With the increasing use and adoption of cloud and cloud-native computing, the underlying technologies (i.e., containerization and virtualization) have become foundational. However, enforcing strict isolation and maintaining runtime security in these environments has become increasingly challenging. Existing approaches such as seccomp and Mandatory Access Control (MAC) frameworks offer protection up to a point, but they often lack context awareness, syscall argument filtering, and adaptive enforcement, i.e., the ability to adjust decisions at runtime based on observed application behavior, workload changes, or detected anomalies rather than relying solely on static or predefined rules. This paper introduces eBPF-PATROL (eBPF-Protective Agent for Threat Recognition and Overreach Limitation), an extensible, lightweight runtime security agent that uses extended Berkeley Packet Filter (eBPF) technology to monitor and enforce policies in containerized and virtualized environments. By intercepting system calls, analyzing execution context, and applying user-defined rules, eBPF-PATROL detects and prevents, in real time, boundary violations such as reverse shells, privilege escalation, and container escape attempts. We describe the architecture, implementation, and evaluation of eBPF-PATROL, demonstrating its low overhead (< 2.5 percent) and high detection accuracy across real-world attack scenarios.
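The three capabilities the abstract contrasts with seccomp (execution context, syscall argument filtering, adaptive enforcement) can be illustrated with a small user-space model of the per-event policy check; this is an added example, not code from the paper or from eBPF-PATROL, and the event fields, rule set, and `container_id` convention ("host" versus a container id, which a real eBPF probe would derive from the cgroup) are all assumptions made here. The events it consumes are constructed stand-ins for what an eBPF syscall probe would report.

```python
from dataclasses import dataclass, field

@dataclass
class SyscallEvent:
    pid: int
    container_id: str   # "host" or a container id (assumed; cgroup-derived in eBPF)
    name: str
    args: dict

@dataclass
class ProcState:
    socket_fds: set = field(default_factory=set)
    stdio_on_socket: bool = False
    alerts: int = 0

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}

class Policy:
    """Evaluates one syscall event at a time; returns 'allow', 'alert' or 'deny'."""
    def __init__(self, alert_threshold=1):
        self.procs = {}
        self.alert_threshold = alert_threshold  # alerts tolerated before denying

    def _track(self, ev, st):
        # Context tracking: which fds are sockets, and whether stdio was dup'ed onto one.
        if ev.name == "socket":
            st.socket_fds.add(ev.args["ret"])
        elif ev.name in ("dup2", "dup3") and ev.args["oldfd"] in st.socket_fds:
            if ev.args["newfd"] in (0, 1, 2):
                st.stdio_on_socket = True
        elif ev.name == "close":
            st.socket_fds.discard(ev.args["fd"])

    def evaluate(self, ev):
        st = self.procs.setdefault(ev.pid, ProcState())
        self._track(ev, st)
        in_container = ev.container_id != "host"
        # Rule 1: a shell exec'd while stdio is wired to a socket is the reverse-shell pattern.
        if ev.name == "execve" and ev.args["path"] in SHELLS and st.stdio_on_socket:
            return "deny"
        # Rule 2: argument filter that depends on context: setuid(0) is denied only in a container.
        if ev.name == "setuid" and ev.args["uid"] == 0 and in_container:
            return "deny"
        # Rule 3: adaptive enforcement: ptrace from a container is alerted, and once
        # the process exceeds the alert threshold the same call is denied.
        if ev.name == "ptrace" and in_container:
            st.alerts += 1
            return "deny" if st.alerts > self.alert_threshold else "alert"
        return "allow"
```

Each rule reads per-process state built from earlier events, which is what lets the same `execve` be allowed for one process and denied for another.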