Simple and precise static analysis of untrusted Linux kernel extensions

Elazar Gershuni, Nina Narodytska, Nadav Amit, Jorge A. Navas, Arie Gurfinkel, Noam Rinetzky, Leonid Ryzhyk, Mooly Sagiv

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

69 Scopus citations

Abstract

Extended Berkeley Packet Filter (eBPF) is a Linux subsystem that allows safely executing untrusted user-defined extensions inside the kernel. It relies on static analysis to protect the kernel against buggy and malicious extensions. As the eBPF ecosystem evolves to support more complex and diverse extensions, the limitations of its current verifier, including high rate of false positives, poor scalability, and lack of support for loops, have become a major barrier for developers. We design a static analyzer for eBPF within the framework of abstract interpretation. Our choice of abstraction is based on common patterns found in many eBPF programs. We observed that eBPF programs manipulate memory in a rather disciplined way which permits analyzing them successfully with a scalable mixture of very-precise abstraction of certain bounded regions with coarser abstractions of other parts of the memory. We use the Zone domain, a simple domain that tracks differences between pairs of registers and offsets, to achieve precise and scalable analysis. We demonstrate that this abstraction is as precise in practice as more costly abstract domains like Octagon and Polyhedra. Furthermore, our evaluation, based on hundreds of real-world eBPF programs, shows that the new tool generates no more false alarms than the existing Linux verifier, while it supports a wider class of programs (including programs with loops) and has better asymptotic complexity.

Original languageEnglish
Title of host publicationPLDI 2019 - Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation
EditorsKathryn S. McKinley, Kathleen Fisher
PublisherAssociation for Computing Machinery
Pages1069-1084
Number of pages16
ISBN (Electronic)9781450367127
DOIs
StatePublished - 8 Jun 2019
Event40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019 - Phoenix, United States
Duration: 22 Jun 201926 Jun 2019

Publication series

NameProceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)

Conference

Conference40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019
Country/TerritoryUnited States
CityPhoenix
Period22/06/1926/06/19

Funding

FundersFunder number
National Science Foundation1817204, 1528153
Office of Naval ResearchN68335-17-C-0558
Blavatnik Family Foundation1996/18, 1810/18
United States-Israel Binational Science Foundation2016260

    Keywords

    • Ebpf
    • Kernel extensions
    • Linux
    • Static analysis

    Fingerprint

    Dive into the research topics of 'Simple and precise static analysis of untrusted Linux kernel extensions'. Together they form a unique fingerprint.

    Cite this