Yu Tong & Zheng Yusheng: Efficient uprobe based on a userspace BPF runtime (slide deck, 27 slides)

Slide 1: Bpftime: Userspace eBPF runtime
Yu Tong, Yusheng Zheng
2nd eBPF Developer Conference, www.ebpftravel.com, Xi'an, China
Project link: https:/

Slide 2: Agenda
- Why a new userspace eBPF runtime?
  - Kernel uprobe performance issues
  - Kernel eBPF security concerns and limited configurability
  - Other userspace eBPF runtime limitations
  - Existing non-kernel eBPF use cases
- Introduction to bpftime
- How it works
- Examples & benchmark
- Roadmap
- Q&A

Slide 3: Why bpftime? Uprobe: user-level dynamic tracing
1. Kernel uprobe performance issues:
- The current uprobe implementation necessitates two kernel context copies.
- This results in significant performance overhead.
- Not suitable for real-time monitoring in latency-sensitive applications.
- Kernel syscall tracepoints have a similar problem: they hook all syscalls and require a filter to select a specific process.
Uprobes are widely adopted in production:
- Tracing user-space protocols: SSL, TLS, HTTP2.
- Monitoring memory allocation and detecting leaks.
- Tracking threads and goroutine dynamics.
- Providing passive, non-instrumental tracing.
- And more.

Slide 4: Why bpftime? 2. Kernel eBPF security concerns
- eBPF programs run in kernel mode, requiring root access.
- This increases the attack surface, posing risks like container escape.
- Inherent vulnerabilities in eBPF can lead to kernel exploits.
Limitations of kernel eBPF:
- Older kernel versions, unprivileged environments and non-Linux systems may not have access to kernel eBPF.
- The verifier limits what eBPF programs may do; configuring or extending eBPF may require kernel changes.

Slide 5: Existing non-kernel eBPF use cases
- Qemu + uBPF: combines Qemu with uBPF. (Video)
- Oko: extends Open vSwitch-DPDK with BPF; enhances tools for better integration. (GitHub)
- Solana: userspace eBPF for high-performance smart contracts. (GitHub)
- DPDK eBPF: libraries for fast packet processing, enhanced by userspace eBPF.
- eBPF for Windows: brings eBPF toolchains and runtime to the Windows kernel.
- Papers: RapidPatch: Firmware Hotpatching for Real-Time Embedded Devices; Femto-Containers: Lightweight Virtualization and Fault Isolation For Small Software Functions on Low-Power IoT Microcontrollers.
- In short: networks + plugins + edge runtime + smart contract + hot patch + Windows.

Slide 6: Bpftime: Userspace eBPF runtime
bpftime is a full-featured, high-performance eBPF runtime designed to operate in userspace:
- Fast uprobe, USDT and syscall hook capabilities
  - Userspace uprobe can be 10x faster than kernel uprobe
  - No manual instrumentation or restart required, similar to kernel uprobe
  - Trace user functions and syscalls, or modify user function behavior
- Compatible with kernel eBPF toolchains and libraries
  - No need to modify the eBPF application
  - Interprocess maps or kernel maps supported; works together with kernel eBPF
  - Supports "offload to userspace" and verification with the kernel verifier
- New LLVM JIT/AOT VM for eBPF, which can be used as an independent library
- Can use features like the ring buffer on older kernel versions

Slide 7: Currently supported features
Userspace eBPF shared-memory map types: BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PROG_ARRAY, BPF_MAP_TYPE_RINGBUF, BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_MAP_TYPE_PERCPU_ARRAY, BPF_MAP_TYPE_PERCPU_HASH
User-kernel shared maps: BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PERCPU_ARRAY, BPF_MAP_TYPE_PERF_EVENT_ARRAY
Program types that can be attached in userspace: tracepoint:raw_syscalls:sys_enter, tracepoint:syscalls:sys_exit_*, tracepoint:syscalls:sys_enter_*, uretprobe:*, uprobe:*, usdt:*
You can also define other static tracepoints and program types in a userspace app.
- Supports 30 kernel helper functions
- Supports the kernel or a userspace verifier
- JIT tested with bpf_conformance

Slide 8: Running modes of bpftime
- Run eBPF in userspace only
  - Can run without the kernel, on non-Linux systems
  - Not very suitable for large eBPF applications: maps in shared memory can't be used by kernel eBPF programs
- Run eBPF in userspace together with kernel eBPF, via a bpftime daemon
  - Compatible with kernel uprobe in behavior
  - Attaches to a new process or a running process automatically
  - Supports a mix of uprobe with kprobe and socket programs
  - Similar to FUSE: userspace daemon + kernel code
  - No kernel modification; an eBPF module monitors or changes the behavior of BPF syscalls

Slide 9: Get started
- Use uprobe to monitor the userspace malloc function in libc, with hash maps in userspace
- bpftime load / bpftime start
- Try eBPF in a GitHub Codespace

Slide 10: Examples
Use uprobe to monitor the userspace malloc function in libc, with hash maps, compatible with the kernel.

Slide 11: Examples
Use a syscall tracepoint to monitor the open and close syscalls, with a ring buffer for output. https:/
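The two example slides above (uprobe on libc malloc with a hash map, and a syscall tracepoint on open/close) map directly onto the program types the deck lists as attachable in userspace (uprobe:*, uretprobe:*, tracepoint:syscalls:sys_enter_*, tracepoint:syscalls:sys_exit_*). The bpftrace script below is an added example, not code from the deck or from the bpftime project; it combines both slides into one tracer. The libc path is an assumption for an x86-64 Debian/Ubuntu layout, and the invocation in the header comment (running bpftrace through `bpftime load`, then starting the target with `bpftime start`, as the Get started slide names those two subcommands) is likewise an assumption about the CLI rather than something the deck spells out.

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not from the deck or the bpftime project).
// Assumed usage under bpftime, mode 1 (userspace only):
//   bpftime load bpftrace ./malloc_open.bt      # tracer, maps live in shm
//   bpftime start <target-binary>               # target gets the agent injected
// Assumption: libc lives at the path below; adjust for your distribution.

BEGIN
{
    printf("Tracing libc malloc() and openat()/close()... Ctrl-C to end.\n");
}

// uprobe:* on the libc malloc entry: per-process call counts, total bytes
// and a size histogram, all kept in bpftrace maps (hash maps underneath).
uprobe:/lib/x86_64-linux-gnu/libc.so.6:malloc
{
    @calls[comm, pid] = count();      // who allocates, and how often
    @bytes[comm] = sum(arg0);         // total bytes requested per command
    @req_size[comm] = hist(arg0);     // power-of-two size distribution
    @in_malloc[tid] = arg0;           // carry the size to the return probe
}

// uretprobe:* on the same symbol: a NULL return is an allocation failure,
// which is exactly the condition a leak/OOM investigation wants surfaced.
uretprobe:/lib/x86_64-linux-gnu/libc.so.6:malloc
/@in_malloc[tid]/
{
    if (retval == 0) {
        @malloc_failures[comm, @in_malloc[tid]] = count();
    }
    delete(@in_malloc[tid]);
}

// tracepoint:syscalls:sys_enter_openat / sys_exit_openat: pair entry and
// exit by thread id to get per-call latency and the failing paths.
tracepoint:syscalls:sys_enter_openat
{
    @open_start[tid] = nsecs;
    @open_path[tid] = str(args->filename);
}

tracepoint:syscalls:sys_exit_openat
/@open_start[tid]/
{
    $lat_us = (nsecs - @open_start[tid]) / 1000;
    @openat_us[comm] = hist($lat_us);
    if (args->ret < 0) {
        // negative return is -errno; key on path and errno for triage
        @open_errors[comm, @open_path[tid], args->ret] = count();
    }
    delete(@open_start[tid]);
    delete(@open_path[tid]);
}

// tracepoint:syscalls:sys_enter_close: simple per-command counter.
tracepoint:syscalls:sys_enter_close
{
    @close_calls[comm] = count();
}

// Drop the scratch maps so only the summary maps are printed on exit.
END
{
    clear(@in_malloc);
    clear(@open_start);
    clear(@open_path);
}
```

On exit bpftrace prints the remaining maps: `@calls` and `@bytes` answer "which process allocates the most", `@req_size` shows the allocation size profile, `@malloc_failures` flags processes that hit allocation failures, and `@openat_us` / `@open_errors` give open latency and the paths that failed with which errno. The scratch maps keyed by `tid` are cleared in END so they do not clutter the report. In the kernel-eBPF setting the same script would pay the uprobe trap cost on every malloc call; the deck's claim is that the userspace runtime replaces that trap with an inline hook, which is what makes a probe on a hot path like malloc tolerable.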
Slide 12: Run eBPF in userspace only
- Tools like bcc and bpftrace can run without modification.

Slide 13: Architecture diagram, original kernel eBPF design (for reference). Labels in the figure: eBPF program source; existing eBPF toolchains (clang/bpftool/bpftrace); eBPF userspace applications using the userspace library libbpf; eBPF bytecode loaded through the bpf syscall into the kernel-space verifier and JIT compiler; eBPF maps; attach points uprobe (a trap/breakpoint on the target process function, with a context switch), tracepoint, syscall, kprobe and socket.

Slide 14: Architecture diagram, bpftime with userspace eBPF only (mode 1). Labels in the figure: eBPF program source; existing eBPF toolchains (clang/bpftool/bpftrace); eBPF userspace applications using libbpf, whose bpf function calls go to bpftime-syscall.so; bpftime-agent.so injected into the target process, holding the eBPF programs, verifier, JIT compiler and AOT compiler; eBPF maps in shared memory; attach points inline hook (target function), tracepoint, uprobe and syscall in userspace, with kprobe and socket remaining in kernel space.

Slide 15: How it works: injection
Two ways of injecting the runtime shared library are supported:
- For a running process: ptrace (based on Frida)
- At the start of a new process: LD_PRELOAD

Slide 16: How it works: userspace hook
The current hook implementation is based on binary rewriting:
- Userspace function hook: frida-gum
- Syscall hooks: zpoline and pmem/syscall_intercept
- Can be easily extended with new trampoline methods

Slide 17: eBPF in userspace working with the kernel
- Can run complex observability agents like DeepFlow
- Works transparently with kernel eBPF
- Uses kernel eBPF maps
- "Offloads" eBPF to userspace

Slide 18: Architecture diagram, bpftime with userspace eBPF mixed with kernel eBPF (mode 2). Labels in the figure: eBPF program source; existing eBPF toolchains; eBPF userspace applications using libbpf; eBPF bytecode; target process with bpftime-agent.so injected by the daemon; user bpf programs with uprobe attach; kernel space with the bpf syscall, verifier, JIT compiler, kernel bpf programs, eBPF maps, kprobe and socket attach; mmap or ring buffer shared between user and kernel; the bpftime daemon and bpftime kernel code (eBPF) hooking the bpf syscall to monitor and interact with kernel eBPF events and process exec.

Slide 19: Evaluation & cases
Existing eBPF use cases can be run without changes or with minor fixes:
- bcc tools, bpftrace and ebpf_exporter
- Bash, memory alloc, SSL/TLS, get host latency
- opensnoop, sigsnoop, syscount
- DeepFlow: a complex application observability project using eBPF

Slide 20: Benchmark: attach overhead (chart; figures not preserved in this extraction)

Slide 21: Benchmark: JIT
- The LLVM JIT can be the fastest
- LLVM is heavy? AOT is also supported for embedded devices

Slide 22: bpftrace and BCC (https:/)
- bpftrace: can run entirely in userspace, without kernel support for eBPF, tracing syscalls or uprobes
- BCC: the tools from the top half of the picture can be run in userspace, tracing Applications, Runtimes and the System Call Interface
- We have ported and tested some of the bcc/libbpf-tools and bpftrace, such as funclatency and bashreadline
- The Prometheus ebpf_exporter is working as well (https:/)

Slide 23: Kernel vs. user sslsniff
sslsniff: a bcc tool that captures SSL/TLS data in userspace.
Compared to no SSL interception:
- Kernel sslsniff reduces requests/sec by 57.98% and transfer/sec by 58.06%
- Userspace sslsniff reduces requests/sec by 12.35% and transfer/sec by 12.30%
Load generator: wrk https://127.0.0.1:4043/index.html -c 100 -d 10
Test environment: Linux version 6.2.0, Nginx version 1.22.0, and wrk version 4.2.0.

Slide 24: syscount
syscount counts the system calls of the Nginx process, sorts them and measures the latency. https:/

Slide 25: Error injection or hotpatch
- Supports error injection or overriding of userspace functions and syscalls (bpf_override_return)
- Benchmark of injection: ptrace stops the application for 48ms; LD_PRELOAD: 30ms

Slide 26: Nginx eBPF module
- Use userspace eBPF as an nginx module
- A user verifier instead of a sandbox, without requiring bounds checks
- Allow eBPF to access data structs

Slide 27: Take away & QA
- Userspace uprobe can be 10x faster than kernel uprobe
- Shared-memory maps and dynamic injection into a running process
- Compatible with existing eBPF toolchains, libraries and applications
- Works together with kernel eBPF
Questions? Comments? Possible new use cases? Please tell us: https:/
Thanks a lot!
28、者 大 会Take away&QA Userspace uprobe can be 10 x faster than kernel uprobe Shm maps and dynamically inject into running process Compatible with existing eBPF toolchains,libraries,applications Work together with kernel eBPFQuestions?Comments?Possible new use cases?Please tell ushttps:/ a lot!27第 二 届 e B P F 开 发 者 大 会