the Game eBPF enables: ▶ Fine-grained system introspection ▶ Integration of cross-layer state (kprobes, uprobes, etc.) with policy enforcement (LSM probes) ▶ Rapid prototyping ▶ Safe production deployment daemon using the Python3 bcc framework ▶ Kernelspace components are all eBPF ▶ LSM probes (KRSI), kprobes, uprobes, tracepoints ▶ Under 2000 source lines of kernelspace code Thanks to eBPF, bpfbox is light-weight

0afc50af9547/p6_1.jpg) ## Conclusions • eBPF programs can be attached to different events: ☐ Kprobes ☐ uprobes Tracepoints ☐ network packets... • Frameworks. Go bindings. options make it easier:

d>kprobeskprobeskprobeskprobeskprobeskprobeskprobeskprobeskprobeskprobes

0 码力 | 84 页 | 9.60 MB | 2 年前

3

Traceevent Dynamic Event Static Event Perfevent instrumentations Ftrace (Function trace) kprobes uprobes Tracepoint Performance counter Source: “Dynamic Probes for Linux”, Masami Hiramatsu .rst $]}\$财产$$Kernel_SRC/Documentation/trace/ftrace*.rst $}\$资产$$Kernel_SRC/Documentation/kprobes $}\$资产$$Kernel_SRC/Documentation/trace/kprobetrace.rst $}\$资产$$Kernel_SRC/Documentation/trace/uprobetracer in this cycle is the ability to attach eBPF programs (user-defybercode executed by the kernel) to kprobes. This allows user-defined instrumentation on a live never crash, hang or interfere with the kernel

various hooking points in the kernel such as for incoming packets, outgoing packets, system calls, kprobes, etc. BPF continues to evolve and gain additional capabilities with each new Linux release. Cilium and XDP programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsections provide further details on individual aspects packet is received, a kernel address which has a kprobes with a BPF program attached will trap once the code at that address gets executed, then invoke the kprobes callback function for instrumentation which

various hooking points in the kernel such as for incoming packets, outgoing packets, system calls, kprobes, etc. BPF continues to evolve and gain additional capabilities with each new Linux release. Cilium and XDP programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsections provide further details on individual aspects kernel tracing utilities all based upon BPF programs hooking into kernel infrastructure based upon kprobes, kretprobes, tracepoints, uprobes, uretprobes as well as USDT probes. The collection provides close

various hooking points in the kernel such as for incoming packets, outgoing packets, system calls, kprobes, etc. BPF continues to evolve and gain additional capabilities with each new Linux release. Cilium and XDP programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsections provide further details on individual aspects kernel tracing utilities all based upon BPF programs hooking into kernel infrastructure based upon kprobes, kretprobes, tracepoints, uprobes, uretprobes as well as USDT probes. The collection provides close

[sudo] password for kdas: abi.vsyscall32 = 1 crypto.fips_enabled = 0 debug.exception-trace = 1 debug.kprobes-optimization = 1 dev.cdrom.autoclose = 1 dev.cdrom.autoeject = 0 dev.cdrom.check_media = 0 dev.cdrom

[sudo] password for kdas: abi.vsyscall32 = 1 crypto.tips_enabled = 0 debug.exception-trace = 1 debug.kprobes-optimization = 1 dev.cdrom.autoclose = 1 dev.cdrom.autoeject = 0 dev.cdrom.check_media = 0 dev.cdrom

and XDP programs, there are various other kernel subsystems as well which use BPF such as tracing (kprobes, uprobes, tracepoints, etc). The following subsections provide further details on individual aspects kernel tracing utilities all based upon BPF programs hooking into kernel infrastructure based upon kprobes, kretprobes, tracepoints, uprobes, uretprobes as well as USDT probes. The collection provides close Language’ approach of yore, and compiles ply scripts into Linux BPF programs that are attached to kprobes and tracepoints in the kernel. The scripts have a C-like syntax, heavily inspired by DTrace and by