The EBPF subsystem of linux aims to to make the kernel more extensible by allowing userland to submit custom 'EBPF' program that can be hooked to various kernel events. The security verifier of EBPF aims to prevent any dangerous programs from being accepted and ran - however this verifier is subject to a variety of bugs, allowing unsafe programs to be introduced into a kernel context.

Traditional fuzzers in the area, particularly syzkaller, do not interface particularly well with the EBPF subsystem, due to EBPF being very highly structured. As such, this talk covers my own custom fuzzer targeted towards EBPF, talking about the design choices used to accurately model the system, and the various issues encountered alongside development.