BPF-based kernel exploit shielding presented at LSFMM+BPF

lwn.net · ⭐️ 8/10 · 2026-07-13

John Fastabend of Cisco presented a technique at the 2026 LSFMM+BPF Summit that uses BPF to quickly shield running Linux kernels from exploits, potentially reducing response time from months to minutes. This approach could dramatically improve security for devices with custom kernels, like Cisco switches, where patching is slow and disruptive. It also underscores the need for additional kernel hooks to make BPF-based shielding fully effective. Tetragon, an open-source BPF-based monitoring tool, collects event data into a time-series database for post-exploit analysis. BPF can override system call return values and leverage Linux Security Module hooks to block exploits without rebooting.

Background

BPF (Berkeley Packet Filter) is a Linux kernel technology that allows running sandboxed programs in kernel space for observability and security enforcement. Tetragon is an open-source tool that uses BPF for monitoring and enforcement. Yocto is a framework for building custom Linux distributions, often used in embedded devices like network switches.

References

Read original