Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to BPF - All your packets belong to me
Similar to BPF - All your packets belong to me (20)
Recently uploaded
Recently uploaded (20)
BPF - All your packets belong to me
- 1. BPF All your Packets belong to Me @_xhr_ xhr@giessen.ccc.de
- 2. xhr GPN 2014 2 BPF ?
- 3. xhr GPN 2014 3 tcpdump ?
- 4. xhr GPN 2014 4 NIC ¯ Link-Layer Driver ¯ Protocol Stack ¯ Userland Packet Flow
- 5. xhr GPN 2014 5 Smart Idea
- 6. xhr GPN 2014 6 NIC ¯ Link-Layer Driver ¯ Filter ¯ Buffer ¯ Userland Packet Flow
- 7. xhr GPN 2014 7 BPF is rather old... McCanne. Jacobson.The BSD Packet Filter: A New Architecture for User-level Packet Capture. in USENIX. 1993.
- 8. xhr GPN 2014 8 Have you met ...
- 9. xhr GPN 2014 9 tcpdump -i eth0 ip6 That's the filter
- 10. xhr GPN 2014 10 0 ldh [12] 1 jeq #0x86dd jt 2 jf 3 2 ret #65535 3 ret #0 Ethernet Protocol Type 0x86dd == IPv6 Accept Packet Drop Packet
- 11. xhr GPN 2014 11 Linux got a BPF JIT in 2011 Check net/core/filter.c
- 12. xhr GPN 2014 12 Packet Filter only for Packets?
- 13. xhr GPN 2014 13 seccomp?
- 14. xhr GPN 2014 14
- 15. xhr GPN 2014 15 So, how does this work?
- 16. xhr GPN 2014 16 Attach a filter to a socket
- 17. xhr GPN 2014 17 [...] struct sock_filter code[] = { { 0x28, 0, 0, 0x0000000c }, [...] }; struct sock_fprog bpf = { .len = ARRAY_SIZE(code), .filter = code, }; sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); ret = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf)); [...]
- 18. xhr GPN 2014 18 So, how can I use this?
- 19. xhr GPN 2014 19 Need for Space
- 20. xhr GPN 2014 20 A 32 bit wide accumulator X 32 bit wide X register M[] 16 x 32 bit "scratch memory"
- 21. xhr GPN 2014 21 Some Instructions
- 22. xhr GPN 2014 22 ld* st* j* ret $alu Load Instructions Store Instructions Jumps Return ALU instructions
- 23. xhr GPN 2014 23 Hmm … k. IDE anyone?
- 24. xhr GPN 2014 24 tools/net/ bpf_asm bpf_dbg
- 25. xhr GPN 2014 25 Demo
- 26. xhr GPN 2014 28 What now?
- 27. xhr GPN 2014 29 Packet Filtering
- 28. xhr GPN 2014 30 Can I haz xt_bpf, plz?
- 29. xhr GPN 2014 31 iptables -A <CHAIN> -m bpf --bytecode "…" -j <TARGET>
- 30. xhr GPN 2014 32 And Why? Because we can!!1 Full packet control Fine grained filters
- 31. xhr GPN 2014 33 Q & A xhr xhr@giessen.ccc.de @_xhr_