
Research On Fuzzing-based Vulnerability Discovery Technique For EBPF

Posted on: 2024-03-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Li
Full Text: PDF
GTID: 2568307079960029
Subject: Cyberspace security

Abstract/Summary:
eBPF (extended Berkeley Packet Filter) is an evolving technology implemented in the Linux kernel which allows user-written programs to run in the kernel without modifying the kernel code. Fuzzing has recently become the most popular vulnerability discovery technique due to its efficiency and practicality. Some tools apply generic fuzzing techniques to eBPF; however, fuzzing faces many challenges because of eBPF's complex architecture and its special vulnerability patterns. First, many of the vulnerabilities in the eBPF verifier module are logic bugs that have no easily observable impact on the system and are therefore difficult to discover. Second, blind input generation methods have difficulty meeting the syntactic and semantic requirements of eBPF, so the generated input samples are rejected early, which makes it hard to fuzz the eBPF system efficiently and adequately. In response to these challenges, this thesis researches the design and implementation of vulnerability discovery techniques for eBPF. The main work and contributions are as follows:

1. Research on a verifier logic bug state detection method. First, we analyze the shortcomings of existing methods in bug detection by combining the exploitation characteristics and patterns of eBPF verifier logic bugs, and conclude that the main limitation is that bug detection lags behind bug triggering. This thesis designs a verifier state capture framework and combines it with detection of run-time violations of verification assumptions and of malformed bounds, so that bug states are detected in the early stages of bug triggering.

2. Research on semantically enhanced input generation methods. First, we analyze the deficiencies of existing approaches using specific helper function vulnerability trigger samples. The main limitation is that context-independent methods find it difficult to generate inputs that satisfy the semantic requirements. This thesis summarizes the syntactic and semantic requirements of the eBPF system and proposes a context-aware input generation framework based on the idea of reusing the register states maintained by the verifier, designing an instruction generation process and register type-based instruction generation rules to improve the quality of the generated instructions.

3. Fuzzing framework implementation and experimental evaluation. This thesis implements the above fuzzing methods in a fuzzing framework named ebpfuzz, based on Syzkaller, and designs experiments to demonstrate the methods' effectiveness. The results show that, compared to Syzkaller and other open-source tools, the verifier logic bug state detection method in this thesis exposes previously known logic bugs in eBPF more quickly and more stably, and the input generation method in this thesis generates valid eBPF instructions more efficiently and in a more balanced manner, reaching higher code coverage faster. In addition, based on this work, 3 vulnerabilities and 1 implementation bug were discovered in the eBPF system, and 3 functional patches and 5 self-test cases were submitted.
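As an added illustration (not the thesis's own code and not the ebpfuzz implementation), the following Python model sketches the two ideas the abstract describes: a context-aware generator that only emits instructions whose operand registers have the right tracked type, compared against a blind generator, and a consistency check on the tracked scalar bounds that is evaluated after every accepted instruction so a malformed state is flagged when it appears rather than when it later causes a crash. Everything in it is assumed for the illustration: the four instruction templates, the four register types, the bounds transfer for addition, the three checked invariants and the 2000-instruction campaign are constructed simplifications of the kernel verifier, not its real rules.

```python
"""Added example (not from the thesis or ebpfuzz): a toy model of the eBPF
verifier's per-register state, showing type-aware instruction generation and a
bounds-consistency check used as an early bug indicator. All rules are assumed."""
import random
from dataclasses import dataclass

U64_MAX, S64_MAX, S64_MIN = (1 << 64) - 1, (1 << 63) - 1, -(1 << 63)
NREGS, WRITABLE = 11, range(0, 10)   # r0..r10; r10 is the read-only frame pointer
# A subset of the verifier's register types, named after bpf_reg_type values.
NOT_INIT, SCALAR, PTR_TO_CTX, PTR_TO_STACK = "not_init", "scalar", "ptr_to_ctx", "ptr_to_stack"

@dataclass(frozen=True)
class Reg:
    type: str
    umin: int = 0
    umax: int = U64_MAX
    smin: int = S64_MIN
    smax: int = S64_MAX

def initial_regs():
    """Entry state: r1 holds the context pointer, r10 the stack frame pointer."""
    regs = [Reg(NOT_INIT)] * NREGS
    regs[1], regs[10] = Reg(PTR_TO_CTX), Reg(PTR_TO_STACK)
    return regs

def bounds_violations(reg):
    """List the invariants a tracked scalar breaks; a non-empty list is the
    'malformed bounds' signal. Three simplified invariants are checked."""
    if reg.type != SCALAR:
        return []
    bad = []
    if reg.umin > reg.umax:
        bad.append("umin > umax")
    if reg.smin > reg.smax:
        bad.append("smin > smax")
    if reg.umin == reg.umax and reg.smin != reg.smax:
        bad.append("known constant with unknown signed range")
    return bad

def add_scalars(a, b):
    """Bounds transfer for SCALAR + SCALAR: sum the ranges and fall back to the
    unknown range wherever the sum could wrap around 64 bits."""
    umin, umax = a.umin + b.umin, a.umax + b.umax
    if umax > U64_MAX:
        umin, umax = 0, U64_MAX
    smin, smax = a.smin + b.smin, a.smax + b.smax
    if smin < S64_MIN or smax > S64_MAX:
        smin, smax = S64_MIN, S64_MAX
    return Reg(SCALAR, umin, umax, smin, smax)

# name -> (required dst type, required src type, whether dst is overwritten)
TEMPLATES = {
    "MOV_IMM":   (None,         None,       True),   # dst = imm
    "ADD_REG":   (SCALAR,       SCALAR,     True),   # dst += src
    "LDX_CTX":   (None,         PTR_TO_CTX, True),   # dst = *(src + off)
    "STX_STACK": (PTR_TO_STACK, SCALAR,     False),  # *(dst + off) = src
}

def apply(regs, insn):
    """Verifier-style acceptance: the new register file, or None when an
    operand's tracked type does not satisfy the instruction."""
    name, dst, src, imm = insn
    need_dst, need_src, writes_dst = TEMPLATES[name]
    if (need_dst is not None and regs[dst].type != need_dst) or \
       (need_src is not None and regs[src].type != need_src) or \
       (writes_dst and dst not in WRITABLE):
        return None
    new = list(regs)
    if name == "MOV_IMM":
        new[dst] = Reg(SCALAR, imm, imm, imm, imm)   # imm becomes a known constant
    elif name == "ADD_REG":
        new[dst] = add_scalars(regs[dst], regs[src])
    elif name == "LDX_CTX":
        new[dst] = Reg(SCALAR)                       # loaded value: unknown scalar
    return new

def gen_blind(rng, regs):
    """Context-free generation: operands drawn without looking at the state."""
    return (rng.choice(list(TEMPLATES)), rng.randrange(NREGS),
            rng.randrange(NREGS), rng.randrange(1024))

def gen_context_aware(rng, regs):
    """Context-aware generation: enumerate only (template, dst, src) choices
    whose operand types match the tracked register state, then pick one."""
    options = []
    for name, (need_dst, need_src, writes_dst) in TEMPLATES.items():
        dsts = [r for r in range(NREGS) if (need_dst is None or regs[r].type == need_dst)
                and (not writes_dst or r in WRITABLE)]
        srcs = [r for r in range(NREGS) if need_src is None or regs[r].type == need_src]
        options += [(name, d, s) for d in dsts for s in srcs]
    name, dst, src = rng.choice(options)   # MOV_IMM is always available, so never empty
    return (name, dst, src, rng.randrange(1024))

def run_campaign(gen, n=2000, seed=1):
    """Feed n generated instructions through apply(); return
    (accepted, rejected, bounds_alerts) for that generator."""
    rng, regs = random.Random(seed), initial_regs()
    accepted = rejected = alerts = 0
    for _ in range(n):
        new = apply(regs, gen(rng, regs))
        if new is None:
            rejected += 1
            continue
        accepted, regs = accepted + 1, new
        alerts += sum(1 for r in regs if bounds_violations(r))   # checked after every step
    return accepted, rejected, alerts

if __name__ == "__main__":
    for gen in (gen_blind, gen_context_aware):
        print(gen.__name__, run_campaign(gen))
    print(bounds_violations(Reg(SCALAR, umin=10, umax=5)))   # constructed malformed state
```

Running the script compares the two generators on the same seeded campaign: the context-aware generator's rejection count is zero by construction, because it consults the same typed register state that the acceptance check uses, while the blind generator spends a large share of its draws on instructions that are rejected immediately. The bounds check runs after every accepted instruction, which is what lets a malformed scalar state be attributed to the instruction that produced it; with the correct transfer function above it never fires, and the constructed state in the last line shows what a hit looks like.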
Keywords/Search Tags: Fuzzing, eBPF, Vulnerability Discovery, Bug Indicator, Test Case Generation