Yu Tong & Zheng Yusheng: Efficient uprobe based on a userspace BPF runtime (PDF)


Bpftime: Userspace eBPF runtime
Tong, Yusheng Z
The 2nd eBPF Developer Conference, www.ebpftravel.com, Xi'an, China

Agenda
- Why a new userspace eBPF runtime?
  - Kernel Uprobe Performance Issues
  - Kernel eBPF Security Concerns and limited configurability
  - Other userspace eBPF runtime limitations
- Existing Non-kernel eBPF Use cases
- Introduction to bpftime
- How it works
- Examples & benchmark
- Roadmap
- Q&A

Why bpftime?
Uprobe: User-level dynamic tracing
1. Kernel Uprobe Performance Issues:
- Current UProbe implementation necessitates two kernel context copies.
- Results in significant performance overhead.
- Not suitable for real-time monitoring in latency-sensitive applications.
And Kernel Syscall tracepoint:
- Syscall tracepoints will hook all syscalls and require a filter for a specific process
Uprobes Wide Adoption in Production
- Traces user-space protocols: SSL, TLS, HTTP2.
- Monitors memory allocation and detects leaks.
- Tracks threads and goroutine dynamics.
- Provides passive, non-instrumental tracing.
- And more.

Why bpftime?
2. Kernel eBPF Security Concerns
- eBPF programs run in kernel mode, requiring root access.
- Increases attack surface, posing risks like container escape.
- Inherent vulnerabilities in eBPF can lead to Kernel Exploits.
Limitations of Kernel eBPF
- Older kernel versions, unprivileged environments and non-Linux systems may not have access to kernel eBPF
- The verifier limits the operations of eBPF; configuring or extending eBPF may require kernel changes

Existing Non-kernel eBPF Usecases
- Qemu+uBPF: Combines Qemu with uBPF. (Video)
- Oko: Extends Open vSwitch-DPDK with BPF. Enhances tools for better integration. (GitHub)
- Solana: Userspace eBPF for High-performance Smart Contract. (GitHub)
- DPDK eBPF: Libraries for fast packet processing. Enhanced by Userspace eBPF.
- eBPF for Windows: Brings eBPF toolchains and runtime to Windows kernel.
Papers:
- Rapidpatch: Firmware Hotpatching for Real-Time Embedded Devices
- Femto-Containers: Lightweight Virtualization and Fault Isolation For Small Software Functions on Low-Power IoT Microcontrollers
Networks + plugins + edge runtime + smart contract + hot patch + Windows

Bpftime: Userspace eBPF runtime
bpftime, a full-featured, high-performance eBPF runtime designed to operate in userspace:
- Fast Uprobe, USDT and Syscall hook capabilities
- Userspace uprobe can be 10x faster than kernel uprobe
- No manual instrumentation or restart required, similar to kernel probe
- Trace the user functions, syscalls or modify user function behavior
- Compatible with kernel eBPF toolchains and libraries
- No need to modify eBPF App
- Interprocess maps or kernel maps support, work together with kernel eBPF
- Support "offload to userspace" and verify with kernel verifier
- New LLVM JIT/AOT vm for eBPF, which can be used as an independent library
- May use features like ringbuffer in lower kernel versions

Current support features
Userspace eBPF shared memory map types:
- BPF_MAP_TYPE_HASH
- BPF_MAP_TYPE_ARRAY
- BPF_MAP_TYPE_PROG_ARRAY
- BPF_MAP_TYPE_RINGBUF
- BPF_MAP_TYPE_PERF_EVENT_ARRAY
- BPF_MAP_TYPE_PERCPU_ARRAY
- BPF_MAP_TYPE_PERCPU_HASH
User-kernel shared maps:
- BPF_MAP_TYPE_HASH
- BPF_MAP_TYPE_ARRAY
- BPF_MAP_TYPE_PERCPU_ARRAY
- BPF_MAP_TYPE_PERF_EVENT_ARRAY
Prog types that can be attached in userspace:
- tracepoint:raw_syscalls:sys_enter
- tracepoint:syscalls:sys_exit_*
- tracepoint:syscalls:sys_enter_*
- uretprobe:*
- uprobe:*
- usdt:*
You can also define other static tracepoints and prog types in the userspace app.
- Support 30 kernel helper functions
- Support kernel or userspace verifier
- Test JIT with bpf_conformance

Running mode of bpftime
- Run eBPF in userspace only
  - Can run without kernel on non-Linux systems
  - Not very suitable for large eBPF applications
  - Maps in shm can't be used by kernel eBPF programs
- Run eBPF in userspace with kernel eBPF, a bpftime-daemon
  - Compatible with kernel uprobe in behavior
  - Attach to new process or running process automatically
  - Support mix of uprobe and kprobe, socket
- Similar to fuse: userspace daemon + kernel code
- No kernel modification, using an eBPF module to monitor or change the behavior of BPF syscalls

Get started
- Use uprobe to monitor userspace malloc function in libc, with hash maps in userspace
- bpftime load/start
- Try eBPF in GitHub codespace

Examples
- Use uprobe to monitor userspace malloc function in libc, with hash maps, compatible with kernel

Examples
- Use syscall tracepoint to monitor open and close syscall, with ring buffer for output

Run eBPF in userspace only
- Can run tools like bcc and bpftrace without modification

[Diagram: Original kernel eBPF design, for reference. Labels: eBPF program source; existing eBPF toolchains (clang/bpftool/bpftrace); eBPF userspace applications; eBPF bytecode; userspace library libbpf; load/attach via bpf syscall; in kernel space: eBPF maps, verifier, JIT compiler, eBPF program; attach points: uprobe (trap/breakpoint in the target process function, context switch), tracepoint, syscall, kprobe, socket.]

[Diagram: bpftime: userspace eBPF only (mode 1). Labels: eBPF program source; existing eBPF toolchains (clang/bpftool/bpftrace); eBPF userspace applications; eBPF bytecode; userspace library libbpf; bpf function call; bpftime-syscall.so; verifier; shared memory; eBPF maps; inject; bpftime-agent.so in the target process; inline hook on function; eBPF progs; JIT compiler; AOT compiler; attach points: tracepoint, uprobe, socket; kernel space: kprobe, syscall.]

How it works: injection
Support two types of injecting runtime shared library:
- For a running process: Ptrace (Based on Frida)
- At the beginning of a new process: LD_PRELOAD

How it works: userspace hook
Current hook implementation is based on binary rewriting:
- Userspace function hook: frida-gum
- Syscall hooks: zpoline and pmem/syscall_intercept.
- Can be easily extended with new trampoline methods

eBPF in userspace work with kernel
- Can run complex observability agents like deepflow
- Transparently work with kernel eBPF
- Using kernel eBPF maps
- "Offload" eBPF to userspace

[Diagram: bpftime: userspace eBPF mixed with kernel eBPF (mode 2). Labels: eBPF program source; existing eBPF toolchains; eBPF userspace applications; eBPF bytecode; userspace library libbpf; bpf syscall load; target process with bpftime-agent.so running user bpf, injected by daemon; kernel space: kernel bpf, eBPF maps, verifier, JIT compiler; attach points: uprobe, kprobe, socket; mmap or ring buffer (user and kernel); bpftime daemon; bpftime kernel code (eBPF) hook; monitor and interact with kernel eBPF events and proc exec.]

Evaluation & Cases
Existing eBPF use cases can be run without or with minor fixes
- bcc tools, bpftrace and ebpf_exporter
  - Bash, Memory alloc, SSL/TLS, get host latency
  - Opensnoop, Sigsnoop, syscount
- Deepflow
  - A complex Application Observability project using eBPF

Benchmark: attach overhead

Benchmark: JIT
- LLVM jit can be the fastest
- LLVM is heavy? AOT is also supported for embedded devices

Bpftrace and BCC
- Bpftrace: can run entirely in userspace, without kernel support for eBPF, tracing syscall or uprobe
- BCC: the tools from the top half of the picture can be run in userspace, tracing Applications, Runtimes and System Call Interface.
- We have ported and tested some of bcc/libbpf-tools and bpftrace, such as funclatency, bashreadline
- Prometheus ebpf_exporter is working as well

Kernel vs. User sslsniff
- sslsniff: a bcc tool to capture SSL/TLS data in userspace
- Compared to no SSL interception:
  - Kernel SSL Sniff reduces requests/sec by 57.98%, transfer/sec by 58.06%
  - Userspace SSL Sniff reduces requests/sec by 12.35%, transfer/sec by 12.30%
- wrk https://127.0.0.1:4043/index.html -c 100 -d 10
- Test Environment: Linux version 6.2.0, Nginx version 1.22.0, and wrk version 4.2.0.

Syscount
- syscount counting the system calls of the Nginx process, sort them and measure the latency

Error injection or hotpatch
- Support error injection or override userspace function and syscall
- bpf_override_return
- Benchmark: Ptrace stop application: 48ms; LD_PRELOAD: 30ms

Nginx eBPF module
- Use userspace eBPF as nginx module
- User verifier instead of sandbox, without boundary checks required
- Allow eBPF to access data structs

Take away & QA
- Userspace uprobe can be 10x faster than kernel uprobe
- Shm maps and dynamically inject into running process
- Compatible with existing eBPF toolchains, libraries, applications
- Work together with kernel eBPF
Questions? Comments? Possible new use cases? Please tell us
Thanks a lot!
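
The "How it works: injection" slide names two ways the runtime library enters a target process (LD_PRELOAD at start, ptrace/Frida for a running process). The following added example, which is not code from the slides or from the bpftime project, shows how a defender can inventory a process and tell the two paths apart from `/proc/<pid>/maps` and `/proc/<pid>/environ`. The library names come from the diagram labels and are matched as suffixes (an assumption); the verdict labels and the sample data are constructed for illustration.

```python
import os

# Library names as labelled in the slides' diagrams; matched as a suffix
# so a "lib" prefix on the file name still matches (assumption).
BPFTIME_LIBS = ("bpftime-agent.so", "bpftime-syscall.so")

def is_bpftime(path):
    name = os.path.basename(path.replace(" (deleted)", ""))
    return name.endswith(BPFTIME_LIBS)

def mapped_libs(maps_text):
    """bpftime libraries mapped into a process, from /proc/<pid>/maps text."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # range perms offset dev inode [path]
        if len(fields) == 6 and is_bpftime(fields[5].strip()):
            found.add(fields[5].strip())
    return sorted(found)

def preload_entries(environ_bytes):
    """LD_PRELOAD entries from /proc/<pid>/environ (NUL-separated)."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return value.replace(":", " ").split()  # ld.so accepts both
    return []

def classify(maps_text, environ_bytes):
    """Return (verdict, libs); the verdict labels are this example's own."""
    libs = mapped_libs(maps_text)
    if not libs:
        return "absent", []
    if any(is_bpftime(p) for p in preload_entries(environ_bytes)):
        return "ld_preload", libs  # loaded by the dynamic linker at start
    # Mapped but never preloaded: consistent with the ptrace/Frida path
    # (or a dlopen by the program); environ is only the exec-time view.
    return "runtime_injected", libs

# Constructed sample data, not captured from a real host.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a21000 r-xp 00000000 08:01 131 /usr/sbin/nginx
7f1c2a400000-7f1c2a5c0000 r-xp 00000000 08:01 402 /usr/lib/libc.so.6
7f1c2b000000-7f1c2b3f0000 r-xp 00000000 08:01 977 /opt/example/libbpftime-agent.so
7f1c2b3f0000-7f1c2b400000 rw-p 003f0000 08:01 977 /opt/example/libbpftime-agent.so
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_ENV_PRELOAD = b"PATH=/usr/bin\0LD_PRELOAD=/opt/example/libbpftime-agent.so\0"
SAMPLE_ENV_PLAIN = b"PATH=/usr/bin\0"
```

On a live host, pass the contents of the two `/proc` files for each PID to `classify`; a `runtime_injected` verdict on a process nobody instrumented on purpose is the case worth investigating.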
