Explainability-based Policy Enforcement of eBPF Codes for Cloud-native Environments

Key Features


Let's say an enterprise actively deploys eBPF programs across various departments, only to realize that a malicious program could unintentionally access sensitive data. While the eBPF Verifier checks for safety, it doesn’t ensure compliance with organizational policies.

BeeGuard helps solve this by extracting the program’s true capabilities, comparing them against organizational rules, and blocking non-compliant code before it runs -- ensuring security, compliance, and ease of management!

  • Creating a Behavioral Profile for eBPF Programs: BeeGuard uses a modified Code Analyzer module to build a behavioral model of an eBPF program. The model accurately captures the program's key behaviors without instrumenting the source code, and it can be understood even by policy makers with little or no understanding of eBPF constructs.
  • Runtime Risk Analysis of eBPF Programs: eBPF programs deployed inside the kernel are highly privileged, and analyzing their risk at runtime is non-trivial. BeeGuard does this with an in-kernel policy compliance layer.
  • Point of Implementation of Policy: BeeGuard balances implementing policies in kernel space (for security) and in user space (for ease of policy modification) by separating policy management from enforcement.
  • Implementing Source Control in eBPF Programs: BeeGuard incorporates an in-kernel source-control primitive to ensure that eBPF programs come uncompromised from a trustworthy source, without relying on any third-party or user-space application.
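
The profile-then-enforce idea in the list above, sketched as an added example that is not BeeGuard's own code and runs in user space purely for illustration. The helper names are real kernel helpers; the profile schema, capability labels, policy format and sample programs are assumptions constructed for this example.

```python
# Hypothetical mapping from eBPF helper calls to plain-language capabilities.
# Helper names are real kernel helpers; the capability labels are assumed.
CAPABILITIES = {
    "bpf_map_lookup_elem": "use-maps",
    "bpf_map_update_elem": "use-maps",
    "bpf_ktime_get_ns": "read-clock",
    "bpf_probe_read_user": "read-user-memory",
    "bpf_probe_read_kernel": "read-kernel-memory",
    "bpf_probe_write_user": "write-user-memory",
    "bpf_override_return": "alter-kernel-return",
    "bpf_send_signal": "signal-process",
}

def behavioral_profile(prog):
    """Summarize a program as capabilities; unmapped helpers stay visible."""
    caps = {CAPABILITIES.get(h, f"unclassified:{h}") for h in prog["helpers"]}
    return {"name": prog["name"], "type": prog["type"],
            "source": prog["source"], "capabilities": caps}

def violations(profile, policy):
    """Return readable reasons the profile breaks the policy (empty = compliant)."""
    out = []
    if profile["source"] not in policy["trusted_sources"]:
        out.append(f"untrusted source: {profile['source']}")
    if profile["type"] not in policy["allowed_types"]:
        out.append(f"program type not allowed: {profile['type']}")
    # Fail closed: anything not explicitly allowed is reported,
    # including helpers the mapping does not classify.
    for cap in sorted(profile["capabilities"] - policy["allowed_capabilities"]):
        out.append(f"capability not allowed: {cap}")
    return out

# Constructed policy and programs; both programs could pass the verifier.
POLICY = {
    "trusted_sources": {"platform-team"},
    "allowed_types": {"xdp", "tracepoint"},
    "allowed_capabilities": {"use-maps", "read-clock"},
}
COUNTER = {"name": "pkt_counter", "type": "xdp", "source": "platform-team",
           "helpers": ["bpf_map_lookup_elem", "bpf_ktime_get_ns"]}
SNOOPER = {"name": "snooper", "type": "kprobe", "source": "unknown",
           "helpers": ["bpf_probe_read_user", "bpf_probe_write_user",
                       "bpf_get_current_comm"]}

if __name__ == "__main__":
    for prog in (COUNTER, SNOOPER):
        reasons = violations(behavioral_profile(prog), POLICY)
        print(prog["name"], "BLOCK" if reasons else "ADMIT", reasons)
```

The policy here is an allow-list written in capability terms rather than helper names, so a reviewer who does not know eBPF can still read both the rule and the reason a program was blocked.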

Contributors

Neha Chowdhary

IIT Kharagpur, India

Utkalika Satapathy

IIT Kharagpur, India

Theophilus Benson

CMU, USA

Subhrendu Chattopadhyay

IDRBT, Hyderabad, India

Palani Kodeswaran

IBM-IRL, Bangalore, India

Sayandeep Sen

IBM-IRL, Bangalore, India

Sandip Chakraborty

IIT Kharagpur, India

Publications


  1. Neha Chowdhary, Utkalika Satapathy, Theophilus Benson, Subhrendu Chattopadhyay, Palani Kodeswaran, Sayandeep Sen, Sandip Chakraborty: “BeeGuard: Explainability-based Policy Enforcement of eBPF Codes for Cloud-native Environments”, COMSNETS 2025

Funding and Support



For questions and general feedback, contact Neha Chowdhary