BRF: eBPF Runtime Fuzzer
- URL: http://arxiv.org/abs/2305.08782v1
- Date: Mon, 15 May 2023 16:42:51 GMT
- Title: BRF: eBPF Runtime Fuzzer
- Authors: Hsin-Wei Hung and Ardalan Amiri Sani
- Abstract summary: This paper introduces the BPF Runtime Fuzzer (BRF), a fuzzer that can satisfy the semantics and dependencies required by the verifier and the eBPF subsystem.
BRF achieves 101% higher code coverage. As a result, BRF has so far managed to find 4 vulnerabilities (some of them have been assigned CVE numbers) in the eBPF runtime.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The eBPF technology in the Linux kernel has been widely adopted for different
applications, such as networking, tracing, and security, thanks to the
programmability it provides. By allowing user-supplied eBPF programs to be
executed directly in the kernel, it greatly increases the flexibility and
efficiency of deploying customized logic. However, eBPF also introduces a new
and wide attack surface: malicious eBPF programs may try to exploit the
vulnerabilities in the eBPF subsystem in the kernel.
Fuzzing is a promising technique to find such vulnerabilities. Unfortunately,
our experiments with the state-of-the-art kernel fuzzer, Syzkaller, show that
it cannot effectively fuzz the eBPF runtime, i.e., the components that are in
charge of executing an eBPF program, for two reasons. First, the eBPF verifier
(which is tasked with verifying the safety of eBPF programs) rejects many
fuzzing inputs because (1) they do not comply with its required semantics or
(2) they miss some dependencies, i.e., other syscalls that need to be issued
before the program is loaded. Second, Syzkaller fails to attach and trigger the
execution of eBPF programs most of the time.
This paper introduces the BPF Runtime Fuzzer (BRF), a fuzzer that can satisfy
the semantics and dependencies required by the verifier and the eBPF subsystem.
Our experiments show, in 48-hour fuzzing sessions, BRF can successfully execute
8x more eBPF programs compared to Syzkaller. Moreover, eBPF programs generated
by BRF are much more expressive than Syzkaller's. As a result, BRF achieves
101% higher code coverage. Finally, BRF has so far managed to find 4
vulnerabilities (some of them have been assigned CVE numbers) in the eBPF
runtime, proving its effectiveness.
Related papers
- SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions [1.0499611180329806] (2024-09-11T13:58:51Z)
  We introduce SafeBPF, a general design that isolates eBPF programs from the rest of the kernel to prevent memory safety vulnerabilities from being exploited.
  We show that SafeBPF incurs up to 4% overhead on macrobenchmarks while achieving the desired security properties.
- VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel Extensions [0.07696728525672149] (2024-04-30T12:34:23Z)
  Linux's extended Berkeley Packet Filter (BPF) avoids user/kernel transitions by just-in-time compiling user-provided bytecode.
  To mitigate the Spectre vulnerabilities disclosed in 2018, defenses that reject potentially dangerous programs had to be deployed.
  We propose VeriFence, an enhancement to the kernel's Spectre defenses that reduces the number of BPF application programs rejected from 54% to zero.
- When eBPF Meets Machine Learning: On-the-fly OS Kernel Compartmentalization [10.368811907720064] (2024-01-11T03:30:50Z)
  Compartmentalization effectively prevents initial corruption from turning into a successful attack.
  This paper presents O2C, a pioneering system designed to enforce OS kernel compartmentalization on the fly.
  O2C is empowered by the newest advancements of the eBPF ecosystem, which allow eBPF programs that perform enforcement actions to be instrumented into the kernel at runtime.
- KEN: Kernel Extensions using Natural Language [1.293634133244466] (2023-12-09T10:45:54Z)
  KEN is a framework that allows kernel extensions to be written in natural language.
  It synthesizes an eBPF program given a user's English language prompt.
  We show that KEN produces correct eBPF programs in 80% of cases, which is an improvement by a factor of 2.67 compared to an LLM-empowered program synthesis baseline.
- Iterative Shallow Fusion of Backward Language Model for End-to-End Speech Recognition [48.328702724611496] (2023-10-17T05:44:10Z)
  We propose a new shallow fusion (SF) method to exploit an external backward language model (BLM) for end-to-end automatic speech recognition (ASR).
  We iteratively apply the BLM to partial ASR hypotheses in the backward direction (i.e., from the possible next token to the start symbol) during decoding, substituting the newly calculated BLM scores for the scores calculated at the last iteration.
  In experiments using an attention-based encoder-decoder ASR system, we confirmed that ISF shows comparable performance with SF using the FLM.
- Does Continual Learning Equally Forget All Parameters? [55.431048995662714] (2023-04-09T04:36:24Z)
  Distribution shift (e.g., task or domain shift) in continual learning (CL) usually results in catastrophic forgetting in neural networks.
  We study which modules in neural networks are more prone to forgetting by investigating their training dynamics during CL.
  We propose a more efficient and simpler method that entirely removes the every-step replay and replaces it with only $k$ applications of FPF, periodically triggered during CL.
- The Cascaded Forward Algorithm for Neural Network Training [61.06444586991505] (2023-03-17T02:01:11Z)
  We propose a new learning framework for neural networks, namely the Cascaded Forward (CaFo) algorithm, which does not rely on BP optimization as FF does.
  Unlike FF, our framework directly outputs label distributions at each cascaded block, which does not require the generation of additional negative samples.
  In our framework each block can be trained independently, so it can be easily deployed on parallel acceleration systems.
- MOAT: Towards Safe BPF Kernel Extension [10.303142268182116] (2023-01-31T05:31:45Z)
  The Linux kernel extensively uses the Berkeley Packet Filter (BPF) to allow user-written BPF applications to execute in kernel space.
  Recent attacks show that BPF programs can evade security checks and gain unauthorized access to kernel memory.
  We present MOAT, a system that isolates potentially malicious BPF programs using Intel Memory Protection Keys (MPK).
- General Cutting Planes for Bound-Propagation-Based Neural Network Verification [144.7290035694459] (2022-08-11T10:31:28Z)
  We generalize the bound propagation procedure to allow the addition of arbitrary cutting plane constraints.
  We find that MIP solvers can generate high-quality cutting planes for strengthening bound-propagation-based verifiers.
  Our method is the first verifier that can completely solve the oval20 benchmark and verify twice as many instances on the oval21 benchmark.
- Computation Offloading and Resource Allocation in F-RANs: A Federated Deep Reinforcement Learning Approach [67.06539298956854] (2022-06-13T02:19:20Z)
  The fog radio access network (F-RAN) is a promising technology in which user mobile devices (MDs) can offload computation tasks to nearby fog access points (F-APs).
- Differentially Private Federated Bayesian Optimization with Distributed Exploration [48.9049546219643] (2021-10-27T04:11:06Z)
  We introduce differential privacy (DP) into the training of deep neural networks through a general framework for adding DP to iterative algorithms.
  We show that DP-FTS-DE achieves high utility (competitive performance) with a strong privacy guarantee.
  We also use real-world experiments to show that DP-FTS-DE induces a trade-off between privacy and utility.
This list is automatically generated from the titles and abstracts of the papers in this site.