Share
## https://sploitus.com/exploit?id=D2164002-C940-55C0-9AC7-FB677E0DF7A2
# eBPF CVE Analysis

![polito-logo](resources/images/logo_polito.jpg)

This repository contains all the materials and documentation for the research project on **eBPF CVE Analysis**, conducted as part of the **Security Verification and Testing** (2025/2026) course at *Politecnico di Torino*.


## Table of Contents

- [Overview](#overview)
- [Phase 1 โ€” Automated CVE Discovery & Classification](#phase-1--automated-cve-discovery--classification)
- [Phase 2 โ€” Deep Analysis & Proof-of-Concept Exploits](#phase-2--deep-analysis--proof-of-concept-exploits)
- [Reports & Documentation](#reports--documentation)
- [Prerequisites](#prerequisites)
- [Quick Start](#quick-start)
- [Authors](#authors)


## Overview

Extended Berkeley Packet Filter (eBPF) is a foundational technology in modern Linux systems, powering high-performance in-kernel execution for networking, observability, and security. Tools like **Cilium**, **Falco**, **Calico**, **Katran**, and **bpftrace** rely on eBPF to deliver critical functionality in production and cloud-native environments.

This project investigates the security posture of the eBPF ecosystem through two phases:

1. **Automated CVE Discovery & Classification** โ€” A Python pipeline that processes 253,000+ CVE records from [cvelistV5](https://github.com/CVEProject/cvelistV5), identifies eBPF-related vulnerabilities, and classifies them along multiple dimensions.
2. **Deep Analysis & Proof-of-Concept Exploits** โ€” In-depth security analysis and exploitation of 8 selected CVEs, spanning 6 vulnerability classes across the eBPF kernel subsystem and eBPF-based tools.


## Phase 1 โ€” Automated CVE Discovery & Classification

An automated pipeline for discovering, filtering, and classifying CVEs related to eBPF-based tools and the eBPF kernel subsystem.

### Pipeline Features

- **CVE Filtering**: Matches CVEs against a configurable list of 24 eBPF tools using word-boundary matching
- **False Positive Filtering**: Context-aware rules to eliminate ambiguous matches (e.g., "bcc" email vs BCC tool)
- **Multi-Dimensional Classification**:
  - *Inclusion Category*: `Included` (kernel eBPF) / `External` (tool-specific) / `Excluded` (false positive)
  - *Vulnerability Type*: `eBPF_Vuln` / `eBPF_Limitation` / `Dev_Error`
  - *Technical Category*: verifier, JIT, maps, helpers, core, net subsystem, BTF, probes, etc.
  - *Program Type*: XDP, TC, kprobe, etc.
  - *Helper Function Detection*: Extracts referenced eBPF helper functions
- **Exploit Detection**: Flags CVEs with known exploits
- **Configurable Auto-fill**: Control which columns are auto-filled via `FILL_*` flags in [`src/config.py`](src/config.py)
- **Dual Output**: Generates both raw candidates and classified output

> [!WARNING]
> The auto-classification may produce inaccurate or inconsistent results. The [`ebpf_cves_classified.xlsx`](data/processed/ebpf_cves_classified.xlsx) committed here has been **manually reviewed and adjusted**. Columns requiring careful manual review include: `inclusionCategory`, `_vulnerabilityType`, `category` / `_detectedCategories`, and `selectionMotivation`.

> [!NOTE]
> Auto-classification behavior can be configured via `FILL_*` flags in [`src/config.py`](src/config.py). Set a flag to `False` to disable auto-fill for that column and leave it empty for manual review.

### Adapting the Pipeline to a Different Domain

The pipeline is **domain-agnostic by design**. For most applications similar to this one, adapting it to a different domain requires editing only [`src/config.py`](src/config.py) โ€” all domain-specific knowledge (keyword lists, tool heuristics, classification labels, file paths) is centralized there. The core logic modules (`filter.py`, `classifier.py`, `utils.py`, `run_analysis.py`) should require no changes. Even for substantially different use cases, the number of modifications needed should remain limited.

### Output Data

| File | Description |
|---|---|
| [`data/processed/cve_candidates.xlsx`](data/processed/cve_candidates.xlsx) | Raw CVE candidates before classification |
| [`data/processed/ebpf_cves_classified.xlsx`](data/processed/ebpf_cves_classified.xlsx) | Classified CVEs (auto-filled + manually reviewed) |
| [`cve_analysis_final/ebpf_cves_classified_final.xlsx`](cve_analysis_final/ebpf_cves_classified_final.xlsx) | Final curated dataset with the 8 selected CVEs |


## Phase 2 โ€” Deep Analysis & Proof-of-Concept Exploits

From the 74 classified candidates, **8 CVEs** were selected for in-depth security analysis based on diversity of vulnerability types, affected subsystems, practical relevance, and availability of technical detail.

### Selected CVEs

| CVE ID | Category | Tool | Vulnerability Class | Analyst |
|---|---|---|---|---|
| [CVE-2025-40183](cve_analysis_final/cves_innocenti/CVE-2025-40183/) | Included | Cilium | Resource Exhaustion (memory leak) | Innocenti |
| [CVE-2023-54173](cve_analysis_final/cves_innocenti/CVE-2023-54173/) | Included | Cilium | Concurrency / Preemption Bug | Innocenti |
| [CVE-2024-58099](cve_analysis_final/cves_innocenti/CVE-2024-58099/) | Included | Cilium | Driver Integration (DMA corruption) | Innocenti |
| [CVE-2022-49697](cve_analysis_final/cves_innocenti/CVE-2022-49697/) | Included | Calico | Reference Counting Leak | Innocenti |
| [CVE-2025-37959](cve_analysis_final/cves_soldera/CVE-2025-37959/) | Included | Cilium | Namespace Isolation Failure | Soldera |
| [CVE-2021-47128](cve_analysis_final/cves_soldera/CVE-2021-47128/) | Included | bpftrace | SELinux / Audit Interaction Bug | Soldera |
| [CVE-2021-33505](cve_analysis_final/cves_soldera/CVE-2021-33505/) | External | Falco | TOCTOU Race Condition | Soldera |
| [CVE-2023-49062](cve_analysis_final/cves_soldera/CVE-2023-49062/) | External | Katran | Information Disclosure (uninitialized memory) | Soldera |

### Two Vulnerability Categories

The 8 CVEs span two distinct categories:

1. **Kernel-side eBPF bugs triggered by tools** (6 CVEs) โ€” Vulnerabilities reside in the Linux kernel's eBPF infrastructure (helper functions, driver integration, networking subsystems). The tools (Cilium, Calico, bpftrace) *triggered and discovered* these bugs by exercising specific kernel code paths under production conditions.
2. **Bugs in tool-authored eBPF code** (2 CVEs) โ€” Vulnerabilities in the eBPF programs written by the tools themselves (Falco, Katran). The fix was applied to the tool's code, not the Linux kernel.


## Reports & Documentation

### Technical Reports (PDF)

| Report | Description | Link |
|---|---|---|
| **eBPF Tools Vulnerability** | Common report: automated pipeline, methodology, classification results, CVE selection rationale | [`docs/report/eBPF_tools_vulnerability.pdf`](docs/report/eBPF_tools_vulnerability.pdf) |
| **CVE Analysis โ€” Innocenti** | Deep analysis of 4 CVEs (CVE-2022-49697, CVE-2023-54173, CVE-2024-58099, CVE-2025-40183) with PoC exploits | [`docs/report/CVE_Analysis_Innocenti.pdf`](docs/report/CVE_Analysis_Innocenti.pdf) |
| **CVE Analysis โ€” Soldera** | Deep analysis of 4 CVEs (CVE-2025-37959, CVE-2021-47128, CVE-2021-33505, CVE-2023-49062) with PoC exploits | [`docs/report/CVE_Analysis_Soldera.pdf`](docs/report/CVE_Analysis_Soldera.pdf) |

### READMEs

- [`cve_analysis_final/README.md`](cve_analysis_final/README.md): Overview of the 8 selected CVEs with detailed descriptions
- [`cve_analysis_final/cves_innocenti/README.md`](cve_analysis_final/cves_innocenti/README.md): Innocenti's CVEs
- [`cve_analysis_final/cves_soldera/README.md`](cve_analysis_final/cves_soldera/README.md): Soldera's CVEs


## Prerequisites

- Python 3.10+
- CVE data from [cvelistV5 releases](https://github.com/CVEProject/cvelistV5/releases) (included as git submodule)
- Excel file with eBPF tool names

For CVE reproduction, see the individual CVE READMEs and setup guides linked above.


## Quick Start

### Running the CVE Analysis Pipeline

```bash
# Clone the repository
git clone --recurse-submodules https://gitlab1.polito.it/netgroup/thesis/projects/svt-2025-26/ebpf-cve-analysis/
cd ebpf-cve-analysis

# Create and activate virtual environment
python -m venv venv
source venv/bin/activate  # Mac/Linux

# Install dependencies
pip install -r requirements.txt

# Run the analysis
python scripts/run_analysis.py
```

### Git Submodules

This repository includes Git submodules (cvelistV5 raw data). If you cloned **without** `--recurse-submodules`:

```bash
git submodule update --init --recursive
```

To update submodules to the latest expected commits:

```bash
git submodule update --recursive
```


## Authors

| Name | GitHub | LinkedIn | Email |
| ---- | ------ | -------- | ----- |
| Elia Innocenti | [![GitHub](https://img.shields.io/badge/GitHub-Profile-informational?logo=github)](https://github.com/eliainnocenti) | [![LinkedIn](https://img.shields.io/badge/LinkedIn-Profile-blue?logo=linkedin)](https://www.linkedin.com/in/eliainnocenti/) | [![Email](https://img.shields.io/badge/Email-Send-blue?logo=gmail)](mailto:elia.innocenti@studenti.polito.it) |
| Marco Soldera | [![GitHub](https://img.shields.io/badge/GitHub-Profile-informational?logo=github)](https://github.com/Soldera21) | [![LinkedIn](https://img.shields.io/badge/LinkedIn-Profile-blue?logo=linkedin)](https://www.linkedin.com/in/marcosoldera/) | [![Email](https://img.shields.io/badge/Email-Send-blue?logo=gmail)](mailto:marco.soldera@studenti.polito.it) |

---

*This work was developed as part of the Security Verification and Testing 2025/2026 course at Politecnico di Torino.*