, etc. In general, the safety of the loaded eBPF programs is ensured through a kernel verifier that performs different syntactic/structural checks to secure the kernel against unwanted crashes. In this paper, we motivate the case that this verifier-based security check, while necessary, is insufficient to ensure that the deployed eBPF code complies with organizational policies. Consequently, we propose BeeGuard, a framework that analyzes program behavior to extract capability lists from eBPF programs. BeeGuard introduces a policy compliance layer on top of the existing verifier, and the extracted capability list of a program is then checked against organizational policies to allow or block loading the program. Thorough experiments across the most popular open-source eBPF tools show that BeeGuard can enforce typical enterprise policies with minimal overhead in terms of loading latency and resource utilization.

Overview

A smarter way to keep eBPF programs from conflicting with organizational policy: this framework extends the existing eBPF verifier, analyzing eBPF program behavior to extract capability labels and enforcing organizational policies, so that only organization-compliant code gets deployed.

Let's say an enterprise actively deploys eBPF programs across various departments, only to realize that a malicious program could unintentionally access sensitive data. While the eBPF verifier checks for safety, it doesn't ensure compliance with organizational policies.

BeeGuard solves this by extracting the program's true capabilities, comparing them against organizational rules, and blocking non-compliant code before it runs, ensuring security, compliance, and ease of management.

Key Contributions

  • Creating Behavioral Profiles for eBPF Programs: BeeGuard uses a modified code analyzer module to build a behavioral model of an eBPF program that is understandable even to policy makers with little or no knowledge of eBPF constructs, and that accurately captures the program's key behaviors without instrumenting the source code.
  • Runtime Risk Analysis of eBPF Programs: eBPF programs deployed inside the kernel are highly privileged, and analyzing their risk at runtime is non-trivial; BeeGuard addresses this with an in-kernel policy compliance layer.
  • Point of Policy Implementation: BeeGuard balances implementing policies in kernel space (for security) against user space (for ease of policy modification) by separating policy management from policy enforcement.
  • Implementing Source Control for eBPF Programs: BeeGuard incorporates an in-kernel source-control primitive to ensure that eBPF programs from a trustworthy source have not been compromised, without relying on any third-party or user-space application.
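The abstract and the first two contributions describe a two-stage pipeline: derive a capability profile from the program's code rather than its source, then let an organizational policy decide whether loading is allowed. The following Python is an added illustration of that idea and is not BeeGuard's code or its behavioral model. It assumes a constructed instruction listing modeled on the text format of `bpftool prog dump xlated`, a hypothetical helper-to-capability mapping (`HELPER_CAPABILITIES`), and a hypothetical `Policy` shape; helpers the model does not know are treated as a violation, so an unexpected capability fails closed rather than slipping past the check.

```python
import re
from dataclasses import dataclass

# Constructed sample input modeled on the line format of `bpftool prog dump xlated`.
# It is not output captured from a real program.
SAMPLE_LISTING = """\
   0: (bf) r6 = r1
   1: (85) call bpf_get_current_pid_tgid#14
   2: (63) *(u32 *)(r10 -4) = r0
   3: (85) call bpf_get_current_comm#16
   4: (85) call bpf_probe_read_user#112
   5: (85) call bpf_map_update_elem#2
   6: (85) call bpf_probe_write_user#36
   7: (95) exit
"""

# Hypothetical helper -> capability-label mapping for this example. The helper names
# are real eBPF helpers; the labels and grouping are an assumption, not BeeGuard's model.
HELPER_CAPABILITIES = {
    "bpf_get_current_pid_tgid": "process_identity",
    "bpf_get_current_comm": "process_identity",
    "bpf_probe_read_kernel": "read_kernel_memory",
    "bpf_probe_read_user": "read_user_memory",
    "bpf_probe_write_user": "write_user_memory",
    "bpf_override_return": "alter_kernel_control_flow",
    "bpf_send_signal": "signal_process",
    "bpf_map_lookup_elem": "map_read",
    "bpf_map_update_elem": "map_write",
    "bpf_map_delete_elem": "map_write",
}

# Matches the helper name in a `call <helper>#<id>` instruction line.
CALL_RE = re.compile(r"\bcall\s+(\w+)#")


def extract_capabilities(listing: str) -> set[str]:
    """Build the capability profile of a program from its instruction listing.

    Only helper calls are inspected, so no source instrumentation is needed.
    A helper absent from the model yields an `unknown_helper:<name>` label,
    which no policy allows by default.
    """
    caps: set[str] = set()
    for match in CALL_RE.finditer(listing):
        helper = match.group(1)
        caps.add(HELPER_CAPABILITIES.get(helper, f"unknown_helper:{helper}"))
    return caps


@dataclass(frozen=True)
class Policy:
    """Organizational policy for one class of program (hypothetical shape)."""
    allowed: frozenset[str]   # capabilities the organization permits
    denied: frozenset[str]    # capabilities explicitly forbidden (checked first)


def evaluate(caps: set[str], policy: Policy) -> tuple[bool, list[str]]:
    """Return (may_load, sorted violations). A capability violates the policy if it
    is explicitly denied or simply not in the allowed set (default deny)."""
    violations = sorted(c for c in caps if c in policy.denied or c not in policy.allowed)
    return (not violations, violations)


def decide_load(listing: str, policy: Policy) -> tuple[bool, list[str]]:
    """Full pipeline: profile the program, then apply the policy."""
    return evaluate(extract_capabilities(listing), policy)


# Example policy: an observability-only program may read memory and maps and learn
# process identity, but may never write into user memory or alter kernel control flow.
OBSERVABILITY_POLICY = Policy(
    allowed=frozenset({"process_identity", "read_user_memory", "read_kernel_memory",
                       "map_read", "map_write"}),
    denied=frozenset({"write_user_memory", "alter_kernel_control_flow", "signal_process"}),
)

if __name__ == "__main__":
    ok, why = decide_load(SAMPLE_LISTING, OBSERVABILITY_POLICY)
    print("load allowed" if ok else f"load blocked: {why}")
```

The profile is a set of labels rather than a list of helper names, which is the point of the first contribution: a reviewer who has never written eBPF can read `write_user_memory` and decide whether an observability tool should have it. In a deployment the listing would come from the loaded object itself and the decision would sit in the kernel-side compliance layer the paper describes; here both ends are simulated in user space.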

Bibtex

@inproceedings{chowdhary2025beeguard,
  title={BeeGuard: Explainability-based policy enforcement of ebpf codes for cloud-native environments},
  author={Chowdhary, Neha and Satapathy, Utkalika and Benson, Theophilus and Chattopadhyay, Subhrendu and Kodeswaran, Palani and Sen, Sayandeep and Chakraborty, Sandip},
  booktitle={2025 17th International Conference on COMmunication Systems and NETworks (COMSNETS)},
  pages={757--765},
  year={2025},
  organization={IEEE}
}

Cite

Chowdhary, N., Satapathy, U., Benson, T., Chattopadhyay, S., Kodeswaran, P., Sen, S., & Chakraborty, S. (2025, January). BeeGuard: Explainability-based policy enforcement of ebpf codes for cloud-native environments. In 2025 17th International Conference on COMmunication Systems and NETworks (COMSNETS) (pp. 757-765). IEEE.
