Combining system visibility and security using eBPF

Deri, L.
2019

Abstract

Network security is traditionally based on the analysis and dissection of network packets. The widespread use of encryption and the growth of network traffic have created many challenges in terms of visibility and performance, making security tools less effective and harder to deploy and maintain as network size and speed increase. The advent of eBPF in modern Linux systems enables introspection and adds the ability to inject code into the kernel at specific tracepoints. This work leverages eBPF to combine system introspection with a novel system-level security policer that enables the creation of fine-grained security policies tailored to specific users, processes and containers. This is a major advance for network security applications, which can use system introspection to enrich the information extracted from network packets, paving the way for system- and network-aware security policies that combine visibility and security at a fraction of the computational cost of existing solutions.
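The abstract's central point is that a policy keyed only on packet fields cannot tell apart two connections that differ only in which process, user or container opened them. The following is an added illustration, not code from the paper: a minimal first-match policy evaluator over connection events of the kind an eBPF probe on the connect path (for instance a kprobe on tcp_v4_connect) could deliver to user space, enriched with pid, comm, uid and container. The events, the rule set and the field names are constructed for this example and are not the paper's data structures.

```python
"""Illustrative policy evaluator for system-enriched connection events.

Assumption: an eBPF probe on the connect path has already emitted one Event
per outbound connection, carrying the destination plus the originating
process, user and container. Everything below is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Event:
    pid: int
    comm: str                  # process name as seen by the kernel (task comm)
    uid: int
    container: Optional[str]   # None for processes outside any container
    daddr: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """A rule matches when every field that is set equals the event's field."""
    action: str                 # "allow" or "deny"
    comm: Optional[str] = None
    uid: Optional[int] = None
    container: Optional[str] = None
    dst: Optional[str] = None   # CIDR, e.g. "10.1.2.3/32"
    dport: Optional[int] = None

    def matches(self, ev: Event) -> bool:
        if self.comm is not None and self.comm != ev.comm:
            return False
        if self.uid is not None and self.uid != ev.uid:
            return False
        if self.container is not None and self.container != ev.container:
            return False
        if self.dst is not None and ip_address(ev.daddr) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != ev.dport:
            return False
        return True


def decide(rules, ev: Event, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action
    return default


def apply_policy(rules, events):
    return [(ev, decide(rules, ev)) for ev in events]


def packet_key(ev: Event):
    """What a packet-only policer sees: the network side of the event alone."""
    return (ev.proto, ev.daddr, ev.dport)


# Constructed policy (hypothetical host): root may fetch packages over 443 but
# otherwise may not open connections; the "app" container may reach the DB;
# ordinary users may browse over 443. Everything else is denied.
POLICY = [
    Rule("allow", comm="apt-get", uid=0, dport=443),
    Rule("deny", uid=0),
    Rule("allow", container="app", dst="10.1.2.3/32", dport=5432),
    Rule("allow", uid=1000, dport=443),
]

# Constructed events, as an enriched connect probe could report them.
EVENTS = [
    Event(1201, "python3", 1000, "app", "10.1.2.3", 5432),
    Event(1302, "nginx", 33, "web", "10.1.2.3", 5432),
    Event(2001, "apt-get", 0, None, "203.0.113.10", 443),
    Event(2002, "bash", 0, None, "203.0.113.10", 443),
    Event(3001, "firefox", 1000, None, "198.51.100.5", 443),
]

if __name__ == "__main__":
    for ev, verdict in apply_policy(POLICY, EVENTS):
        print(f"{verdict:5} pid={ev.pid} comm={ev.comm} uid={ev.uid} "
              f"container={ev.container} -> {ev.daddr}:{ev.dport}")
    # The two root connections share a packet key yet get opposite verdicts.
    print(packet_key(EVENTS[2]) == packet_key(EVENTS[3]))
```

The last two sample events are the point of the exercise: apt-get and an interactive shell connect to the same destination and port, so a packet-level policer holds one key for both, while the process-aware rule set allows the first and denies the second.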
Istituto di informatica e telematica - IIT
Keywords: Traffic Monitoring; Network Security; eBPF; Software Containers
Files for this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/419589
Citations
  • Scopus: 9