Download PDFOpen PDF in browser

Automatic Bit- and Memory-Precise Verification of eBPF Code

24 pagesPublished: May 26, 2024

Abstract

We propose a translation from eBPF (extended Berkeley Packet Filter) code to CHC (Constrained Horn Clause sets) over the combined theory of bitvectors and arrays. eBPF is in particular used in the Linux kernel where user code is executed under kernel privileges. In order to protect the kernel, a well-known verifier statically checks the code for any harm and a number of research efforts have been performed to secure and improve the performance of the verifier. This paper is about verifying the functional properties of the eBPF code itself. Our translation procedure bpfverify is precise and covers almost all details of the eBPF language. Functional properties are automatically verified using z3. We prove termination of the procedure and show by real world eBPF code examples that full-fledged automatic verification is actually feasible.

Keyphrases: constrained horn clauses, ebpf, program verification

In: Nikolaj Bjørner, Marijn Heule and Andrei Voronkov (editors). Proceedings of 25th Conference on Logic for Programming, Artificial Intelligence and Reasoning, vol 100, pages 198-221.

BibTeX entry
@inproceedings{LPAR2024:Automatic_Bit_Memory_Precise,
  author    = {Martin Bromberger and Simon Schwarz and Christoph Weidenbach},
  title     = {Automatic Bit- and Memory-Precise Verification of eBPF Code},
  booktitle = {Proceedings of 25th Conference on Logic for Programming, Artificial Intelligence and Reasoning},
  editor    = {Nikolaj Bjørner and Marijn Heule and Andrei Voronkov},
  series    = {EPiC Series in Computing},
  volume    = {100},
  publisher = {EasyChair},
  bibsource = {EasyChair, https://easychair.org},
  issn      = {2398-7340},
  url       = {/publications/paper/bnnf},
  doi       = {10.29007/sj4l},
  pages     = {198-221},
  year      = {2024}}
Download PDFOpen PDF in browser