
BBArmor: a Dynamic BPF-to-BPF LSM-Based Enforcement Tool

Piras, Fabio; Lettieri, Giuseppe; Procissi, Gregorio
2025-01-01

Abstract

In modern-day applications, eBPF has emerged as a powerful mechanism for extensible networking, observability, and security. Yet its elevated in-kernel privileges also create new attack avenues, since third-party tooling and supply-chain compromises can introduce malicious BPF loaders. A stealthy attacker may embed trojaned eBPF programs in legitimate tools and applications, or exploit vulnerable plugins to gain CAP_BPF rights, then probe syscalls, trace kernel events and exfiltrate sensitive data, often without raising traditional alarms. In this paper we propose a threat model that encompasses these attack vectors for infrastructure administrators and semi-trusted cloud environments, where BPF itself becomes both a tool and a target. We introduce BPF-to-BPF Armor (BBArmor), a prototype solution that enforces stricter controls over BPF syscall usage, isolates BPF programs based on provenance and trust levels, and blocks anomalous BPF interactions indicative of compromise. Our evaluation demonstrates that BBArmor mitigates BPF syscall misuse with minimal performance overhead, strengthening security against evolving supply-chain and software-supply threats.
2025
978-3-903176-75-1
Files in this record:
No files are associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11568/1345629

Warning: the data displayed has not been validated by the university.
