## https://sploitus.com/exploit?id=D2164002-C940-55C0-9AC7-FB677E0DF7A2
# eBPF CVE Analysis

This repository contains all the materials and documentation for the research project on **eBPF CVE Analysis**, conducted as part of the **Security Verification and Testing** (2025/2026) course at *Politecnico di Torino*.
## Table of Contents
- [Overview](#overview)
- [Phase 1 โ Automated CVE Discovery & Classification](#phase-1--automated-cve-discovery--classification)
- [Phase 2 โ Deep Analysis & Proof-of-Concept Exploits](#phase-2--deep-analysis--proof-of-concept-exploits)
- [Reports & Documentation](#reports--documentation)
- [Prerequisites](#prerequisites)
- [Quick Start](#quick-start)
- [Authors](#authors)
## Overview
Extended Berkeley Packet Filter (eBPF) is a foundational technology in modern Linux systems, powering high-performance in-kernel execution for networking, observability, and security. Tools like **Cilium**, **Falco**, **Calico**, **Katran**, and **bpftrace** rely on eBPF to deliver critical functionality in production and cloud-native environments.
This project investigates the security posture of the eBPF ecosystem through two phases:
1. **Automated CVE Discovery & Classification** โ A Python pipeline that processes 253,000+ CVE records from [cvelistV5](https://github.com/CVEProject/cvelistV5), identifies eBPF-related vulnerabilities, and classifies them along multiple dimensions.
2. **Deep Analysis & Proof-of-Concept Exploits** โ In-depth security analysis and exploitation of 8 selected CVEs, spanning 6 vulnerability classes across the eBPF kernel subsystem and eBPF-based tools.
## Phase 1 โ Automated CVE Discovery & Classification
An automated pipeline for discovering, filtering, and classifying CVEs related to eBPF-based tools and the eBPF kernel subsystem.
### Pipeline Features
- **CVE Filtering**: Matches CVEs against a configurable list of 24 eBPF tools using word-boundary matching
- **False Positive Filtering**: Context-aware rules to eliminate ambiguous matches (e.g., "bcc" email vs BCC tool)
- **Multi-Dimensional Classification**:
- *Inclusion Category*: `Included` (kernel eBPF) / `External` (tool-specific) / `Excluded` (false positive)
- *Vulnerability Type*: `eBPF_Vuln` / `eBPF_Limitation` / `Dev_Error`
- *Technical Category*: verifier, JIT, maps, helpers, core, net subsystem, BTF, probes, etc.
- *Program Type*: XDP, TC, kprobe, etc.
- *Helper Function Detection*: Extracts referenced eBPF helper functions
- **Exploit Detection**: Flags CVEs with known exploits
- **Configurable Auto-fill**: Control which columns are auto-filled via `FILL_*` flags in [`src/config.py`](src/config.py)
- **Dual Output**: Generates both raw candidates and classified output
> [!WARNING]
> The auto-classification may produce inaccurate or inconsistent results. The [`ebpf_cves_classified.xlsx`](data/processed/ebpf_cves_classified.xlsx) committed here has been **manually reviewed and adjusted**. Columns requiring careful manual review include: `inclusionCategory`, `_vulnerabilityType`, `category` / `_detectedCategories`, and `selectionMotivation`.
> [!NOTE]
> Auto-classification behavior can be configured via `FILL_*` flags in [`src/config.py`](src/config.py). Set a flag to `False` to disable auto-fill for that column and leave it empty for manual review.
### Adapting the Pipeline to a Different Domain
The pipeline is **domain-agnostic by design**. For most applications similar to this one, adapting it to a different domain requires editing only [`src/config.py`](src/config.py) โ all domain-specific knowledge (keyword lists, tool heuristics, classification labels, file paths) is centralized there. The core logic modules (`filter.py`, `classifier.py`, `utils.py`, `run_analysis.py`) should require no changes. Even for substantially different use cases, the number of modifications needed should remain limited.
### Output Data
| File | Description |
|---|---|
| [`data/processed/cve_candidates.xlsx`](data/processed/cve_candidates.xlsx) | Raw CVE candidates before classification |
| [`data/processed/ebpf_cves_classified.xlsx`](data/processed/ebpf_cves_classified.xlsx) | Classified CVEs (auto-filled + manually reviewed) |
| [`cve_analysis_final/ebpf_cves_classified_final.xlsx`](cve_analysis_final/ebpf_cves_classified_final.xlsx) | Final curated dataset with the 8 selected CVEs |
## Phase 2 โ Deep Analysis & Proof-of-Concept Exploits
From the 74 classified candidates, **8 CVEs** were selected for in-depth security analysis based on diversity of vulnerability types, affected subsystems, practical relevance, and availability of technical detail.
### Selected CVEs
| CVE ID | Category | Tool | Vulnerability Class | Analyst |
|---|---|---|---|---|
| [CVE-2025-40183](cve_analysis_final/cves_innocenti/CVE-2025-40183/) | Included | Cilium | Resource Exhaustion (memory leak) | Innocenti |
| [CVE-2023-54173](cve_analysis_final/cves_innocenti/CVE-2023-54173/) | Included | Cilium | Concurrency / Preemption Bug | Innocenti |
| [CVE-2024-58099](cve_analysis_final/cves_innocenti/CVE-2024-58099/) | Included | Cilium | Driver Integration (DMA corruption) | Innocenti |
| [CVE-2022-49697](cve_analysis_final/cves_innocenti/CVE-2022-49697/) | Included | Calico | Reference Counting Leak | Innocenti |
| [CVE-2025-37959](cve_analysis_final/cves_soldera/CVE-2025-37959/) | Included | Cilium | Namespace Isolation Failure | Soldera |
| [CVE-2021-47128](cve_analysis_final/cves_soldera/CVE-2021-47128/) | Included | bpftrace | SELinux / Audit Interaction Bug | Soldera |
| [CVE-2021-33505](cve_analysis_final/cves_soldera/CVE-2021-33505/) | External | Falco | TOCTOU Race Condition | Soldera |
| [CVE-2023-49062](cve_analysis_final/cves_soldera/CVE-2023-49062/) | External | Katran | Information Disclosure (uninitialized memory) | Soldera |
### Two Vulnerability Categories
The 8 CVEs span two distinct categories:
1. **Kernel-side eBPF bugs triggered by tools** (6 CVEs) โ Vulnerabilities reside in the Linux kernel's eBPF infrastructure (helper functions, driver integration, networking subsystems). The tools (Cilium, Calico, bpftrace) *triggered and discovered* these bugs by exercising specific kernel code paths under production conditions.
2. **Bugs in tool-authored eBPF code** (2 CVEs) โ Vulnerabilities in the eBPF programs written by the tools themselves (Falco, Katran). The fix was applied to the tool's code, not the Linux kernel.
## Reports & Documentation
### Technical Reports (PDF)
| Report | Description | Link |
|---|---|---|
| **eBPF Tools Vulnerability** | Common report: automated pipeline, methodology, classification results, CVE selection rationale | [`docs/report/eBPF_tools_vulnerability.pdf`](docs/report/eBPF_tools_vulnerability.pdf) |
| **CVE Analysis โ Innocenti** | Deep analysis of 4 CVEs (CVE-2022-49697, CVE-2023-54173, CVE-2024-58099, CVE-2025-40183) with PoC exploits | [`docs/report/CVE_Analysis_Innocenti.pdf`](docs/report/CVE_Analysis_Innocenti.pdf) |
| **CVE Analysis โ Soldera** | Deep analysis of 4 CVEs (CVE-2025-37959, CVE-2021-47128, CVE-2021-33505, CVE-2023-49062) with PoC exploits | [`docs/report/CVE_Analysis_Soldera.pdf`](docs/report/CVE_Analysis_Soldera.pdf) |
### READMEs
- [`cve_analysis_final/README.md`](cve_analysis_final/README.md): Overview of the 8 selected CVEs with detailed descriptions
- [`cve_analysis_final/cves_innocenti/README.md`](cve_analysis_final/cves_innocenti/README.md): Innocenti's CVEs
- [`cve_analysis_final/cves_soldera/README.md`](cve_analysis_final/cves_soldera/README.md): Soldera's CVEs
## Prerequisites
- Python 3.10+
- CVE data from [cvelistV5 releases](https://github.com/CVEProject/cvelistV5/releases) (included as git submodule)
- Excel file with eBPF tool names
For CVE reproduction, see the individual CVE READMEs and setup guides linked above.
## Quick Start
### Running the CVE Analysis Pipeline
```bash
# Clone the repository
git clone --recurse-submodules https://gitlab1.polito.it/netgroup/thesis/projects/svt-2025-26/ebpf-cve-analysis/
cd ebpf-cve-analysis
# Create and activate virtual environment
python -m venv venv
source venv/bin/activate # Mac/Linux
# Install dependencies
pip install -r requirements.txt
# Run the analysis
python scripts/run_analysis.py
```
### Git Submodules
This repository includes Git submodules (cvelistV5 raw data). If you cloned **without** `--recurse-submodules`:
```bash
git submodule update --init --recursive
```
To update submodules to the latest expected commits:
```bash
git submodule update --recursive
```
## Authors
| Name | GitHub | LinkedIn | Email |
| ---- | ------ | -------- | ----- |
| Elia Innocenti | [](https://github.com/eliainnocenti) | [](https://www.linkedin.com/in/eliainnocenti/) | [](mailto:elia.innocenti@studenti.polito.it) |
| Marco Soldera | [](https://github.com/Soldera21) | [](https://www.linkedin.com/in/marcosoldera/) | [](mailto:marco.soldera@studenti.polito.it) |
---
*This work was developed as part of the Security Verification and Testing 2025/2026 course at Politecnico di Torino.*