Project Description
BPF verifier plays a crucial role in securing the system (though less so now that unprivileged BPF is disabled by default in both upstream and SLES), and bugs in the verifier has lead to privilege escalation vulnerabilities in the past (e.g. CVE20213490).
One way to check whether the verifer has bugs to use model checking (a formal verification technique), in other words, build a abstract model of how the verifier operates, and then see if certain condition can occur (e.g. incorrect calculation during value tracking of registers) by giving both the model and condition to a solver.
For the solver I will be using the Z3 SMT solver to do the checking since it provide a Python binding that's relatively easy to use.
Goal for this Hackweek
Learn how to use the Z3 Python binding (i.e. Z3Py) to build a model of (part of) the BPF verifier, probably the part that's related to value tracking using tristate numbers (aka tnum), and then check that the algorithm work as intended.
Resources
 Formal Methods for the Informal Engineer: Tutorial #1  The Z3 Theorem Prover and its accompanying notebook is a great introduction into Z3
 Has a section specifically on model checking
 Software Verification and Analysis Using Z3 a great example of using Z3 for model checking
 Sound, Precise, and Fast Abstract Interpretation with Tristate Numbers  existing work that use formal verification to prove that the multiplication helper used for value tracking work as intended
 [PATCH v5 netnext 00/12] bpf: rewrite value tracking in verifier  initial patch set that adds tristate number to the verifier
Looking for hackers with the skills:
This project is part of:
Hack Week 21 Hack Week 23
Activity
Comments

about 2 years ago by shunghsiyu  Reply
I've uploaded the jupyter notebook on GitHub that contains a minimal model of tnum along with tnum_add(), as well as the prove that it works.

about 2 years ago by shunghsiyu  Reply
The slides used for lightning talk can be found here
While I'd like to achieve much more, I think what I've done during hack week is suffice to be called a complete project, so I'm marking this as complete

9 months ago by shunghsiyu  Reply
I'm restarting this project to model check the range tracking (minimal and maximal value possible in s32/u32/u64/s64 range) done in BPF verifier.
In addition to that I hope to unify signed and unsigned range tracking based on previously posted idea and the "Interval Analysis and Machine Arithmetic: Why Signedness Ignorance Is Bliss" paper for simpler range tracking code.
Similar Projects
This project is one of its kind!