BeeGuard: Explainability-based Policy Enforcement of eBPF Codes for Cloud-native Environments

Download PDF
Open Webpage

Neha Chowdhary, Utkalika Satapathy, Theophilus Benson, Subhrendu Chattopadhyay, Palani Kodeswaran, Sayandeep Sen, Sandip Chakraborty

Published: 2025, Last Modified: 28 May 2026COMSNETS 2025EveryoneRevisionsBibTeXCC BY-SA 4.0
Abstract: eBPF enables loading user space code into the kernel, thereby extending the kernel functionalities in an application-aware manner. This flexibility has led to the widespread adoption of the technology across hyperscalers and enterprises for several use cases, including observability, security, network policy enforcement, etc. In general, the safety of the loaded eBPF programs are ensured through a kernel verifier that performs different syntactic/structural checks to secure the kernel against unwanted crashes. In this paper, we motivate the case that this verifier-based security check, while necessary, is insufficient to ensure that the deployed eBPF code complies with organizational policies. Consequently, we propose BeeGuard, a framework to understand program behavior to extract capability lists from eBPF programs. BeeGuard introduces a policy compliance layer on top of the existing verifier, and the extracted capability lists of a program are then checked against organizational policies to allow or block loading the programs. Thorough experiments across the most popular open-source eBPF tools show that BeeGuard can enforce typical enterprise policies with minimal overhead in terms of loading latency and resource utilization.