The extended Berkeley Packet Filter (eBPF) is a lightweight and fast 64-bit RISC-like virtual
machine (VM) inside the Linux kernel. eBPF has emerged as the most promising and de …

Formal verification is a promising approach to eliminate bugs at compile time, before they
ship. Indeed, our community has verified a wide variety of system software. However, much …

The extended Berkeley Packet Filter (eBPF) provides powerful and flexible kernel interfaces
to extend the kernel functions for user space programs via running bytecode directly in the …

The Berkeley Packet Filter (BPF) has emerged as the de-facto standard for carrying out safe
and performant, user-specified computation (s) in kernel space. However, BPF also …

This paper introduces the novel concept of compilation space, which facilitates the thorough
validation of just-in-time (JIT) compilers in modern language virtual machines (LVMs). The …

System call filtering is a widely used security mechanism for protecting a shared OS kernel
against untrusted user applications. However, existing system call filtering techniques either …

The emergence of verified eBPF bytecode is ushering in a new era of safe kernel
extensions. In this paper, we argue that eBPF's verifier---the source of its safety guarantees …

This paper introduces state embedding, a novel and highly effective technique for validating
the correctness of the eBPF verifier, a critical component for Linux kernel security. To check …

Managing the performance of thousands of services across millions of servers demands a
networking stack that can dynamically adjust protocol settings to match diverse priorities and …

Bluetooth Low Energy (BLE) is a short-range wireless communication technology for
resource-constrained IoT devices. Unfortunately, BLE is vulnerable to session-based …