This is an interesting work. It enforces Decentralized Information Flow Control (DIFC) using network switches and the OS (via eBPF). The authors designed a new language to express DIFC policies, and the enforcement introduces very low overhead.
Although the project contains only 4K LoC, the authors conducted an extensive evaluation, some of which was run in a simulated environment.
Questions
- Since P4Control enforces DIFC at the file level, might the tag space be too small (e.g., only 256 different tags)?