Research Report: Enhanced eBPF Verification and eBPF-based Runtime Safety Protection

The extended Berkeley Packet Filter (eBPF) technology has been extending the capabilities of current Operating Systems (OSs) rapidly in recent years. The eBPF community is wellaware of using formal verification methods to ensure the security of eBPF programs. However, each of the two primary kinds of formal methods, namely abstract interpretation and symbolic execution, comes with their own set of pros and cons. This research report presents our formal eBPF verification approach, which combines the merits of both types of formal methods to ensure soundness, completeness, precision and recall for our solution. This solid security foundation makes eBPF-based applications particularly appealing in the field of cybersecurity. In addition, this research report describes our eBPF-based solution to enhance the runtime security for prebuilt user-space programs. Grounded in a formally provable security foundation, our eBPF-based runtime safety monitoring solution avoids introducing new errors, offers customization to counter various vulnerabilities, and eliminates the need for offline instrumentation.