SUSE Hack Week: Model checking the BPF verifier

Project Description

BPF verifier plays a crucial role in securing the system (though less so now that unprivileged BPF is disabled by default in both upstream and SLES), and bugs in the verifier has lead to privilege escalation vulnerabilities in the past (e.g. CVE-2021-3490).

One way to check whether the verifer has bugs to use model checking (a formal verification technique), in other words, build a abstract model of how the verifier operates, and then see if certain condition can occur (e.g. incorrect calculation during value tracking of registers) by giving both the model and condition to a solver.

For the solver I will be using the Z3 SMT solver to do the checking since it provide a Python binding that's relatively easy to use.

Goal for this Hackweek

Learn how to use the Z3 Python binding (i.e. Z3Py) to build a model of (part of) the BPF verifier, probably the part that's related to value tracking using tristate numbers (aka tnum), and then check that the algorithm work as intended.

Resources

Formal Methods for the Informal Engineer: Tutorial #1 - The Z3 Theorem Prover and its accompanying notebook is a great introduction into Z3
- Has a section specifically on model checking
Software Verification and Analysis Using Z3 a great example of using Z3 for model checking
Sound, Precise, and Fast Abstract Interpretation with Tristate Numbers - existing work that use formal verification to prove that the multiplication helper used for value tracking work as intended
[PATCH v5 net-next 00/12] bpf: rewrite value tracking in verifier - initial patch set that adds tristate number to the verifier

Looking for hackers with the skills:

bpf ebpf formalverification modelchecking kernel security

This project is part of:

Hack Week 21

Activity

about 1 month ago: dsterba liked this project.

about 2 months ago: mbrugger liked this project.

about 2 months ago: jzerebecki left this project.

about 2 months ago: jzerebecki added keyword "security" to this project.

about 2 months ago: jzerebecki joined this project.

about 2 months ago: jzerebecki liked this project.

about 2 months ago: ailiopoulos liked this project.

about 2 months ago: shunghsiyu started this project.

about 2 months ago: shunghsiyu added keyword "kernel" to this project.

about 2 months ago: shunghsiyu added keyword "bpf" to this project.

about 2 months ago: shunghsiyu added keyword "ebpf" to this project.

about 2 months ago: shunghsiyu added keyword "formalverification" to this project.

about 2 months ago: shunghsiyu added keyword "modelchecking" to this project.

about 2 months ago: shunghsiyu originated this project.

Comments

about 2 months ago by shunghsiyu | Reply

I've uploaded the jupyter notebook on GitHub that contains a minimal model of tnum along with tnum_add(), as well as the prove that it works.

about 1 month ago by shunghsiyu | Reply

The slides used for lightning talk can be found here

While I'd like to achieve much more, I think what I've done during hack week is suffice to be called a complete project, so I'm marking this as complete

Project Description

Goal for this Hackweek

Resources

Looking for hackers with the skills:

This project is part of:

Activity

Comments

about 2 months ago by shunghsiyu | Reply

about 1 month ago by shunghsiyu | Reply

Similar Projects

kernel

mac80211_hwsim tool by cfconrad

Project Description

Create a DRM driver for Matrox desktop cards by tdz

early stage kdump support by mbrugger

Poking technologies for enrolling customer key to kernel trusted keyring by joeyli

generic zswap dedup by ailiopoulos

security

Project Verifree : internal key server(s) by mcaj

Project description

Learn more about Application Security (AppSec) Open Source Tools and Testing Techniques by heidi.bronson

rust security reviews and cargo-crev by jzerebecki

Poking technologies for enrolling customer key to kernel trusted keyring by joeyli

Kanidm - Modern Opensource Identity Management by firstyear

Project Description