eBPF‑Secure: A Lightweight eBPF‑Based Confinement and Observability Framework for Container Security
- Authors
Shiva Kumar Bommakanti
- Keywords:
- extended Berkeley Packet Filter (eBPF), Container Security, Runtime Observability, Linux Security Primitives, Least-privilege Confinement
- Abstract
As container adoption accelerates, the need for runtime security and transparent observability has never been greater. The traditional Linux confinement primitives (namespaces, cgroups, seccomp, and Linux Security Modules) are powerful, but they are hard to combine coherently and hard to extend. In this work we introduce eBPF-Secure, a unified framework built on the extended Berkeley Packet Filter (eBPF) that injects security and observability logic into the running kernel without recompiling or rebooting it. By attaching eBPF programs to key syscall and LSM hooks, eBPF-Secure enforces container-specific policies on filesystem, network, and IPC interactions while recording audit data in kernel-space maps that user space reads for real-time monitoring. Two prototypes, an application sandbox and its container-focused successor, show that eBPF-Secure can express least-privilege confinement, narrow the semantic gap between policy and enforcement, and deliver precise security controls at modest performance overhead. Our evaluation on established benchmarks, together with an informal attack analysis, shows that eBPF-Secure hardens container deployments while giving operators fine-grained visibility into runtime behavior, paving the way for more secure, observable, and extensible container platforms.
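The filesystem branch of what the abstract describes, written out as an added example (this is not the paper's code, and the map, struct and function names are my own): a BPF LSM program on the `file_open` hook looks up a per-container allow-list keyed by cgroup id, denies opens outside it, and pushes every verdict into a ring buffer for a user-space auditor. It assumes a kernel with `CONFIG_BPF_LSM=y` and `bpf` in the `lsm=` boot list (5.7 or later), and a libbpf loader (not shown) that fills the `policies` map with the cgroup v2 id of each confined container. The policy-matching code is plain C so that it compiles for the BPF target with `clang -O2 -g -target bpf -c` and can also be unit-tested on the host.

```c
/* Added example, not the paper's code: per-container file-open confinement
 * plus auditing as a BPF LSM program. Matching logic is host-testable. */
#ifdef __bpf__
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#define EPERM 1                              /* vmlinux.h carries no errno values */
char LICENSE[] SEC("license") = "GPL";
#else                                        /* host build for unit tests */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
typedef uint64_t __u64;
typedef uint32_t __u32;
typedef int32_t  __s32;
typedef uint8_t  __u8;
#ifndef __always_inline
#define __always_inline inline
#endif
#endif

#define PATH_LEN   128                       /* longer paths fail closed, see below */
#define MAX_PREFIX 4

struct policy {                              /* one entry per confined container */
    __u8  nprefix;
    char  prefix[MAX_PREFIX][PATH_LEN];      /* allowed path prefixes, NUL-terminated */
};

struct audit_event {                         /* consumed by a user-space ring-buffer reader */
    __u64 cgroup_id;
    __u32 pid;
    __s32 verdict;                           /* 0 = allowed, -EPERM = denied */
    char  path[PATH_LEN];
};

/* True iff `path` starts with `prefix`. An empty prefix never matches: it would
 * otherwise allow everything, which is the classic allow-list footgun. */
static __always_inline bool has_prefix(const char *path, const char *prefix)
{
    if (prefix[0] == '\0')
        return false;
    for (int i = 0; i < PATH_LEN; i++) {
        if (prefix[i] == '\0')
            return true;
        if (path[i] != prefix[i])
            return false;
    }
    return false;                            /* prefix has no NUL in range: refuse */
}

/* Default deny: allowed only if some configured prefix matches. */
static __always_inline int check_path(const struct policy *p, const char *path)
{
    for (int i = 0; i < MAX_PREFIX; i++) {   /* constant bound keeps the BPF verifier happy */
        if (i >= p->nprefix)
            break;
        if (has_prefix(path, p->prefix[i]))
            return 0;
    }
    return -EPERM;
}

#ifdef __bpf__
struct {                                     /* cgroup id -> policy, filled by the loader */
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 1024);
    __type(key, __u64);
    __type(value, struct policy);
} policies SEC(".maps");

struct {                                     /* audit stream read from user space */
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 1 << 20);
} audit SEC(".maps");

SEC("lsm/file_open")
int BPF_PROG(confine_file_open, struct file *file)
{
    __u64 cg = bpf_get_current_cgroup_id();
    struct policy *p = bpf_map_lookup_elem(&policies, &cg);
    if (!p)
        return 0;                            /* unconfined cgroup: no opinion */

    char path[PATH_LEN] = {};
    long n = bpf_d_path(&file->f_path, path, sizeof(path));
    /* bpf_d_path fails (e.g. -ENAMETOOLONG) when the path does not fit: deny
     * instead of matching a truncated string against the allow-list. */
    int verdict = (n < 0) ? -EPERM : check_path(p, path);

    struct audit_event *ev = bpf_ringbuf_reserve(&audit, sizeof(*ev), 0);
    if (ev) {                                /* audit is best effort; enforcement is not */
        ev->cgroup_id = cg;
        ev->pid = bpf_get_current_pid_tgid() >> 32;
        ev->verdict = verdict;
        __builtin_memcpy(ev->path, path, PATH_LEN);
        bpf_ringbuf_submit(ev, 0);
    }
    return verdict;
}
#endif
```

Two design points matter for anyone adapting this. Enforcement never depends on the audit path: if the ring buffer is full the open is still decided, so an attacker cannot flood the buffer to disable the policy. And an unresolvable or over-long path is denied rather than matched after truncation; whether an absent map entry should mean "allow" (as here, for gradual rollout) or "deny" is a deployment decision, and the fail-open default above is only appropriate while policies are being introduced.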
- Published
- 2026-06-01
- Issue
- Vol. 1 No. 2 (2026)
- Section
- Articles
- License
Copyright (c) 2026 International Journal of Intelligent Systems and Data Science

This work is licensed under a Creative Commons Attribution 4.0 International License.
