gobpf
play

gobpf utilizing eBPF from Go FOSDEM 2017-02-05 michael@kinvolk.io - PowerPoint PPT Presentation

Apr 10, 2024 •595 likes •924 views

gobpf utilizing eBPF from Go FOSDEM 2017-02-05 michael@kinvolk.io bpf_trace_printk("hello"); Michael, Software Engineer at Kinvolk We mostly work on Linux core system software (kernel, container, etc.) and like it!

  1. gobpf utilizing eBPF from Go FOSDEM • 2017-02-05 • michael@kinvolk.io

  2. bpf_trace_printk("hello"); Michael, Software Engineer at Kinvolk We mostly work on Linux core system software (kernel, container, etc.) … and like it! https://kinvolk.io/about/ We are hiring, too! FOSDEM • 2017-02-05 • michael@kinvolk.io

  3. What is gobpf? library to create, load and use eBPF programs from Go ● bring together eBPF capabilities and Go software ● FOSDEM • 2017-02-05 • michael@kinvolk.io

  4. Agenda Introduction to eBPF Berkeley Packet Filter / cBPF ● Programs ● Maps ● gobpf BPF Compiler Collection (bcc) ● elf ● CI ● FOSDEM • 2017-02-05 • michael@kinvolk.io

  5. What is eBPF? “bytecode virtual machine” in the Linux kernel ● used for tracing kernel functions, networking, performance analysis, ... ● FOSDEM • 2017-02-05 • michael@kinvolk.io

  6. Berkeley Packet Filter / LSF / cBPF original use case packet filtering ● based on paper “The BSD Packet Filter: A New Architecture for User-level Packet ● Capture” from December 19, 1992 sudo tcpdump -p -ni eth0 -d "ip and udp" (000) ldh [12] (001) jeq #0x800 jt 2 jf 5 (002) ldb [23] (003) jeq #0x11 jt 4 jf 5 (004) ret #262144 (005) ret #0 https://blog.cloudflare.com/bpf-the-forgotten-bytecode/ FOSDEM • 2017-02-05 • michael@kinvolk.io

  7. Why eBPF? enables you to ● attach to different kernel events ○ do networking (SDN), e.g. packet parsing & modification ○ use bpf as a security mechanism, e.g. filtering ○ ... ○ safety guarantee through the bpf verifier ● fast, running in the kernel ● JIT compiled (for x86-64, arm64, and s390 if enabled, ○ /proc/sys/net/core/bpf_jit_enable ) FOSDEM • 2017-02-05 • michael@kinvolk.io

  8. How does it work? program - uses bpf() system call or library to interact with BPF subsystem user-space eBPF maps kernel eBPF program eBPF program ... FOSDEM • 2017-02-05 • michael@kinvolk.io

  9. eBPF programs Programs can be attached to ... sockets ● execute eBPF program for each packet ○ https://www.kernel.org/doc/Documentation/networking/filter.txt ○ non-privileged operation contrary to other bpf(2) ops ○ kernel tracepoints ● ○ linux:include/trace/events/ https://www.kernel.org/doc/Documentation/trace/tracepoints.txt ○ https://github.com/torvalds/linux/blob/v4.9/include/uapi/linux/bpf.h#L90-L99 FOSDEM • 2017-02-05 • michael@kinvolk.io

  10. eBPF programs Programs can be attached to ... kprobes ● “a set of handlers placed on a certain instruction address” - https://lwn.net/Articles/132196/ ○ pre-handler and a post-handler: kretprobe ○ https://www.kernel.org/doc/Documentation/kprobes.txt ○ uprobes ● user-space counterpart of kprobes ○ FOSDEM • 2017-02-05 • michael@kinvolk.io

  11. eBPF maps Maps are a generic data structure to share “data between eBPF kernel programs, and also between kernel and user-space applications.” a key/value for a given map can have an arbitrary structure, as specified by the ● user at map-creation time one special map BPF_MAP_TYPE_PROG_ARRAY holding file descriptors ● referring to other eBPF programs man (2) bpf notoriously not up-to-date ● FOSDEM • 2017-02-05 • michael@kinvolk.io

  12. eBPF maps Available may types: ● ○ HASH ○ ARRAY ○ PROG_ARRAY ○ PERF_EVENT_ARRAY ○ PERCPU_HASH, PERCPU_ARRAY ○ STACK_TRACE ○ CGROUP_ARRAY Linux v4.10 adds LRU_HASH ● https://github.com/torvalds/linux/blob/v4.9/include/uapi/linux/bpf.h#L78-L88 FOSDEM • 2017-02-05 • michael@kinvolk.io

  13. BPF_MAP_TYPE_PERF_EVENT_ARRAY an array of file descriptors (one per cpu, created with perf_event_open(2)) to ● in-kernel ring buffers containing perf events allows sending a lot of events very fast ● user-space program can read asynchronously from mmap’ed memory ● FOSDEM • 2017-02-05 • michael@kinvolk.io

  14. Warning: somewhat scary code on next slide “... to start by coding a struct bpf_insn is starting with difficulty setting Ultra-Violence” - Brendan Gregg FOSDEM • 2017-02-05 • michael@kinvolk.io

  15. Example: fchownat(2) count kprobe /* Put 0 (the map key) on the stack */ BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), /* Put frame pointer into R2 */ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* Decrement pointer by four */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* Put map_fd into R1 */ BPF_LD_MAP_FD(BPF_REG_1, map_fd), /* Load current count from map into R0 */ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), /* If returned value NULL, skip two instructions and exit */ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* Put 1 into R1 */ BPF_MOV64_IMM(BPF_REG_1, 1), /* Increment value by 1 */ BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_0, BPF_REG_1, 0, 0), BPF_EXIT_INSN(), https://kinvolk.io/blog/2016/11/introducing-gobpf---using-ebpf-from-go/ FOSDEM • 2017-02-05 • michael@kinvolk.io

  16. The IO Visor Project “[...] open source project and a community of developers to accelerate the innovation, development, and sharing of virtualized in-kernel IO services for tracing, analytics, monitoring, security and networking functions.” https://www.iovisor.org/about https://github.com/iovisor FOSDEM • 2017-02-05 • michael@kinvolk.io

  17. gobpf library to create, load and use eBPF programs from Go use Cgo + the BPF Compiler Collection (bcc) or ● load and use pre-build elf object files ● https://github.com/iovisor/gobpf ● FOSDEM • 2017-02-05 • michael@kinvolk.io

  18. Why gobpf? There was no library which does what we need ● … but the Hover Framework: https://github.com/iovisor/iomodules ○ We like Go @ Kinvolk + use it a lot ● We work on Weave Scope, which is written in Go ● FOSDEM • 2017-02-05 • michael@kinvolk.io

  19. Why gobpf? Scope probes (read: agents) need to gather a lot of system data ● https://github.com/weaveworks/scope/tree/master/probe/endpoint ○ Doing that with eBPF is often faster and/or more reliable than e.g. /proc or ● conntrack (Linux connection tracking) parsing FOSDEM • 2017-02-05 • michael@kinvolk.io

  20. gobpf/bcc ● import bpf “github.com/iovisor/gobpf/bcc” write eBPF program in C ● load with gobpf ● FOSDEM • 2017-02-05 • michael@kinvolk.io

  21. gobpf/bcc “A modified C language for BPF backends” - ● https://github.com/iovisor/bcc/blob/master/README.md When using bcc, we can rely on bcc helper functions which make it easier to e.g. ● work with maps: map.update(&key, &value); FOSDEM • 2017-02-05 • michael@kinvolk.io

  22. gobpf/bcc libbcc.so is the core of bcc and not only a library but also a compiler to translate eBPF programs written in aforementioned modified C language into byte code for bpf(2) uses clang + llvm-bpf backend ● allows you to verify program before loading it ● spares you “a kludgy workflow, sometimes involving compiling directly in a linux ● kernel source tree” FOSDEM • 2017-02-05 • michael@kinvolk.io

  23. gobpf/bcc const source string = ` #include <uapi/linux/ptrace.h> int kprobe__sys_fchownat( #include <bcc/proto.h> struct pt_regs *ctx, int dfd, const char *filename, typedef struct { uid_t uid, gid_t gid, int flag) u32 pid; { uid_t uid; u64 pid = bpf_get_current_pid_tgid(); gid_t gid; chown_event_t event = { int ret; .pid = pid >> 32, char filename[256]; .uid = uid, } chown_event_t; .gid = gid, }; BPF_PERF_OUTPUT(chown_events); bpf_probe_read(&event.filename, BPF_HASH(chowncall, u64, chown_event_t); sizeof(event.filename), (void *)filename); chowncall.update(&pid, &event); return 0; } ... FOSDEM • 2017-02-05 • michael@kinvolk.io

  24. gobpf/bcc m := bpf.NewModule(source, []string{}) … chownKprobe, err := m.LoadKprobe("kprobe__sys_fchownat") err = m.AttachKprobe("sys_fchownat", chownKprobe) … table := bpf.NewTable(0, m) perfMap, err := bpf.InitPerfMap(table, channel) … go func() { var event chownEvent for { data := <-channel err := binary.Read(bytes.NewBuffer(data), binary.LittleEndian, &event) … filename := (*C.char)(unsafe.Pointer(&event.Filename)) fmt.Printf("uid %d gid %d pid %d called fchownat(2) on %s (return value: %d)\n", event.Uid, event.Gid, event.Pid, C.GoString(filename), event.ReturnValue) } }() FOSDEM • 2017-02-05 • michael@kinvolk.io

  25. gobpf/bcc // Gateway function as required with CGO Go >= 1.6 // ... //export callback_to_go func callback_to_go(cbCookie unsafe.Pointer, raw unsafe.Pointer, rawSize C.int) { callbackData := lookupCallback(uint64(uintptr(cbCookie))) receiverChan := callbackData.receiverChan go func() { receiverChan <- C.GoBytes(raw, rawSize) }() } … C.bpf_open_perf_buffer( (C.perf_reader_raw_cb)(unsafe.Pointer(C.callback_to_go)), unsafe.Pointer(uintptr(callbackDataIndex)) , -1, C.int(cpu)) FOSDEM • 2017-02-05 • michael@kinvolk.io

  26. Demo: fchownat(2) snoop FOSDEM • 2017-02-05 • michael@kinvolk.io

  27. gobpf/elf ● import bpf “github.com/iovisor/gobpf/elf” load + use pre-built elf object ● FOSDEM • 2017-02-05 • michael@kinvolk.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Long-Term Evolution (LTE) Prepared by: Huai-Lei (Vic) Fu, PhD Candidate Mobile

Introduction to Long-Term Evolution (LTE) Prepared by: Huai-Lei (Vic) Fu, PhD Candidate Mobile

Introduction to Long-Term Evolution (LTE) Prepared by: Huai-Lei (Vic) Fu, PhD Candidate Mobile Communications Networking (MCN) Lab. Department of Computer Science &amp; Information Engineering (CSIE), National Taiwan University, Email:

595 views • 40 slides
Active Networks Towards an Active Network Architecture, D. Tennenhouse, D. Wetherall, CCR

Active Networks Towards an Active Network Architecture, D. Tennenhouse, D. Wetherall, CCR

Active Networks Towards an Active Network Architecture, D. Tennenhouse, D. Wetherall, CCR 1996 Winner of ACM SIGCOMM 2007 Test-of-Time Award Internet in 1996: Routers are passive -- just move bits around Bits are either

1.09k views • 80 slides
Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security by Avi Kak (kak@purdue.edu) March 24, 2015 3:44pm 2015 Avinash Kak, Purdue University c Goals: Packet-filtering vs. proxy-server

828 views • 70 slides
CSE543 - Computer and Network Security Module: Firewalls Professor Patrick McDaniel Fall 2011

CSE543 - Computer and Network Security Module: Firewalls Professor Patrick McDaniel Fall 2011

609 views • 26 slides
Zero-Copy Socket Splicing Alexander Bluhm bluhm@openbsd.org Sunday, 29. September 2013

Zero-Copy Socket Splicing Alexander Bluhm bluhm@openbsd.org Sunday, 29. September 2013

Motivation Kernel MBuf Packet Processing Socket Splicing Interface Implementation Applications Zero-Copy Socket Splicing Alexander Bluhm bluhm@openbsd.org Sunday, 29. September 2013 Motivation Kernel MBuf Packet Processing Socket

736 views • 38 slides
Continuous Distributed Monitoring in the Evolved Packet Core Industry Experience Report Romaric

Continuous Distributed Monitoring in the Evolved Packet Core Industry Experience Report Romaric

Continuous Distributed Monitoring in the Evolved Packet Core Industry Experience Report Romaric Duvignau 1 Marina Papatriantafilou 1 Konstantinos Peratinos 3 om 2 Patrik Nyman 2 Eric Nordstr DEBS 2019, Darmstadt (June 26). 1 Chalmers

664 views • 41 slides
13 Networking CS 2043: Unix Tools and Scripting, Spring 2019 [1] Matthew Milano February 20,

13 Networking CS 2043: Unix Tools and Scripting, Spring 2019 [1] Matthew Milano February 20,

13 Networking CS 2043: Unix Tools and Scripting, Spring 2019 [1] Matthew Milano February 20, 2019 Cornell University 1 Table of Contents 1. THE INTERNET 2 As always: Everybody! ssh to wash.cs.cornell.edu You can just explain a

387 views • 23 slides
General Packet Radio System (GPRS) Overview Overview Introduction Introduction General Packet

General Packet Radio System (GPRS) Overview Overview Introduction Introduction General Packet

General Packet Radio System (GPRS) Overview Overview Introduction Introduction General Packet Radio Service (GRPS) today Packet overlay network on top of the existing GSM (Digital) circuit switched voice-based network TCP/IP-based:

351 views • 14 slides
A Practical Introduction to Sensor Network Programming Wireless Communication and Networked

A Practical Introduction to Sensor Network Programming Wireless Communication and Networked

A Practical Introduction to Sensor Network Programming Wireless Communication and Networked Embedded Systems, VT 2011 Frederik Hermans, Communication Research, Uppsala Universitet Overview Sensor node hardware: Zolertia Z1 TinyOS

596 views • 46 slides
OMNeT++ Community Summit, 2015 INET 3.0 Wireless Tutorial IBM Research - Zurich, Switzerland

OMNeT++ Community Summit, 2015 INET 3.0 Wireless Tutorial IBM Research - Zurich, Switzerland

OMNeT++ Community Summit, 2015 INET 3.0 Wireless Tutorial IBM Research - Zurich, Switzerland September 3 - 4, 2015 Rudolf Hornig INET 3.0 Wireless Tutorial Outline: The tutorial consists of 13 steps with increasingly more realistic

517 views • 18 slides
Horizontal Vertically integrated Open interfaces Closed, proprietary Rapid innovation Slow

Horizontal Vertically integrated Open interfaces Closed, proprietary Rapid innovation Slow

Forwarding Plane Correctness Nick McKeown Stanford University App App App App App App App App App App App Specialized Open Interface Applications Windows

855 views • 59 slides
Bloom Filter-based Stateless Multicast va Hosszu hosszu@tmit.bme.hu Outline Multicast in

Bloom Filter-based Stateless Multicast va Hosszu hosszu@tmit.bme.hu Outline Multicast in

Bloom Filter-based Stateless Multicast va Hosszu hosszu@tmit.bme.hu Outline Multicast in publish/subscribe networks 1. Pub/sub network architecture 1. Bloom filter basics 2. What is a Bloom filter? 1. False positive probability 2.

424 views • 38 slides
How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO Agenda What is tcpdump? Lab set-up tcpdump usage Output breakdown Saving to file Filtering (host, port, traffic

582 views • 11 slides
AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications

AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications

AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications Myungjin Lee , Ramana Rao Kompella, Sumeet Singh Purdue University, Cisco Systems Wind of changes Asynchronous Javascript Migration

503 views • 22 slides
... sclass1 sclass10 Net-linux Net-linux DHCP DHCP The lab has 10 dell systems. Each dell

... sclass1 sclass10 Net-linux Net-linux DHCP DHCP The lab has 10 dell systems. Each dell

Notes on Running Dsniff and the Lab Network Environment Cyber Security Lab 2/16/10 1 General Overview 1.1 Initial machine configuration Outside World DMZ Management 192.168.50.50 192.168.50.60 Dmz 192.168.50.0/24 FW1 Outside =

182 views • 4 slides
() Instructor: Fengwei Zhang SUSTech CS315 Computer Security 1 Who Am I?

() Instructor: Fengwei Zhang SUSTech CS315 Computer Security 1 Who Am I?

CS 315 Computer Security () Instructor: Fengwei Zhang SUSTech CS315 Computer Security 1 Who Am I? Fengwei Zhang Associate Professor of Computer Science Office: Innovation Park Building 10, Room 404 Email: TBA

795 views • 20 slides
dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits &amp; More Info Design &amp; Implementation: Robert Edmonds &lt;edmonds@fsi.io&gt; Website:

786 views • 40 slides
NAV NAV Project Update By: Meghan Allen and Peter McLachlan NAV Objectives Develop a tool

NAV NAV Project Update By: Meghan Allen and Peter McLachlan NAV Objectives Develop a tool

NAV NAV Project Update By: Meghan Allen and Peter McLachlan NAV Objectives Develop a tool for network visualization Focus on common protocols: TCP/IP UDP/IP ICMP Within these protocols focus on common services

431 views • 14 slides
Merging packets with System Events using eBPF Luca Deri &lt;deri@ntop.org&gt;, @lucaderi Samuele

Merging packets with System Events using eBPF Luca Deri &lt;deri@ntop.org&gt;, @lucaderi Samuele

Merging packets with System Events using eBPF Luca Deri &lt;deri@ntop.org&gt;, @lucaderi Samuele Sabella &lt;sabella@ntop.org&gt;, @sabellasamuele Brussels - 2/3 February 2019 About Us Luca: lecturer at the University of Pisa, CS

280 views • 26 slides
University of Calgary CPSC 329 Guest Lecture: Carey Williamson What is network

University of Calgary CPSC 329 Guest Lecture: Carey Williamson What is network

University of Calgary CPSC 329 Guest Lecture: Carey Williamson What is network security? Types of attacks Real-world examples Wrapup and questions 2 The field of network security is about: how the bad guys

482 views • 19 slides
Wireshark Drinking straight from the network hose Wireshark Drinking straight from the network

Wireshark Drinking straight from the network hose Wireshark Drinking straight from the network

Wireshark Drinking straight from the network hose Wireshark Drinking straight from the network hose Md. Abdul Awal TEIN Application Workshop 2017 BdREN University of Dhaka awal@bdren.net.bd December 11, 2017 These materials are licensed

612 views • 31 slides
Section 1: Threat Modeling TA Introduction Keanu Vestil, he/him (keanu@cs.washington.edu) Eric

Section 1: Threat Modeling TA Introduction Keanu Vestil, he/him (keanu@cs.washington.edu) Eric

CSE 484 / CSE M 584 Section 1: Threat Modeling TA Introduction Keanu Vestil, he/him (keanu@cs.washington.edu) Eric Zeng, he/him (ericzeng@cs.washington.edu) Office Hours TBD - stay tuned! Icebreaker In breakout rooms, share your answers to

689 views • 23 slides
Cost Efficient Hardware Timestamping Intermediate Presentation Alexander Frank June 6, 2018

Cost Efficient Hardware Timestamping Intermediate Presentation Alexander Frank June 6, 2018

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Cost Efficient Hardware Timestamping Intermediate Presentation Alexander Frank June 6, 2018 Chair of Network Architectures and Services

531 views • 13 slides
IOT Platform Vulnerabilities &amp; Remedies ComputerWorld Survey Source: http://postscapes.com

IOT Platform Vulnerabilities &amp; Remedies ComputerWorld Survey Source: http://postscapes.com

IOT Platform Vulnerabilities &amp; Remedies ComputerWorld Survey Source: http://postscapes.com Recent IOT Hacks: Disassociation/ De-authorization Pre-installed keys managed by the controller via OTA commands Each node has copy of keys

333 views • 10 slides

More recommend