SlideShare a Scribd company logo

Andrea Righi - Spying on the Linux kernel for fun and profit

L
linuxlab_conf

The document discusses the complexities of the Linux kernel, focusing on real-time tracing techniques such as strace and eBPF (extended Berkeley Packet Filter). eBPF allows for efficient in-kernel programmability and tracing without crashing the kernel and has evolved significantly since its introduction. Various use cases and examples are provided, highlighting the benefits of understanding kernel behavior for improved application performance, reliability, and security.

Software
1 of 24
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Spying on the Linux kernel for fun and profit Andrea Righi righi.andrea@gmail.com Twitter: @arighi Github profile: https://github.com/arighi
Linux kernel is complex
https://www.linuxcounter.net/statistics/kernel
Linux kernel changes http://neuling.org/linux-next-size.html
How to keep up with changes ● https://lwn.net/Kernel/ ● https://kernelnewbies.org/LinuxChanges ● http://vger.kernel.org/vger-lists.html#linux-kernel ● kernel source: Documentation/
Real-time tracing
strace ● strace(1): system call tracer in Linux ● It uses the ptrace() system call that pauses the target process for each syscall so that the debugger can read the state ● And it’s doing this twice: when the syscall begins and when it ends!
strace overhead ### Regular execution ### $ dd if=/dev/zero of=/dev/null bs=1 count=500k 512000+0 records in 512000+0 records out 512000 bytes (512 kB, 500 KiB) copied, 0,501455 s, 1.0 MB/s ### Strace execution (tracing a syscall that is never called) ### $ strace -e trace=accept dd if=/dev/zero of=/dev/null bs=1 count=500k 512000+0 records in 512000+0 records out 512000 bytes (512 kB, 500 KiB) copied, 44.0216 s, 11,6 kB/s +++ exited with 0 +++
Advanced tracing techniques
eBPF
eBPF features ● Highly efficient VM that lives in the kernel ● Inject safe sanboxed bytecode into the kernel ● Attach code to kernel functions / events ● In-kernel JIT compiler – Dynamically translate eBPF bytecode into native opcodes ● eBPF makes kernel programmable without having to cross kernel/user-space boundaries ● Access in-kernel data structures directly without the risk of crashing, hanging or breaking the kernel in any way
eBPF history ● Initially it was BPF: Berkeley Packet Filter ● It has its roots in BSD in the very early 1990’s ● Originally designed as a mechanism for fast filtering network packets ● 3.15: Linux introduced eBPF: extended Berkeley Packet Filter ● More efficient / more generic than the original BPF ● 3.18: eBPF VM exposed to user-space ● 4.9: eBPF programs can be attached to perf_events ● 4.10: eBPF programs can be attached to cgroups ● 4.15: eBPF LSM hooks
eBPF as a VM ● Example assembly of a simple eBPF filter ● Load 16-bit quantity from offset 12 in the packet to the accumulator (ethernet type) ● Compare the value to see if the packet is an IP packet ● If the packet is IP, return TRUE (packet is accepted) ● otherwise return 0 (packet is rejected) ● Only 4 VM instructions to filter IP packets! ldh [12] jeq #ETHERTYPE_IP, l1, l2 l1: ret #TRUE l2: ret #0
eBPF use cases
kprobe
BCC tracing tools ● BPF Compiler Collection ● Front-end to eBPF ● BCC makes eBPF programs easier to write – Include C wrapper around LLVM – Python – Lua – C++ – C helper libs ● golang (gobpf) ● https://github.com/iovisor/gobpf https://github.com/iovisor/bcc
Examples
Example #1: trace exec() ● Intercept all the processes executed in the system
Example #2: keylogger ● Identify where and how keyboard characters are received and processed by the kernel
Example #3: ping ● Identify where ICMP packets (ECHO_REQUEST / ECHO_REPLY) are received and processed by the kernel
Example #4: task wait / wakeup ● Determine the stack trace of a sleeping process and the stack trace of the process that wakes up a sleeping process
Conclusion ● Real-time tracing as a method to study the kernel ● Understanding what the kernel is doing can help to improve your application / service in terms of performance, reliability and security
References ● Brendan Gregg blog ● http://brendangregg.com/blog/ ● BCC tools ● https://github.com/iovisor/bcc ● gobpf (BPF bindings for go): ● https://github.com/iovisor/gobpf ● The BSD Packet Filter: A New Architecture for User-level Packet Capture - S. McCanne and V. Jacobson ● http://www.tcpdump.org/papers/bpf-usenix93.pdf
Thanks ● twitter: @arighi ● email: righi.andrea@gmail.com

More Related Content

PDF
Mirko Damiani - An Embedded soft real time distributed system in Go
linuxlab_conf
 
PDF
Michele Dionisio & Pietro Lorefice - Developing and testing a device driver w...
linuxlab_conf
 
PDF
Davide Berardi - Linux hardening and security measures against Memory corruption
linuxlab_conf
 
PDF
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...
linuxlab_conf
 
PDF
MOVED: RDK/WPE Port on DB410C - SFO17-206
Linaro
 
PDF
OpenWrt From Top to Bottom
Kernel TLV
 
PDF
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
linuxlab_conf
 
PDF
Kernel Recipes 2015: Greybus
Anne Nicolas
 
Mirko Damiani - An Embedded soft real time distributed system in Go
linuxlab_conf
 
Michele Dionisio & Pietro Lorefice - Developing and testing a device driver w...
linuxlab_conf
 
Davide Berardi - Linux hardening and security measures against Memory corruption
linuxlab_conf
 
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...
linuxlab_conf
 
MOVED: RDK/WPE Port on DB410C - SFO17-206
Linaro
 
OpenWrt From Top to Bottom
Kernel TLV
 
Claudio Scordino - Handling mixed criticality on embedded multi-core systems
linuxlab_conf
 
Kernel Recipes 2015: Greybus
Anne Nicolas
 

What's hot (20)

PDF
Alessio Lama - Development and testing of a safety network protocol
linuxlab_conf
 
PDF
Kernel Recipes 2016 - Landlock LSM: Unprivileged sandboxing
Anne Nicolas
 
PDF
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
Anne Nicolas
 
PDF
Kernel Recipes 2016 - New hwmon device registration API - Jean Delvare
Anne Nicolas
 
PDF
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
PDF
Stefano Cordibella - An introduction to Yocto Project
linuxlab_conf
 
PDF
The Linux Block Layer - Built for Fast Storage
Kernel TLV
 
PDF
Emanuele Faranda - Creating network overlays with IoT devices using N2N
linuxlab_conf
 
PDF
BKK16-103 OpenCSD - Open for Business!
Linaro
 
PDF
LAS16-210: Hardware Assisted Tracing on ARM with CoreSight and OpenCSD
Linaro
 
PDF
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Kernel TLV
 
PDF
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
Linaro
 
PDF
Luca Cipriani - Control your Embedded Linux remotely by using MQTT and a web ...
linuxlab_conf
 
PDF
BKK16-505 Kernel and Bootloader Consolidation and Upstreaming
Linaro
 
PDF
Tommaso Cucinotta - Low-latency and power-efficient audio applications on Linux
linuxlab_conf
 
PDF
BSD Sockets API in Zephyr RTOS - SFO17-108
Linaro
 
PPTX
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
oholiab
 
PDF
Lcu14 101- coresight overview
Linaro
 
PPTX
Bypassing ASLR Exploiting CVE 2015-7545
Kernel TLV
 
PDF
ebpf and IO Visor: The What, how, and what next!
Affan Syed
 
Alessio Lama - Development and testing of a safety network protocol
linuxlab_conf
 
Kernel Recipes 2016 - Landlock LSM: Unprivileged sandboxing
Anne Nicolas
 
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
Anne Nicolas
 
Kernel Recipes 2016 - New hwmon device registration API - Jean Delvare
Anne Nicolas
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
Stefano Cordibella - An introduction to Yocto Project
linuxlab_conf
 
The Linux Block Layer - Built for Fast Storage
Kernel TLV
 
Emanuele Faranda - Creating network overlays with IoT devices using N2N
linuxlab_conf
 
BKK16-103 OpenCSD - Open for Business!
Linaro
 
LAS16-210: Hardware Assisted Tracing on ARM with CoreSight and OpenCSD
Linaro
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Kernel TLV
 
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
Linaro
 
Luca Cipriani - Control your Embedded Linux remotely by using MQTT and a web ...
linuxlab_conf
 
BKK16-505 Kernel and Bootloader Consolidation and Upstreaming
Linaro
 
Tommaso Cucinotta - Low-latency and power-efficient audio applications on Linux
linuxlab_conf
 
BSD Sockets API in Zephyr RTOS - SFO17-108
Linaro
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
oholiab
 
Lcu14 101- coresight overview
Linaro
 
Bypassing ASLR Exploiting CVE 2015-7545
Kernel TLV
 
ebpf and IO Visor: The What, how, and what next!
Affan Syed
 
Ad

Similar to Andrea Righi - Spying on the Linux kernel for fun and profit (20)

PDF
Kernel bug hunting
Andrea Righi
 
PDF
Security Monitoring with eBPF
Alex Maestretti
 
PDF
UM2019 Extended BPF: A New Type of Software
Brendan Gregg
 
PDF
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
PDF
LSFMM 2019 BPF Observability
Brendan Gregg
 
PPTX
Understanding eBPF in a Hurry!
Ray Jenkins
 
ODP
Linux kernel tracing superpowers in the cloud
Andrea Righi
 
PDF
eBPF Trace from Kernel to Userspace
SUSE Labs Taipei
 
PDF
Using eBPF Off-CPU Sampling to See What Your DBs are Really Waiting For by Ta...
ScyllaDB
 
PDF
DEF CON 27 - JEFF DILEO - evil e bpf in depth
Felipe Prado
 
PDF
Linux BPF Superpowers
Brendan Gregg
 
PDF
Kernel Recipes 2019 - BPF at Facebook
Anne Nicolas
 
PDF
BPF: Tracing and more
Brendan Gregg
 
PDF
Linux kernel bug hunting
Andrea Righi
 
PDF
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Valeriy Kravchuk
 
PDF
Bpf performance tools chapter 4 bcc
Viller Hsiao
 
PPTX
Always-on Profiling of All Linux Threads, On-CPU and Off-CPU, with eBPF & Con...
ScyllaDB
 
PDF
Linux 4.x Tracing Tools: Using BPF Superpowers
Brendan Gregg
 
PDF
bpftrace - Tracing Summit 2018
AlastairRobertson9
 
PDF
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
Brendan Gregg
 
Kernel bug hunting
Andrea Righi
 
Security Monitoring with eBPF
Alex Maestretti
 
UM2019 Extended BPF: A New Type of Software
Brendan Gregg
 
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
LSFMM 2019 BPF Observability
Brendan Gregg
 
Understanding eBPF in a Hurry!
Ray Jenkins
 
Linux kernel tracing superpowers in the cloud
Andrea Righi
 
eBPF Trace from Kernel to Userspace
SUSE Labs Taipei
 
Using eBPF Off-CPU Sampling to See What Your DBs are Really Waiting For by Ta...
ScyllaDB
 
DEF CON 27 - JEFF DILEO - evil e bpf in depth
Felipe Prado
 
Linux BPF Superpowers
Brendan Gregg
 
Kernel Recipes 2019 - BPF at Facebook
Anne Nicolas
 
BPF: Tracing and more
Brendan Gregg
 
Linux kernel bug hunting
Andrea Righi
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Valeriy Kravchuk
 
Bpf performance tools chapter 4 bcc
Viller Hsiao
 
Always-on Profiling of All Linux Threads, On-CPU and Off-CPU, with eBPF & Con...
ScyllaDB
 
Linux 4.x Tracing Tools: Using BPF Superpowers
Brendan Gregg
 
bpftrace - Tracing Summit 2018
AlastairRobertson9
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
Brendan Gregg
 
Ad

More from linuxlab_conf (9)

PDF
Jonathan Corbet - Keynote: The Kernel Report
linuxlab_conf
 
PDF
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...
linuxlab_conf
 
PDF
Bruno Verachten - The Android device farm that fits in a (cloudy) pocket
linuxlab_conf
 
PDF
Jagan Teki - U-boot from scratch
linuxlab_conf
 
PDF
Jacopo Mondi - Complex cameras are complex
linuxlab_conf
 
PDF
Dario Faggioli - Virtualization in the age of speculative execution HW bugs
linuxlab_conf
 
PDF
Angelo Compagnucci - Upgrading buildroot based devices with swupdate
linuxlab_conf
 
PDF
Luca Abeni - Real-Time Virtual Machines with Linux and kvm
linuxlab_conf
 
PDF
Luca Ceresoli - Buildroot vs Yocto: Differences for Your Daily Job
linuxlab_conf
 
Jonathan Corbet - Keynote: The Kernel Report
linuxlab_conf
 
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...
linuxlab_conf
 
Bruno Verachten - The Android device farm that fits in a (cloudy) pocket
linuxlab_conf
 
Jagan Teki - U-boot from scratch
linuxlab_conf
 
Jacopo Mondi - Complex cameras are complex
linuxlab_conf
 
Dario Faggioli - Virtualization in the age of speculative execution HW bugs
linuxlab_conf
 
Angelo Compagnucci - Upgrading buildroot based devices with swupdate
linuxlab_conf
 
Luca Abeni - Real-Time Virtual Machines with Linux and kvm
linuxlab_conf
 
Luca Ceresoli - Buildroot vs Yocto: Differences for Your Daily Job
linuxlab_conf
 

Recently uploaded (20)

PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Introduction Database Management System for Course Database
ReinertYosua
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
Introduction to Artificial Intelligence
lohedi9363
 
System and Network Administraation Chapter 3
jaramharo
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
System and Network Administration Chapter 2
jaramharo
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
AI in Product Development-omnex systems
omnex systems
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 

Andrea Righi - Spying on the Linux kernel for fun and profit

  • 1. Spying on the Linux kernel for fun and profit Andrea Righi righi.andrea@gmail.com Twitter: @arighi Github profile: https://github.com/arighi
  • 2. Linux kernel is complex
  • 5. How to keep up with changes ● https://lwn.net/Kernel/ ● https://kernelnewbies.org/LinuxChanges ● http://vger.kernel.org/vger-lists.html#linux-kernel ● kernel source: Documentation/
  • 7. strace ● strace(1): system call tracer in Linux ● It uses the ptrace() system call that pauses the target process for each syscall so that the debugger can read the state ● And it’s doing this twice: when the syscall begins and when it ends!
  • 8. strace overhead ### Regular execution ### $ dd if=/dev/zero of=/dev/null bs=1 count=500k 512000+0 records in 512000+0 records out 512000 bytes (512 kB, 500 KiB) copied, 0,501455 s, 1.0 MB/s ### Strace execution (tracing a syscall that is never called) ### $ strace -e trace=accept dd if=/dev/zero of=/dev/null bs=1 count=500k 512000+0 records in 512000+0 records out 512000 bytes (512 kB, 500 KiB) copied, 44.0216 s, 11,6 kB/s +++ exited with 0 +++
  • 10. eBPF
  • 11. eBPF features ● Highly efficient VM that lives in the kernel ● Inject safe sanboxed bytecode into the kernel ● Attach code to kernel functions / events ● In-kernel JIT compiler – Dynamically translate eBPF bytecode into native opcodes ● eBPF makes kernel programmable without having to cross kernel/user-space boundaries ● Access in-kernel data structures directly without the risk of crashing, hanging or breaking the kernel in any way
  • 12. eBPF history ● Initially it was BPF: Berkeley Packet Filter ● It has its roots in BSD in the very early 1990’s ● Originally designed as a mechanism for fast filtering network packets ● 3.15: Linux introduced eBPF: extended Berkeley Packet Filter ● More efficient / more generic than the original BPF ● 3.18: eBPF VM exposed to user-space ● 4.9: eBPF programs can be attached to perf_events ● 4.10: eBPF programs can be attached to cgroups ● 4.15: eBPF LSM hooks
  • 13. eBPF as a VM ● Example assembly of a simple eBPF filter ● Load 16-bit quantity from offset 12 in the packet to the accumulator (ethernet type) ● Compare the value to see if the packet is an IP packet ● If the packet is IP, return TRUE (packet is accepted) ● otherwise return 0 (packet is rejected) ● Only 4 VM instructions to filter IP packets! ldh [12] jeq #ETHERTYPE_IP, l1, l2 l1: ret #TRUE l2: ret #0
  • 16. BCC tracing tools ● BPF Compiler Collection ● Front-end to eBPF ● BCC makes eBPF programs easier to write – Include C wrapper around LLVM – Python – Lua – C++ – C helper libs ● golang (gobpf) ● https://github.com/iovisor/gobpf https://github.com/iovisor/bcc
  • 18. Example #1: trace exec() ● Intercept all the processes executed in the system
  • 19. Example #2: keylogger ● Identify where and how keyboard characters are received and processed by the kernel
  • 20. Example #3: ping ● Identify where ICMP packets (ECHO_REQUEST / ECHO_REPLY) are received and processed by the kernel
  • 21. Example #4: task wait / wakeup ● Determine the stack trace of a sleeping process and the stack trace of the process that wakes up a sleeping process
  • 22. Conclusion ● Real-time tracing as a method to study the kernel ● Understanding what the kernel is doing can help to improve your application / service in terms of performance, reliability and security
  • 23. References ● Brendan Gregg blog ● http://brendangregg.com/blog/ ● BCC tools ● https://github.com/iovisor/bcc ● gobpf (BPF bindings for go): ● https://github.com/iovisor/gobpf ● The BSD Packet Filter: A New Architecture for User-level Packet Capture - S. McCanne and V. Jacobson ● http://www.tcpdump.org/papers/bpf-usenix93.pdf