Project Description

BPF verifier plays a crucial role in securing the system (though less so now that unprivileged BPF is disabled by default in both upstream and SLES), and bugs in the verifier has lead to privilege escalation vulnerabilities in the past (e.g. CVE-2021-3490).

One way to check whether the verifer has bugs to use model checking (a formal verification technique), in other words, build a abstract model of how the verifier operates, and then see if certain condition can occur (e.g. incorrect calculation during value tracking of registers) by giving both the model and condition to a solver.

For the solver I will be using the Z3 SMT solver to do the checking since it provide a Python binding that's relatively easy to use.

Goal for this Hackweek

Learn how to use the Z3 Python binding (i.e. Z3Py) to build a model of (part of) the BPF verifier, probably the part that's related to value tracking using tristate numbers (aka tnum), and then check that the algorithm work as intended.

Resources

Looking for hackers with the skills:

bpf ebpf formalverification modelchecking kernel security

This project is part of:

Hack Week 21

Activity

  • 7 months ago: dsterba liked this project.
  • 8 months ago: mbrugger liked this project.
  • 8 months ago: jzerebecki left this project.
  • 8 months ago: jzerebecki added keyword "security" to this project.
  • 8 months ago: jzerebecki joined this project.
  • 8 months ago: jzerebecki liked this project.
  • 8 months ago: ailiopoulos liked this project.
  • 8 months ago: shunghsiyu started this project.
  • 8 months ago: shunghsiyu added keyword "kernel" to this project.
  • 8 months ago: shunghsiyu added keyword "bpf" to this project.
  • 8 months ago: shunghsiyu added keyword "ebpf" to this project.
  • 8 months ago: shunghsiyu added keyword "formalverification" to this project.
  • 8 months ago: shunghsiyu added keyword "modelchecking" to this project.
  • 8 months ago: shunghsiyu originated this project.

  • Comments

    • shunghsiyu
      7 months ago by shunghsiyu | Reply

      I've uploaded the jupyter notebook on GitHub that contains a minimal model of tnum along with tnum_add(), as well as the prove that it works.

    • shunghsiyu
      7 months ago by shunghsiyu | Reply

      The slides used for lightning talk can be found here

      While I'd like to achieve much more, I think what I've done during hack week is suffice to be called a complete project, so I'm marking this as complete

    Similar Projects

    Create a DRM driver for VGA video cards by tdz

    Yes, those [VGA video cards](https://en.wikiped...


    Authenticated hashes for BTRFS by dsterba

    Project Description

    Implement a checksum ...


    Improve Qualcomm SOC msm8994/msm8992 kernel mainline support by pvorel

    Project Description

    Due previous hackweek...


    Modular kernel packaging by mwilck

    Project Description

    Create a PoC for a mo...


    How software creation process can save energy and CO2 emissions by acervesato

    [comment]: # (Please use the project descriptio...


    Rancher Token Revoker by mbolot

    [comment]: # (Please use the project descriptio...


    Run sandboxed Firefox with image and sound inside a container by nguyens

    [comment]: # (Please use the project descriptio...


    Create tool for managing RPM package signing keys by dheidler

    [comment]: # (Please use the project descriptio...


    Force USB devices to be read from a virtual machine on a given PC by nguyens

    [comment]: # (Please use the project descriptio...