eBPF—Divulging The Hidden Super Power
If you are a performance engineer, network engineer or even a security
engineer, the chance of you encountering eBPF technology in the future
is very high. eBPF now has a huge community of users, including big
players like Meta, Google, Cloudflare, and Netflix, all using this tech in
their daily operations.
Goutham Krishna, CoffeeBeans Consulting
Prelude
Let me start the blog with a real story. A year back one of my friends
called me to discuss tech (which is a very common thing between us).
We share the different technical challenges each of us faces at our
workplace or hears about from our peers, and these discussions lead to
some informative and creative knowledge-sharing sessions. In one such
discussion, he described a specific challenge faced by his cousin, who
works for a giant cloud provider. The challenge was to restrict certain IPs
dynamically when they pose threats such as a DoS (denial-of-service)
attack. The application developer's brain in me impetuously replied that
this should be handled at the firewall level, or that a middleware could be
written to check the origin of each packet, maintain a blacklist of
malicious senders and ignore their requests (yes, I come from a NodeJS
and Go background, so the first solution that struck me was a
middleware). My friend patiently explained the scale and performance at
which this needed to be executed, which was way beyond my
comprehension. After a noob's doubt-clearing session, we agreed that the
scale he wanted could only be achieved at the kernel level. I wished him
luck (sarcastically) in writing a kernel patch and raising a PR, hoping the
OS maintainers would include the patch in an upcoming kernel release so
that he could use the feature once it shipped. As a reply to my sarcasm,
he shared with me a link to an article that detailed something called
"eBPF" (extended Berkeley Packet Filter). I did a basic skim through the
article, and my ignorant mind came to sense that there are amazing
inventions in the tech world that I am unaware of.
With eBPF, you can load custom code directly into the kernel without
writing a patch and waiting for it to be approved by the OS maintainers:
"RUN YOUR CUSTOM CODE DIRECTLY IN OS KERNEL"—LIZ RICE
"SUPERPOWERS FOR LINUX"—BRENDAN GREGG
NB: I have added some video and blog links in the reference section;
please check them out for some amazing sessions and blogs on eBPF.
History
eBPF came to life in 2014, introduced in Linux kernel 3.18, thereby
unlocking the God mode of the Linux kernel. The natural doubt anyone
reading this blog would have is regarding the name: if this is an
"extended Berkeley Packet Filter", then there should be a BPF, a
"Berkeley Packet Filter". Well, you are right. The BSD packet filter is not
a new concept; it dates from the 1990s. This gem has been hiding under
the radar for years; the Xennials were true innovators. BPF was very
basic and its only job was to filter packets at the kernel level, hence the
name.
NB: I have added the original BPF paper, published on December 19,
1992, to the reference section. It is a very interesting read.
eBPF has come a long way from BPF: from a plain packet-filtering utility
to being considered a microservices architecture for the kernel, or, as
they call it, a microkernel approach. All the top tech companies that work
at scale nowadays use eBPF on a daily basis. The CNCF community
nowadays breathes and lives on eBPF; if you are a DevOps engineer or
sysadmin you will have heard of Cilium and Falco, both popular among
Kubernetes users and both production tools written on top of eBPF. In
2018 the Linux kernel community announced it would replace its
iptables-based implementation with an eBPF version in the kernel (well,
replacing iptables with any solution would be better). The drawbacks and
disadvantages of using iptables are out of the scope of this article;
please go to the reference section and find a well-written article about
them. Kubernetes used iptables mostly for the following use cases:
- Kube-proxy, the component which implements Services and load
balancing by DNAT iptables rules
- Most CNI plugins, which use iptables for Network Policies
Cilium has made this more efficient by eliminating iptables, whose
performance degrades. You can refer to the details here.
Program Execution Bozo’s Guide
To explain the importance of eBPF, there needs to be an explanation of
how programs are executed in Linux; I will try to explain it from a
1000 ft view for everyone.
NB: Windows user? Well, why are you even reading this article? You
guys do not have all these cool features.
Linux memory is divided into two:
1. Kernel space
2. User space
(Image: kernel space vs. user space. Credits: slideshare)
The image itself explains the difference between these two. All the
programs that you write are just collections of syscalls, which are kernel
APIs. Take the example of opening a file through your favorite
programming language: that just translates into a file-open syscall in
the kernel.
When your application asks the kernel for something, a chunk of data in
kernel space is frequently copied into user space. We must do this
because operating systems strictly partition the memory regions used by
the kernel, making it impossible to simply hand a pointer to some region
of kernel memory to a user-space program. This is known as "crossing
the user/kernel boundary", and because of the copy operation,
operations like these can have significant performance consequences.
While syscalls cover almost all cases, there are situations where they are
not sufficient, such as when we need kernel-level performance or want to
write a new driver. Depending on the OS maintainers to make patches
for all these small use cases is a waste of time and an impossible
process. This is where eBPF comes into the picture.
eBPF lets you write programs in user space which get packaged and
loaded into the kernel directly; these programs run on a virtual machine
inside the kernel with a limited instruction set, thus extending the
capability of the base kernel.
eBPF Dissected
eBPF is the provision to run custom code on the kernel for various
purposes like
- Observability (tracing)
- Debugging
- Firewalling
- Load balancing
- Network-related activity
Anyone who has worked on tracing the various programs in the kernel
would know its difficulty. The half-baked utilities available in Linux
systems are not enough to profile complex systems or even to extend
the perf tooling.
eBPF is event-driven, which means it gets triggered in the following
scenarios:
- A system call
- Function entry/exit
- When a packet enters or leaves
- Kprobes or uprobes
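The "when a packet enters or leaves" hook is where the prelude's DoS blocklist problem is solved in practice: an XDP program runs on every incoming frame and returns a verdict before the kernel's network stack touches it. The following is an added example, not code from the article; it is a user-space simulation of what such a program does, written in plain C so it runs without a kernel. The frame bytes, the blocklist array (standing in for a BPF map), and the verdict constants are constructed here; a real XDP program would use `struct xdp_md`, the `linux/bpf.h` helpers and a BPF hash map instead.

```c
/* Added example (not from the article): user-space simulation of an XDP
 * source-address blocklist filter. Every packet read is guarded by an
 * explicit bounds check against data_end, exactly the discipline the
 * in-kernel verifier enforces before it lets a program touch packet memory. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Mirrors the real XDP_DROP (1) and XDP_PASS (2) action codes. */
enum verdict { VERDICT_DROP = 1, VERDICT_PASS = 2 };

#define ETH_HLEN      14
#define IPV4_HLEN_MIN 20
#define ETH_P_IP      0x0800
#define BLOCKLIST_MAX 16

/* Stand-in for a BPF hash map keyed by IPv4 source address (host byte order). */
struct blocklist { uint32_t addrs[BLOCKLIST_MAX]; size_t count; };

static bool blocklist_contains(const struct blocklist *bl, uint32_t addr) {
    for (size_t i = 0; i < bl->count; i++)
        if (bl->addrs[i] == addr) return true;
    return false;
}

/* Big-endian (network order) field readers. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The filter proper: parse Ethernet, then IPv4, then consult the blocklist.
 * Anything that is not a well-formed IPv4 frame is passed untouched so the
 * filter never becomes its own denial of service. */
enum verdict filter_packet(const uint8_t *data, size_t len, const struct blocklist *bl) {
    const uint8_t *data_end = data + len;
    if (data + ETH_HLEN > data_end) return VERDICT_PASS;         /* truncated frame */
    if (rd16(data + 12) != ETH_P_IP) return VERDICT_PASS;        /* not IPv4 */
    const uint8_t *ip = data + ETH_HLEN;
    if (ip + IPV4_HLEN_MIN > data_end) return VERDICT_PASS;      /* truncated header */
    if ((ip[0] >> 4) != 4) return VERDICT_PASS;                  /* version field */
    uint32_t saddr = rd32(ip + 12);                              /* source address */
    return blocklist_contains(bl, saddr) ? VERDICT_DROP : VERDICT_PASS;
}

/* Build a minimal Ethernet+IPv4 frame with the given source address.
 * Constructed test input; returns the frame length, 0 if buf is too small. */
size_t build_frame(uint8_t *buf, size_t cap, uint32_t saddr) {
    if (cap < ETH_HLEN + IPV4_HLEN_MIN) return 0;
    memset(buf, 0, ETH_HLEN + IPV4_HLEN_MIN);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    buf[ETH_HLEN] = 0x45;                           /* version 4, IHL 5 */
    buf[ETH_HLEN + 12] = (uint8_t)(saddr >> 24);
    buf[ETH_HLEN + 13] = (uint8_t)(saddr >> 16);
    buf[ETH_HLEN + 14] = (uint8_t)(saddr >> 8);
    buf[ETH_HLEN + 15] = (uint8_t)saddr;
    return ETH_HLEN + IPV4_HLEN_MIN;
}

/* Demo: 192.0.2.1 (documentation range) is blocked, 192.0.2.2 is not.
 * Returns 1 when both verdicts are as expected. */
int demo(void) {
    struct blocklist bl = { .addrs = { 0xC0000201u }, .count = 1 };
    uint8_t frame[64];
    size_t n = build_frame(frame, sizeof frame, 0xC0000201u);
    int dropped = filter_packet(frame, n, &bl) == VERDICT_DROP;
    n = build_frame(frame, sizeof frame, 0xC0000202u);
    int passed = filter_packet(frame, n, &bl) == VERDICT_PASS;
    return dropped && passed;
}

int main(void) {
    printf("blocklist filter: %s\n", demo() ? "ok" : "mismatch");
    return demo() ? 0 : 1;
}
```

Two points carry over directly to a real XDP program: the `data + N > data_end` checks are mandatory (the verifier rejects the program otherwise), and the blocklist is updated from user space at runtime by writing to the map, which is exactly the "restrict certain IPs dynamically" requirement from the prelude without any kernel patch.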
The programs are written in a language called restricted C, which is C
with a limited instruction set. The BPF compiler BCC converts this into
bytecode which is loaded into the kernel for execution. A verifier is run
on the bytecode at load time, before it is JIT-compiled, to ensure there is
no infinite loop or never-ending I/O operation that could crash the kernel.
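To make the bytecode and verifier steps concrete, here is an added example (not from the article) that decodes raw eBPF instructions and applies a simplified version of the verifier's classic rule against backward jumps. The instruction encoding (8 bytes: opcode, register nibbles, 16-bit offset, 32-bit immediate; instruction class in the low 3 bits, operation in the high nibble) follows the kernel's documented format; the sample programs are constructed inline. The real verifier does far more (register typing, memory bounds, helper-call checks) and, since Linux 5.3, also accepts backward jumps it can prove form a bounded loop, so treat this as the idea rather than the implementation.

```c
/* Added example (not from the article): decode eBPF bytecode and reject
 * programs whose jumps go backwards or out of range, or that do not end in
 * BPF_EXIT. Simplified model of one verifier check; sample bytes constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BPF_INSN_SIZE   8
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_OP(code)    ((code) & 0xf0)
#define BPF_JMP   0x05   /* 64-bit jump class */
#define BPF_JMP32 0x06   /* 32-bit jump class */
#define BPF_JA    0x00
#define BPF_CALL  0x80
#define BPF_EXIT  0x90

struct bpf_insn { uint8_t code; uint8_t dst_reg; uint8_t src_reg; int16_t off; int32_t imm; };

/* Decode one little-endian instruction. */
static struct bpf_insn decode(const uint8_t *p) {
    struct bpf_insn i;
    i.code    = p[0];
    i.dst_reg = p[1] & 0x0f;
    i.src_reg = p[1] >> 4;
    i.off     = (int16_t)(p[2] | (p[3] << 8));
    i.imm     = (int32_t)((uint32_t)p[4] | ((uint32_t)p[5] << 8) |
                          ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24));
    return i;
}

enum check_result {
    CHECK_OK = 0, CHECK_BAD_LENGTH, CHECK_BACKWARD_JUMP,
    CHECK_JUMP_OUT_OF_RANGE, CHECK_NO_EXIT
};

/* Walk the program once; jump targets are pc + 1 + off. */
enum check_result check_program(const uint8_t *bytes, size_t len) {
    if (len == 0 || len % BPF_INSN_SIZE != 0) return CHECK_BAD_LENGTH;
    size_t n = len / BPF_INSN_SIZE;
    for (size_t pc = 0; pc < n; pc++) {
        struct bpf_insn in = decode(bytes + pc * BPF_INSN_SIZE);
        uint8_t cls = BPF_CLASS(in.code), op = BPF_OP(in.code);
        if (cls != BPF_JMP && cls != BPF_JMP32) continue;   /* ALU, load, store */
        if (op == BPF_CALL || op == BPF_EXIT) continue;      /* not control jumps */
        if (in.off < 0) return CHECK_BACKWARD_JUMP;          /* potential loop */
        long target = (long)pc + 1 + in.off;
        if ((size_t)target >= n) return CHECK_JUMP_OUT_OF_RANGE;
    }
    struct bpf_insn last = decode(bytes + (n - 1) * BPF_INSN_SIZE);
    if (last.code != (BPF_JMP | BPF_EXIT)) return CHECK_NO_EXIT;
    return CHECK_OK;
}

/* Constructed programs (each row is one 8-byte instruction). */
const uint8_t PROG_RETURN_ZERO[] = {
    0xb7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* mov64 r0, 0 */
    0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; /* exit        */
const uint8_t PROG_BRANCH_OK[] = {
    0x15, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,   /* jeq r1, 0, +1 */
    0xb7, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,   /* mov64 r0, 1   */
    0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; /* exit          */
const uint8_t PROG_INFINITE_LOOP[] = {
    0x05, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,   /* ja -1: jumps to itself */
    0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; /* exit (unreachable)     */
const uint8_t PROG_NO_EXIT[] = {
    0xb7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; /* mov64 r0, 0 and fall off */

int main(void) {
    printf("return-zero: %d\n", check_program(PROG_RETURN_ZERO, sizeof PROG_RETURN_ZERO));
    printf("branch-ok:   %d\n", check_program(PROG_BRANCH_OK, sizeof PROG_BRANCH_OK));
    printf("loop:        %d\n", check_program(PROG_INFINITE_LOOP, sizeof PROG_INFINITE_LOOP));
    printf("no-exit:     %d\n", check_program(PROG_NO_EXIT, sizeof PROG_NO_EXIT));
    return 0;
}
```

The infinite-loop program is what the article's "validator" guards against: an unconditional jump with offset -1 would spin the CPU inside the kernel forever, so the kernel refuses to load it rather than trusting the author.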
Additional Trick Under Your Sleeve
eBPF is indeed a powerful tool to have up your sleeve. When working on
high-performance projects, tweaking packets or extending the tracing
functionality all help give you better observability of what's happening
in the system. Even though the chance of an application developer
encountering eBPF at the present stage is very slim, if you are a
performance engineer, network engineer or even a security engineer, the
chance of you encountering eBPF in the future is going to shoot up to
the sky.
There are some considerations while writing eBPF programs: there have
been several privilege-escalation attacks that leverage eBPF, since it
runs with root (sudo) privilege. eBPF programs could be used as a
powerful aid when leveraging kernel memory vulnerabilities. A detailed
write-up of leveraging such a vulnerability was published by Qualys; you
can refer to it from the link in the reference section.
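The practical defence that follows from this paragraph is to make sure only privileged users can load eBPF programs at all. The kernel exposes that policy as the sysctl `kernel.unprivileged_bpf_disabled` (readable at `/proc/sys/kernel/unprivileged_bpf_disabled`), whose documented values are 0 (unprivileged `bpf()` calls allowed), 1 (disabled until reboot) and 2 (disabled, but can be set back to 0 at runtime). The following added example, not from the article, reads and interprets that setting; the sample strings in the demo are constructed, and the function falls back to "unknown" on a host without the file.

```c
/* Added example (not from the article): read and interpret the
 * kernel.unprivileged_bpf_disabled sysctl, the knob that decides whether
 * unprivileged users may load eBPF programs at all. Value semantics follow
 * the kernel's admin-guide documentation; sample inputs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNPRIV_BPF_SYSCTL_PATH "/proc/sys/kernel/unprivileged_bpf_disabled"

enum bpf_policy {
    BPF_POLICY_UNKNOWN = -1,
    BPF_UNPRIV_ALLOWED = 0,          /* sysctl value 0 */
    BPF_UNPRIV_DISABLED_LOCKED = 1,  /* sysctl value 1: cannot be re-enabled until reboot */
    BPF_UNPRIV_DISABLED_RUNTIME = 2  /* sysctl value 2: disabled, can be set back to 0 */
};

/* Parse the text form of the sysctl ("0\n", "1\n", "2\n"). */
enum bpf_policy parse_unprivileged_bpf_setting(const char *text) {
    char *end;
    long v = strtol(text, &end, 10);
    if (end == text) return BPF_POLICY_UNKNOWN;          /* no digits at all */
    if (*end != '\0' && *end != '\n' && *end != ' ') return BPF_POLICY_UNKNOWN;
    switch (v) {
    case 0: return BPF_UNPRIV_ALLOWED;
    case 1: return BPF_UNPRIV_DISABLED_LOCKED;
    case 2: return BPF_UNPRIV_DISABLED_RUNTIME;
    default: return BPF_POLICY_UNKNOWN;
    }
}

/* 1 when unprivileged program loading is off, which is the hardened state. */
int unprivileged_bpf_is_blocked(enum bpf_policy p) {
    return p == BPF_UNPRIV_DISABLED_LOCKED || p == BPF_UNPRIV_DISABLED_RUNTIME;
}

const char *describe_policy(enum bpf_policy p) {
    switch (p) {
    case BPF_UNPRIV_ALLOWED:          return "unprivileged bpf() allowed: consider setting to 1 or 2";
    case BPF_UNPRIV_DISABLED_LOCKED:  return "unprivileged bpf() disabled until reboot";
    case BPF_UNPRIV_DISABLED_RUNTIME: return "unprivileged bpf() disabled (runtime-changeable)";
    default:                          return "setting unavailable or unrecognised";
    }
}

/* Read the live value; UNKNOWN when the file is absent (non-Linux host or a
 * kernel that predates the sysctl). */
enum bpf_policy read_unprivileged_bpf_setting(void) {
    FILE *f = fopen(UNPRIV_BPF_SYSCTL_PATH, "r");
    if (!f) return BPF_POLICY_UNKNOWN;
    char buf[32] = {0};
    const char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return line ? parse_unprivileged_bpf_setting(buf) : BPF_POLICY_UNKNOWN;
}

int main(void) {
    /* Constructed samples first, then the live system value. */
    const char *samples[] = { "0\n", "1\n", "2\n", "garbage" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum bpf_policy p = parse_unprivileged_bpf_setting(samples[i]);
        printf("sample %zu -> %s\n", i, describe_policy(p));
    }
    enum bpf_policy live = read_unprivileged_bpf_setting();
    printf("this host -> %s\n", describe_policy(live));
    return 0;
}
```

Disabling unprivileged `bpf()` removes the most common path by which a local user reaches the verifier and the JIT in the first place; programs loaded by root (or by a process holding `CAP_BPF`/`CAP_SYS_ADMIN`) are unaffected, so observability tooling keeps working.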
Conclusion
As said in the Spiderman movies, "Great power comes with great
responsibility": when you unlock the God mode of Linux you are on your
own; the guards that protected your program from corrupting the whole
system are not available now. There are specific use cases for eBPF; it
is not the Swiss army knife for all your performance issues. The
community is pretty huge now, including big players like Meta, Google,
Cloudflare, and Netflix, all using the tech daily. The tech has loads of
potential to grow; recent years have seen separate conferences for eBPF
enthusiasts.
This blog serves as a small opening for people who are unaware of this
cool tech, so please do your own research. There are tons of resources
available online about eBPF and the open source projects being built on
top of it. I will be writing a follow-up article detailing how to write a
sample eBPF program and execute it.
Reference
- The original BPF research paper, published in 1992:
  https://www.tcpdump.org/papers/bpf-usenix93.pdf
- Brendan Gregg talks about eBPF:
  - https://www.facebook.com/atscaleevents/videos/1693888610884236/
  - https://www.youtube.com/watch?v=w8nFRoFJ6EQ
- eBPF over iptables blog:
  https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables
- Qualys vulnerability write-up:
  https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt
