DOI: 10.1145/3314221.3314590
Research article, Public Access

Simple and precise static analysis of untrusted Linux kernel extensions

Published: 08 June 2019

Abstract

Extended Berkeley Packet Filter (eBPF) is a Linux subsystem that allows safely executing untrusted user-defined extensions inside the kernel. It relies on static analysis to protect the kernel against buggy and malicious extensions. As the eBPF ecosystem evolves to support more complex and diverse extensions, the limitations of its current verifier, including a high rate of false positives, poor scalability, and lack of support for loops, have become a major barrier for developers.
We design a static analyzer for eBPF within the framework of abstract interpretation. Our choice of abstraction is based on common patterns found in many eBPF programs. We observed that eBPF programs manipulate memory in a rather disciplined way, which permits analyzing them successfully with a scalable mixture of a very precise abstraction of certain bounded regions and coarser abstractions of the rest of memory. We use the Zone domain, a simple domain that tracks differences between pairs of registers and offsets, to achieve a precise and scalable analysis. We demonstrate that this abstraction is as precise in practice as more costly abstract domains like Octagon and Polyhedra.
Furthermore, our evaluation, based on hundreds of real-world eBPF programs, shows that the new tool generates no more false alarms than the existing Linux verifier, while supporting a wider class of programs (including programs with loops) and having better asymptotic complexity.
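The following is an added illustration of the kind of reasoning the abstract describes; it is not code from the paper or from the PREVAIL verifier. It implements a textbook Zone domain (a difference-bound matrix over constraints of the form x - y <= c) and runs it over two hypothetical eBPF-style fragments: a straight-line packet parser that bounds-checks an Ethernet header and then performs one checked and one unchecked load, and a bounded loop that walks the packet in 4-byte steps, which needs join and widening at the loop head. The register names r1..r4 and the variables data and data_end (standing for ctx->data and ctx->data_end) are assumptions made for the example.

```python
"""Toy Zone-domain checker for eBPF-style packet accesses (constructed example,
not PREVAIL's code). Each fact has the form  x - y <= c  over registers and the
packet bounds data/data_end."""
from itertools import product

INF = float("inf")
ZERO = "0"   # constant pseudo-variable, so  x - ZERO <= c  encodes  x <= c


class Zone:
    """Closed difference-bound matrix: b[x][y] = c means x - y <= c (INF: no bound)."""

    def __init__(self, variables):
        self.vars = [ZERO] + list(variables)
        self.b = {x: {y: (0 if x == y else INF) for y in self.vars} for x in self.vars}

    def copy(self):
        z = Zone.__new__(Zone)
        z.vars, z.b = self.vars, {x: dict(r) for x, r in self.b.items()}
        return z

    def close(self):
        """Floyd-Warshall: derive x - z <= (x - y) + (y - z) for every intermediate y."""
        for k, i, j in product(self.vars, repeat=3):
            self.b[i][j] = min(self.b[i][j], self.b[i][k] + self.b[k][j])
        return self

    def is_bottom(self):
        return any(self.b[x][x] < 0 for x in self.vars)   # negative cycle: infeasible path

    def assume(self, x, y, c):
        """Branch condition  x - y <= c  (the not-taken side of 'if x > y + c goto ...')."""
        self.b[x][y] = min(self.b[x][y], c)
        return self.close()

    def assign(self, dst, src, c):
        """dst := src + c. Pointer arithmetic keeps the exact offset to src."""
        if dst == src:                       # dst += c: shift every bound on dst
            for v in self.vars:
                if v != dst:
                    self.b[dst][v] += c
                    self.b[v][dst] -= c
            return self
        for v in self.vars:                  # forget old dst, then relate it to src
            self.b[dst][v] = self.b[v][dst] = INF
        self.b[dst][dst], self.b[dst][src], self.b[src][dst] = 0, c, -c
        return self.close()

    def join(self, other):
        """Control-flow merge: keep the weaker of each pair of bounds."""
        z = self.copy()
        for x, y in product(self.vars, repeat=2):
            z.b[x][y] = max(self.b[x][y], other.b[x][y])
        return z

    def widen(self, other):
        """Loop heads: any bound that grew since the last round is dropped to INF."""
        z = self.copy()
        for x, y in product(self.vars, repeat=2):
            z.b[x][y] = self.b[x][y] if other.b[x][y] <= self.b[x][y] else INF
        return z

    def leq(self, other):
        return all(self.b[x][y] <= other.b[x][y] for x, y in product(self.vars, repeat=2))

    def access_ok(self, ptr, off, size, lo="data", hi="data_end"):
        """Does every byte of [ptr+off, ptr+off+size) provably lie in [lo, hi)?"""
        return self.b[lo][ptr] <= off and self.b[ptr][hi] <= -(off + size)


def straight_line():
    """r1 = ctx->data; r2 = ctx->data_end; r3 = r1 + 14; if (r3 > r2) drop;
    then a 2-byte load of h_proto at r1+12 and an unchecked 4-byte load at r1+14.
    Returns (first load verified?, second load verified?)."""
    z = Zone(["data", "data_end", "r1", "r2", "r3"])
    z.assume("data", "data_end", 0)          # data <= data_end: kernel invariant
    z.assign("r1", "data", 0).assign("r2", "data_end", 0).assign("r3", "r1", 14)
    ok_path = z.copy().assume("r3", "r2", 0)  # fall-through: r1 + 14 <= data_end
    return ok_path.access_ok("r1", 12, 2), ok_path.access_ok("r1", 14, 4)


def bounded_loop(max_rounds=10):
    """r4 = r1; loop: if (r4 + 4 > r2) exit; load4(r4); r4 += 4; goto loop.
    Iterates the loop head with join + widening. Returns (fixpoint found?, load verified?)."""
    z = Zone(["data", "data_end", "r1", "r2", "r4"])
    z.assume("data", "data_end", 0)
    head = z.assign("r1", "data", 0).assign("r2", "data_end", 0).assign("r4", "r1", 0)
    for _ in range(max_rounds):
        body = head.copy().assume("r4", "r2", -4)   # guard not taken: r4 + 4 <= r2
        if not body.access_ok("r4", 0, 4):
            return True, False
        back = body.assign("r4", "r4", 4)             # back edge carries r4 += 4
        new_head = head.widen(head.join(back))
        if new_head.leq(head):                        # nothing changed: invariant found
            return True, True
        head = new_head
    return False, False


if __name__ == "__main__":
    print("straight-line (h_proto load, unchecked IP load):", straight_line())
    print("bounded loop (converged, load verified):", bounded_loop())
```

The first fragment verifies the 2-byte load (the guard established r1 + 14 <= data_end) and rejects the 4-byte load at offset 14, which would need r1 + 18 <= data_end; this is the same shape of check the Linux verifier applies to direct packet access. The loop converges after the second round: widening drops the exact r4 - r1 distance, but the facts that matter, data <= r4 and (inside the body) r4 + 4 <= data_end, survive, so the load is proved safe without unrolling. Constraints that are not differences of two variables (for example a scaled index times a bound) are outside what Zone can express; the abstract's claim is that real eBPF programs rarely need them.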

Supplementary Material

WEBM File (p1069-gershuni.webm)
MP4 File (3314221.3314590.mp4)
Video Presentation



Published In

PLDI 2019: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2019, 1162 pages
ISBN: 9781450367127
DOI: 10.1145/3314221
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. ebpf
  2. kernel extensions
  3. linux
  4. static analysis

Conference

PLDI '19
Overall Acceptance Rate: 406 of 2,067 submissions, 20%

Article Metrics

  • Downloads (Last 12 months): 558
  • Downloads (Last 6 weeks): 75
Reflects downloads up to 30 Aug 2024

Cited By

  • PRSafe: A Domain Specific Language Created with LLVM. Journal of Information Processing 32 (2024), 207-222. DOI 10.2197/ipsjjip.32.207
  • hyDNS: Acceleration of DNS Through Kernel Space Resolution. Proceedings of the ACM SIGCOMM 2024 Workshop on eBPF and Kernel Extensions (4 Aug 2024), 58-64. DOI 10.1145/3672197.3673439
  • An Empirical Study on the Challenges of eBPF Application Development. Proceedings of the ACM SIGCOMM 2024 Workshop on eBPF and Kernel Extensions (4 Aug 2024), 1-8. DOI 10.1145/3672197.3673429
  • NetEdit: An Orchestration Platform for eBPF Network Functions at Scale. Proceedings of the ACM SIGCOMM 2024 Conference (4 Aug 2024), 721-734. DOI 10.1145/3651890.3672227
  • BRF: Fuzzing the eBPF Runtime. Proceedings of the ACM on Software Engineering 1, FSE (12 Jul 2024), 1152-1171. DOI 10.1145/3643778
  • Finding Correctness Bugs in eBPF Verifier with Structured and Sanitized Program. Proceedings of the Nineteenth European Conference on Computer Systems (22 Apr 2024), 689-703. DOI 10.1145/3627703.3629562
  • Composing eBPF Programs Made Easy With HIKe and eCLAT. IEEE Transactions on Network and Service Management 21, 2 (Apr 2024), 1359-1371. DOI 10.1109/TNSM.2023.3325624
  • Defeating Data Plane Attacks With Program Obfuscation. IEEE Transactions on Dependable and Secure Computing 21, 3 (May 2024), 1317-1330. DOI 10.1109/TDSC.2023.3277939
  • Research Report: Enhanced eBPF Verification and eBPF-based Runtime Safety Protection. 2024 IEEE Security and Privacy Workshops (SPW) (23 May 2024), 224-230. DOI 10.1109/SPW63631.2024.00026
  • Automating Registration of Executables as Commands on the Ubuntu-Linux Platform. 2024 5th International Conference for Emerging Technology (INCET) (24 May 2024), 1-5. DOI 10.1109/INCET61516.2024.10593197
