End-to-End Mechanized Proof of an eBPF Virtual Machine for Micro-controllers

Yuan, Shenghao; Besson, Frédéric; Talpin, Jean-Pierre; Hym, Samuel; Zandberg, Koen; Baccelli, Emmanuel

doi:10.1007/978-3-031-13188-2_15

Cited by 4 publications

(4 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The most closely related work was published in [39] and in [38]. In [39], authors provide rBPF, a port of the eBPF instruction set in order to host a (single) VM on a microcontroller.…”

Section: Related Workmentioning

confidence: 99%

“…In contrast, we extend rBPF's instruction set architecture and VM core with an adequate embedded loading and execution environment, which caters for well-defined, event-driven, short lived and isolated (concurrent) execution of (multiple) functions to be deployed on-the-fly on a networked microcontroller. On the other hand, while [38], concerns formal verification of the sole rBPF instruction interpreter, here we also verify the pre-flight instruction checker and we integrate both in our femto-container implementation -the performance of which we thoroughly evaluate on various microcontrollers. Our design and implementation are so small (a few hundreds lines of code) that formal verification was indeed realistic.…”

Section: Related Workmentioning

confidence: 99%

“…Formal verification details. The Coq models and proofs used to obtain CertFC are presented in [38] and available from [1].…”

Section: Femto-container Formal Verificationmentioning

confidence: 99%

See 2 more Smart Citations

Femto-containers

Zandberg

Baccelli

Yuan

et al. 2022

Proceedings of the 23rd ACM/IFIP International Middleware Conference

Self Cite

View full text Add to dashboard Cite

Low-power operating system runtimes used on IoT microcontrollers typically provide rudimentary APIs, basic connectivity and, sometimes, a (secure) firmware update mechanism. In contrast, on less constrained hardware, networked software has entered the age of serverless, microservices and agility. With a view to bridge this gap, in the paper we design Femto-Containers, a new middleware runtime which can be embedded on heterogeneous low-power IoT devices. Femto-Containers enable the secure deployment, execution and isolation of small virtual software functions on low-power IoT devices, over the network. We implement Femto-Containers, and provide integration in RIOT, a popular open source IoT operating system. We then evaluate the performance of our implementation, which was formally verified for fault-isolation, guaranteeing that RIOT is shielded from logic loaded and executed in a Femto-Container. Our experiments on various popular microcontroller architectures (Arm Cortex-M, ESP32 and RISC-V) show that Femto-Containers offer an attractive trade-off in terms of memory footprint overhead, energy consumption, and security. CCS CONCEPTS• Computer systems organization → Embedded systems.

show abstract

“…The most closely related work was published in [39] and in [38]. In [39], authors provide rBPF, a port of the eBPF instruction set in order to host a (single) VM on a microcontroller.…”

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Femto-containers

Zandberg

Baccelli

Yuan

et al. 2022

Proceedings of the 23rd ACM/IFIP International Middleware Conference

Self Cite

View full text Add to dashboard Cite

show abstract

“…Then, they are compiled to eBPF with LLVM. For a variant of eBPF for embedded systems, CertrBPF [63] provides a formally verified compiler. All extra memory, i.e.…”

Section: Introductionmentioning

confidence: 99%

Automatic Bit- and Memory-Precise Verification of eBPF Code

Bromberger,

Schwarz,

Weidenbach

EPiC Series in Computing

View full text Add to dashboard Cite

We propose a translation from eBPF (extended Berkeley Packet Filter) code to CHC (Constrained Horn Clause sets) over the combined theory of bitvectors and arrays. eBPF is in particular used in the Linux kernel where user code is executed under kernel privileges. In order to protect the kernel, a well-known verifier statically checks the code for any harm and a number of research efforts have been performed to secure and improve the performance of the verifier. This paper is about verifying the functional properties of the eBPF code itself. Our translation procedure bpfverify is precise and covers almost all details of the eBPF language. Functional properties are automatically verified using z3. We prove termination of the procedure and show by real world eBPF code examples that full-fledged automatic verification is actually feasible.

show abstract