eBPF Hitchhiking

Appearance

Return to top
On this page

Conditional Jump Verification

Our implementation differs from the verifier in Linux.

Range Narrowing

The eBPF verifier should use conditional jump information to narrow down the range of possible values. For example, evaluating the following code goto (A <= B) ? branch_1 : branch_2;, the verifier can use the extra condition A <= B after jumping to branch_1, and apply A > B for branch_2.

The main difference is that we handle range comparisons like ABA \leqslant B and A>BA \gt B, while Linux seems to handle only comparison against a constant number.

Handling the A ⩽ B branch

Let A=[amin,amax],B=[bmin,bmax]A = [a_{\min}, a_{\max}], B = [b_{\min}, b_{\max}].

We are to narrow down the ranges assuming that ABA \leqslant B.

  1. If amaxbmina_{\max} \leqslant b_{\min}, since aba \leqslant b is always true, we can extract no extra info.
  2. If bmax<aminb_{\max} \lt a_{\min}, then aba \leqslant b is never true and the execution flow should never reach here.

Otherwise, let I=AB=[imin,imax]I = A \cap B = [i_{\min}, i_{\max}], where imin=max{amin,bmin}i_{\min} = \max \{ a_{\min}, b_{\min} \}, and imax=min{amax,bmax}i_{\max} = \min \{ a_{\max}, b_{\max} \}. II is never empty.

We can then narrow down the ranges into:

A=[amin,imax],A^{\dagger} = [a_{\min}, i_{\max}],

B=[imin,bmax].B^{\dagger} = [i_{\min}, b_{\max}].

You can verify it by:

  • letting a=bIa' = b' \in I (necessity),
  • and trying a=imax+1a' = i_{\max} + 1 or b=imin1b' = i_{\min} - 1 (sufficiency).

So the above result is the best estimate we can ever deduce.

Handling the A > B branch

It is a little bit more complex.

See the section above for handling these two condition:

  • amaxbmina_{\max} \leqslant b_{\min},
  • bmax<aminb_{\max} \lt a_{\min}.

Otherwise, again, let I=AB=[imin,imax]I = A \cap B = [i_{\min}, i_{\max}]. The narrowed-down ranges are as follows:

ConditionAA^{\dagger}BB^{\dagger}
iminbmini_{\min} \neq b_{\min}[imin,amax][i_{\min}, a_{\max}]
imin=bmini_{\min} = b_{\min}[imin+1,amax][i_{\min} + 1, a_{\max}]
imaxamaxi_{\max} \neq a_{\max}[bmin,imax][b_{\min}, i_{\max}]
imax=amaxi_{\max} = a_{\max}[bmin,imax1][b_{\min}, i_{\max} - 1]

Summing up:

A=[max{amin,bmin+1},amax],A^{\dagger} = [\max\{a_{\min}, b_{\min}+1\}, a_{\max}],

B=[bmin,min{bmax,amax1}].B^{\dagger} = [b_{\min}, \min\{b_{\max}, a_{\max}-1\}].

It should be fairly easy to understand why it is so:

  • since A>B    BAA \gt B \implies B \leqslant A, following the section above, we have:

    • B[bmin,imax]B^{\dagger} \subseteq [b_{\min}, i_{\max}],
    • A[imin,amax]A^{\dagger} \subseteq [i_{\min}, a_{\max}].

  • Sufficiency: A>B    A \gt B \implies bminA,b_{\min} \notin A^{\dagger}, amaxBa_{\max} \notin B^{\dagger},

  • Necessity: verifier against b=imax1b = i_{\max} - 1 or a=imin+1a = i_{\min} + 1 should be enough.

Note that amax>bmina_{\max} \gt b_{\min} and the ranges above are always valid.