5G Under Attack: Container Isolation Broken by eBPF

Author: Denis Avetisyan


New research reveals critical vulnerabilities in containerized 5G core networks leveraging eBPF, potentially allowing attackers to move laterally between network functions.

The architecture anticipates a future where 5G services are disaggregated, leveraging evolved User Plane Functions (eUPFs) and accelerating packet processing via XDP to optimize network performance and adaptability.

This paper demonstrates that eBPF-enabled containerization in 5G core deployments is susceptible to cross-container attacks, compromising network isolation and security.

While software-defined networking offers increased flexibility and performance, its security implications remain a critical concern, particularly in complex deployments like 5G core networks. This paper, ‘Vulnerability Analysis of eBPF-enabled Containerized Deployments of 5G Core Networks’, investigates potential attack vectors within containerized 5G infrastructures leveraging the extended Berkeley Packet Filter (eBPF) for packet processing. Our analysis demonstrates that these deployments are susceptible to cross-container attacks, enabling exploitation of vulnerabilities related to tracing, denial-of-service, information theft, and bash injection. Given the increasing reliance on eBPF in modern network function virtualization, how can we effectively mitigate these risks and ensure the integrity of critical 5G services?


The Inevitable Fracture: From Hardware to Ephemeral Networks

Traditional mobile networks relied on purpose-built hardware appliances for each network function, creating inflexible and costly systems difficult to scale or update. Modern 5G, however, is fundamentally different, driven by a demand for adaptable infrastructure capable of supporting diverse services and rapidly changing user needs. This has spurred a move away from dedicated hardware toward software-defined networking and network functions virtualization (NFV). By decoupling network functions from the underlying hardware, 5G networks gain the agility to dynamically allocate resources, deploy new services quickly, and respond to fluctuating demands-characteristics crucial for supporting everything from enhanced mobile broadband and massive machine-type communications to ultra-reliable low latency communications.

The evolution towards modern 5G networks is fundamentally reshaping network infrastructure through the adoption of virtualization technologies. Traditionally, network functions relied on dedicated, specialized hardware, creating inflexible and costly systems. Virtualization, however, decouples these functions from the underlying hardware, enabling them to run as software on standard, readily available commodity servers and, crucially, within cloud-based platforms. This transition offers substantial benefits, including reduced capital expenditure, increased agility in deploying new services, and the ability to dynamically scale resources to meet fluctuating demand. By leveraging the elasticity of cloud environments, network operators can optimize resource allocation and improve overall network efficiency, paving the way for innovative 5G applications and services.

The very structure of modern 5G networks is now inextricably linked to the successful deployment of virtualized 5G Core Network Functions (NFs). Traditionally, these core functions – encompassing areas like authentication, session management, and policy control – were implemented on dedicated, specialized hardware. However, the demands of 5G – requiring greater flexibility, scalability, and efficiency – have driven a paradigm shift. Virtualization allows these NFs to operate as software instances on commodity hardware and cloud infrastructure, fundamentally altering network design. This transition isn’t merely an optimization; it’s a foundational change, enabling dynamic resource allocation, automated network slicing, and faster deployment of new services. Without the robust and reliable operation of these virtualized NFs, the full potential of 5G – including its capacity for massive machine-type communications and ultra-reliable low-latency communication – remains unrealized, making their effective implementation central to the entire 5G ecosystem.

The advent of virtualized 5G networks critically relies on cloud platforms acting as the essential infrastructure layer. These platforms deliver the dynamic scalability needed to manage the fluctuating demands placed on network functions, efficiently allocating resources – processing power, storage, and bandwidth – precisely when and where they are required. This on-demand provisioning minimizes operational costs and eliminates the limitations of traditional, hardware-bound systems. By abstracting network functions from dedicated hardware, cloud platforms enable operators to rapidly deploy new services, adapt to changing network conditions, and optimize performance across a geographically dispersed network. The resulting agility and efficiency are not merely incremental improvements, but rather fundamental shifts that redefine how 5G networks are built and managed, paving the way for innovative applications and a more connected future.

Containerization: The Illusion of Control

Containerization presents a more efficient deployment model for 5G Network Functions (NFs) compared to traditional Virtual Machines (VMs). VMs require a full operating system image for each instance, consuming significant resources in terms of CPU, memory, and storage. Containers, conversely, share the host operating system kernel and package only the application and its dependencies, resulting in substantially smaller image sizes – often measured in megabytes versus gigabytes for VMs. This reduced overhead translates to faster startup times, increased density – allowing more NFs to run on the same hardware – and improved resource utilization, all critical factors for the scalability and cost-effectiveness of 5G networks. Furthermore, the portability of containers facilitates consistent operation across different infrastructure environments, from on-premise data centers to public and hybrid clouds.

Docker utilizes operating system-level virtualization to package applications with their dependencies into standardized units called containers. This enables consistent execution across diverse infrastructure, from development laptops to production servers and cloud environments. The Docker platform provides a command-line interface and a robust API for building images (read-only templates used to create containers) and managing their lifecycle. Docker Hub serves as a public registry for sharing and distributing these images, fostering collaboration and accelerating deployment cycles. Key components include the Docker Engine, responsible for building and running containers, and Docker Compose, a tool for defining and managing multi-container applications.

Kubernetes automates the deployment and lifecycle management of containerized 5G network functions (NFs) through declarative configuration files. This orchestration platform manages container placement across a cluster of nodes, ensuring high availability and resource utilization. Key features include automated scaling based on demand, self-healing capabilities through container restart and rescheduling, and rolling updates for zero-downtime deployments. Kubernetes simplifies complex deployments by abstracting underlying infrastructure and providing a consistent environment for 5G service delivery, enabling efficient scaling and management of network slices and virtualized functions.

Namespace isolation within containerization utilizes kernel features to create isolated user space instances for each container. This isolation prevents processes running within one container from accessing or interfering with processes, filesystems, or network interfaces belonging to other containers or the host system. Specifically, namespaces virtualize global system resources such as process IDs (PID), network interfaces, user IDs, mounted file systems, and inter-process communication (IPC). By providing separate views of these resources, namespace isolation significantly reduces the attack surface and improves the overall security posture of the 5G network functions deployed within containers, limiting the blast radius of potential security breaches. The limit of the mechanism should be stated just as plainly: namespaces virtualize the kernel's view of resources, they do not give each container its own kernel. Every container on a node shares one kernel, so a kernel-level facility that is not namespace-aware, eBPF tracing programs among them, is not confined by this boundary.

The Shadow Realm: Security in the Age of Ephemerality

Containerized 5G network functions, while offering scalability and resource efficiency, expand the attack surface through the prevalent use of bash scripting for orchestration and automation. These scripts often run with elevated privileges to manage network components, which makes them attractive targets. Typical defects are unvalidated input spliced into command strings, `eval` of untrusted data, and unquoted variable expansion, any of which can lead to arbitrary command execution. The dynamic nature of container deployments, with frequent image rebuilds and redeployments, further complicates security monitoring and patching and widens the window in which such bash-related vulnerabilities can be exploited.

Bash injection attacks target scripts in which user-supplied data is incorporated into shell commands without proper sanitization, allowing an attacker to inject arbitrary commands into the script's execution flow. The defect is re-parsing data as code: if a script splices input into a string that a shell later interprets (`eval`, `bash -c "..."`, backticks or `$(...)`, or a `system()` call from a higher-level language), metacharacters in the input such as `;`, `|`, `&&` and `$(...)` change the command that actually runs. Successful exploitation executes the injected commands with the privileges of the user running the script, potentially leading to system compromise, data exfiltration, or denial of service. Mitigation is to avoid shell re-parsing where possible, validate input against an allow-list, quote every expansion (`"$var"`) and pass values as separate arguments rather than building command strings, and, in other languages, prefer exec-style APIs that take an argument vector over APIs that take a shell string.
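The pattern above, shown side by side, as an added example rather than code from the paper or from Open5GS. The helper `register_nf` is hypothetical: it stands in for an orchestration script that receives a network-function name from a source the attacker can influence and shells out with it. The vulnerable version re-parses the name as shell code; the hardened version validates the name and passes it as a separate argument.

```bash
#!/usr/bin/env bash
# Added example (not from the paper or Open5GS): a hypothetical helper an
# orchestration script might use to register a network function by name.
# The name is attacker-influenced input (e.g. taken from a request body or
# a configuration file the attacker can write).

# VULNERABLE: the name is spliced into a command string that a child shell
# re-parses, so metacharacters in the input become part of the command.
register_nf_vulnerable() {
    nf_name="$1"
    sh -c "echo registering $nf_name"
}

# HARDENED: (1) reject anything outside an allow-list pattern
# (lowercase letter, then letters, digits or '-'), and (2) hand the value
# to the child shell as an argv element, so it is data, never code.
register_nf_hardened() {
    nf_name="$1"
    case "$nf_name" in
        ""|[!a-z]*|*[!a-z0-9-]*)
            echo "rejected: invalid NF name" >&2
            return 1 ;;
    esac
    sh -c 'echo "registering $1"' _ "$nf_name"
}

# Demonstration with a constructed malicious name: the vulnerable helper
# also runs `id`; the hardened helper refuses the name but accepts a
# well-formed one.
register_nf_vulnerable 'upf; id'
register_nf_hardened 'upf; id' || true
register_nf_hardened 'upf-1'
```

The validation alone would stop this input, and the argv-passing alone would stop it too; both are kept because they fail independently. Validation protects the places you forgot to quote, and argv-passing protects against names that pass the allow-list but are still meaningful to some other consumer further down the pipeline.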

Whatever the initial foothold, attacker code running in a container acts on the system through system calls, the programmatic interface between user space and the kernel, and it does so with the capabilities of the compromised process. That is enough for file system manipulation, process creation, and network configuration changes within the container's own namespaces. Namespaces and cgroups restrict what the kernel shows to, and permits for, a container, but they are enforced by that same shared kernel: if the compromised process holds capabilities such as CAP_SYS_ADMIN, or can reach a kernel-level facility that is not namespace-aware, those mechanisms alone do not prevent the compromise from spreading beyond the container.

The paper's central finding is that a compromised container within a 5G core deployment can use Extended Berkeley Packet Filter (eBPF) functionality to defeat container namespace isolation and move laterally to other network functions in the same cloud-native infrastructure. The mechanism follows from where eBPF runs: programs are loaded through the bpf(2) system call and execute inside the kernel, which is shared by every container on the node. A kprobe- or tracepoint-based program attached from one container observes kernel functions and system calls system-wide, so it can watch another NF's activity, capture the data those calls carry, or disrupt them; the paper groups the resulting attacks into tracing, denial-of-service, information theft, and bash injection. The precondition a practitioner should check is capability. Loading tracing programs requires CAP_SYS_ADMIN, or on Linux 5.8 and later CAP_BPF together with CAP_PERFMON, so the attack applies to containers that have been granted these, for instance privileged containers or NFs such as an eBPF/XDP user plane that legitimately load programs, and not to a container running with Docker's default capability set. The lessons the paper draws follow directly: grant bpf-related capabilities only to the NFs that need them, validate the programs those NFs load, and monitor program loads and attachments at runtime.
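The capability precondition is easy to audit. The following added example, written for this page and not taken from the paper, reads a process's effective capability mask (`CapEff` in `/proc/<pid>/status`) and decides whether it is sufficient to load eBPF tracing programs; it also makes concrete the point of the namespace section above, that the boundary is a capability check in a shared kernel rather than a separate kernel. The capability bit numbers are the kernel's own (`include/uapi/linux/capability.h`); the sample masks are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the paper): decide whether a process's effective
# capability set allows it to load eBPF tracing programs through bpf(2).
# Capability bit numbers follow include/uapi/linux/capability.h.
CAP_SYS_ADMIN=21
CAP_PERFMON=38   # Linux >= 5.8
CAP_BPF=39       # Linux >= 5.8

# has_cap <CapEff hex mask> <capability number>: true if that bit is set.
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# can_load_bpf <CapEff hex mask>: true if the mask is enough to load and
# attach kprobe/tracepoint programs. CAP_SYS_ADMIN always suffices; on
# >= 5.8 the split pair CAP_BPF + CAP_PERFMON does too. CAP_BPF alone is
# not enough for tracing programs.
can_load_bpf() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then
        return 0
    fi
    if has_cap "$1" "$CAP_BPF" && has_cap "$1" "$CAP_PERFMON"; then
        return 0
    fi
    return 1
}

# capeff_of [pid]: read the live CapEff mask from /proc (default: this shell).
capeff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# audit_bpf_risk <CapEff hex mask>: print a one-line verdict.
audit_bpf_risk() {
    if can_load_bpf "$1"; then
        echo "CapEff=$1: CAN load eBPF tracing programs; a compromise here sees every container on this kernel"
    else
        echo "CapEff=$1: cannot load eBPF tracing programs without further escalation"
    fi
}

# Constructed sample masks for the demonstration:
DOCKER_DEFAULT_CAPS=00000000a80425fb   # Docker's default capability set
PRIVILEGED_CAPS=000001ffffffffff       # full set, as with --privileged on >= 5.8
BPF_ONLY_CAPS=0000008000000000         # CAP_BPF alone (bit 39)
BPF_PERFMON_CAPS=000000c000000000      # CAP_BPF + CAP_PERFMON (bits 38, 39)

audit_bpf_risk "$DOCKER_DEFAULT_CAPS"
audit_bpf_risk "$PRIVILEGED_CAPS"
audit_bpf_risk "$BPF_ONLY_CAPS"
audit_bpf_risk "$BPF_PERFMON_CAPS"
if [ -r /proc/self/status ]; then
    audit_bpf_risk "$(capeff_of)"
fi
```

Run it inside each NF container (or point `capeff_of` at a container's PID from the host) to see which containers could mount the attack the paper describes. Two caveats: the `kernel.unprivileged_bpf_disabled` sysctl governs only the program types unprivileged users may ever load (socket filters and similar), not tracing programs, which need the capabilities above regardless; and a container that can run `bpftool` or mount `/sys/fs/bpf` from the host has other routes to the same outcome that this check does not cover.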

The victim system successfully executed commands injected via a bash attack, demonstrating a security vulnerability.

Open5GS: A Controlled Fracture

Open5GS delivers a complete, open-source instantiation of the 5G core network, fundamentally shifting control and visibility away from proprietary systems. This approach allows network operators, researchers, and developers unprecedented access to the inner workings of 5G, fostering innovation and enabling tailored network configurations. Unlike traditional, closed-source solutions, Open5GS provides full transparency into the network’s functions, allowing for thorough security audits, customized feature development, and optimization for specific use cases. The project’s open nature promotes community collaboration, driving rapid improvements and ensuring long-term sustainability, while simultaneously mitigating vendor lock-in and empowering users with complete control over their 5G infrastructure.

Open5GS empowers telecommunications operators with unprecedented control over their 5G infrastructure through the implementation of modular 5G Core Network Functions, or NFs. Traditionally, building a 5G network required reliance on proprietary solutions, limiting customization and fostering vendor lock-in. Open5GS breaks this mold by providing open-source NFs, including the Authentication Server Function (AUSF), the Access and Mobility Management Function (AMF), and the User Plane Function (UPF), that operators can readily deploy, configure, and adapt to specific network demands. This granular control extends to tailoring network behavior, optimizing resource allocation, and integrating novel services, all without being constrained by the limitations of closed-source systems. The ability to build a truly customized 5G network allows operators to respond swiftly to evolving market needs and deploy innovative applications, fostering a more agile and competitive landscape.

Open5GS is architected around containerization technologies, such as Docker, and orchestrated using Kubernetes, enabling a highly scalable and resilient 5G core network infrastructure. This approach allows network functions to be deployed as isolated containers, simplifying management, updates, and fault isolation. The use of orchestration tools automates deployment, scaling, and healing of these containers, ensuring the network can dynamically adapt to changing traffic demands and maintain service availability even in the face of hardware failures. This container-based architecture not only enhances operational efficiency but also facilitates rapid innovation and customization, allowing operators to quickly deploy new features and services without disrupting the core network functionality.

Open5GS demonstrates significant performance gains through the integration of extended Berkeley Packet Filter (eBPF) and XDP technologies within its 5G User Plane Function (UPF). XDP runs an eBPF program in the network driver's receive path, before the kernel allocates a socket buffer or enters the regular network stack, so user-plane packets can be forwarded directly at that hook. Testing reveals a substantial reduction, exceeding 30%, in per-packet processing time, directly translating to lower latency and increased network throughput. The same design is what gives the user-plane container the ability to load kernel programs in the first place, which is why the paper's attack surface and Open5GS's performance story are two sides of one architectural choice. By leveraging these technologies, Open5GS provides not only a flexible and customizable 5G core but also a demonstrably efficient architecture capable of meeting the performance requirements of modern applications and services.

The pursuit of performance, particularly in complex systems like containerized 5G core networks, often overshadows the inevitable trade-off with adaptability. This research, detailing vulnerabilities in eBPF-enabled deployments, exemplifies that very tension. As John von Neumann observed, “There is no exquisite beauty… without some strangeness and complexity.” The strangeness here lies in the subtle attack vectors exposed by shared resources, and the complexity arises from the layered virtualization. One anticipates such issues; scalability is simply the word used to justify complexity. The study confirms a predictable outcome – optimization for speed creates fragility, and a system designed for peak performance will eventually lose flexibility as new threats emerge. The perfect architecture, as always, remains a myth to keep one sane.

What Lies Ahead?

The presented work reveals not a failure of implementation, but the inherent prophecy of any system attempting absolute isolation. Containerization, even when augmented with the performance benefits of eBPF, merely shifts the surface area for attack. The illusion of boundaries is a constant source of revelation. Further research must abandon the pursuit of perfect confinement and instead focus on comprehensive, systemic monitoring – for monitoring is the art of fearing consciously.

The emphasis cannot remain on preventing breaches, but on anticipating them. The network functions themselves must be designed with the assumption of compromise, embracing techniques like differential privacy and zero-knowledge proofs not as defenses, but as methods of graceful degradation. This necessitates a move beyond reactive security measures to proactive resilience engineering.

True resilience begins where certainty ends. The field must shift from seeking guarantees of security to building systems capable of self-diagnosis, self-repair, and adaptive reconfiguration. The vulnerabilities demonstrated are not bugs-they are invitations to explore the limits of distributed trust and the emergent properties of complex, interconnected systems. The next step isn’t to ‘fix’ the container, but to understand the ecosystem it inhabits.


Original article: https://arxiv.org/pdf/2603.19867.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/


2026-03-24 07:06