PREVAIL - A new eBPF verifier

a Polynomial-Runtime EBPF Verifier using an Abstract Interpretation Layer

The version discussed in the PLDI paper is available here.

DeepWiki: A comprehensive auto-generated documentation is avaliable at https://deepwiki.com/vbpf/prevail

Getting Started

Clone:

git clone --recurse-submodules https://github.com/vbpf/prevail.git
cd prevail

Building

🐧 Linux

Dependencies (Ubuntu)

sudo apt install build-essential git cmake libboost-dev libyaml-cpp-dev
sudo apt install libboost-filesystem-dev libboost-program-options-dev

Make

cmake -B build -DCMAKE_BUILD_TYPE=Release
cmake --build build

🪟 Windows

Dependencies

Install git
Install Visual Studio Build Tools 2022 and:
- Choose the "C++ build tools" workload (Visual Studio Build Tools 2022 has support for CMake Version 3.25)
- Under Individual Components, select:
  - "C++ Clang Compiler"
  - "MSBuild support for LLVM"
Install nuget.exe

Make on Windows (which uses a multi-configuration generator)

cmake -B build
cmake --build build --config Release

🍏 macOS

Dependencies:

brew install llvm cmake boost yaml-cpp

The system llvm currently comes with Clang 15, which isn't enough to compile prevail, as it depends on C++20. Brew's llvm comes with Clang 17.

Make:

export CPATH=$(brew --prefix)/include LIBRARY_PATH=$(brew --prefix)/lib CMAKE_PREFIX_PATH=$(brew --prefix)
cmake -B build -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_COMPILER=$(brew --prefix llvm)/bin/clang -DCMAKE_CXX_COMPILER=$(brew --prefix llvm)/bin/clang++
cmake --build build

🐋 Docker

Build and run

docker build -t prevail .
docker run -it prevail ebpf-samples/cilium/bpf_lxc.o 2/1
1,0.009812,4132
# To run the Linux verifier you'll need a privileged container:
docker run --privileged -it prevail ebpf-samples/linux/cpustat_kern.o --domain=linux

Example:

$ bin/check ebpf-samples/cilium/bpf_lxc.o 2/1
1,0.014153,6080

The output is three comma-separated values:

1 or 0, for "pass" and "fail" respectively
The runtime of the fixpoint algorithm (in seconds)
The peak memory consumption, in kb, as reflected by the resident-set size (rss)

Usage

PREVAIL is a new eBPF verifier based on abstract interpretation.
bin/check [OPTIONS] path [section] [function]
POSITIONALS:
  path TEXT:FILE REQUIRED     Elf file to analyze
  section SECTION             Section to analyze
  function FUNCTION           Function to analyze
OPTIONS:
  -h,     --help              Print this help message and exit
          --section SECTION   Section to analyze
          --function FUNCTION Function to analyze
  -l                          List programs
          --domain DOMAIN:{stats,linux,zoneCrab,cfg} [zoneCrab]
                              Abstract domain
Features:
          --termination, --no-verify-termination{false}
                              Verify termination. Default: ignore
          --allow-division-by-zero, --no-division-by-zero{false}
                              Handling potential division by zero. Default: allow
  -s,     --strict            Apply additional checks that would cause runtime failures
          --include_groups GROUPS:{atomic32,atomic64,base32,base64,callx,divmul32,divmul64,packet}
                              Include conformance groups
          --exclude_groups GROUPS:{atomic32,atomic64,base32,base64,callx,divmul32,divmul64,packet}
                              Exclude conformance groups
Verbosity:
          --simplify, --no-simplify{false}
                              Simplify the display of the CFG by merging chains of instructions
                              into a single basic block. Default: enabled
          --line-info         Print line information
          --print-btf-types   Print BTF types
  -v                          Print invariants and first failure
  -f                          Print first failure
CFG output:
          --asm FILE          Print disassembly to FILE
          --dot FILE          Export control-flow graph to dot FILE

A standard alternative to the --asm flag is llvm-objdump -S FILE.

The cfg can be viewed using dot and the standard PDF viewer:

sudo apt install graphviz
bin/check ebpf-samples/cilium/bpf_lxc.o 2/1 --dot cfg.dot --domain=stats
dot -Tpdf cfg.dot > cfg.pdf

Testing the Linux verifier

To run the Linux verifier, you must use sudo:

sudo bin/check ebpf-samples/linux/cpustat_kern.o tracepoint/power/cpu_idle --domain=linux

Name		Name	Last commit message	Last commit date
Latest commit History 2,158 Commits
.github		.github
cmake		cmake
ebpf-samples @ 65b12c6		ebpf-samples @ 65b12c6
examples/using_installed_package		examples/using_installed_package
external		external
scripts		scripts
src		src
test-data		test-data
.clang-format		.clang-format
.dockerignore		.dockerignore
.gitignore		.gitignore
.gitmodules		.gitmodules
.yamllint.yml		.yamllint.yml
AGENTS.md		AGENTS.md
CMakeLists.txt		CMakeLists.txt
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
Dockerfile		Dockerfile
Doxyfile		Doxyfile
LICENSE-Apache-2.0.txt		LICENSE-Apache-2.0.txt
LICENSE.txt		LICENSE.txt
README.md		README.md
test-schema.yaml		test-schema.yaml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

PREVAIL - A new eBPF verifier

a Polynomial-Runtime EBPF Verifier using an Abstract Interpretation Layer

Getting Started

Building

Dependencies (Ubuntu)

Make

Dependencies

Make on Windows (which uses a multi-configuration generator)

Dependencies:

Make:

Build and run

Example:

Testing the Linux verifier

About

Uh oh!

Releases

Packages

Uh oh!

Contributors 25

Uh oh!

Languages

License

vbpf/prevail

Folders and files

Latest commit

History

Repository files navigation

PREVAIL - A new eBPF verifier

a Polynomial-Runtime EBPF Verifier using an Abstract Interpretation Layer

Getting Started

Building

Dependencies (Ubuntu)

Make

Dependencies

Make on Windows (which uses a multi-configuration generator)

Dependencies:

Make:

Build and run

Example:

Testing the Linux verifier

About

Topics

Resources

License

Code of conduct

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors 25

Uh oh!

Languages

Packages