Epic: eBPF virtual patching (deny rules → cleartext signatures → userspace WAF) #659

Description

@hsinatfootprintai

Epic: eBPF virtual patching

Virtual patching = a temporary, network-level rule that blocks a known
exploit before it reaches vulnerable software, buying time until the real
vendor patch ships (zero downtime, no app change). The classic form is a
WAF/IPS signature; the cheap-and-reliable form is an L3/L4 block rule.

Containarium already ships the enforcement substrate from the eBPF
network-isolation work (#315): per-container-veth TC clsact hooks that can
TC_ACT_SHOT, a per-tenant LPM-trie allow-list, a reconcile loop that pushes
rules into BPF maps with zero downtime, and audit perf events on every deny.
What's missing is a deny primitive and the inspection depth for signatures.

This epic tracks turning that substrate into a virtual-patching capability,
in three tiers of increasing depth and cost.

Tiers

  • Tier 1 — L3/L4 virtual patch (deny rules). Add a per-tenant deny
    LPM-trie (CIDR + optional port/proto) evaluated before the allow logic,
    returning TC_ACT_SHOT. Covers the large class of "a network-reachable
    service / upstream is vulnerable — block it now." Pure eBPF, reuses the
    whole substrate. Ships first. → Tier 1: L3/L4 virtual patch — per-tenant eBPF deny rules #660.

  • Tier 2 — bounded cleartext signature match (kernel). Extend the BPF
    program with bpf_skb_load_bytes over the first ~256 payload bytes and a
    small bpf_loop scan for a curated set of cleartext signatures (Log4Shell
    ${jndi:, Shellshock () {). Caveats spelled out: single-packet only
    (segment-split evasion), cleartext only (no TLS), verifier-bounded pattern
    count/length. → Tier 2: bounded cleartext signature matching in eBPF (best-effort IPS) #661.

  • Tier 3 — userspace WAF behind eBPF steering. eBPF redirects flagged
    flows into a host-side WAF (Coraza / ModSec CRS) that does reassembly, TLS
    termination, and vendor signature sets. The only WAF-grade path; eBPF's role
    shrinks to a fast classifier/redirector. → Tier 3: userspace WAF behind eBPF flow steering (WAF-grade virtual patching) #662.

Product hook

Wire to the existing security scanner: a CVE finding emits a virtual-patch
deny rule → reconcile pushes it → reconcile auto-expires it when the scanner
confirms the upstream patch landed. "Band-Aid until the real patch ships, then
auto-removed," end to end.

Honest constraints (why tiers, not one feature)

  • Pure-kernel eBPF sees one packet at a time (no reassembly) and can't read
    TLS payloads — so signature matching past Tier 1 is genuinely limited.
  • All tiers inherit the existing two opt-ins: the feature is off unless
    CONTAINARIUM_NETWORK_POLICY_BPF_OBJECT is set, and drops stay disarmed
    (audit only) unless CONTAINARIUM_NETWORK_POLICY_ENFORCE=1. An overly broad
    deny rule must not blackhole a container by default.
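Added example, not code from the Containarium tree: a userspace model in Go of the Tier 1 decision order (deny rules checked before the tenant allow-list) together with the ENFORCE opt-in, so a deny match on a disarmed host is audited but not dropped. The DenyRule/Policy types are hypothetical, and it assumes a destination outside every allow prefix is dropped.

```go
package main

import "net/netip"

// TC verdicts the BPF program would return.
const ActOK, ActShot = "TC_ACT_OK", "TC_ACT_SHOT"

// DenyRule is a hypothetical userspace model of one Tier 1 entry:
// a CIDR plus optional port/proto, where 0 means "any".
type DenyRule struct {
	Prefix netip.Prefix
	Port   uint16
	Proto  uint8
}

// Policy is one tenant's rule set. Enforce mirrors the
// CONTAINARIUM_NETWORK_POLICY_ENFORCE=1 opt-in: when false a deny match
// is audited but the packet still passes.
type Policy struct {
	Deny    []DenyRule
	Allow   []netip.Prefix
	Enforce bool
}

// Matches reports whether a packet to dst:port/proto falls under the rule.
func (r DenyRule) Matches(dst netip.Addr, port uint16, proto uint8) bool {
	return r.Prefix.Contains(dst) &&
		(r.Port == 0 || r.Port == port) &&
		(r.Proto == 0 || r.Proto == proto)
}

// Evaluate applies the Tier 1 order: deny rules before the allow-list.
// It returns the verdict and whether a deny audit event would fire.
// A destination outside every allow prefix is dropped (assumed allow-list
// semantics; the real datapath does both lookups via LPM tries).
func (p Policy) Evaluate(dst netip.Addr, port uint16, proto uint8) (string, bool) {
	for _, r := range p.Deny {
		if r.Matches(dst, port, proto) {
			if !p.Enforce {
				return ActOK, true // disarmed: audit only, never blackhole
			}
			return ActShot, true
		}
	}
	for _, a := range p.Allow {
		if a.Contains(dst) {
			return ActOK, false
		}
	}
	return ActShot, false
}
```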

Design doc: docs/security/VIRTUAL-PATCHING-DESIGN.md (added with Tier 1).

Prior art in-tree: docs/security/NETWORK-ISOLATION-DESIGN.md,
experimental/ebpf-phaseA/netpolicy.bpf.c, internal/netbpf/,
internal/server/network_policy_enforcer.go.

Labels: ebpf (eBPF / kernel datapath), enhancement (New feature or request), security (Security hardening / defensive features)