Previous progress: last year at Hack Week 21
- Hack Week website
- Use model checking to validate the tnum_add() algorithm
  - already done by the "Sound, precise, and fast abstract interpretation with tristate numbers" work; I'm just learning through mimicking
Progress so far this year: Hack Week 23
- ... a more efficient way to do value tracking
- Confirm that the new algorithm works with model checking
- Submitted a draft PR upstream; received initial feedback from Alexei Starovoitov (one of the maintainers of the BPF subsystem)
BPF Verifier
- Crash the kernel
- Access data it is not supposed to read/write, e.g. CVE-2021-3490 (privilege escalation vulnerability)
Need to ensure that the BPF verifier is bug-free (as much as possible)
Value Tracking: An example
    void main(void)
    {
        /* `i` can be anything from INT_MIN to INT_MAX */
        if (0 < i && i < 2)
            /* `i` can be 0 to 2 */
            access(i);  /* 2 < 10, so ok */
    }
Value Tracking: An example
    void main(void)
    {
        /* `i` can be anything from INT_MIN to INT_MAX */
        if (0 < i && i < 2) {
            /* `i` can be 0 to 2 */
            i = i + 5;
            /* `i` can be 5 to 7 */
            access(i);  /* 7 < 10, so ok */
        }
    }
Value Tracking: An example
    void main(void)
    {
        /* `i`, `j` can be anything from INT_MIN to INT_MAX */
        if (0 < i && i < 2) {
            /* `i` can be 0 to 2 */
            if (0 < j && j < 4) {
                /* `j` can be 0 to 4 */
                /* i + j can be 0 to 6 */
                access(i + j);  /* 6 < 10, so ok */
            }
        }
    }
Value Tracking: In the Linux Kernel
... value similar to the previous reasoning, by tracking the possible values through a minimum and a maximum:
    struct range {
        int min;
        int max;
    };
Value Tracking: In the Linux Kernel
... on the range, e.g. for addition we'd have a range_add() function:
    /* Takes two ranges and adds them */
    struct range range_add(struct range a, struct range b)
    {
        return (struct range){ .min = a.min + b.min, .max = a.max + b.max };
    }
But does it work?
Model Checking
... of the algorithm using the modeling DSL
C implementation:
    struct range range_add(struct range a, struct range b)
    {
        return (struct range){ .min = a.min + b.min, .max = a.max + b.max };
    }
"model" of the above implementation (Python):
    from z3 import *

    # Range wraps symbolic z3 min/max bounds; its definition is not on these slides
    def range_add(a: Range, b: Range):
        new_min = a.min + b.min
        new_max = a.max + b.max
        return Range(min=new_min, max=new_max)
Model Checking
Say we have two integers x and y. x can be any possible value within the r1 range and y can be any possible value within r2. Now, if we calculate a new rsum using range_add() ...
    r1 = Range('r1'); r2 = Range('r2')
    rsum = range_add(r1, r2)
    premise = And(r1.contains(x), r2.contains(y))
    prove(Implies(premise, rsum.contains(x + y)))
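A bounded, offline version of the prove() check above, added here as an example (it is neither the slides' z3 code nor kernel code): instead of asking z3 it enumerates every range pair at a toy 4-bit width, and it answers the "but does it work?" question for the C range_add(), since fixed-width addition wraps and so a.max + b.max can land below a.min + b.min. The names Range, wrap, range_add_naive, range_add_sound and find_counterexample are assumptions of this example.

```python
from dataclasses import dataclass
from itertools import product

BITS = 4                          # toy width: exhaustive checking stays cheap
INT_MIN = -(1 << (BITS - 1))      # -8
INT_MAX = (1 << (BITS - 1)) - 1   # 7

def wrap(v):
    """Two's-complement wrap to BITS bits, as fixed-width (BPF ALU) addition does."""
    return ((v - INT_MIN) % (1 << BITS)) + INT_MIN

@dataclass(frozen=True)
class Range:
    min: int
    max: int
    def contains(self, x):
        return self.min <= x <= self.max

def range_add_naive(a, b):
    """The slide's range_add(), with each bound computed in wrapping arithmetic."""
    return Range(wrap(a.min + b.min), wrap(a.max + b.max))

def range_add_sound(a, b):
    """Same idea, but give up (full range) when a bound would overflow; the kernel
    verifier resets scalar bounds to unknown in the same situation."""
    lo, hi = a.min + b.min, a.max + b.max
    if lo < INT_MIN or hi > INT_MAX:
        return Range(INT_MIN, INT_MAX)
    return Range(lo, hi)

def all_ranges():
    return [Range(lo, hi) for lo in range(INT_MIN, INT_MAX + 1)
            for hi in range(lo, INT_MAX + 1)]

def find_counterexample(add):
    """Bounded version of the slide's prove(Implies(premise, rsum.contains(x + y))):
    return (a, b, x, y) with x in a and y in b but x + y outside add(a, b), else None."""
    for a, b in product(all_ranges(), repeat=2):
        rsum = add(a, b)
        for x in range(a.min, a.max + 1):
            for y in range(b.min, b.max + 1):
                if not rsum.contains(wrap(x + y)):   # the program's add wraps too
                    return (a, b, x, y)
    return None

if __name__ == "__main__":
    print("naive:", find_counterexample(range_add_naive))   # a counterexample
    print("sound:", find_counterexample(range_add_sound))   # None
```

The same premise/conclusion shape carries over to z3 unchanged; the point of the bounded run is that the naive version fails as soon as a bound crosses INT_MAX or INT_MIN.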