diff --git a/docs/bibliography/bibliography.bib b/docs/bibliography/bibliography.bib
index 0572dab..88c4cee 100644
--- a/docs/bibliography/bibliography.bib
+++ b/docs/bibliography/bibliography.bib
@@ -129,6 +129,11 @@
 url={https://ebpf.io/what-is-ebpf/}
 },
+@manual{ebpf_io_arch,
+ title={eBPF Documentation: Loader and verification architecture},
+ url={https://ebpf.io/what-is-ebpf/#loader--verification-architecture}
+},
+
 @manual{index_register,
 title={Index register},
 url={https://gunkies.org/wiki/Index_register}
@@ -160,7 +165,7 @@
 @manual{ebpf_inst_set,
 title={eBPF instruction set},
 url={https://www.kernel.org/doc/html/latest/bpf/instruction-set.html}
-}
+},
 @manual{8664_inst_set_specs,
 title={Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4},
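Review bot: The `},` that closes `ebpf_io_arch` leaves a comma outside any entry, and the `@@ -160,7 +165,7 @@` and `@@ -169,13 +174,57 @@` hunks add the same comma after `ebpf_inst_set`, `8664_inst_set_specs` and every newly added entry. BibTeX entries are not comma-separated; the old `document.blg` lines removed in this same commit already show Biber reporting `1 characters of junk seen at toplevel` for this file, which is presumably this pattern on the existing entries. Closing each entry with a bare `}` and keeping the blank line as the separator would remove those warnings instead of adding to them, and it keeps real parse problems from being buried in the log. The first hunk begins inside an entry whose opening line lies outside the hunk, and the second ends inside `8664_inst_set_specs`.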
@@ -169,13 +174,57 @@
 pages={507},
 urldate={2022-05-13},
 url={https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html}
-}
+},
 @proceedings{ebpf_starovo_slides,
 title={BPF – in-kernel virtual machine},
 url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
 date={2015-02-20},
 institution={PLUMgrid}
+},
+
+@proceedings{ebpf_starovo_slides_page23,
+ title={BPF – in-kernel virtual machine},
+ url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
+ date={2015-02-20},
+ institution={PLUMgrid},
+ pages={23}
+},
+
+@manual{ebpf_JIT,
+ title={A JIT for packet filters},
+ url={https://lwn.net/Articles/437981/},
+ date={2011-04-12},
+ author={Jonathan Corbet}
+},
+
+@proceedings{ebpf_JIT_demystify_page13,
+ title={Demystify eBPF JIT Compiler},
+ url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
+ institution={Netronome},
+ author={Jiong Wang},
+ date={2018-09-11},
+ pages={13}
+},
+
+@proceedings{ebpf_JIT_demystify_page14,
+ title={Demystify eBPF JIT Compiler},
+ url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
+ institution={Netronome},
+ author={Jiong Wang},
+ date={2018-09-11},
+ pages={14}
+},
+
+@book{brendan_gregg_bpf_book_bpf_vm,
+ title={BPF performance tools},
+ author={Brendan Gregg},
+ url={https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code}
+},
+
+@manual{jit_enable_setting,
+ title={bpf\_jit\_enable},
+ url={https://sysctl-explorer.net/net/core/bpf_jit_enable/}
 }
@@ -185,3 +234,4 @@
+
diff --git a/docs/bibliography/texput.log b/docs/bibliography/texput.log
index f17ab2e..3559194 100644
--- a/docs/bibliography/texput.log
+++ b/docs/bibliography/texput.log
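Review bot: The three `_pageNN` entries in the `@@ -169,13 +174,57 @@` hunk (`ebpf_starovo_slides_page23`, `ebpf_JIT_demystify_page13`, `ebpf_JIT_demystify_page14`) repeat a whole record only to vary `pages`, so the same slide deck is listed several times and any correction has to be made in each copy. biblatex carries the page in the citation itself, e.g. `\cite[23]{ebpf_starovo_slides}`, so one entry per deck is enough. In `brendan_gregg_bpf_book_bpf_vm` the URL fragment is written `#:-:text=`, while the text-fragment directive is spelled `#:~:text=`, so the link likely will not jump to the quoted passage; a `chapter` field would be a more stable locator. `jit_enable_setting` cites a third-party page for a kernel sysctl; the kernel's own sysctl documentation would be the stronger source for a setting the text relies on, and none of the new web entries records `urldate` although `8664_inst_set_specs` does.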
@@ -1,4 +1,4 @@ -This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 24 MAY 2022 20:47 +This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 25 MAY 2022 19:59 entering extended mode restricted \write18 enabled. %&-line parsing enabled. diff --git a/docs/document.aux b/docs/document.aux index 67938cc..118229b 100644 --- a/docs/document.aux +++ b/docs/document.aux 
@@ -63,28 +63,29 @@ \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.1}eBPF history - Classic BPF}{5}{section.2.1}\protected@file@percent } \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.1}Introduction to the BPF system}{5}{subsection.2.1.1}\protected@file@percent } -\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.1}{\ignorespaces Sketch of the functionality of classic BPF\relax }}{5}{figure.caption.7}\protected@file@percent } -\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}} -\newlabel{fig:classif_bpf}{{2.1}{5}{Sketch of the functionality of classic BPF\relax }{figure.caption.7}{}} \abx@aux@cite{bpf_bsd_origin_bpf_page1} \abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page1} \abx@aux@cite{index_register} \abx@aux@segm{0}{0}{index_register} +\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.1}{\ignorespaces Sketch of the functionality of classic BPF\relax }}{6}{figure.caption.7}\protected@file@percent } +\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}} +\newlabel{fig:classif_bpf}{{2.1}{6}{Sketch of the functionality of classic BPF\relax }{figure.caption.7}{}} \@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}\protected@file@percent } -\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{6}{subsection.2.1.3}\protected@file@percent } +\newlabel{section:bpf_vm}{{2.1.2}{6}{The BPF virtual machine}{subsection.2.1.2}{}} \abx@aux@cite{bpf_bsd_origin_bpf_page5} \abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page5} 
\abx@aux@cite{bpf_organicprogrammer_analysis} \abx@aux@segm{0}{0}{bpf_organicprogrammer_analysis} +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{7}{subsection.2.1.3}\protected@file@percent } \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.2}{\ignorespaces Execution of a BPF filter.\relax }}{7}{figure.caption.8}\protected@file@percent } \newlabel{fig:cbpf_prog}{{2.2}{7}{Execution of a BPF filter.\relax }{figure.caption.8}{}} -\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{7}{subsection.2.1.4}\protected@file@percent } -\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{7}{table.caption.9}\protected@file@percent } -\newlabel{table:bpf_inst_format}{{2.1}{7}{Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.9}{}} \abx@aux@cite{bpf_bsd_origin_bpf_page7} \abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page7} \abx@aux@cite{bpf_bsd_origin_bpf_page8} \abx@aux@segm{0}{0}{bpf_bsd_origin_bpf_page8} +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{8}{subsection.2.1.4}\protected@file@percent } +\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. 
It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{8}{table.caption.9}\protected@file@percent } +\newlabel{table:bpf_inst_format}{{2.1}{8}{Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.9}{}} \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.3}{\ignorespaces Table of supported classic BPF instructions, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page7}\relax }}{8}{figure.caption.10}\protected@file@percent } \newlabel{fig:bpf_instructions}{{2.3}{8}{Table of supported classic BPF instructions, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page7}\relax }{figure.caption.10}{}} \abx@aux@cite{bpf_bsd_origin_bpf_page8} 
@@ -95,49 +96,71 @@ \abx@aux@segm{0}{0}{tcpdump_page} \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.4}{\ignorespaces Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}\protected@file@percent } \newlabel{fig:bpf_address_mode}{{2.4}{9}{Table explaining the column address modes in Figure\ref {fig:bpf_instructions}, as shown by McCanne and Jacobson\cite {bpf_bsd_origin_bpf_page8}\relax }{figure.caption.11}{}} -\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{9}{subsection.2.1.5}\protected@file@percent } +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{10}{subsection.2.1.5}\protected@file@percent } \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}\protected@file@percent } \newlabel{fig:bpf_tcpdump_example}{{2.5}{10}{BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }{figure.caption.12}{}} -\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{10}{figure.caption.13}\protected@file@percent } -\newlabel{fig:tcpdump_ex_sol}{{2.6}{10}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set 
with \textit {tcpdump}.\relax }{figure.caption.13}{}} \abx@aux@cite{ebpf_funcs_by_ver} \abx@aux@segm{0}{0}{ebpf_funcs_by_ver} \abx@aux@cite{ebpf_funcs_by_ver} \abx@aux@segm{0}{0}{ebpf_funcs_by_ver} +\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}\protected@file@percent } +\newlabel{fig:tcpdump_ex_sol}{{2.6}{11}{Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }{figure.caption.13}{}} +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}\protected@file@percent } \abx@aux@cite{brendan_gregg_bpf_book} \abx@aux@segm{0}{0}{brendan_gregg_bpf_book} +\abx@aux@cite{brendan_gregg_bpf_book} +\abx@aux@segm{0}{0}{brendan_gregg_bpf_book} +\abx@aux@cite{ebpf_io_arch} +\abx@aux@segm{0}{0}{ebpf_io_arch} +\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{12}{table.caption.14}\protected@file@percent } +\newlabel{table:ebpf_history}{{2.2}{12}{Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. 
This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }{table.caption.14}{}} +\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.7}{\ignorespaces Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}\protected@file@percent } +\newlabel{fig:ebpf_architecture}{{2.7}{12}{Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }{figure.caption.15}{}} \abx@aux@cite{ebpf_inst_set} \abx@aux@segm{0}{0}{ebpf_inst_set} \abx@aux@cite{8664_inst_set_specs} \abx@aux@segm{0}{0}{8664_inst_set_specs} \abx@aux@cite{ebpf_inst_set} \abx@aux@segm{0}{0}{ebpf_inst_set} +\abx@aux@cite{ebpf_inst_set} +\abx@aux@segm{0}{0}{ebpf_inst_set} \abx@aux@cite{ebpf_starovo_slides} \abx@aux@segm{0}{0}{ebpf_starovo_slides} \abx@aux@cite{ebpf_inst_set} \abx@aux@segm{0}{0}{ebpf_inst_set} \abx@aux@cite{ebpf_starovo_slides} \abx@aux@segm{0}{0}{ebpf_starovo_slides} -\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}\protected@file@percent } -\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}Architecture of eBPF}{11}{subsection.2.2.1}\protected@file@percent } -\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}\protected@file@percent } -\newlabel{table:ebpf_history}{{2.2}{11}{Table showing relevant eBPF updates. 
Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }{table.caption.14}{}} -\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{11}{table.caption.15}\protected@file@percent } -\newlabel{table:ebpf_inst_format}{{2.3}{11}{Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.15}{}} -\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{12}{table.caption.16}\protected@file@percent } -\newlabel{table:ebpf_regs}{{2.4}{12}{Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }{table.caption.16}{}} -\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{12}{subsection.2.2.2}\protected@file@percent } -\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{13}{chapter.3}\protected@file@percent } +\abx@aux@cite{ebpf_JIT} +\abx@aux@segm{0}{0}{ebpf_JIT} +\abx@aux@cite{ebpf_JIT_demystify_page13} +\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page13} +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{13}{subsection.2.2.1}\protected@file@percent } +\newlabel{subsection:ebpf_inst_set}{{2.2.1}{13}{eBPF instruction set}{subsection.2.2.1}{}} +\@writefile{lot}{\defcounter {refsection}{0}\relax 
}\@writefile{lot}{\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{13}{table.caption.16}\protected@file@percent } +\newlabel{table:ebpf_inst_format}{{2.3}{13}{Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }{table.caption.16}{}} +\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}\protected@file@percent } +\newlabel{table:ebpf_regs}{{2.4}{13}{Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }{table.caption.17}{}} +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}\protected@file@percent } +\abx@aux@cite{ebpf_JIT_demystify_page14} +\abx@aux@segm{0}{0}{ebpf_JIT_demystify_page14} +\abx@aux@cite{jit_enable_setting} +\abx@aux@segm{0}{0}{jit_enable_setting} +\abx@aux@cite{ebpf_starovo_slides_page23} +\abx@aux@segm{0}{0}{ebpf_starovo_slides_page23} +\abx@aux@cite{brendan_gregg_bpf_book_bpf_vm} +\abx@aux@segm{0}{0}{brendan_gregg_bpf_book_bpf_vm} +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.3}eBPF architecture}{14}{subsection.2.2.3}\protected@file@percent } +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Methods??}{15}{chapter.3}\protected@file@percent } \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }} \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} 
-\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{14}{chapter.4}\protected@file@percent } +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Results}{16}{chapter.4}\protected@file@percent } \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }} \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} -\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{15}{chapter.5}\protected@file@percent } +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion and future work}{17}{chapter.5}\protected@file@percent } \@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }} \@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }} -\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{16}{chapter.5}\protected@file@percent } -\abx@aux@read@bbl@mdfivesum{A0263F600A6B69AA4741D30C7A5AD15D} +\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{18}{chapter.5}\protected@file@percent } +\abx@aux@read@bbl@mdfivesum{5F7A9629AD8490B1B0F141D5BD6DF521} \abx@aux@refcontextdefaultsdone \abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global} \abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global} 
@@ -161,8 +184,15 @@ \abx@aux@defaultrefcontext{0}{tcpdump_page}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ebpf_funcs_by_ver}{none/global//global/global} \abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book}{none/global//global/global} +\abx@aux@defaultrefcontext{0}{ebpf_io_arch}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ebpf_inst_set}{none/global//global/global} \abx@aux@defaultrefcontext{0}{8664_inst_set_specs}{none/global//global/global} \abx@aux@defaultrefcontext{0}{ebpf_starovo_slides}{none/global//global/global} +\abx@aux@defaultrefcontext{0}{ebpf_JIT}{none/global//global/global} +\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page13}{none/global//global/global} +\abx@aux@defaultrefcontext{0}{ebpf_JIT_demystify_page14}{none/global//global/global} +\abx@aux@defaultrefcontext{0}{jit_enable_setting}{none/global//global/global} +\abx@aux@defaultrefcontext{0}{ebpf_starovo_slides_page23}{none/global//global/global} +\abx@aux@defaultrefcontext{0}{brendan_gregg_bpf_book_bpf_vm}{none/global//global/global} \ttl@finishall -\gdef \@abspage@last{33} +\gdef \@abspage@last{36} diff --git a/docs/document.bbl b/docs/document.bbl index 46e7ce5..bd7dcb8 100644 --- a/docs/document.bbl +++ b/docs/document.bbl @@ -497,6 +497,7 @@ \strng{authorbibnamehash}{b45aef384111d7e9dd71b74ba427b5f1} \strng{authornamehash}{b45aef384111d7e9dd71b74ba427b5f1} \strng{authorfullhash}{b45aef384111d7e9dd71b74ba427b5f1} + \field{extraname}{1} \field{sortinit}{3} \field{sortinithash}{a37a8ef248a93c322189792c34fc68c9} \field{labelnamesource}{author} 
@@ -509,6 +510,18 @@ \verb https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/ \endverb \endentry + \entry{ebpf_io_arch}{manual}{} + \field{sortinit}{3} + \field{sortinithash}{a37a8ef248a93c322189792c34fc68c9} + \field{labeltitlesource}{title} + \field{title}{eBPF Documentation: Loader and verification architecture} + \verb{urlraw} + \verb https://ebpf.io/what-is-ebpf/#loader--verification-architecture + \endverb + \verb{url} + \verb https://ebpf.io/what-is-ebpf/#loader--verification-architecture + \endverb + \endentry \entry{ebpf_inst_set}{manual}{} \field{sortinit}{3} \field{sortinithash}{a37a8ef248a93c322189792c34fc68c9} 
@@ -571,6 +584,168 @@ \verb http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf \endverb \endentry + \entry{ebpf_JIT}{manual}{} + \name{author}{1}{}{% + {{hash=729670cd9d39b9b575390147a29d51d7}{% + family={Corbet}, + familyi={C\bibinitperiod}, + given={Jonathan}, + giveni={J\bibinitperiod}}}% + } + \strng{namehash}{729670cd9d39b9b575390147a29d51d7} + \strng{fullhash}{729670cd9d39b9b575390147a29d51d7} + \strng{bibnamehash}{729670cd9d39b9b575390147a29d51d7} + \strng{authorbibnamehash}{729670cd9d39b9b575390147a29d51d7} + \strng{authornamehash}{729670cd9d39b9b575390147a29d51d7} + \strng{authorfullhash}{729670cd9d39b9b575390147a29d51d7} + \field{sortinit}{4} + \field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4} + \field{labelnamesource}{author} + \field{labeltitlesource}{title} + \field{day}{12} + \field{month}{4} + \field{title}{A JIT for packet filters} + \field{year}{2011} + \field{dateera}{ce} + \verb{urlraw} + \verb https://lwn.net/Articles/437981/ + \endverb + \verb{url} + \verb https://lwn.net/Articles/437981/ + \endverb + \endentry + \entry{ebpf_JIT_demystify_page13}{proceedings}{} + \name{author}{1}{}{% + {{hash=0fcaa32b080db12cbc8b11b27d05ad61}{% + family={Wang}, + familyi={W\bibinitperiod}, + given={Jiong}, + giveni={J\bibinitperiod}}}% + } + \list{institution}{1}{% + {Netronome}% + } + \strng{namehash}{0fcaa32b080db12cbc8b11b27d05ad61} + \strng{fullhash}{0fcaa32b080db12cbc8b11b27d05ad61} + \strng{bibnamehash}{0fcaa32b080db12cbc8b11b27d05ad61} + \strng{authorbibnamehash}{0fcaa32b080db12cbc8b11b27d05ad61} + \strng{authornamehash}{0fcaa32b080db12cbc8b11b27d05ad61} + \strng{authorfullhash}{0fcaa32b080db12cbc8b11b27d05ad61} + \field{extraname}{1} + \field{sortinit}{4} + \field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4} + \field{labelnamesource}{author} + \field{labeltitlesource}{title} + \field{day}{11} + \field{month}{9} + \field{title}{Demystify eBPF JIT Compiler} + \field{year}{2018} + \field{dateera}{ce} + \field{pages}{13} + 
\range{pages}{1} + \verb{urlraw} + \verb https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf + \endverb + \verb{url} + \verb https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf + \endverb + \endentry + \entry{ebpf_JIT_demystify_page14}{proceedings}{} + \name{author}{1}{}{% + {{hash=0fcaa32b080db12cbc8b11b27d05ad61}{% + family={Wang}, + familyi={W\bibinitperiod}, + given={Jiong}, + giveni={J\bibinitperiod}}}% + } + \list{institution}{1}{% + {Netronome}% + } + \strng{namehash}{0fcaa32b080db12cbc8b11b27d05ad61} + \strng{fullhash}{0fcaa32b080db12cbc8b11b27d05ad61} + \strng{bibnamehash}{0fcaa32b080db12cbc8b11b27d05ad61} + \strng{authorbibnamehash}{0fcaa32b080db12cbc8b11b27d05ad61} + \strng{authornamehash}{0fcaa32b080db12cbc8b11b27d05ad61} + \strng{authorfullhash}{0fcaa32b080db12cbc8b11b27d05ad61} + \field{extraname}{2} + \field{sortinit}{4} + \field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4} + \field{labelnamesource}{author} + \field{labeltitlesource}{title} + \field{day}{11} + \field{month}{9} + \field{title}{Demystify eBPF JIT Compiler} + \field{year}{2018} + \field{dateera}{ce} + \field{pages}{14} + \range{pages}{1} + \verb{urlraw} + \verb https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf + \endverb + \verb{url} + \verb https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf + \endverb + \endentry + \entry{jit_enable_setting}{manual}{} + \field{sortinit}{4} + \field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4} + \field{labeltitlesource}{title} + \field{title}{bpf\_jit\_enable} + \verb{urlraw} + \verb https://sysctl-explorer.net/net/core/bpf_jit_enable/ + \endverb + \verb{url} + \verb https://sysctl-explorer.net/net/core/bpf_jit_enable/ + \endverb + \endentry + \entry{ebpf_starovo_slides_page23}{proceedings}{} + \list{institution}{1}{% + {PLUMgrid}% + } + \field{sortinit}{4} + \field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4} + \field{labeltitlesource}{title} + 
\field{day}{20} + \field{month}{2} + \field{title}{BPF – in-kernel virtual machine} + \field{year}{2015} + \field{dateera}{ce} + \field{pages}{23} + \range{pages}{1} + \verb{urlraw} + \verb http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf + \endverb + \verb{url} + \verb http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf + \endverb + \endentry + \entry{brendan_gregg_bpf_book_bpf_vm}{book}{} + \name{author}{1}{}{% + {{hash=b45aef384111d7e9dd71b74ba427b5f1}{% + family={Gregg}, + familyi={G\bibinitperiod}, + given={Brendan}, + giveni={B\bibinitperiod}}}% + } + \strng{namehash}{b45aef384111d7e9dd71b74ba427b5f1} + \strng{fullhash}{b45aef384111d7e9dd71b74ba427b5f1} + \strng{bibnamehash}{b45aef384111d7e9dd71b74ba427b5f1} + \strng{authorbibnamehash}{b45aef384111d7e9dd71b74ba427b5f1} + \strng{authornamehash}{b45aef384111d7e9dd71b74ba427b5f1} + \strng{authorfullhash}{b45aef384111d7e9dd71b74ba427b5f1} + \field{extraname}{2} + \field{sortinit}{4} + \field{sortinithash}{e071e0bcb44634fab398d68ad04e69f4} + \field{labelnamesource}{author} + \field{labeltitlesource}{title} + \field{title}{BPF performance tools} + \verb{urlraw} + \verb https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code + \endverb + \verb{url} + \verb https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code + \endverb + \endentry \enddatalist \endrefsection \endinput diff --git a/docs/document.bcf b/docs/document.bcf index 122c763..4373ec2 100644 --- a/docs/document.bcf +++ b/docs/document.bcf 
@@ -2348,37 +2348,46 @@ bibliography/bibliography.bib - ransomware_pwc - rootkit_ptsecurity - ebpf_linux318 - bvp47_report - bpfdoor_pwc - ebpf_windows - ebpf_android - evil_ebpf - bad_ebpf - ebpf_friends - ebpf_io - bpf_bsd_origin - ebpf_history_opensource - bpf_bsd_origin_bpf_page1 - index_register - bpf_bsd_origin_bpf_page5 - bpf_organicprogrammer_analysis - bpf_bsd_origin_bpf_page7 - bpf_bsd_origin_bpf_page8 - bpf_bsd_origin_bpf_page8 - bpf_bsd_origin_bpf_page1 - tcpdump_page - ebpf_funcs_by_ver - ebpf_funcs_by_ver - brendan_gregg_bpf_book - ebpf_inst_set - 8664_inst_set_specs - ebpf_inst_set - ebpf_starovo_slides + ransomware_pwc + rootkit_ptsecurity + ebpf_linux318 + bvp47_report + bpfdoor_pwc + ebpf_windows + ebpf_android + evil_ebpf + bad_ebpf + ebpf_friends + ebpf_io + bpf_bsd_origin + ebpf_history_opensource + bpf_bsd_origin_bpf_page1 + index_register + bpf_bsd_origin_bpf_page5 + bpf_organicprogrammer_analysis + bpf_bsd_origin_bpf_page7 + bpf_bsd_origin_bpf_page8 + bpf_bsd_origin_bpf_page8 + bpf_bsd_origin_bpf_page1 + tcpdump_page + ebpf_funcs_by_ver + ebpf_funcs_by_ver + brendan_gregg_bpf_book + brendan_gregg_bpf_book + ebpf_io_arch ebpf_inst_set - ebpf_starovo_slides + 8664_inst_set_specs + ebpf_inst_set + ebpf_inst_set + ebpf_starovo_slides + ebpf_inst_set + ebpf_starovo_slides + ebpf_JIT + ebpf_JIT_demystify_page13 + ebpf_JIT_demystify_page14 + jit_enable_setting + ebpf_starovo_slides_page23 + brendan_gregg_bpf_book_bpf_vm diff --git a/docs/document.blg b/docs/document.blg index 0cb8286..16baa25 100644 --- a/docs/document.blg +++ b/docs/document.blg 
@@ -1,38 +1,47 @@ [0] Config.pm:311> INFO - This is Biber 2.16 [0] Config.pm:314> INFO - Logfile is 'document.blg' -[59] biber:340> INFO - === Tue May 24, 2022, 20:47:37 -[72] Biber.pm:415> INFO - Reading 'document.bcf' -[141] Biber.pm:952> INFO - Found 25 citekeys in bib section 0 -[156] Biber.pm:4340> INFO - Processing section 0 -[164] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0 -[166] bibtex.pm:1689> INFO - LaTeX decoding ... -[177] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib' -[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 9, warning: 1 characters of junk seen at toplevel -[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 15, warning: 1 characters of junk seen at toplevel -[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 22, warning: 1 characters of junk seen at toplevel -[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 28, warning: 1 characters of junk seen at toplevel -[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 35, warning: 1 characters of junk seen at toplevel -[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 42, warning: 1 characters of junk seen at toplevel -[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 50, warning: 1 characters of junk seen at toplevel -[263] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 58, warning: 1 characters of junk seen at toplevel -[263] Utils.pm:384> WARN - BibTeX subsystem: 
/tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 65, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 70, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 77, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 85, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 94, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 103, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 112, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 121, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 127, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 132, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 143, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 148, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> 
WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 154, warning: 1 characters of junk seen at toplevel -[264] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_ELaU/f4d088b3f9f145b5c3058da33afd57d4_129078.utf8, line 160, warning: 1 characters of junk seen at toplevel -[284] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized' -[284] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable' -[284] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US' -[284] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US' -[300] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8' -[306] bbl.pm:757> INFO - Output to document.bbl -[307] Biber.pm:128> INFO - WARNINGS: 22 +[57] biber:340> INFO - === Wed May 25, 2022, 21:58:47 +[69] Biber.pm:415> INFO - Reading 'document.bcf' +[139] Biber.pm:952> INFO - Found 32 citekeys in bib section 0 +[153] Biber.pm:4340> INFO - Processing section 0 +[161] Biber.pm:4531> INFO - Looking for bibtex format file 'bibliography/bibliography.bib' for section 0 +[163] bibtex.pm:1689> INFO - LaTeX decoding ... 
+[176] bibtex.pm:1494> INFO - Found BibTeX data source 'bibliography/bibliography.bib' +[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 9, warning: 1 characters of junk seen at toplevel +[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 15, warning: 1 characters of junk seen at toplevel +[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 22, warning: 1 characters of junk seen at toplevel +[266] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 28, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 35, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 42, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 50, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 58, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 65, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 70, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 77, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: 
/tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 85, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 94, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 103, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 112, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 121, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 127, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 132, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 137, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 148, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 153, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 159, warning: 1 characters of junk seen at toplevel +[267] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 165, warning: 1 characters of junk seen at toplevel +[267] 
Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 170, warning: 1 characters of junk seen at toplevel +[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 179, warning: 1 characters of junk seen at toplevel +[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 186, warning: 1 characters of junk seen at toplevel +[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 194, warning: 1 characters of junk seen at toplevel +[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 201, warning: 1 characters of junk seen at toplevel +[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 210, warning: 1 characters of junk seen at toplevel +[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 219, warning: 1 characters of junk seen at toplevel +[268] Utils.pm:384> WARN - BibTeX subsystem: /tmp/biber_tmp_rEOa/f4d088b3f9f145b5c3058da33afd57d4_134458.utf8, line 225, warning: 1 characters of junk seen at toplevel +[291] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'variable = shifted' with 'variable = non-ignorable' +[291] UCollate.pm:68> INFO - Overriding locale 'en-US' defaults 'normalization = NFD' with 'normalization = prenormalized' +[291] Biber.pm:4168> INFO - Sorting list 'none/global//global/global' of type 'entry' with template 'none' and locale 'en-US' +[291] Biber.pm:4174> INFO - No sort tailoring available for locale 'en-US' +[311] bbl.pm:654> INFO - Writing 'document.bbl' with encoding 'UTF-8' +[320] bbl.pm:757> INFO - Output to document.bbl +[320] Biber.pm:128> INFO - WARNINGS: 31 
diff --git a/docs/document.lof b/docs/document.lof index 3c4c6a9..b24b3f6 100644 --- a/docs/document.lof +++ b/docs/document.lof @@ -5,7 +5,7 @@ \defcounter {refsection}{0}\relax \addvspace {10\p@ } \defcounter {refsection}{0}\relax -\contentsline {figure}{\numberline {2.1}{\ignorespaces Sketch of the functionality of classic BPF\relax }}{5}{figure.caption.7}% +\contentsline {figure}{\numberline {2.1}{\ignorespaces Sketch of the functionality of classic BPF\relax }}{6}{figure.caption.7}% \defcounter {refsection}{0}\relax \contentsline {figure}{\numberline {2.2}{\ignorespaces Execution of a BPF filter.\relax }}{7}{figure.caption.8}% \defcounter {refsection}{0}\relax @@ -15,7 +15,9 @@ \defcounter {refsection}{0}\relax \contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode tcpdump needs to set a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}% \defcounter {refsection}{0}\relax -\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{10}{figure.caption.13}% +\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of figure \ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set with \textit {tcpdump}.\relax }}{11}{figure.caption.13}% +\defcounter {refsection}{0}\relax +\contentsline {figure}{\numberline {2.7}{\ignorespaces Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}% \defcounter {refsection}{0}\relax \addvspace {10\p@ } \defcounter {refsection}{0}\relax diff --git a/docs/document.log b/docs/document.log index 5eb719a..3718c3d 100644 --- a/docs/document.log +++ b/docs/document.log 
@@ -1,4 +1,4 @@ -This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 24 MAY 2022 20:52 +This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020/Debian) (preloaded format=pdflatex 2022.4.27) 25 MAY 2022 21:59 entering extended mode restricted \write18 enabled. %&-line parsing enabled. @@ -1089,7 +1089,7 @@ File: t1txss.fd 2000/12/15 v3.1 ) LaTeX Font Info: Font shape `T1/txss/m/n' will be (Font) scaled to size 11.39996pt on input line 186. - + File: images//Portada_Logo.png Graphic file (type png) Package pdftex.def Info: images//Portada_Logo.png used on input line 190. @@ -1102,7 +1102,7 @@ LaTeX Font Info: Font shape `T1/txss/m/n' will be (Font) scaled to size 23.63593pt on input line 201. LaTeX Font Info: Font shape `T1/txss/m/n' will be (Font) scaled to size 19.70294pt on input line 205. - + File: images/creativecommons.png Graphic file (type png) Package pdftex.def Info: images/creativecommons.png used on input line 215. 
@@ -1210,88 +1210,116 @@ Overfull \hbox (0.50073pt too wide) in paragraph at lines 355--356 [3] [4] Chapter 2. - + +LaTeX Warning: Reference `section:analysis_offensive_capabilities' on page 5 un +defined on input line 412. + + File: images//classic_bpf.jpg Graphic file (type jpg) -Package pdftex.def Info: images//classic_bpf.jpg used on input line 423. +Package pdftex.def Info: images//classic_bpf.jpg used on input line 426. (pdftex.def) Requested size: 341.43306pt x 251.12224pt. [5 - <./images//classic_bpf.jpg>] - +] [6 <./images//classic_bpf.jpg>] + File: images//cbpf_prog.jpg Graphic file (type jpg) -Package pdftex.def Info: images//cbpf_prog.jpg used on input line 450. +Package pdftex.def Info: images//cbpf_prog.jpg used on input line 453. (pdftex.def) Requested size: 227.62204pt x 254.80415pt. - [6] [7 <./images/cBPF_prog.jpg>] - + [7 <./images/cBPF_prog.jpg>] + File: images//bpf_instructions.png Graphic file (type png) -Package pdftex.def Info: images//bpf_instructions.png used on input line 490. +Package pdftex.def Info: images//bpf_instructions.png used on input line 493. (pdftex.def) Requested size: 227.62204pt x 283.99998pt. [8 <./images//bpf_instructions.png>] - + File: images//bpf_address_mode.png Graphic file (type png) -Package pdftex.def Info: images//bpf_address_mode.png used on input line 506. +Package pdftex.def Info: images//bpf_address_mode.png used on input line 509. (pdftex.def) Requested size: 227.62204pt x 171.19905pt. LaTeX Font Info: Font shape `T1/txr/b/it' in size <12> not available -(Font) Font shape `T1/txr/bx/it' tried instead on input line 514. - +(Font) Font shape `T1/txr/bx/it' tried instead on input line 517. + [9 <./images//bpf_address_mode.png>] + File: images//tcpdump_example.png Graphic file (type png) -Package pdftex.def Info: images//tcpdump_example.png used on input line 521. +Package pdftex.def Info: images//tcpdump_example.png used on input line 524. (pdftex.def) Requested size: 284.52756pt x 241.82869pt. 
- [9 <./images//bpf_address_mode.png>] - + File: images//cBPF_prog_ex_sol.png Graphic file (type png) -Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 532. +Package pdftex.def Info: images//cBPF_prog_ex_sol.png used on input line 535. (pdftex.def) Requested size: 170.71652pt x 225.74026pt. - [10 <./images//tcpdump_example.png> <./images//cBPF_prog_ex_sol.png>] -Overfull \hbox (3.10062pt too wide) in paragraph at lines 586--603 + [10 <./images//tcpdump_example.png>] [11 <./images//cBPF_prog_ex_sol.png>] + +File: images//ebpf_arch.jpg Graphic file (type jpg) + +Package pdftex.def Info: images//ebpf_arch.jpg used on input line 574. +(pdftex.def) Requested size: 426.79134pt x 272.75464pt. + [12 <./images//ebpf_arch.jpg>] +Overfull \hbox (3.10062pt too wide) in paragraph at lines 601--618 [][] [] -[11] [12] +[13] +Overfull \hbox (17.02478pt too wide) in paragraph at lines 627--628 +[]\T1/txr/m/n/12 Therefore, when us-ing JIT com-pil-ing (a set-ting de-fined by + the vari-able \T1/txr/m/it/12 bpf_jit_enable\T1/txr/m/n/12 [[][]30[][]], + [] + +[14] Chapter 3. -[13 - -] -Chapter 4. -[14 - -] -Chapter 5. [15 +] +Chapter 4. +[16 + +] +Chapter 5. +[17 + ] LaTeX Font Info: Trying to load font information for T1+txtt on input line 6 -45. +76. (/usr/share/texlive/texmf-dist/tex/latex/txfonts/t1txtt.fd File: t1txtt.fd 2000/12/15 v3.1 ) -Overfull \hbox (5.34976pt too wide) in paragraph at lines 646--646 +Overfull \hbox (5.34976pt too wide) in paragraph at lines 677--677 \T1/txtt/m/n/12 threat -[] intelligence / cyber -[] year -[] in -[] retrospect / yir -[] cyber -[] threats -[] [] -[16 +[18 ] -Overfull \hbox (6.22696pt too wide) in paragraph at lines 646--646 +Overfull \hbox (6.22696pt too wide) in paragraph at lines 677--677 []\T1/txr/m/it/12 Bpf fea-tures by linux ker-nel ver-sion\T1/txr/m/n/12 , io-vi -sor. [On-line]. Avail-able: [][]$\T1/txtt/m/n/12 https : / / github . 
[] -Overfull \hbox (21.24973pt too wide) in paragraph at lines 646--646 +Overfull \hbox (7.34976pt too wide) in paragraph at lines 677--677 +[][]$\T1/txtt/m/n/12 https : / / ebpf . io / what -[] is -[] ebpf / #loader -[] +-[] verification -[] architecture$[][]\T1/txr/m/n/12 . + [] + + +Overfull \hbox (21.24973pt too wide) in paragraph at lines 677--677 \T1/txtt/m/n/12 vger . kernel . org / netconf2015Starovoitov -[] bpf _ collabsu mmit _ 2015feb20 . [] -[17] [1 +[19] +Overfull \hbox (9.14975pt too wide) in paragraph at lines 677--677 +\T1/txtt/m/n/12 ch02 . xhtml# :-[]: text = With % 20JIT % 20compiled % 20code % + 2C % 20i ,[] %20other % + [] + +[20] [1 ] 
@@ -1302,30 +1330,24 @@ pdfTeX warning (ext4): destination with the same identifier (name{page.}) has b een already used, duplicate ignored \relax -l.662 \end{document} +l.693 \end{document} [2 ] (./document.aux) -LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right. +LaTeX Warning: There were undefined references. - -Package rerunfilecheck Warning: File `document.out' has changed. -(rerunfilecheck) Rerun to get outlines right -(rerunfilecheck) or use package `bookmark'. - -Package rerunfilecheck Info: Checksums for `document.out': -(rerunfilecheck) Before: 260AE7FF5C653A434FB11872FD491CEC;1464 -(rerunfilecheck) After: 78EEF05F3FA16DD01514ABFEEF3266FA;1536. +Package rerunfilecheck Info: File `document.out' has not changed. +(rerunfilecheck) Checksum: 66497A77734FDFAA905ECBF53B99BCD1;1610. Package logreq Info: Writing requests to 'document.run.xml'. \openout1 = `document.run.xml'. ) Here is how much of TeX's memory you used: - 27329 strings out of 481209 - 434770 string characters out of 5914747 - 1172582 words of memory out of 5000000 - 43751 multiletter control sequences out of 15000+600000 + 27367 strings out of 481209 + 436043 string characters out of 5914747 + 1175417 words of memory out of 5000000 + 43776 multiletter control sequences out of 15000+600000 456974 words of font info for 103 fonts, out of 8000000 for 9000 36 hyphenation exceptions out of 8191 88i,11n,90p,1029b,3093s stack positions out of 5000i,500n,10000p,200000b,80000s 
@@ -1340,9 +1362,9 @@ texmf-dist/fonts/type1/urw/helvetic/uhvr8a.pfb> -Output written on document.pdf (33 pages, 495134 bytes). +Output written on document.pdf (36 pages, 573346 bytes). PDF statistics: - 523 PDF objects out of 1000 (max. 8388607) - 93 named destinations out of 1000 (max. 500000) - 213 words of extra memory for PDF output out of 10000 (max. 10000000) + 591 PDF objects out of 1000 (max. 8388607) + 105 named destinations out of 1000 (max. 500000) + 234 words of extra memory for PDF output out of 10000 (max. 10000000) diff --git a/docs/document.lot b/docs/document.lot index b7d317f..c7e447c 100644 --- a/docs/document.lot +++ b/docs/document.lot 
@@ -5,13 +5,13 @@ \defcounter {refsection}{0}\relax \addvspace {10\p@ } \defcounter {refsection}{0}\relax -\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{7}{table.caption.9}% +\contentsline {table}{\numberline {2.1}{\ignorespaces Table showing BPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{8}{table.caption.9}% \defcounter {refsection}{0}\relax -\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{11}{table.caption.14}% +\contentsline {table}{\numberline {2.2}{\ignorespaces Table showing relevant eBPF updates. Note that only those relevant for our research objectives are shown. This is a selection of the official complete table at \cite {ebpf_funcs_by_ver}.\relax }}{12}{table.caption.14}% \defcounter {refsection}{0}\relax -\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{11}{table.caption.15}% +\contentsline {table}{\numberline {2.3}{\ignorespaces Table showing eBPF instruction format. 
It is a fixed-length 64 bit instruction, the number of bits used by each field are indicated.\relax }}{13}{table.caption.16}% \defcounter {refsection}{0}\relax -\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{12}{table.caption.16}% +\contentsline {table}{\numberline {2.4}{\ignorespaces Table showing eBPF registers and their purpose in the BPF VM.\cite {ebpf_inst_set}\cite {ebpf_starovo_slides}.\relax }}{13}{table.caption.17}% \defcounter {refsection}{0}\relax \addvspace {10\p@ } \defcounter {refsection}{0}\relax diff --git a/docs/document.out b/docs/document.out index 9cf83d0..3543f55 100644 --- a/docs/document.out +++ b/docs/document.out @@ -13,9 +13,10 @@ \BOOKMARK [2][-]{subsection.2.1.4}{BPF\040bytecode\040instruction\040format}{section.2.1}% 13 \BOOKMARK [2][-]{subsection.2.1.5}{An\040example\040of\040BPF\040filter\040-\040tcpdump}{section.2.1}% 14 \BOOKMARK [1][-]{section.2.2}{Analysis\040of\040modern\040eBPF}{chapter.2}% 15 -\BOOKMARK [2][-]{subsection.2.2.1}{Architecture\040of\040eBPF}{section.2.2}% 16 +\BOOKMARK [2][-]{subsection.2.2.1}{eBPF\040instruction\040set}{section.2.2}% 16 \BOOKMARK [2][-]{subsection.2.2.2}{JIT\040compilation}{section.2.2}% 17 -\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 18 -\BOOKMARK [0][-]{chapter.4}{Results}{}% 19 -\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 20 -\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 21 +\BOOKMARK [2][-]{subsection.2.2.3}{eBPF\040architecture}{section.2.2}% 18 +\BOOKMARK [0][-]{chapter.3}{Methods??}{}% 19 +\BOOKMARK [0][-]{chapter.4}{Results}{}% 20 +\BOOKMARK [0][-]{chapter.5}{Conclusion\040and\040future\040work}{}% 21 +\BOOKMARK [0][-]{chapter.5}{Bibliography}{}% 22 diff --git a/docs/document.pdf b/docs/document.pdf index 43661a0..406adf2 100644 Binary files a/docs/document.pdf and b/docs/document.pdf differ 
diff --git a/docs/document.synctex.gz b/docs/document.synctex.gz index 91dba10..3b2bef0 100644 Binary files a/docs/document.synctex.gz and b/docs/document.synctex.gz differ diff --git a/docs/document.tex b/docs/document.tex index 4857d98..a674193 100644 --- a/docs/document.tex +++ b/docs/document.tex 
@@ -409,8 +409,11 @@ The rootkit will work in a fresh-install of a Linux system with the following ch % I WILL NOT INCLUDE A ROOTKIT BACKGROUND, considering that a deep study of that is not fully relevant for us. I explained what it is, its two main types (should we include bootkits, maybe?) and its relation with eBPF in the introduction, since it is needed to introduce the overall context. Should we do otherwise? This chapter is dedicated to an study of the eBPF technology. Firstly, we will analyse its origins, understanding what it is and how it works, and discuss the reasons why it is a necessary component of the Linux kernel today. Afterwards, we will cover the main features of eBPF in detail. Finally, an study of the existing alternatives for developing eBPF applications will be also included. +Although during our discussion of the offensive capabilities of eBPF in section\ref{section:analysis_offensive_capabilities} we use a library that will provide us with a layer of abstraction over the underlying operations, this background is needed to understand how eBPF is embedded in the kernel and which capabilities and limits we can expect to achieve with it. + \section{eBPF history - Classic BPF} % Is it ok to have sections / chapters without individual intros? +In this section we will detail the origins of eBPF in the Linux kernel. By offering us background into the earlier versions of the system, the goal is to acquire insight on the design decisions included in modern versions of eBPF. \subsection{Introduction to the BPF system} Nowadays eBPF is not officially considered to be an acronym anymore\cite{ebpf_io}, but it remains largely known as "extended Berkeley Packet Filters", given its roots in the Berkeley Packet Filter (BPF) technology, now known as classic BPF. 
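Review bot: The added `\ref{section:analysis_offensive_capabilities}` points at a label that none of the visible hunks define, and the document.log committed with this change reports it as undefined on input line 412, so the PDF prints `??` at that spot. Either add the matching `\label` to the target section in the same commit or hold this sentence back until that section exists. The reference is also glued to the preceding word; `section~\ref{section:analysis_offensive_capabilities}` gives the missing space and keeps the number from breaking onto the next line.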
@@ -425,11 +428,11 @@ BPF was introduced in 1992 by Steven McCanne and Van Jacobson in the paper "The \label{fig:classif_bpf} \end{figure} -Figure \ref{fig:classif_bpf} shows how BPF was integrated in the existing network packet processing by the kernel. After receiving a packet, it would first be analysed by BPF filters, programs directly developed by the user. The filter decides whether the packet is to be accepted by analysing the packet properties, such as its length or the type and values of its headers. If a packet is accepted, the filter proceeds to decide how many bytes of the original buffer are passed to the application at the user space. Otherwise, the packet is redirected to the original network stack, where it is managed as usual. +Figure \ref{fig:classif_bpf} shows how BPF was integrated in the existing network packet processing by the kernel. After receiving a packet via the Network Interface Controller (NIC) driver, it would first be analysed by BPF filters, which are programs directly developed by the user. This filter decides whether the packet is to be accepted by analysing the packet properties, such as its length or the type and values of its headers. If a packet is accepted, the filter proceeds to decide how many bytes of the original buffer are passed to the application at the user space. Otherwise, the packet is redirected to the original network stack, where it is managed as usual. -\subsection{The BPF virtual machine} -In a technical level, BPF comprises both the BPF filter programs developed by the user and the BPF module included in the kernel which allows for loading and running the BPF filters. This BPF module in the kernel works as a virtual machine\cite{bpf_bsd_origin_bpf_page1}. Therefore, it is usually referred as the BPF Virtual Machine (BPF VM). 
The BPF VM comprises the following components: +\subsection{The BPF virtual machine} \label{section:bpf_vm} +In a technical level, BPF comprises both the BPF filter programs developed by the user and the BPF module included in the kernel which allows for loading and running the BPF filters. This BPF module in the kernel works as a virtual machine\cite{bpf_bsd_origin_bpf_page1}, meaning that it parses and interprets the filter program by providing simulated components needed for its execution, turning into a software-based CPU. Because of this reason, it is usually referred as the BPF Virtual Machine (BPF VM). The BPF VM comprises the following components: \begin{itemize} \item \textbf{An accumulator register}, used to store intermediate values of operations. \item \textbf{An index register}, used to modify operand addresses, it is usually incorporated to optimize vector operations\cite{index_register}. @@ -439,7 +442,7 @@ In a technical level, BPF comprises both the BPF filter programs developed by th \subsection{Analysis of a BPF filter program} -The components of the BPF VM are used to support running BPF filter programs. A BPF filter is implemented as a boolean function: +As we mentioned in section \ref{section:bpf_vm}, the components of the BPF VM are used to support running BPF filter programs. A BPF filter is implemented as a boolean function: \begin{itemize} \item If it returns \textit{true}, the kernel copies the packet to the application. \item If it returns \textit{false}, the packet is not accepted by the filter (and thus the network stack will be the next to operate it). 
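Review bot: The label added on the subsection heading, `\label{section:bpf_vm}`, uses the `section:` prefix, while the subsection label added later in this commit uses `subsection:` (`\label{subsection:ebpf_inst_set}`). Using one scheme keeps references greppable, so I would write `\subsection{The BPF virtual machine} \label{subsection:bpf_vm}` and update the `\ref{section:bpf_vm}` in the following hunk (`@@ -439,7 +442,7 @@`) to match. That sentence could then read `As we mentioned in subsection~\ref{subsection:bpf_vm}`, which matches the sectioning level the number refers to.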
@@ -525,7 +528,7 @@ At the time, by filtering packets before they are handled by the kernel instead Figure \ref{fig:bpf_tcpdump_example} shows how tcpdump sets a filter to display traffic directed to all interfaces (\textit{-i any}) directed to port 80. Flag \textit{-d} instructs tcpdump to display BPF bytecode. -In the example, using the \textit{jf} and \textit{jt} fields, we can label the nodes of the CFG described by the BPF filter. Figure \ref{fig:tcpdump_ex_sol} is the shortest graph path that a true comparison will need to follow to be accepted by the filter. Note how instruction 010 is checking the value 80, the one our filter is looking for in the port. +In the example, using the \textit{jf} and \textit{jt} fields, we can label the nodes of the CFG described by the BPF filter. Figure \ref{fig:tcpdump_ex_sol} describes the shortest graph path that a true comparison will need to follow to be accepted by the filter. Note how instruction 010 is checking the value 80, the one our filter is looking for in the port. \begin{figure}[H] \centering 
@@ -535,8 +538,9 @@ In the example, using the \textit{jf} and \textit{jt} fields, we can label the n \end{figure} \section{Analysis of modern eBPF} -\subsection{Architecture of eBPF} -The addition of classic BPF in the Linux kernel set the foundations of eBPF, but nowadays it has already extended its presence to many other components other than traffic filtering. Table \ref{table:ebpf_history} shows the main updates that were incorporated and shaped modern eBPF of today. +This section discusses the current state of modern eBPF in the Linux kernel. By building on the previous architecture described in classic BPF, we will be able to provide a comprehensive picture of the underlying infrastructure in which eBPF relies today. + +The addition of classic BPF in the Linux kernel set the foundations of eBPF, but nowadays it has already extended its presence to many other components other than traffic filtering. Similarly to how BPF filters were included in the networking module of the Linux kernel, we will now study the necessary changes made in the kernel to support these new program types. Table \ref{table:ebpf_history} shows the main updates that were incorporated and shaped modern eBPF of today. \begin{table}[H] \begin{tabular}{|c|c|c|} @@ -548,7 +552,6 @@ Description & Kernel version & Year\\ \textit{BPF+}: New JIT assembler & 3.0 & 2011\\ \textit{eBPF}: Added eBPF support & 3.15 & 2014\\ \textit New bpf() syscall & 3.18 & 2014\\ -\textit eBPF for sockets & 3.19 & 2015\\ \textit Introduction of eBPF maps & 3.19 & 2015\\ \textit eBPF attached to kprobes & 4.1 & 2015\\ \textit Introduction of Traffic Control & 4.5 & 2016\\ 
@@ -564,6 +567,18 @@ Description & Kernel version & Year\\ As it can be observed in the table above, the main breakthrough happened in the 3.15 version, where Alexei Starovoitov, along with Daniel Borkmann, decided to expand the capabilities of BPF by remodelling the BPF instruction set and overall architecture\cite{brendan_gregg_bpf_book}. +Figure \ref{fig:ebpf_architecture} offers an overview of the current eBPF architecture. During the subsequent subsections, we will proceed to explain its components in detail. + +\begin{figure}[H] + \centering + \includegraphics[width=15cm]{ebpf_arch.jpg} + \caption{Figure showing overall eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on\cite{brendan_gregg_bpf_book} and \cite{ebpf_io_arch}.} + \label{fig:ebpf_architecture} +\end{figure} + +\subsection{eBPF instruction set} \label{subsection:ebpf_inst_set} +The eBPF update included a complete remodel of the instruction set architecture (ISA) of the BPF VM. Therefore, eBPF programs will need to follow the new architecture in order to be interpreted as valid and executed. + \begin{table}[H] \begin{tabular}{|c|c|c|c|c|c|} \hline 
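Review bot: The sentence added under `\subsection{eBPF instruction set}` says programs must follow the new architecture "in order to be interpreted as valid and executed", which blurs where validity is decided. The figure caption added just above describes "the process of loading an eBPF program" and cites a source on loader and verification architecture, so acceptance presumably happens at load time, before anything is interpreted. I would write `Therefore, eBPF programs must be encoded in the new ISA to be accepted at load time and executed.` and name the verifier once the later architecture subsection introduces it. In the figure, `width=15cm` is a fixed length that can overflow the text block; `width=\textwidth` follows the page layout. The citations in the caption also need ties: `Based on~\cite{brendan_gregg_bpf_book} and~\cite{ebpf_io_arch}`.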
@@ -577,7 +592,7 @@ BITS & 32 & 16 & 4 & 4 & 8\\ \end{table} -Table \ref{table:ebpf_inst_format} shows the new instruction format for eBPF programs\cite{ebpf_inst_set}. The new fields are similar to x86\_64 assembly, incorporating the typically found immediate and offset fields, and source and destination registers\cite{8664_inst_set_specs}. +Table \ref{table:ebpf_inst_format} shows the new instruction format for eBPF programs\cite{ebpf_inst_set}. The new fields are similar to x86\_64 assembly, incorporating the typically found immediate and offset fields, and source and destination registers\cite{8664_inst_set_specs}. Similarly, the instruction set is extended to be similar to the one typically found on x86\_64 systems, the complete list can be consulted in the official documentation\cite{ebpf_inst_set}. %Should I talk about assembly or this more in detail? With respect to the BPF VM registers, they get extended from 32 to 64 bits of length, and the number of registers is incremented to 10, instead of the original accumulator and index registers. These registers are also adapted to be similar to those in assembly, as it is shown in table \ref{table:ebpf_regs}. 
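Review bot: The sentence appended after the x86\_64 comparison is a comma splice and repeats "Similarly … similar". It reads better split in two: `The instruction set is likewise extended to resemble the one typically found on x86\_64 systems. The complete list can be consulted in the official documentation\cite{ebpf_inst_set}.` The paragraph on the BPF VM registers that follows is unchanged context and continues outside the hunk.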
@@ -605,7 +620,23 @@ r10 & rbp & Frame pointer for stack, read only\\ \end{table} \subsection{JIT compilation} -The p +We mentioned in subsection \ref{subsection:ebpf_inst_set} that eBPF registers and instructions describe an almost one-to-one correspondence to those in x86 assembly. This is in fact not a coincidence, but rather it is with the purpose of improving a functionality that was included in Linux kernel 3.0, called Just-in-Time (JIT) compilation\cite{ebpf_JIT}\cite{ebpf_JIT_demystify_page13}. + +JIT compiling is an extra step that optimizes the execution speed of eBPF programs. It consists of translating BPF bytecode into machine-specific instructions, so that they run as fast as native code in the kernel. Machine instructions are generated during runtime, written directly into executable memory and executed there\cite{ebpf_JIT_demystify_page14}. + +Therefore, when using JIT compiling (a setting defined by the variable \textit{bpf\_jit\_enable}\cite{jit_enable_setting}, BPF registers are translated into machine-specific registers following their one-to-one mapping and bytecode instructions are translated into machine-specific instructions\cite{ebpf_starovo_slides_page23}. There no longer exists an interpretation step by the BPF VM, since we can execute the code directly\cite{brendan_gregg_bpf_book_bpf_vm}. + +The programs developed during this project will always have JIT compiling active. + + +\subsection{eBPF architecture} +Provided the instruction set architecture (ISA) described in section + + + + + + diff --git a/docs/document.toc b/docs/document.toc index 30dd9d9..1122e26 100644 --- a/docs/document.toc +++ b/docs/document.toc 
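Review bot: The parenthesis opened in the third JIT paragraph at "(a setting defined by the variable" is never closed, so the aside runs into the main clause. It should end `\textit{bpf\_jit\_enable}\cite{jit_enable_setting}), BPF registers are translated ...`. The claims "There no longer exists an interpretation step" and "The programs developed during this project will always have JIT compiling active" hold only when the JIT is enabled on the target kernel. The text should state the `net.core.bpf_jit_enable` value used, or that the kernel is built with `CONFIG_BPF_JIT_ALWAYS_ON`, so a reader knows whether the interpreter fallback can occur. Since the paragraph notes that generated code is written into executable memory, the hardening setting `net.core.bpf_jit_harden` would be worth recording alongside it. The new `\subsection{eBPF architecture}` ends mid-sentence at "described in section" with no `\ref`, so it needs completing or removing before merge.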
@@ -23,23 +23,25 @@ \defcounter {refsection}{0}\relax \contentsline {subsection}{\numberline {2.1.2}The BPF virtual machine}{6}{subsection.2.1.2}% \defcounter {refsection}{0}\relax -\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{6}{subsection.2.1.3}% +\contentsline {subsection}{\numberline {2.1.3}Analysis of a BPF filter program}{7}{subsection.2.1.3}% \defcounter {refsection}{0}\relax -\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{7}{subsection.2.1.4}% +\contentsline {subsection}{\numberline {2.1.4}BPF bytecode instruction format}{8}{subsection.2.1.4}% \defcounter {refsection}{0}\relax -\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{9}{subsection.2.1.5}% +\contentsline {subsection}{\numberline {2.1.5}An example of BPF filter - \textit {tcpdump}}{10}{subsection.2.1.5}% \defcounter {refsection}{0}\relax \contentsline {section}{\numberline {2.2}Analysis of modern eBPF}{11}{section.2.2}% \defcounter {refsection}{0}\relax -\contentsline {subsection}{\numberline {2.2.1}Architecture of eBPF}{11}{subsection.2.2.1}% +\contentsline {subsection}{\numberline {2.2.1}eBPF instruction set}{13}{subsection.2.2.1}% \defcounter {refsection}{0}\relax -\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{12}{subsection.2.2.2}% +\contentsline {subsection}{\numberline {2.2.2}JIT compilation}{13}{subsection.2.2.2}% \defcounter {refsection}{0}\relax -\contentsline {chapter}{\numberline {3}Methods??}{13}{chapter.3}% +\contentsline {subsection}{\numberline {2.2.3}eBPF architecture}{14}{subsection.2.2.3}% \defcounter {refsection}{0}\relax -\contentsline {chapter}{\numberline {4}Results}{14}{chapter.4}% +\contentsline {chapter}{\numberline {3}Methods??}{15}{chapter.3}% \defcounter {refsection}{0}\relax -\contentsline {chapter}{\numberline {5}Conclusion and future work}{15}{chapter.5}% +\contentsline {chapter}{\numberline {4}Results}{16}{chapter.4}% \defcounter 
{refsection}{0}\relax -\contentsline {chapter}{Bibliography}{16}{chapter.5}% +\contentsline {chapter}{\numberline {5}Conclusion and future work}{17}{chapter.5}% +\defcounter {refsection}{0}\relax +\contentsline {chapter}{Bibliography}{18}{chapter.5}% \contentsfinish diff --git a/docs/images/ebpf_arch.jpg b/docs/images/ebpf_arch.jpg new file mode 100644 index 0000000..abde9fd Binary files /dev/null and b/docs/images/ebpf_arch.jpg differ diff --git a/docs/pdfa.xmpi b/docs/pdfa.xmpi index 6b528e1..206b025 100644 --- a/docs/pdfa.xmpi +++ b/docs/pdfa.xmpi @@ -73,15 +73,15 @@ LaTeX with hyperref - 2022-05-24T20:52:21-04:00 - 2022-05-24T20:52:21-04:00 - 2022-05-24T20:52:21-04:00 + 2022-05-25T21:59:30-04:00 + 2022-05-25T21:59:30-04:00 + 2022-05-25T21:59:30-04:00 uuid:467B87E0-A1EA-A037-7CB7-0477245DEBC3 - uuid:7FB75CFF-80A8-7F24-B8F1-755FFABF2F4A + uuid:AED25E85-D80C-CF5E-E310-D04CC694E463