Notes on BPF and eBPF

216 points, by mlerner, over 3 years ago

8 comments

daenz, over 3 years ago

> eBPF programs can't access arbitrary kernel memory. Instead the kernel provides functions to get at some restricted subset of things.

I must finally be becoming a security pessimist when I read those sentences and the first thing I think is: these statements will not age well.
kylequest, over 3 years ago

Lots of good eBPF info from eBPF Summit: https://ebpf.io/summit-2021/ and https://ebpf.io/summit-2020/

Also videos from eBPF Day KubeCon 2021: https://www.youtube.com/playlist?list=PLj6h78yzYM2Pm5nF_GmNQHMyt9CUZr2uQ
halpert, over 3 years ago

One cool project that uses eBPF is Cilium. It allows restricting network traffic to / from containers in Kubernetes. Many of the problems it solves, in my opinion, are better solved via user-space solutions, e.g. service-to-service traffic is better controlled via signing / encryption, but overall Cilium is a pretty cool piece of technology.
netsec_burn, over 3 years ago

Many of the links under "things you can attach eBPF programs to" are broken, unfortunately.
pwnna, over 3 years ago

BPF is indeed a pretty interesting technology. As the knowledge about it becomes more widespread, I anticipate that we will unlock some new capabilities both in terms of tracing. Brendan Gregg's book (https://www.brendangregg.com/bpf-performance-tools-book.html) serves as a good intro to this, although you probably only need to read a small chunk of it, as a lot of it is reference-book-style material.

The author mentioned that you can trace MySQL with USDT, which is a tracepoint inserted by the developer at select locations in the code. This kind of tracepoint forms a "stable interface" for tracing/performance debugging, whereas uprobes, which hook into select userspace functions, are unstable as the binary is recompiled. Unfortunately, the USDT tracepoints (via DTrace) have been removed in MySQL 8.0. This makes it significantly more difficult to trace MySQL, although it's not impossible (https://news.ycombinator.com/item?id=29772927). I've done a proof of concept of tracing MySQL with uprobes instead of USDT in this repo[1], which can kind of give you the same results (and possibly more stuff, as I can more easily read arbitrary memory addresses due to how the old USDT tracepoints are structured). This is not stable though, as any MySQL upgrade may introduce incompatibility with the trace script, as I read memory addresses based on offsets (whereas with USDT this can be kept pretty stable). My appeal to Oracle to re-add this functionality[2] has unfortunately been rejected, which I think is a mistake given the wide range of possibilities unlocked via BPF.

[1]: https://github.com/shuhaowu/mysqld-bpf

[2]: https://bugs.mysql.com/bug.php?id=105741

Another thing that I've been recently thinking of is using BPF to validate programs written for real-time Linux (via PREEMPT_RT). To my understanding, one of the main things to avoid is page faults [3]. With the proper BPF tracing scripts, I think we can validate that programs indeed avoid page faults in integration testing. I'm not sure if it is super useful yet, but as I'm trying to write a few RT programs, it's something that came to my mind.

[3]: https://lwn.net/Articles/837019/

In addition to tracing (so bpftrace-based/bcc-based tools), I've recently discovered that there are:

1. ebpfsnitch (https://github.com/harporoeder/ebpfsnitch): an application-level firewall without kernel modules.

2. ebpf-traffic-monitor (https://source.android.com/devices/tech/datausage/ebpf-traffic-monitor): which appears to be using BPF to account for traffic for different apps on Android.

3. kubectl trace (https://github.com/iovisor/kubectl-trace): run tracing on k8s.

There are apparently also use cases in the context of security, but I'm not familiar with it.
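The page-fault validation idea in the comment above, as an added example that is not code from the thread, from the linked notes or from any project mentioned here. The comment proposes attaching BPF tracing to page-fault events to check that a PREEMPT_RT program never faults on its hot path. For a program you control, the same check can be made cooperatively from getrusage(2) by snapshotting the process's fault counters around the region under test; that is the technique swapped in here so the example runs without bpftrace or root. The 4 MiB region, the hot-path stand-in and the function names are constructed for the example. It also shows the usual mitigation (a pre-faulted mapping) next to the failing case.

```c
/* Added example, not the thread's code: measure page faults taken by a code
 * region via getrusage(2), as a cooperative stand-in for the BPF page-fault
 * tracepoint approach. The assertion an RT validation test makes is the same:
 * the hot path must report zero faults. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

#define REGION_BYTES ((size_t)4 << 20)   /* constructed 4 MiB working set */

/* Minor + major faults this process has taken so far, or -1 on error. */
static long faults_so_far(void)
{
    struct rusage ru;
    if (getrusage(RUSAGE_SELF, &ru) != 0)
        return -1;
    return ru.ru_minflt + ru.ru_majflt;
}

/* Run fn(arg) and return how many page faults it caused (-1 on error). */
long faults_during(void (*fn)(void *), void *arg)
{
    long before = faults_so_far();
    if (before < 0)
        return -1;
    fn(arg);
    long after = faults_so_far();
    return after < 0 ? -1 : after - before;
}

/* Stand-in for an RT hot path: write one byte on every page of the region. */
static void touch_every_page(void *arg)
{
    volatile unsigned char *p = arg;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    for (size_t off = 0; off < REGION_BYTES; off += page)
        p[off] = 1;
}

/* Map REGION_BYTES of anonymous memory, lazily or pre-faulted with
 * MAP_POPULATE (what an RT program does at init, normally together with
 * mlockall(MCL_CURRENT | MCL_FUTURE) so the pages also stay resident), run the
 * hot path once under the fault counter, and return the fault count.
 * Returns -1 if the mapping fails. */
long hot_path_faults(int prefault)
{
    int flags = MAP_PRIVATE | MAP_ANONYMOUS | (prefault ? MAP_POPULATE : 0);
    void *region = mmap(NULL, REGION_BYTES, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    long faults = faults_during(touch_every_page, region);
    munmap(region, REGION_BYTES);
    return faults;
}

int main(void)
{
    long lazy = hot_path_faults(0);
    long prefaulted = hot_path_faults(1);
    printf("faults on first touch of a lazy mapping: %ld\n", lazy);
    printf("faults on a MAP_POPULATE mapping:        %ld\n", prefaulted);
    /* An RT integration test fails the run if the pre-faulted path faults at all. */
    return prefaulted == 0 ? 0 : 1;
}
```

The lazy mapping faults once per page (or once per huge page when THP is active); the MAP_POPULATE mapping reports zero on a normal system, which is the property to assert in CI. The getrusage counters only cover your own process, so for a binary you cannot instrument, the BPF tracepoint route from the comment remains the tool.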
rammy1234, over 3 years ago

Is the PDF link broken in the blog?
crtxcr, over 3 years ago

> things you can attach eBPF programs to

> ...

> seccomp / landlock security things

Landlock does not use *BPF.

Seccomp can only use BPF at this point, not eBPF (though there has been some work on it).
Warlockcraft, over 3 years ago

I tried clicking on the link with these words: "The BSD Packet Filter: A New Architecture for User-level Packet Capture". The link appears to be an insecure website that my internet browser prevented me from going on.