Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel


Luke Nelson, Jacob Van Geffen, Emina Torlak, and Xi Wang, University of Washington


This paper describes our experience applying formal methods to a critical component in the Linux kernel, the just-in-time compilers ("JITs") for the Berkeley Packet Filter (BPF) virtual machine. We verify these JITs using Jitterbug, the first framework to provide a precise specification of JIT correctness that is capable of ruling out real-world bugs, and an automated proof strategy that scales to practical implementations. Using Jitterbug, we have designed, implemented, and verified a new BPF JIT for 32-bit RISC-V, found and fixed 16 previously unknown bugs in five other deployed JITs, and developed new JIT optimizations; all of these changes have been upstreamed to the Linux kernel. The results show that it is possible to build a verified component within a large, unverified system with careful design of specification and proof strategy.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {258848,
author = {Luke Nelson and Jacob Van Geffen and Emina Torlak and Xi Wang},
title = {Specification and verification in the field: Applying formal methods to {BPF} just-in-time compilers in the Linux kernel},
booktitle = {14th {USENIX} Symposium on Operating Systems Design and Implementation ({OSDI} 20)},
year = {2020},
isbn = {978-1-939133-19-9},
pages = {41--61},
url = {https://www.usenix.org/conference/osdi20/presentation/nelson},
publisher = {{USENIX} Association},
month = nov,
Artifact Evaluated

Presentation Video