4 Demo time 5 Tracing Go function with uprobes 6 Demo time 7 Conclusions ● eBPF programs can be attached to different events: ○ Kprobes ○ uprobes ○ Tracepoints ○ network packets… ● Frameworks

eBPF enables: ▶ Fine-grained system introspection ▶ Integration of cross-layer state (kprobes, uprobes, etc.) with policy enforcement (LSM probes) ▶ Rapid prototyping ▶ Safe production deployment of the Python3 bcc framework ▶ Kernelspace components are all eBPF ▶ LSM probes (KRSI), kprobes, uprobes, tracepoints ▶ Under 2000 source lines of kernelspace code ▶ Thanks to eBPF, bpfbox is light-weight

f2 0f 10 0d 36 a6 0f movsd 0xfa636(%rip),%xmm1 Diving into the details eBPF Using uprobes eBPF ... ... main.computeE 0x6609a0 { App Binary main.main { 0x6609f0 ... ... main.computeE The function is simply invoked whenever main.computeE is called. ● The registration is done via UProbes ● It attaches to every running version of the binary #include BPF_PERF_OUTPUT(trace);

programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsec�ons provide further details on individual aspects of the upon BPF programs hooking into kernel infrastructure based upon kprobes, kretprobes, tracepoints, uprobes, uretprobes as well as USDT probes. The collec�on provides close to hundred tools targe�ng different com/blog/2016-03-05/linux-bpf-superpowers.html Feb 2016, Linux eBPF/bcc uprobes, Brendan Gregg, h�p://www.brendangregg.com/blog/2016-02-08/linux-ebpf-bcc- uprobes.html Feb 2016, Who is waking the waker? (Linux chain graph

programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsections provide further details on individual aspects of the upon BPF programs hooking into kernel infrastructure based upon kprobes, kretprobes, tracepoints, uprobes, uretprobes as well as USDT probes. The collection provides close to hundred tools targeting different x-bpf-superpowers.html 10. Feb 2016, Linux eBPF/bcc uprobes, Brendan Gregg, http://www.brendangregg.com/blog/2016-02-08/linux-ebpf-bcc- uprobes.html 9. Feb 2016, Who is waking the waker? (Linux chain

programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsections provide further details on individual aspects of the upon BPF programs hooking into kernel infrastructure based upon kprobes, kretprobes, tracepoints, uprobes, uretprobes as well as USDT probes. The collection provides close to hundred tools targeting different x-bpf-superpowers.html 10. Feb 2016, Linux eBPF/bcc uprobes, Brendan Gregg, http://www.brendangregg.com/blog/2016-02-08/linux-ebpf-bcc- uprobes.html 9. Feb 2016, Who is waking the waker? (Linux chain

programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsections provide further details on individual aspects of the upon BPF programs hooking into kernel infrastructure based upon kprobes, kretprobes, tracepoints, uprobes, uretprobes as well as USDT probes. The collection provides close to hundred tools targeting different x-bpf-superpowers.html 10. Feb 2016, Linux eBPF/bcc uprobes, Brendan Gregg, http://www.brendangregg.com/blog/2016-02-08/linux-ebpf-bcc- uprobes.html 9. Feb 2016, Who is waking the waker? (Linux chain

programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsections provide further details on individual aspects of the upon BPF programs hooking into kernel infrastructure based upon kprobes, kretprobes, tracepoints, uprobes, uretprobes as well as USDT probes. The collection provides close to hundred tools targeting different x-bpf-superpowers.html 10. Feb 2016, Linux eBPF/bcc uprobes, Brendan Gregg, http://www.brendangregg.com/blog/2016-02-08/linux-ebpf-bcc- uprobes.html 9. Feb 2016, Who is waking the waker? (Linux chain

programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsections provide further details on individual aspects of the upon BPF programs hooking into kernel infrastructure based upon kprobes, kretprobes, tracepoints, uprobes, uretprobes as well as USDT probes. The collection provides close to hundred tools targeting different x-bpf-superpowers.html 10. Feb 2016, Linux eBPF/bcc uprobes, Brendan Gregg, http://www.brendangregg.com/blog/2016-02-08/linux-ebpf-bcc- uprobes.html 9. Feb 2016, Who is waking the waker? (Linux chain

programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsections provide further details on individual aspects of the upon BPF programs hooking into kernel infrastructure based upon kprobes, kretprobes, tracepoints, uprobes, uretprobes as well as USDT probes. The collection provides close to hundred tools targeting different x-bpf-superpowers.html 10. Feb 2016, Linux eBPF/bcc uprobes, Brendan Gregg, http://www.brendangregg.com/blog/2016-02-08/linux-ebpf-bcc- uprobes.html 9. Feb 2016, Who is waking the waker? (Linux chain