EKFuzz: Fuzzing the BPF subsystem

| Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | Puranam, Ananta Srikar | en |
| dc.contributor.committeechair | Ravindran, Binoy | en |
| dc.contributor.committeemember | Wang, Haining | en |
| dc.contributor.committeemember | Giles, Kendall Everett | en |
| dc.contributor.department | Electrical and Computer Engineering | en |
| dc.date.accessioned | 2025-10-13T13:36:15Z | en |
| dc.date.available | 2025-10-13T13:36:15Z | en |
| dc.date.issued | 2025-08-15 | en |
| dc.description.abstract | The extended Berkeley Packet Filter (eBPF) framework has revolutionized the way developers interact with the Linux kernel by enabling safe, dynamic programmability. However, this flexibility comes at a cost. The new kernel functions (kfuncs) exposed to eBPF programs are rapidly proliferating, often without adequate testing. While prior work has addressed verifier and helper function fuzzing, the kfuncs remain a largely unexplored attack surface. This thesis presents EKFuzz, a Syzkaller-based fuzzing extension that systematically targets kfuncs used by eBPF programs. EKFuzz incorporates type-aware generation of verifier-compliant programs, automatically generates dependent syscalls (e.g., for maps), and employs a mutation-driven feedback loop. Our evaluation demonstrates that EKFuzz achieves deeper runtime coverage than Syzkaller and uncovers latent bugs within the kfunc execution paths. | en |
| dc.description.abstractgeneral | Modern operating systems must balance safety and performance. Linux introduced eBPF to safely run custom programs inside the kernel, making tools for networking, monitoring, and security more efficient. To help eBPF programs interact with the kernel, developers expose internal kernel functions (called kfuncs). However, these functions are growing rapidly in number and are often not thoroughly tested. This thesis presents a testing tool, EKFuzz, which can automatically try many different inputs and combinations to catch potential problems in these functions. EKFuzz builds on an existing testing tool called Syzkaller and improves it to better handle this new type of kernel interaction. The result is a safer, more robust Linux system. | en |
| dc.description.degree | Master of Science | en |
| dc.description.sponsorship | This thesis work is supported by the Defense Advanced Research Projects Agency (DARPA) and Naval Information Warfare Center Pacific (NIWC Pacific) under Contract No. N66001-21-C-4028 and the US National Science Foundation (NSF) under grant CNS-2234257. | en |
| dc.format.medium | ETD | en |
| dc.format.mimetype | application/pdf | en |
| dc.identifier.uri | https://hdl.handle.net/10919/138146 | en |
| dc.language.iso | en | en |
| dc.publisher | Virginia Tech | en |
| dc.rights | CC0 1.0 Universal | en |
| dc.rights.uri | http://creativecommons.org/publicdomain/zero/1.0/ | en |
| dc.subject | Linux | en |
| dc.subject | Fuzzing | en |
| dc.subject | eBPF | en |
| dc.subject | syzkaller | en |
| dc.subject | EKFuzz | en |
| dc.title | EKFuzz: Fuzzing the BPF subsystem | en |
| dc.type | Thesis | en |
| dc.type.dcmitype | Text | en |
| thesis.degree.discipline | Computer Engineering | en |
| thesis.degree.grantor | Virginia Polytechnic Institute and State University | en |
| thesis.degree.level | masters | en |
| thesis.degree.name | Master of Science | en |