Comprehensive formal verification of the eBPF verifier’s safety guarantees

Establish a comprehensive formal verification of the Linux kernel eBPF verifier that proves the soundness of the safety guarantees it enforces for eBPF programs, covering the full feature set of the verifier as implemented in the Linux kernel (up to version 6.7) and accounting for its ongoing evolution across kernel releases.

Background

The eBPF verifier is the in-kernel static analysis component that ensures loaded eBPF programs satisfy safety properties such as memory and type safety, resource safety, data-race freedom (for kernel state), termination, and execution-context invariants. The verifier operates over eBPF bytecode with BTF type information, performing symbolic execution, state pruning, and various checks before programs are JIT-compiled.

While parts of the verifier’s numerical abstract domain (tnum) have received formal treatment—showing soundness and optimality—and there have been formal efforts targeting range analysis and JIT correctness, there is no end-to-end formal proof establishing that the verifier’s overall safety guarantees are sound. The breadth of supported features and frequent kernel updates further increase the complexity and urgency of a comprehensive formal verification.
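To make the soundness notion concrete, the following Python model of the tnum domain is an added example (not code from the paper or the kernel tree): tnum_add and tnum_and follow the kernel's own bit-level algorithms, naive_add is a constructed unsound variant, and is_sound checks the domain exhaustively at a small bit width W (an assumption chosen to keep the check fast).

```python
from dataclasses import dataclass
from itertools import product

W = 4                  # bit width; 4 bits keeps the exhaustive check small
MASK = (1 << W) - 1

@dataclass(frozen=True)
class Tnum:
    """Tristate number: every bit is known-0, known-1, or unknown."""
    value: int         # known bit values (0 wherever the mask bit is 1)
    mask: int          # 1 = this bit is unknown
    def contains(self, x):
        return (x & ~self.mask & MASK) == self.value
    def concretize(self):
        return [x for x in range(1 << W) if self.contains(x)]

def tnum_add(a, b):
    # Kernel tnum_add: sv sums the known parts; mu marks every bit that an
    # unknown input bit or an unknown carry can reach.
    sm = (a.mask + b.mask) & MASK
    sv = (a.value + b.value) & MASK
    sigma = (sm + sv) & MASK
    chi = sigma ^ sv
    mu = chi | a.mask | b.mask
    return Tnum(sv & ~mu & MASK, mu)

def naive_add(a, b):
    # Constructed, deliberately UNSOUND add: ignores carries out of unknown bits.
    mu = a.mask | b.mask
    return Tnum((a.value + b.value) & ~mu & MASK, mu)

def tnum_and(a, b):
    # Kernel tnum_and: a bit stays unknown only if it may be 1 on both sides
    # and is not already known-1 on both.
    alpha = a.value | a.mask
    beta = b.value | b.mask
    v = a.value & b.value
    return Tnum(v, alpha & beta & ~v & MASK)

def all_tnums():
    for value, mask in product(range(1 << W), repeat=2):
        if value & mask == 0:      # well-formed: no known bit under the mask
            yield Tnum(value, mask)

def is_sound(abstract_op, concrete_op):
    # Soundness at W bits: for every abstract input pair, every concrete result
    # of every concretization must lie in the abstract result.
    for ta, tb in product(all_tnums(), repeat=2):
        out = abstract_op(ta, tb)
        for x, y in product(ta.concretize(), tb.concretize()):
            if not out.contains(concrete_op(x, y) & MASK):
                return False
    return True
```

Running is_sound over all 81 four-bit tnums shows the kernel's add and and are sound while the carry-ignoring variant is not, which is exactly the kind of property an end-to-end proof has to establish for every verifier operation.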

References

There has been no comprehensive formal investigation of the verifier and whether its safety guarantees are sound. This remains an open research problem, and also a huge undertaking due to the large number of features the verifier supports.

The eBPF Runtime in the Linux Kernel (2410.00026 - Gbadamosi et al., 2024), Section "Challenges", Subsection "Formal Verification"