EKFuzz: Fuzzing the BPF subsystem
Abstract
The extended Berkeley Packet Filter (eBPF) framework has revolutionized the way developers interact with the Linux kernel by enabling safe, dynamic programmability. However, this flexibility comes at a cost. The new kernel functions (kfuncs) exposed to eBPF programs are rapidly proliferating, often without adequate testing. While prior work has addressed verifier and helper function fuzzing, the kfuncs remain a largely unexplored attack surface. This thesis presents EKFuzz, a Syzkaller-based fuzzing extension that systematically targets kfuncs used by eBPF programs. EKFuzz incorporates type-aware generation of verifier-compliant programs, automatically generates dependent syscalls (e.g., for maps), and employs a mutation-driven feedback loop. Our evaluation demonstrates that EKFuzz achieves deeper runtime coverage than Syzkaller and uncovers latent bugs within the kfunc execution paths.