Spying on the Linux kernel for fun and profit
righiandr
155 views
25 slides
Dec 02, 2018
Slide 1 of 25
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
About This Presentation
Do you ever wonder what the kernel is doing while your code is running? This talk will explore some methodologies and techniques (eBPF, ftrace, etc.) to look under the hood of the Linux kernel and understand what it’s actually doing behind the scenes.
Slide Content
Spying on the Linux kernel for
fun and profit
Andrea Righi
[email protected]
Twitter: @arighi
Github profile: https://github.com/arighi
fun and profit
Andrea Righi
[email protected]
Twitter: @arighi
Github profile: https://github.com/arighi
Linux kernel is complex
https://www.linuxcounter.net/statistics/kernel
Linux kernel changes
http://neuling.org/linux-next-size.html
http://neuling.org/linux-next-size.html
How to keep up with changes
●
https://lwn.net/Kernel/
●
https://kernelnewbies.org/LinuxChanges
●
http://vger.kernel.org/vger-lists.html#linux-kernel
●
kernel source: Documentation/
●
https://lwn.net/Kernel/
●
https://kernelnewbies.org/LinuxChanges
●
http://vger.kernel.org/vger-lists.html#linux-kernel
●
kernel source: Documentation/
Real-time tracing
strace
●
strace(1): system call tracer in Linux
●
It uses the ptrace() system call that pauses the
target process for each syscall so that the debugger
can read the state
●
And it’s doing this twice: when the syscall
begins and when it ends!
●
strace(1): system call tracer in Linux
●
It uses the ptrace() system call that pauses the
target process for each syscall so that the debugger
can read the state
●
And it’s doing this twice: when the syscall
begins and when it ends!
strace overhead
### Regular execution ###
$ dd if=/dev/zero of=/dev/null bs=1 count=500k
512000+0 records in
512000+0 records out
512000 bytes (512 kB, 500 KiB) copied, 0,501455 s, 1.0 MB/s
### Strace execution (tracing a syscall that is never called) ###
$ strace -e trace=accept dd if=/dev/zero of=/dev/null bs=1 count=500k
512000+0 records in
512000+0 records out
512000 bytes (512 kB, 500 KiB) copied, 44.0216 s, 11,6 kB/s
+++ exited with 0 +++
### Regular execution ###
$ dd if=/dev/zero of=/dev/null bs=1 count=500k
512000+0 records in
512000+0 records out
512000 bytes (512 kB, 500 KiB) copied, 0,501455 s, 1.0 MB/s
### Strace execution (tracing a syscall that is never called) ###
$ strace -e trace=accept dd if=/dev/zero of=/dev/null bs=1 count=500k
512000+0 records in
512000+0 records out
512000 bytes (512 kB, 500 KiB) copied, 44.0216 s, 11,6 kB/s
+++ exited with 0 +++
Advanced tracing techniques
eBPF
eBPF features
●
Highly efficient VM that lives in the kernel
●
Inject safe sanboxed bytecode into the kernel
●
Attach code to kernel functions / events
●In-kernel JIT compiler
–Dynamically translate eBPF bytecode into native opcodes
●
eBPF makes kernel programmable without having to
cross kernel/user-space boundaries
●
Access in-kernel data structures directly without the risk of
crashing, hanging or breaking the kernel in any way
●
Highly efficient VM that lives in the kernel
●
Inject safe sanboxed bytecode into the kernel
●
Attach code to kernel functions / events
●In-kernel JIT compiler
–Dynamically translate eBPF bytecode into native opcodes
●
eBPF makes kernel programmable without having to
cross kernel/user-space boundaries
●
Access in-kernel data structures directly without the risk of
crashing, hanging or breaking the kernel in any way
eBPF history
●
Initially it was BPF: Berkeley Packet Filter
●
It has its roots in BSD in the very early 1990’s
●
Originally designed as a mechanism for fast filtering network
packets
●
3.15: Linux introduced eBPF: extended Berkeley Packet Filter
●
More efficient / more generic than the original BPF
●
3.18: eBPF VM exposed to user-space
●
4.9: eBPF programs can be attached to perf_events
●
4.10: eBPF programs can be attached to cgroups
●
4.15: eBPF LSM hooks
●
Initially it was BPF: Berkeley Packet Filter
●
It has its roots in BSD in the very early 1990’s
●
Originally designed as a mechanism for fast filtering network
packets
●
3.15: Linux introduced eBPF: extended Berkeley Packet Filter
●
More efficient / more generic than the original BPF
●
3.18: eBPF VM exposed to user-space
●
4.9: eBPF programs can be attached to perf_events
●
4.10: eBPF programs can be attached to cgroups
●
4.15: eBPF LSM hooks
eBPF as a VM
●
Example assembly of a simple
eBPF filter
●Load 16-bit quantity from
offset 12 in the packet to the
accumulator (ethernet type)
●Compare the value to see if
the packet is an IP packet
●If the packet is IP, return TRUE
(packet is accepted)
●
otherwise return 0 (packet is
rejected)
●
Only 4 VM instructions to filter IP
packets!
ldh [12]
jeq #ETHERTYPE_IP, l1, l2
l1: ret #TRUE
l2: ret #0
●
Example assembly of a simple
eBPF filter
●Load 16-bit quantity from
offset 12 in the packet to the
accumulator (ethernet type)
●Compare the value to see if
the packet is an IP packet
●If the packet is IP, return TRUE
(packet is accepted)
●
otherwise return 0 (packet is
rejected)
●
Only 4 VM instructions to filter IP
packets!
ldh [12]
jeq #ETHERTYPE_IP, l1, l2
l1: ret #TRUE
l2: ret #0
eBPF use cases
kprobe
BCC tracing tools
●
BPF Compiler Collection
●
Front-end to eBPF
●
BCC makes eBPF programs easier to write
–Include C wrapper around LLVM
–Python
–Lua
–C++
–C helper libs
●
golang (gobpf)
●
https://github.com/iovisor/gobpf
https://github.com/iovisor/bcc
●
BPF Compiler Collection
●
Front-end to eBPF
●
BCC makes eBPF programs easier to write
–Include C wrapper around LLVM
–Python
–Lua
–C++
–C helper libs
●
golang (gobpf)
●
https://github.com/iovisor/gobpf
https://github.com/iovisor/bcc
Examples
Example #1: trace exec()
●
Intercept all the processes executed in the system
●
Intercept all the processes executed in the system
Example #2: keylogger
●
Identify where and how keyboard characters are
received and processed by the kernel
●
Identify where and how keyboard characters are
received and processed by the kernel
Example #3: ping
●
Identify where ICMP packets (ECHO_REQUEST /
ECHO_REPLY) are received and processed by the
kernel
●
Identify where ICMP packets (ECHO_REQUEST /
ECHO_REPLY) are received and processed by the
kernel
Example #4: task wait / wakeup
●
Determine the stack
trace of a sleeping
process and the stack
trace of the process
that wakes up a
sleeping process
●
Determine the stack
trace of a sleeping
process and the stack
trace of the process
that wakes up a
sleeping process
Conclusion
●
Real-time tracing as a method to study the kernel
●
Understanding what the kernel is doing can help to
improve your application / service in terms of
performance, reliability and security
●
Real-time tracing as a method to study the kernel
●
Understanding what the kernel is doing can help to
improve your application / service in terms of
performance, reliability and security
References
●Brendan Gregg blog
●
http://brendangregg.com/blog/
●
BCC tools
●
https://github.com/iovisor/bcc
●
gobpf (BPF bindings for go):
●
https://github.com/iovisor/gobpf
●
The BSD Packet Filter: A New Architecture for User-level
Packet Capture -
S. McCanne and V. Jacobson
●
http://www.tcpdump.org/papers/bpf-usenix93.pdf
●Brendan Gregg blog
●
http://brendangregg.com/blog/
●
BCC tools
●
https://github.com/iovisor/bcc
●
gobpf (BPF bindings for go):
●
https://github.com/iovisor/gobpf
●
The BSD Packet Filter: A New Architecture for User-level
Packet Capture -
S. McCanne and V. Jacobson
●
http://www.tcpdump.org/papers/bpf-usenix93.pdf
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 155
- Slides 25
- Favorites 1
- Age 2557 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
47 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
47 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
34 views
21
Know for Certain
DaveSinNM
21 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views