Kernel Newbies archive mirror
 help / color / mirror / Atom feed
From: Patrick ZHANG <patrickzhang2333@gmail.com>
To: Andrea Tomassetti <andrea.tomassetti-opensource@devo.com>
Cc: kernelnewbies@kernelnewbies.org
Subject: Re: eBPF Verifier's Design Principles
Date: Fri, 2 Jun 2023 20:02:49 +0800	[thread overview]
Message-ID: <CAOqUrdjvQz2TiKYj82PG1zLoYd-eJytYf-6ggCrrODzrgpBmxg@mail.gmail.com> (raw)
In-Reply-To: <CAHykVA6GCYqp=HotNmvdHyV9K2hJGoeJaKort6+N0YntkH51bA@mail.gmail.com>

Hi Andrea,

Thank you for your reply, and I appreciate you mentioning the Google article.

After reading it, I noticed that the author did not clearly state the
principles
but only provided a few examples in the third paragraph. However, the article
gave me the idea that I could sort and classify all vulnerability types of
verifier-related CVEs.
While this is only a proof and it is difficult to say that these types are
corresponding to the verifier's design principle, it is a step forward.

Thank you again for your help.

Best regards,
Patrick


Andrea Tomassetti <andrea.tomassetti-opensource@devo.com> 于2023年6月1日周四 20:41写道:
>
> Hi Patrick,
> there's a lot of work related to security and exploiting the eBPF
> verifier out there.
>
> I'm not an expert myself, but the principles you exposed seem right.
>
> Here there's a nice and recent article about eBPF fuzzing:
> https://security.googleblog.com/2023/05/introducing-new-way-to-buzz-for-ebpf.html
>
> Best,
> Andrea
>
> On Thu, Jun 1, 2023 at 9:48 AM Patrick ZHANG <patrickzhang2333@gmail.com> wrote:
> >
> > Hi there,
> > I am not sure I am doing this in the right way.
> > I writing to seek your guidance and expertise regarding on kernel security.
> > Specifically, my focus has been on the eBPF environment and its verifier,
> > which plays a crucial role in ensuring kernel safety.
> >
> > While conducting my research, I discovered that there are no official
> > documents available that outline the principles of the verifier.
> > Consequently, I have endeavored to deduce the kernel safety principles
> > ensured by the verifier by studying its code. Based on my analysis, I
> > have identified the following principles:
> > 1. Control Flow Integrity: It came to my attention that the verifier
> > rejects BPF programs containing indirect call instructions (callx). By
> > disallowing indirect control flow, the verifier ensures the identification
> > of all branch targets, thereby upholding control flow integrity (CFI).
> >
> > 2. Memory Safety: BPF programs are restricted to accessing predefined
> > data, including the stack, maps, and the context. The verifier effectively
> > prevents out-of-bounds access and modifies memory access to thwart
> > Spectre attacks, thus promoting memory safety.
> >
> > 3. Prevention of Information Leak: Through a comprehensive analysis of
> > all register types, the verifier prohibits the writing of pointer-type
> > registers
> > into maps. This preventive measure restricts user processes from reading
> > kernel pointers, thereby mitigating the risk of information leaks.
> >
> > 4. Prevention of Denial-of-Service (DoS): The verifier guarantees the
> > absence of deadlocks and crashes (e.g., division by zero), while also
> > imposing a limit on the execution time of BPF programs (up to 1M
> > instructions). These measures effectively prevent DoS attacks.
> >
> > I would greatly appreciate it if someone could review the aforementioned
> > principles to ensure their accuracy and comprehensiveness. If there are
> > any additional principles that I may have overlooked, I would be grateful
> > for your insights on this matter.
> >
> > Furthermore, I would like to explore why the static verifier was chosen as
> > the means to guarantee kernel security when there are other sandboxing
> > techniques that can achieve kernel safety by careful design.
> >
> > The possible reasons I can think of are that verified (and jitted) BPF
> > programs can run at nearly native speed, and that eBPF inherits the verifier
> > from cBPF for compatibility reasons.
> >
> > Thank you very much for your time and attention. I appreciate the  feedback
> > and insights.
> >
> > Best,
> > Patrick
> >
> > _______________________________________________
> > Kernelnewbies mailing list
> > Kernelnewbies@kernelnewbies.org
> > https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

      reply	other threads:[~2023-06-02 12:04 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-01  7:48 eBPF Verifier's Design Principles Patrick ZHANG
2023-06-01 12:41 ` Andrea Tomassetti
2023-06-02 12:02   ` Patrick ZHANG [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAOqUrdjvQz2TiKYj82PG1zLoYd-eJytYf-6ggCrrODzrgpBmxg@mail.gmail.com \
    --to=patrickzhang2333@gmail.com \
    --cc=andrea.tomassetti-opensource@devo.com \
    --cc=kernelnewbies@kernelnewbies.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).