Description

Many security tools need to record system calls such as execve. Using the Linux audit subsystem for this can have a noticeable performance cost in some cases.

Goals

The goal is to investigate eBPF as an alternative and run benchmarks to measure its overhead and how it compares to using the audit subsystem.
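A harness for the comparison described above, added here as an example and not part of the Hack Week project or its traceexec tool: it times a fork+exec loop three ways, untraced, with an auditctl execve rule, and with a bpftrace tracepoint program, and reports the slowdown of each traced run relative to the baseline. The auditctl and bpftrace invocations are the standard ones; the benchmark loop, the two-second settle delay for bpftrace and the overhead arithmetic are this script's own assumptions.

```python
"""Benchmark execve recording: baseline vs. audit rule vs. eBPF tracepoint.

Added example, not code from the Hack Week project. Traced modes run only as
root and only when the tool is installed; the helpers run anywhere.
"""
import os
import shutil
import subprocess
import time

# Audit rule: record every execve on 64-bit x86 under the key "exec".
AUDIT_ARGS = ["-a", "always,exit", "-F", "arch=b64", "-S", "execve", "-k", "exec"]

# eBPF equivalent via bpftrace: one tracepoint program printing pid and filename.
BPFTRACE_PROG = (
    'tracepoint:syscalls:sys_enter_execve '
    '{ printf("%d %s\\n", pid, str(args.filename)); }'
)


def exec_loop(iterations, target=None):
    """Fork+exec `target` (default: true(1)) `iterations` times; return seconds."""
    target = target or shutil.which("true") or "/bin/true"
    start = time.perf_counter()
    for _ in range(iterations):
        pid = os.posix_spawn(target, [target], {})
        os.waitpid(pid, 0)
    return time.perf_counter() - start


def overhead_pct(baseline, traced):
    """Slowdown of `traced` relative to `baseline`, in percent."""
    if baseline <= 0:
        raise ValueError("baseline must be positive")
    return (traced - baseline) / baseline * 100.0


def _can_trace(tool):
    return os.geteuid() == 0 and shutil.which(tool) is not None


def time_with_audit(iterations):
    """Add the audit rule, run the loop, remove the rule again; return seconds."""
    subprocess.run(["auditctl"] + AUDIT_ARGS, check=True)
    try:
        return exec_loop(iterations)
    finally:
        # Same rule spec with -d instead of -a deletes it.
        subprocess.run(["auditctl", "-d"] + AUDIT_ARGS[1:], check=False)


def time_with_bpftrace(iterations, settle=2.0):
    """Attach the tracepoint via bpftrace, run the loop, detach; return seconds."""
    proc = subprocess.Popen(["bpftrace", "-e", BPFTRACE_PROG],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    time.sleep(settle)  # assumption: bpftrace has compiled and attached by now
    try:
        return exec_loop(iterations)
    finally:
        proc.terminate()
        proc.wait()


def benchmark(iterations=2000):
    """Return {mode: seconds}; traced modes are skipped without root or tools."""
    results = {"baseline": exec_loop(iterations)}
    if _can_trace("auditctl"):
        results["audit"] = time_with_audit(iterations)
    if _can_trace("bpftrace"):
        results["ebpf"] = time_with_bpftrace(iterations)
    return results


if __name__ == "__main__":
    res = benchmark()
    base = res["baseline"]
    for mode, secs in res.items():
        print(f"{mode:9s} {secs:8.3f}s  +{overhead_pct(base, secs):6.1f}%")
```

Two checks matter when reading the numbers. First, repeat each mode several times and compare minima or medians; a single run is dominated by noise, and the audit figure depends on the backlog settings and on auditd writing the log to disk. Second, confirm that each tracer actually recorded all the execs (for example by counting EXECVE records with ausearch -k exec, or counting bpftrace output lines) before crediting it with lower overhead, since a tracer that drops events under load looks cheap for the wrong reason.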

Progress

BPF done - traceexec

Benchmark report

Resources

eBPF doc

libbpf

libMicro benchmark tool

Looking for hackers with the skills:

bpf ebpf

This project is part of:

Hack Week 24

Activity

  • about 1 year ago: alessio.biancalana liked this project.
  • about 1 year ago: doreilly started this project.
  • about 1 year ago: janvhs liked this project.
  • about 1 year ago: doreilly added keyword "ebpf" to this project.
  • about 1 year ago: doreilly added keyword "bpf" to this project.
  • about 1 year ago: bmwiedemann liked this project.
  • about 1 year ago: doreilly originated this project.

Comments

jiriwiesner, about 1 year ago:

      If I were to do this task the syscount script from bcc-tools would be my starting point: https://github.com/iovisor/bcc/blob/master/tools/syscount.py

    Similar Projects

    bpftrace contribution by mkoutny

    Description

    bpftrace is a great tool, no need to sing odes to it here. It can access any kernel data and process it in real time. It provides helpers for some common Linux kernel structures, but not all.

    Goals

    • set up bpftrace toolchain
    • learn about bpftrace implementation and internals
    • implement support for percpu_counters
    • look into some of the first issues
    • send a refined PR (on Thu)

    Resources


    eBPF bytecode emitter in Haskell by kalfalakh

    Description

    Newbie-level knowledge of eBPF and some knowledge of Haskell. The goal for this Hack Week is to kill two birds with one stone: get familiar with eBPF and learn more about Haskell, hence implement something related to eBPF in Haskell. Given an input, which is a program represented as eBPF instructions, prepare fully built eBPF bytecode ready to be loaded into the kernel.

    Goals

    • Recap on ADTs in Haskell, type classes and their instances / deriving, on pattern matching and higher order functions
    • Read and understand RFC 9669
    • Implement the entire pipeline; parsing the input, verifying the input, building instructions, encoding them and concatenating them
    • Deal with all the learning, bugs and difficulties encountered on the way

    Progress

    Last day of hackweek and this is what I have so far.

    • ADTs implemented to correctly type all operations, classes, opcodes, instructions and other instruction-specific types
    • Opcodes and opcode builders based on the specification are implemented
    • The encoder is ready for the 64-bit instruction format; the extended 128-bit instruction format is not yet supported
    • Only the ALU and ALU64 instruction API is provided; JMP, LD and ST for base32 and base64 are missing, as are swap and atomic
    • All ALU and ALU64 instructions (except MOV and MOVSX) are tested manually and are correctly encoded
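    The two encodings the progress notes refer to, the 64-bit basic format and the 128-bit wide format used by LDDW, as an added example in Python; this is not the project's Haskell code and covers only the handful of opcodes needed to show the layout. Field order and opcode values follow RFC 9669: opcode, then one byte with src_reg in the high nibble and dst_reg in the low nibble, a signed 16-bit offset and a signed 32-bit immediate, all little-endian.

```python
"""Encode eBPF instructions in the RFC 9669 basic (64-bit) and wide (128-bit) formats.

Added example for this page, not the project's code; opcode subset only.
"""
import struct

# Instruction classes (low 3 bits of the opcode).
CLS_LD, CLS_ALU, CLS_JMP, CLS_ALU64 = 0x00, 0x04, 0x05, 0x07
# Source bit (bit 3): 0 = 32-bit immediate (K), 1 = register (X).
SRC_K, SRC_X = 0x00, 0x08
# Operation codes (high 4 bits of the opcode), subset.
ALU_ADD, ALU_SUB, ALU_MOV = 0x0, 0x1, 0xB
JMP_EXIT = 0x9
# Load class, mode IMM (0x00) with size DW (0x18): the LDDW opcode.
LD_IMM_DW = 0x18


def _signed32(u):
    """Reinterpret an unsigned 32-bit value as signed for struct's 'i'."""
    return u - (1 << 32) if u & 0x80000000 else u


def encode(opcode, dst=0, src=0, offset=0, imm=0):
    """One basic instruction: opcode | src:4 dst:4 | offset:16 | imm:32 (LE)."""
    if not (0 <= dst <= 10 and 0 <= src <= 10):
        raise ValueError("eBPF has registers r0..r10")
    regs = (src << 4) | dst  # src_reg in the high nibble, dst_reg in the low nibble
    return struct.pack("<BBhi", opcode, regs, offset, imm)


def alu(op, dst, src=None, imm=0, width=64):
    """ALU (32-bit) or ALU64 instruction: register form if src is given, else immediate."""
    cls = CLS_ALU64 if width == 64 else CLS_ALU
    if src is None:
        return encode((op << 4) | SRC_K | cls, dst=dst, imm=imm)
    return encode((op << 4) | SRC_X | cls, dst=dst, src=src)


def exit_insn():
    """exit: JMP class, code 0x9, no operands."""
    return encode((JMP_EXIT << 4) | CLS_JMP)


def lddw(dst, value):
    """Wide instruction: dst = 64-bit immediate, split over two 64-bit slots.

    The second slot carries only the high 32 bits in its imm field; its
    opcode, regs and offset are zero.
    """
    value &= 0xFFFFFFFFFFFFFFFF
    lo, hi = value & 0xFFFFFFFF, value >> 32
    return encode(LD_IMM_DW, dst=dst, imm=_signed32(lo)) + encode(0, imm=_signed32(hi))


def assemble(*insns):
    """Concatenate encoded instructions into a program image."""
    return b"".join(insns)


if __name__ == "__main__":
    # r1 = 0x1122334455667788; r0 = 1; r0 += r1 (64-bit); exit
    prog = assemble(lddw(1, 0x1122334455667788),
                    alu(ALU_MOV, 0, imm=1),
                    alu(ALU_ADD, 0, src=1),
                    exit_insn())
    for i in range(0, len(prog), 8):
        print(prog[i:i + 8].hex())
```

    The encoder only fixes the byte layout; whether the kernel accepts the result is the verifier's decision at load time, which is where the project's planned loader and basic verifier come in.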

    What's next?

    There is still a lot left to do:

    • Input parser and formatter + some kind of basic verifier
    • API for remaining instruction classes
    • Proper testing mechanism
    • swap and atomic instructions
    • Loader

    Resources

    • RFC 9669
    • https://ebpf.io/
    • https://www.haskell.org/documentation/