October 31 - November 1 - Co-Located Events
October 28-30 - Conference
Lyon Convention Centre - Lyon, France
More information for Open Source Summit + Embedded Linux Conference Europe 2019
Wednesday, October 30 • 12:20 - 12:55
Combining WrapFS and eBPF to Provide a Lightweight File System Sandboxing Framework - Ashish Bijlani, Georgia Tech

Filesystem (FS) sandboxing is a useful technique to protect sensitive data from untrusted binaries. However, existing approaches do not allow fine-grained control over policy enforcement (e.g., seccomp), require sudo privileges (e.g., SELinux), incur high performance overhead (e.g., ptrace, FUSE), or are prone to TOCTTOU bugs (e.g., syscall interposition).

We combine eBPF with WrapFS to provide a lightweight, fine-grained FS sandboxing framework called SandFS for unprivileged users and containers. It is a stackable kernel FS that can safely be extended at runtime from user space using the eBPF framework to enforce custom security policies in the kernel while offering native performance.

Unprivileged users can use SandFS to protect private files (e.g., SSH keys) while executing untrusted binaries (e.g., ML models). Web browsers can enforce custom access checks to protect private data from extensions. Containers can be hardened by mounting a separate sandboxing FS layer for each service.


Ashish Bijlani

PhD Student, Georgia Tech
Ashish is a senior PhD student at Georgia Tech, Atlanta. His doctoral research focuses on mobile storage and security. He has presented his research at top-tier academic CS conferences and premier conferences, such as OSSNA'18 and LPC'18.

Wednesday October 30, 2019 12:20 - 12:55
Lumiere Auditorium
Session Slides Included: Yes