I went to go learn more about eBPF, but the ebpf.io site reads like a sales pitch. "Revolutionary technology", "The possibilities are endless, and the innovation that eBPF is unlocked has only just begun", "revolutionary new approaches", "unprecedented visibility".
I know I may be a curmudgeonly old fart, but to echo clktmr's comment, in this case, it seems like a glorified strace(). It also seems like a lot of hype for something that seems to have potential to have lots of unintended consequences.
eBPF is much more than a glorified strace(): with eBPF you can basically inserts your own code in a lot of places in the kernel.
This can be packet-processing code to modify the way packets are routed, filtered, altered, or it can be used to instrument kernel codepath to monitor or debug issues.
The latter is what can be compared to strace(), but with strace() you only see what is happening at the userspace/kernel boundary. With eBPF you can actually look at what is going on in the kernel itself, which is really powerful.
The downside is that eBPF can be a pain to use with all those obscure tools tightly dependents upon your kernel release and options... But things are improving quickly and if you want to give it a try, I would recommend starting with bpftrace: https://bpftrace.org/
I would be curious to know what malicious implications eBPF could have. related discussion [1] [2] For example, could a file-less trojan be injected via eBPF to reroute specific data payloads or copy specific payloads to different destinations? Or silently censor specific destinations?
Are there ways that eBPF could be abused and if so what mitigations, limitations and logging can one implement so that eBPF can remain enabled in a hardened and sensitive environment?
I've written my BSc thesis on Kubernetes bandwidth management with eBPF a year ago. This is exactly what I felt trying to research this technology. Countless blog posts about how great eBPF is, close to none useful resources... And from what I've seen since, it's only gotten marginally better.
strace is a Linux specific utility, ptrace() is the syscall. If you're going to claim that you can achieve what TFA describes without eBPF, it would help if you atleast got the notation right.
Author here.
strace wouldn't work for this. Need to track individual page faults + their addresses. Problem with memory-mapped IO is that it's all done by memory-access "side-effects".
The strace-like functionality is supposedly more efficient and is more convenient.
If you're only interested in syscalls, then yes. But a library's memory is mmaped (syscall), which just establishes a virtual address mapping for the library file. When the library is accessed, that mmap'ed region is faulted in (not a syscall). This is something where you need eBFP (or dtrace, etc) to see what's happening.
I use "ktrace -t f" once in a while for debugging and it's really handy. Output looks like
78436 cat PFLT 0x6c71f99cda8 0x2<VM_PROT_WRITE>
78436 cat PRET KERN_SUCCESS
78436 cat PFLT 0x3c6efd36c280 0x2<VM_PROT_WRITE>
78436 cat PRET KERN_SUCCESS
78436 cat PFLT 0x3c6efd36e158 0x2<VM_PROT_WRITE>
78436 cat PRET KERN_SUCCESS
...
Obviously not nearly as flexible as ebpf though. For instance it'll log all page faults happening in the context of the process, and so includes page faults that happen in the kernel due to copyin()/copyout() etc. Sometimes it's helpful and other times confusing.
Readit News
I know I may be a curmudgeonly old fart, but to echo clktmr's comment, in this case, it seems like a glorified strace(). It also seems like a lot of hype for something that seems to have potential to have lots of unintended consequences.
This can be packet-processing code to modify the way packets are routed, filtered, altered, or it can be used to instrument kernel codepath to monitor or debug issues.
The latter is what can be compared to strace(), but with strace() you only see what is happening at the userspace/kernel boundary. With eBPF you can actually look at what is going on in the kernel itself, which is really powerful.
The downside is that eBPF can be a pain to use with all those obscure tools tightly dependents upon your kernel release and options... But things are improving quickly and if you want to give it a try, I would recommend starting with bpftrace: https://bpftrace.org/
Are there ways that eBPF could be abused and if so what mitigations, limitations and logging can one implement so that eBPF can remain enabled in a hardened and sensitive environment?
[1] - https://utcc.utoronto.ca/~cks/space/blog/linux/DisablingUser...
[2] - https://access.redhat.com/security/cve/cve-2021-33624
https://www.brendangregg.com/blog/2019-01-01/learn-ebpf-trac...
https://www.usenix.org/conference/nsdi21/presentation/ghigof...
Another example is controlling the scheduler with ebpf.
https://lwn.net/Articles/873244/
Deleted Comment
The strace-like functionality is supposedly more efficient and is more convenient.
78436 cat PFLT 0x6c71f99cda8 0x2<VM_PROT_WRITE> 78436 cat PRET KERN_SUCCESS 78436 cat PFLT 0x3c6efd36c280 0x2<VM_PROT_WRITE> 78436 cat PRET KERN_SUCCESS 78436 cat PFLT 0x3c6efd36e158 0x2<VM_PROT_WRITE> 78436 cat PRET KERN_SUCCESS ...
Obviously not nearly as flexible as ebpf though. For instance it'll log all page faults happening in the context of the process, and so includes page faults that happen in the kernel due to copyin()/copyout() etc. Sometimes it's helpful and other times confusing.