Per https://authors.ietf.org/en/required-content#security-considerations, the BPF ISA draft is required to have a Security Considerations section before it can become an RFC. Below is strawman text that tries to strike a balance between discussing security issues and solutions vs. keeping details out of scope that belong in other documents, like the "verifier expectations and building blocks for allowing safe execution of untrusted BPF programs" document that is a separate item on the IETF WG charter.

Proposed text:

> Security Considerations
>
> BPF programs could use BPF instructions to do malicious things with memory,
> CPU, networking, or other system resources. This is not fundamentally different
> from any other type of software that may run on a device. Execution environments
> should be carefully designed to only run BPF programs that are trusted or verified,
> and sandboxing and privilege level separation are key strategies for limiting
> security and abuse impact. For example, BPF verifiers are well-known and widely
> deployed and are responsible for ensuring that BPF programs will terminate
> within a reasonable time, only interact with memory in safe ways, and adhere to
> platform-specified API contracts. The details are out of scope of this document
> (but see [LINUX] and [PREVAIL]), but this level of verification can often provide a
> stronger level of security assurance than for other software and operating system
> code.
>
> Executing programs using the BPF instruction set also requires either an interpreter
> or a JIT compiler to translate them to hardware processor native instructions. In
> general, interpreters are considered a source of insecurity (e.g., gadgets susceptible
> to side-channel attacks due to speculative execution) and are not recommended.
>
> Informative References:
>
> [LINUX] "eBPF verifier", https://www.kernel.org/doc/html/latest/bpf/verifier.html
>
> [PREVAIL] Elazar Gershuni, Nadav Amit, Arie Gurfinkel, Nina Narodytska, Jorge
> A. Navas, Noam Rinetzky, Leonid Ryzhyk, and Mooly Sagiv. "Simple and Precise
> Static Analysis of Untrusted Linux Kernel Extensions." In Proceedings of the 40th
> ACM SIGPLAN Conference on Programming Language Design and Implementation,
> pp. 1069-1084. 2019.
> https://pldi19.sigplan.org/details/pldi-2019-papers/44/Simple-and-Precise-Static-Analysis-of-Untrusted-Linux-Kernel-Extensions

Dave
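As an added illustration of the two verifier properties the proposed text names (termination and safe memory access), here is a toy static checker. It is not part of the message above, and it is neither the Linux verifier nor PREVAIL: it decodes the standard 64-bit BPF instruction encoding but enforces only the classic no-backward-jump rule for termination and frame-pointer-relative bounds for stack accesses, rejecting anything it does not model (helper calls, loads through registers other than r10). The three sample programs are constructed for this example.

```python
"""Toy static checker for a small subset of the BPF instruction set.

Constructed example: not the Linux verifier and not PREVAIL. It shows, in the
simplest possible form, how a verifier can refuse programs that might not
terminate (here: any backward jump) and programs whose memory accesses are not
provably inside a known region (here: the 512-byte stack frame below r10).
"""
import struct

# Instruction class (low 3 bits of the opcode byte)
BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_ALU64 = 0x01, 0x02, 0x03, 0x04, 0x05, 0x07
BPF_MEM = 0x60                                   # addressing mode: plain load/store
BPF_W, BPF_H, BPF_B, BPF_DW = 0x00, 0x08, 0x10, 0x18
SIZES = {BPF_W: 4, BPF_H: 2, BPF_B: 1, BPF_DW: 8}  # access width in bytes
BPF_JA, BPF_JEQ, BPF_CALL, BPF_EXIT = 0x00, 0x10, 0x80, 0x90   # jump opcodes
BPF_ADD, BPF_MOV = 0x00, 0xB0                    # ALU opcodes
BPF_K, BPF_X = 0x00, 0x08                        # source: immediate / register
FP, STACK_SIZE = 10, 512                         # r10 is the read-only frame pointer


def insn(opcode, dst=0, src=0, off=0, imm=0):
    """Encode one 64-bit BPF instruction (little-endian, as the Linux ABI does)."""
    return struct.pack("<BBhi", opcode, (src << 4) | dst, off, imm)


def decode(prog):
    """Split a byte string into (opcode, dst, src, off, imm) tuples."""
    if len(prog) % 8:
        raise ValueError("program length is not a multiple of 8")
    out = []
    for i in range(0, len(prog), 8):
        op, regs, off, imm = struct.unpack_from("<BBhi", prog, i)
        out.append((op, regs & 0xF, regs >> 4, off, imm))
    return out


def verify(prog):
    """Return a list of rejection reasons; an empty list means the program passed."""
    insns = decode(prog)
    if not insns:
        return ["empty program"]
    errors = []
    for idx, (op, dst, src, off, imm) in enumerate(insns):
        cls = op & 0x07
        if dst > FP or src > FP:
            errors.append(f"insn {idx}: register out of range")
            continue
        if cls in (BPF_ALU, BPF_ALU64):
            if dst == FP:
                errors.append(f"insn {idx}: frame pointer is read-only")
        elif cls == BPF_JMP:
            jop = op & 0xF0
            if jop == BPF_EXIT:
                continue
            if jop == BPF_CALL:
                errors.append(f"insn {idx}: helper calls not modelled")
                continue
            target = idx + off + 1              # BPF jump offsets are relative to the next insn
            if target <= idx:
                errors.append(f"insn {idx}: backward jump to {target} (possible unbounded loop)")
            elif target >= len(insns):
                errors.append(f"insn {idx}: jump target {target} outside program")
        elif cls in (BPF_LDX, BPF_ST, BPF_STX):
            if op & 0xE0 != BPF_MEM:
                errors.append(f"insn {idx}: unsupported addressing mode")
                continue
            base = src if cls == BPF_LDX else dst   # register holding the address
            if base != FP:
                errors.append(f"insn {idx}: memory access through r{base}, only r10 is known-safe here")
                continue
            size = SIZES[op & 0x18]
            if off < -STACK_SIZE or off + size > 0:  # must lie within [r10-512, r10)
                errors.append(f"insn {idx}: stack access [{off},{off + size}) outside frame")
            if cls == BPF_LDX and dst == FP:
                errors.append(f"insn {idx}: frame pointer is read-only")
        else:
            errors.append(f"insn {idx}: unsupported opcode 0x{op:02x}")
    last_op = insns[-1][0]
    if (last_op & 0x07) != BPF_JMP or (last_op & 0xF0) != BPF_EXIT:
        errors.append("program does not end with exit")
    return errors


# Constructed sample programs.
SAFE_PROG = b"".join([
    insn(BPF_ALU64 | BPF_MOV | BPF_K, dst=1, imm=42),          # r1 = 42
    insn(BPF_STX | BPF_MEM | BPF_DW, dst=FP, src=1, off=-8),   # *(u64 *)(r10 - 8) = r1
    insn(BPF_LDX | BPF_MEM | BPF_DW, dst=0, src=FP, off=-8),   # r0 = *(u64 *)(r10 - 8)
    insn(BPF_JMP | BPF_JEQ | BPF_K, dst=0, off=1, imm=42),     # if r0 == 42 goto +1
    insn(BPF_ALU64 | BPF_MOV | BPF_K, dst=0, imm=0),           # r0 = 0
    insn(BPF_JMP | BPF_EXIT),                                  # exit
])
LOOP_PROG = b"".join([
    insn(BPF_ALU64 | BPF_MOV | BPF_K, dst=0, imm=0),           # r0 = 0
    insn(BPF_ALU64 | BPF_ADD | BPF_K, dst=0, imm=1),           # r0 += 1
    insn(BPF_JMP | BPF_JA, off=-2),                            # goto -2 (back to r0 += 1)
    insn(BPF_JMP | BPF_EXIT),
])
OOB_PROG = b"".join([
    insn(BPF_ALU64 | BPF_MOV | BPF_K, dst=1, imm=1),
    insn(BPF_STX | BPF_MEM | BPF_DW, dst=FP, src=1, off=8),    # write above the frame
    insn(BPF_ALU64 | BPF_MOV | BPF_K, dst=2, imm=0),
    insn(BPF_LDX | BPF_MEM | BPF_DW, dst=0, src=2, off=0),     # load through an unverified pointer
    insn(BPF_JMP | BPF_EXIT),
])

if __name__ == "__main__":
    for name, prog in (("safe", SAFE_PROG), ("loop", LOOP_PROG), ("oob", OOB_PROG)):
        print(name, verify(prog) or "OK")
```

Real verifiers do much more (they track register types and value ranges so that loads through map and packet pointers can be proven safe, and since Linux 5.3 they accept loops whose bound they can establish); the point of the toy is only that each property in the proposed text corresponds to a concrete, mechanical check on the instruction stream rather than to trust in the program's author.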