{"id":27429958,"url":"https://github.com/caballa/crab-ebpf","last_synced_at":"2026-04-26T08:39:21.838Z","repository":{"id":190692164,"uuid":"199900576","full_name":"caballa/crab-ebpf","owner":"caballa","description":"A eBPF verifier based on Crab","archived":false,"fork":false,"pushed_at":"2023-08-25T19:30:00.000Z","size":2483,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-06T23:35:45.130Z","etag":null,"topics":["abstract-interpretation","ebpf","static-analysis","verification"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/caballa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-07-31T17:27:13.000Z","updated_at":"2025-01-13T18:25:15.000Z","dependencies_parsed_at":null,"dependency_job_id":"ffb1fd67-f1a4-47f9-bedf-f2f9f24c3833","html_url":"https://github.com/caballa/crab-ebpf","commit_stats":null,"previous_names":["caballa/crab-ebpf"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/caballa/crab-ebpf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/caballa%2Fcrab-ebpf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/caballa%2Fcrab-ebpf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/caballa%2Fcrab-ebpf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/caballa%2Fcrab-ebpf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/caballa","download_url":"https://codeload.github.com/caballa/crab-
ebpf/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/caballa%2Fcrab-ebpf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32291337,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T08:29:33.829Z","status":"ssl_error","status_checked_at":"2026-04-26T08:29:18.366Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abstract-interpretation","ebpf","static-analysis","verification"],"created_at":"2025-04-14T14:29:55.618Z","updated_at":"2026-04-26T08:39:21.820Z","avatar_url":"https://github.com/caballa.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# crab-ebpf\n\nAn eBPF verifier using the [Crab](https://github.com/seahorn/crab) library.\n\n\n-------------------------------------------------------------------------------\n\n**Important**: Except for the code related to the Crab library, the rest\nof the code is from [Prevail](https://github.com/vbpf/ebpf-verifier) as it\nwas in June 2019. The only purpose of this repo is to allow running\nCrab domains on the set of benchmarks used for the 2019 PLDI\nsubmission. **This repo is not maintained**, so please do not expect any fix if\nan eBPF program cannot be supported. 
However, if you think that\nthere is a problem with Crab-related code then please open an issue\nin [Crab](https://github.com/seahorn/crab).\n\n-------------------------------------------------------------------------------\n\n## Getting Started\n\n### Dependencies from vanilla Ubuntu\n```bash\nsudo apt install build-essential git cmake libboost-dev libgmp-dev libmpfr-dev g++-8\nsudo apt install python3-pip python3-tk\npip3 install matplotlib   # for plotting the graphs\n```\n\n### Installation\nClone, make and run:\n```\ngit clone --recurse-submodules https://github.com/vbpf/ebpf-verifier.git\ncd ebpf-verifier\nmake crab_install\nmake\n```\n\n### Running with Docker\nBuild and run:\n```bash\ndocker build -t verifier .\ndocker run -it verifier ebpf-samples/cilium/bpf_lxc.o 2/1 --domain=zoneCrab\n1,0.062802,21792\n# To run the Linux verifier you'll need a privileged container:\ndocker run --privileged -it verifier ebpf-samples/linux/cpustat_kern.o --domain=linux\n```\n\n### \n\nExample:\n```\nebpf-verifier$ ./check ebpf-samples/cilium/bpf_lxc.o 2/1 --domain=zoneCrab\n1,0.062802,21792\n```\nThe output is three comma-separated values:\n* 1 or 0, for \"pass\" and \"fail\" respectively\n* The runtime of the fixpoint algorithm (in seconds)\n* The peak memory consumption, in kb, as reflected by the resident-set size (rss)\n\nUsage:\n```\nebpf-verifier$ ./check -h\nA new eBPF verifier\nUsage: ./check [OPTIONS] path [section]\n\nPositionals:\n  path FILE REQUIRED          Elf file to analyze\n  section SECTION             Section to analyze\n\nOptions:\n  -h,--help                   Print this help message and exit\n  -l                          List sections\n  -d,--dom,--domain DOMAIN    Abstract domain\n  -i                          Print invariants\n  -f                          Print verifier's failure logs\n  -v                          Print both invariants and failures\n  --asm FILE                  Print disassembly to FILE\n  --dot FILE                  Export cfg 
to dot FILE\n```\n\nA standard alternative to the --asm flag is `llvm-objdump -S FILE`.\n\nThe cfg can be viewed using `dot` and the standard PDF viewer:\n```\n./check ebpf-samples/cilium/bpf_lxc.o 2/1 --domain=zoneCrab --dot cfg.dot\ndot -Tpdf cfg.dot \u003e cfg.pdf\n```\n\n## Step-by-Step Instructions\n\nTo get the results described in Figures 9 and 10, run the following:\n```\nscripts/runperf.sh ebpf-samples stats interval zoneCrab zoneElina octElina polyElina | tee results.csv\n```\nThe first argument to the script, `ebpf-samples`, is the root directory in which\nto search for elf files. You can pass any subdirectory or file, e.g.\n`ebpf-samples/linux`.\n\nThe rest of the positional arguments are the numerical domains to use.\n\nThe output is a large `csv` file. The first line is a header:\n```\nsuite,project,file,section,hash,instructions,loads,stores,jumps,joins,interval?,interval_sec,interval_kb,zoneCrab?,zoneCrab_sec,zoneCrab_kb,zoneElina?,zoneElina_sec,zoneElina_kb,octElina?,octElina_sec,octElina_kb,polyElina?,polyElina_sec,polyElina_kb\nebpf-samples,cilium,bpf_lxc.o,2/1,69a5e4fc57ca1c94,41,6,10,1,1,1,0.047696,8484,1,0.057409,21796,1,0.0948671,19192,1,0.100129,24196,1,0.12144,18732\n```\n* _suite_ in our case will be \"ebpf-samples\"\n* _project_ is one of the directories in the suite. We currently have `bpf_cilium_test`, `cilium`, `linux`, `ovs`, `prototype-kernel` and `suricata`\n* _file_ is the elf file containing the programs. The compiled version of a C file\n* _section_ is the elf section containing the program checked\n* _hash_ is a unique hash of the eBPF code. There are duplicate programs in the benchmark (since we use files from projects \"as-is\"). 
To count the real number of programs these duplicates should be removed\n* _instructions_, _loads_, _stores_, _jumps_ and _joins_ show the number of these features\n* For each domain DOM, there are 3 consecutive columns:\n    * \"DOM?\" is 0 for rejected program, 1 for accepted program\n    * \"DOM_sec\" is the number of seconds that the fixpoint operation took\n    * \"DOM_kb\" is the peak memory resident set size consumed by the analysis, and is an estimate for the amount of additional memory needed by the analysis  \n\nNote that in the full benchmark, exactly 2 programs should be rejected by `zoneCrab`, our domain of choice. Other domains reject a different number of programs.\n\nAny subset of the available domains is valid. So in order to compare the two different\nimplementations of the `zone` domain, one can run\n```\nscripts/runperf.sh ebpf-samples/linux stats zoneCrab zoneElina | tee results.csv\npython3 scripts/makeplot.py results.csv stores\n```\nThe script `scripts/makeplot.py` takes a csv file in the format described above, and the key to plot against (usually instructions or stores) and plots two graphs: one showing runtime as a function of the number of stores, and the other showing memory consumption as a function of the number of stores.\n\nWhile the paper states that the runtime is quadratic, the results are\nexpected to be nearly linear for all the domains - except probably the domain\n`octElina` which does not show consistent runtime characteristics.\n\nNote that the number of programs is slightly different from the numbers presented in Section 7.1 (benchmarks). The precise numbers depend on how one counts duplicate programs (as can be found using the hash column in the resulting csv file), the addition of a new repository (prototype-kernel) and removal of a variation on an existing repository (ovs-noprint). 
Also, we did not count programs smaller than a certain size.\n\n### Caveat\nWhen performed on a VM without sufficient memory, some analyses of some domains\nare terminated by the OS due to insufficient memory, resulting in \"-1\" runtime\nand skewing the graph. To avoid this, the failing cases should be omitted.\n\n4GB RAM should be enough for `zoneCrab`, our domain of choice, but other domains\nmay require much more than that. To reproduce the results as will be published\nin the final version, it is recommended to use a bare-metal Linux machine. \n\n## Testing the Linux verifier\n\nTo run the Linux verifier, you must use `sudo`:\n```\nsudo ./check ebpf-samples/linux/cpustat_kern.o --domain=linux\n```\n\n## Counter and Artificial examples\n\nThe folder `counter/` contains other examples used to demonstrate the usefulness of our tools, compared to the existing verifier. To compile the examples, run \n```\nmake -C counter\nscripts/runperf.sh counter/objects stats zoneCrab\n```\n\nTwo examples of real-world false positives are taken from the Linux samples suite.\nThe file `xdp_tx_iptunnel_kern.o` is valid and passes both the Linux tool and ours.\nHowever, in the original source code there are redundant loads from memory to a variable holding the same value. These were added due to untracked register spilling that led to a false positive. Two fixes are compiled into `xdp_tx_iptunnel_1_kern.o` and `xdp_tx_iptunnel_2_kern.o`. Both pass our verifier (without any special effort) but fail the existing one:\n```\n$ ./check counter/objects/xdp_tx_iptunnel_2_kern.o\n1,0.314213,86740\n$ sudo ./check counter/objects/xdp_tx_iptunnel_2_kern.o --domain=linux -v\n\u003c... 
long trace reporting an alleged failure\u003e\n```\n\n### Double-strncmp experiment\nThis experiment demonstrates quadratic blowup in the Linux verifier, versus linear runtime in our tool.\nBe sure to run with `sudo`, since Linux requires special permissions for this.\n```\nsudo scripts/experiment.sh | tee blowup.csv\npython3 scripts/makeplot.py blowup.csv iterations False\n```\n\n### Programs with loops\nThere are several simple programs with loops in the folder `counter/src`, called `simple_loop_*.c` and `manual_memset*.c`. The Linux verifier rejects them immediately:\n```\n$ sudo ./check counter/objects/simple_loop_ptr_backwards.o --domain=linux -v\ncounter/objects/simple_loop_ptr_backwards.o\n\tsk_skb/loop-ptr,bpf_load_program(prog_cnt=0) err=22\nback-edge from insn 7 to 5\n```\n\nUsing our tool, the safety (but not termination) of some loop-based programs can be verified:\n```\n$ ./check counter/objects/simple_loop_ptr_backwards.o\n1,0.018346,7900\n```\n(not all the programs in the folder are verified)\n\n### Important components:\n\nThe analyzer code is divided into two main parts: a front end, parsing eBPF binaries into a CFG, and a backend, translating the eBPF CFG into a crab-specific CFG of constraints.\n\nThe front end (files named `asm_*`) is potentially reusable by any other analyzer or tool for eBPF. The most important file is `src/asm_syntax.hpp`, which describes the syntax of the language in a relatively self-explanatory way (structs and variant types).\n\nThe backend is mostly confined to `src/crab_verifier.cpp` and `src/crab_constraints.cpp`. The latter does the translation of eBPF instructions to the language handled by crab.\n\n### Apron\n\nThe experiments in the paper do not include the APRON library. The tool supports\ntwo domains: `octApron` and `polyApron`. However, they are mutually exclusive\nwith elina. 
In order to run the tool with these domains, Crab should be\nreinstalled, and the variable `MOD` should be set:\n\n```\nmake crab_clean clean\nmake MOD=APRON crab_install\nmake\n\n$ ./check ebpf-samples/cilium/bpf_lxc.o 2/1 --domain=polyApron\n1,1.37877,0\n$ ./check ebpf-samples/cilium/bpf_lxc.o 2/1 --domain=octApron\n1,0.200318,0\n$ ./check ebpf-samples/cilium/bpf_lxc.o 2/1 --domain=octElina\nCould not convert: --dom = octElina\nRun with --help for more information.\n```\nTo recompile with Elina support, reinstall crab without `MOD` (or with `MOD=ELINA`):\n```\nmake crab_clean clean\nmake crab_install\nmake\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcaballa%2Fcrab-ebpf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcaballa%2Fcrab-ebpf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcaballa%2Fcrab-ebpf/lists"}