
BRF: Fuzzing the eBPF Runtime

Published: 12 July 2024

Abstract

The eBPF technology in the Linux kernel has been widely adopted for different applications, such as networking, tracing, and security, thanks to the programmability it provides. By allowing user-supplied eBPF programs to be executed directly in the kernel, it greatly increases the flexibility and efficiency of deploying customized logic. However, eBPF also introduces a new and wide attack surface: malicious eBPF programs may try to exploit the vulnerabilities in the eBPF subsystem in the kernel. Fuzzing is a promising technique to find such vulnerabilities. Unfortunately, our experiments with the state-of-the-art kernel fuzzer, Syzkaller, show that it cannot effectively fuzz the eBPF runtime, those components that are in charge of executing an eBPF program, for two reasons. First, the eBPF verifier (which is tasked with verifying the safety of eBPF programs) rejects many fuzzing inputs because (1) they do not comply with its required semantics or (2) they miss some dependencies, i.e., other syscalls that need to be issued before the program is loaded. Second, Syzkaller fails to attach and trigger the execution of eBPF programs most of the time. This paper introduces the BPF Runtime Fuzzer (BRF), a fuzzer that can satisfy the semantics and dependencies required by the verifier and the eBPF subsystem. Our experiments show, in 48-hour fuzzing sessions, BRF can successfully execute 8× more eBPF programs compared to Syzkaller (and 32× more programs compared to Buzzer, an eBPF fuzzer released recently from Google). Moreover, eBPF programs generated by BRF are much more expressive than Syzkaller’s. As a result, BRF achieves 101% higher code coverage. Finally, BRF has so far managed to find 6 vulnerabilities (2 of them have been assigned CVE numbers) in the eBPF runtime, proving its effectiveness.
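As an added illustration of the "missing dependencies" failure the abstract describes (constructed example code, not BRF's or Syzkaller's), the following encodes a minimal map-lookup eBPF program in the kernel's struct bpf_insn wire format and extracts the resources the verifier will expect to exist at load time: map fds referenced through BPF_LD_MAP_FD and helper ids. The map fd value 5 is a constructed sample; opcode and helper constants are taken from uapi/linux/bpf.h.

```python
import struct

# Opcode pieces from uapi/linux/bpf.h (constructed example; not BRF's code)
BPF_LD, BPF_ALU64, BPF_JMP, BPF_ST = 0x00, 0x07, 0x05, 0x02
BPF_IMM, BPF_DW, BPF_MEM, BPF_W = 0x00, 0x18, 0x60, 0x00
BPF_MOV, BPF_ADD, BPF_K, BPF_X = 0xb0, 0x00, 0x00, 0x08
BPF_CALL, BPF_EXIT = 0x80, 0x90
BPF_PSEUDO_MAP_FD = 1          # src_reg value marking an LD_IMM64 imm as a map fd
BPF_FUNC_map_lookup_elem = 1   # helper id
R0, R1, R2, R10 = 0, 1, 2, 10

def insn(op, dst=0, src=0, off=0, imm=0):
    """Encode one struct bpf_insn: op:8, dst_reg:4, src_reg:4, off:16, imm:32 (8 bytes)."""
    return struct.pack("<BBhi", op, (src << 4) | dst, off, imm)

def ld_map_fd(dst, fd):
    """BPF_LD_MAP_FD: a two-slot LD_IMM64 whose src_reg tells the verifier imm is a map fd."""
    return insn(BPF_LD | BPF_IMM | BPF_DW, dst, BPF_PSEUDO_MAP_FD, 0, fd) + insn(0)

def lookup_prog(map_fd):
    """r1 = map, r2 = &key (u32 0 on the stack), call map_lookup_elem; r0 = 0; exit."""
    return b"".join([
        insn(BPF_ST | BPF_MEM | BPF_W, R10, 0, -4, 0),        # *(u32 *)(r10 - 4) = 0
        ld_map_fd(R1, map_fd),                                 # r1 = map_fd (map must exist)
        insn(BPF_ALU64 | BPF_MOV | BPF_X, R2, R10),            # r2 = r10
        insn(BPF_ALU64 | BPF_ADD | BPF_K, R2, 0, 0, -4),       # r2 += -4
        insn(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
        insn(BPF_ALU64 | BPF_MOV | BPF_K, R0, 0, 0, 0),        # r0 = 0
        insn(BPF_JMP | BPF_EXIT),
    ])

def dependencies(prog):
    """Return the map fds and helper ids a program needs to exist before bpf(BPF_PROG_LOAD)."""
    map_fds, helpers, i = [], [], 0
    while i < len(prog):
        op, regs, _off, imm = struct.unpack_from("<BBhi", prog, i)
        src = regs >> 4
        if op == BPF_LD | BPF_IMM | BPF_DW:
            if src == BPF_PSEUDO_MAP_FD:
                map_fds.append(imm)
            i += 16                      # LD_IMM64 occupies two instruction slots
            continue
        if op == BPF_JMP | BPF_CALL and src == 0:
            helpers.append(imm)
        i += 8
    return map_fds, helpers

def missing_maps(prog, created_fds):
    """Map fds the program references that no earlier BPF_MAP_CREATE produced."""
    return [fd for fd in dependencies(prog)[0] if fd not in created_fds]
```

A generator that emits the BPF_MAP_CREATE calls for every fd returned by missing_maps before issuing BPF_PROG_LOAD avoids the verifier rejecting the program for an unknown map fd, which is the dependency class the abstract refers to.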



Information

Published In

Proceedings of the ACM on Software Engineering, Volume 1, Issue FSE
July 2024
2770 pages
EISSN: 2994-970X
DOI: 10.1145/3554322
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Fuzzing
  2. eBPF

Qualifiers

  • Research-article

Funding Sources

  • National Science Foundation
  • Google
