Microsoft Is Back to Working on "Hornet" Security for eBPF Programs on Linux (www.phoronix.com)

Microsoft has resumed development on the "Hornet" security module aimed at enhancing security for eBPF (extended Berkeley Packet Filter) programs on Linux. Under the leadership of Blaise Boscaccy, the focus of Hornet is to implement a robust in-kernel signature verification mechanism that addresses critical security concerns such as Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities and ensures audit integrity. The latest patch series outlines improvements in how eBPF programs are validated, emphasizing the need for both loader and map verifications to enhance security and maintain accurate logs, which is crucial in security-sensitive applications. The significance of Hornet lies in its potential to bolster system security in environments that demand stringent verification processes. By integrating signature verification directly into the load authorization mechanism, it allows for more reliable access control and system state monitoring. Furthermore, the introduction of expanded hash verification for mapped resources mitigates risks associated with TOCTOU vulnerabilities, offering a more resilient approach to handling eBPF programs. If successful, Hornet could be included in the mainstream Linux kernel by 2026, marking a significant advancement for the AI/ML community and other sectors that rely on eBPF for performance and security.