eBPF studies and introduction

Introduction

(Coming Soon)

A couple of months ago, I was chatting with a friend about new security technologies. He asked me if I knew of any previous work that used eBPF to prevent malicious activities (i.e. malware), or at least to detect them.

I had heard about eBPF before (as a replacement for Netfilter and the like) but had never spent a reasonable amount of time studying it. So I went down the rabbit hole to learn a little more.

I was amazed by its capabilities. Below, I'll try to explain as simply as possible what eBPF is and what it can do, along with solid references for those who want to learn more. There is a lot of good information on the internet, but my intent is to be more general and give a light introduction to it.

This post will be updated with more information as soon as possible.

The following topics will be discussed:

1. eBPF brief history
2. eBPF Virtual Machine
3. eBPF program overview
4. eBPF types of programs
5. What are helper functions?
6. How is eBPF loaded?
7. How can userspace programs interact with eBPF programs
8. eBPF Maps
9. References

eBPF brief history

Back in the '90s, the Berkeley Packet Filter was released by Steve McCanne and Van Jacobson at Lawrence Berkeley Laboratory. It “provides a raw interface to data link layers in a protocol-independent fashion” and appeared, as usual, as a special device, /dev/bpf, allowing raw link-layer packets to be sent and received.

Later on, inspired by BPF, eBPF was introduced in kernel version 3.18, extending the Linux kernel with capabilities in a manner similar to BPF. But, unlike the BSD device, the developer does not need to be aware of devices and such things. Rather, they write their code and attach it to the kernel at specific hook points.

Then, when some sort of event (like a network packet) reaches the system, if there is a BPF program attached to a hook for that kind of event, the data is “passed” to the program to be processed.
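To make the "data is passed to a small program" idea concrete, here is an added example (not code from the original post): a toy interpreter for three classic BPF opcodes, running the filter that tcpdump generates for the expression "ip" over two constructed Ethernet headers. The opcode values and the instruction layout follow the classic BPF ISA described in the McCanne/Jacobson paper linked in the references; the interpreter, program and frames are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One classic BPF instruction: same field layout as the kernel's struct sock_filter. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode encodings from the classic BPF ISA (class | size | mode). */
#define LDH_ABS 0x28   /* A = 16-bit big-endian halfword at pkt[k] */
#define JEQ_K   0x15   /* if (A == k) skip jt instructions, else skip jf */
#define RET_K   0x06   /* return k = bytes to accept; 0 means drop */

/* Runs prog over pkt. Returns accepted byte count (0 = drop), -1 on a bad program. */
static long run_cbpf(const struct cbpf_insn *prog, size_t n,
                     const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                            /* the accumulator register */
    for (size_t pc = 0; pc < n; pc++) {
        const struct cbpf_insn *in = &prog[pc];
        switch (in->code) {
        case LDH_ABS:
            if (in->k + 2 > len) return 0;      /* out-of-bounds load: packet is dropped */
            a = (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1];
            break;
        case JEQ_K:
            pc += (a == in->k) ? in->jt : in->jf;   /* offsets are relative to next insn */
            break;
        case RET_K:
            return in->k;
        default:
            return -1;                         /* opcode not supported by this toy */
        }
    }
    return -1;  /* fell off the end: a real verifier rejects such a program */
}

/* Output of `tcpdump -d ip`: accept frames whose EtherType (offset 12) is 0x0800. */
static const struct cbpf_insn ip_only[] = {
    { LDH_ABS, 0, 0, 12 },
    { JEQ_K,   0, 1, 0x0800 },
    { RET_K,   0, 0, 262144 },
    { RET_K,   0, 0, 0 },
};

/* Constructed 14-byte Ethernet headers: one IPv4 (0x0800), one ARP (0x0806). */
static const uint8_t eth_ipv4[14] = { [12] = 0x08, [13] = 0x00 };
static const uint8_t eth_arp[14]  = { [12] = 0x08, [13] = 0x06 };

long filter_ipv4(void) { return run_cbpf(ip_only, 4, eth_ipv4, sizeof eth_ipv4); }
long filter_arp(void)  { return run_cbpf(ip_only, 4, eth_arp, sizeof eth_arp); }

int main(void) { printf("ipv4=%ld arp=%ld\n", filter_ipv4(), filter_arp()); return 0; }
```

The IPv4 frame yields 262144 (accept) and the ARP frame yields 0 (drop); eBPF keeps this "event in, verdict out" model but with a richer instruction set and many more hook points than the link layer.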

But before we dive a little deeper, we have to understand what the eBPF Virtual Machine is.

eBPF Virtual Machine

eBPF program overview

eBPF types of programs

What are helper functions?

How is eBPF loaded?

How can userspace programs interact with eBPF programs

eBPF Maps

References

http://www.tcpdump.org/papers/bpf-usenix93.pdf
https://sysdig.com/blog/introducing-container-observability-with-ebpf-and-sysdig/
https://blogs.oracle.com/linux/post/bpf-in-depth-building-bpf-programs