Description
The eBPF Track is going to bring together developers, maintainers, and other contributors from all around the globe to discuss improvements to the Linux kernel’s eBPF subsystem and its surrounding user space ecosystem such as libraries, loaders, compiler backends, related system tooling as well as eBPF use cases.
The gathering is designed to foster collaboration and face to face discussion of ongoing development topics as well as to encourage bringing new ideas into the development community for the advancement of the eBPF subsystem.
The track will be composed of talks, 30 minutes in length (including Q&A discussion).
eBPF Track's technical committee: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko and Martin Lau.
-
Paul Chaignon (Isovalent)19/09/2024, 10:00
Over the past ten years, many fuzzers have been written specifically for the BPF subsystem. They follow diverse strategies, either porting the verifier to userspace [1, 2], describing the BPF syntax in details [3, 4], or devising new test oracles [5, 6]. Several such fuzzers have uncovered bugs and vulnerabilities, but none has a very good coverage of the whole BPF subsystem.
This talk will...
Go to contribution page -
Juan Jose Lopez Jaimez (Google)19/09/2024, 10:30
In 2023, we open sourced buzzer: A library to construct random, syntactically valid, eBPF programs, with the objective of validating the security assumptions of the verifier. Since then we have also developed new features into buzzer like coverage tracking and support for things like function calls and BTF.
The purpose of the talk is to share some of the lessons learned, what did/didn’t...
Go to contribution page -
Zhe Wang (Institute of Computing Technology, Chinese Academy of Sciences)19/09/2024, 11:00
While eBPF has been used in various scenarios, it presents two issues in use. The first is the complexity issue, where legal programs may fail in the verification due to the verifier’s limited capabilities. Researchers have resorted to ‘’verifier-oriented programming‘’ to circumvent this issue, such as masking memory accesses to reduce the verification complexity. Even so, it remains a...
Go to contribution page -
Paul Chaignon (Isovalent)19/09/2024, 12:00
First presented to the community at Linux Plumbers 2023 [1], Agni is a tool designed to formally verify the correctness of the verifier's range analysis. Agni automatically converts the verifier's source code into an SMT problem, which is then fed into the Z3 solver to check the soundness of the range analysis logic.
This talk will provide an update on Agni's recent developments. In...
Go to contribution page -
Hao Sun (ETH Zurich)19/09/2024, 12:30
This talk will present our approach to enhancing the eBPF verifier's precision: lazy abstraction refinement with proof. We will begin by discussing the fundamental sources of imprecision in the current verifier and reviewing relevant efforts towards these issues. Next, we will show how a proof-based approach can potentially improve precision without introducing much complexity. We achieve this...
Go to contribution page -
Shung-Hsi Yu (SUSE)19/09/2024, 13:00
Despite its vast use in the BPF verifier, tnum (tristate numbers or tracked numbers, i.e.
Go to contribution pagevar_offfield instruct bpf_reg_state) remain less understood compared to its more intuitive min/max counter parts, and for good reason (also perhaps to its own peril) — it works very well and comes with a comprehensive set of APIs; leaving little reason for further mangling and... -
Daniel Xu (Facebook)19/09/2024, 15:00
bpftrace is a popular and powerful dynamic tracer for Linux systems. In the vast majority of uses cases, bpftrace does its job quickly, efficiently, and accurately. However with the rapid increase of users, use cases, and features, the bpftrace community has started to feel (technical) growing pains. In particular, we've started to uncover various reliability issues. In this talk, we will...
Go to contribution page -
Viktor Malik (Red Hat)19/09/2024, 15:30
bpftrace is a popular, BPF-powered tool for observability of both the kernel and userspace. It comes with a domain-specific language, bpfscript, which it compiles into BPF bytecode.
In the past year, bpftrace modernized the way it creates BPF programs by making the emitted BPF ELF objects compatible with libbpf's bpf_object. This allows bpftrace to use modern BPF features such as...
Go to contribution page -
Yonghong Song (Meta), Alan Maguire (Oracle)19/09/2024, 16:00
Bpf provides ability to trace kernel functions (kprobe, kretprobe, fentry and fexit) and users often use such features to do kernel function tracing in order to gather information for their particular needs. But compiler optimization may make kernel func tracing difficulty. For example, complete inlining may make function going away in symbol table. Partial inlining may leave functions in...
Go to contribution page -
Alan Maguire (Oracle)19/09/2024, 17:00
There have been many improvements in reducing the overhead associated with user-space probes (uprobes) such as using system calls instead of traps to fire the probe. However it remains the fact that there is significant overhead associated with uprobe firing. Add to this that in many tracing cases, the predicate associated with the probe is negative;
- is execname == "foo"?
- is pid ==...
-
Song Liu (Meta), KP Singh (Google), Matt Bobrowski (Google)19/09/2024, 17:30
BPF LSM enables implementing flexible security policies without rebuilding the kernel. However, the flexibility and safety of BPF LSM comes with the limitation that not all kernel functions are available to the BPF programs. The answer to this limitation is BPF kfuncs. Since LPC 2024, a few important kfuncs are added (or being added) for BPF LSM use cases. [1][2][3]
In this talk, we would...
Go to contribution page -
Sean Young19/09/2024, 18:00
An quick intro to infrared on Linux, and introduce new tool called cir
Intro needed for context of what we're trying to do with finite automations.
https://github.com/seanyoung/cir
Show how to use finite automations to generate efficient BPF code
Compiles IRP mini language to BPF (in a single binary/process, written in pure rust).
- Parse IRP language, convert to...
-
Arpad Kiss20/09/2024, 10:00
While the BPF platform brings unique advantages not available elsewhere, it's rarely used in applications outside of the kernel. The natural explanation is to point out BPF's current limitations, and argue that it's only capable of supporting small, specialized programs.
To challenge these limitations, we venture into user-space with a suite of example projects, including a complete BPF...
Go to contribution page -
Kumar Kartikeya Dwivedi (EPFL)20/09/2024, 10:30
The ability to safely extend OS kernel functionality is a longstanding goal in OS design, with the widespread use of the eBPF framework in Linux and Windows only underlining the benefits of such extensibility. However, existing approaches to kernel extensibility constrain users in the extent of functionality that can be offloaded to the kernel or the performance overheads incurred by their...
Go to contribution page -
Gray Liang (Isovalent at Cisco), Martynas Pumputis (Isovalent at Cisco)20/09/2024, 11:00
During our involvement in the development of Cloud Native networking for almost a decade, we learned the hard way that troubleshooting networking problems even in a small environment can turn into a nightmare. Many complexities stem from the Linux kernel itself - sending a packet involves dozens of kernel functions from different subsystems. Traditional tools such as tcpdump fall short, as...
Go to contribution page -
Paul McKenney (Facebook), Puranjay Mohan (Amazon)20/09/2024, 12:00
This presentation will focus on the tooling for the BPF instruction-level memory model, an early prototype of which was demonstrated at LSF/MM/BPF. New features include control dependencies based on conditional branches along with additional atomic operations. This demo will include instruction on how to build the tooling and how to run it, along with some examples.
Attendees will be able...
Go to contribution page -
Luis Gerhorst (Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU))20/09/2024, 12:30
To mitigate the Spectre-PHT (v1) vulnerability, mitigations which reject potentially-dangerous unprivileged eBPF programs have been merged into the kernel [1]. To assess their potential real-world impact, we analyze 364 object files from open source projects (Linux Samples and Selftests, BCC, Loxilb, Cilium, libbpf Examples, Parca, and Prevail) and find that this affects 31% to 54% of...
Go to contribution page -
Dimitrios Skarlatos (Carnegie Mellon University), Kaiyang Zhao (Carnegie Mellon University)20/09/2024, 13:00
The increase in memory capacity in datacenters, coupled with the proliferation of memory-intensive applications, has made memory management a significant performance bottleneck. This issue is poised to worsen due to several factors, such as the inherent hardware limits of TLB scaling and the advent of terabyte-scale memory capacity through technologies like CXL.
In this talk, I will present...
Go to contribution page -
Anton Protopopov (Isovalent)20/09/2024, 15:00
Previous work on implementing the Static Keys for BPF [1], [2] led to the introduction of an "instruction set" map. This map contains pointers to xlated BPF instructions and is relocated accordingly during load and verification.
The instructions set map can be further used to verify indirect jump instructions in BPF, which wasn't approachable before. Namely, a
Go to contribution pagegoto Rxinstruction can be... -
Arthur Fabre (Cloudflare), Jakub Sitnicki (Cloudflare)20/09/2024, 15:30
Currently, the only way to attach a piece of information to an [
sk_buff][1] that will travel with it through the network stack is the [mark field][2].Once set, the mark can be read in firewall rules, used to drive routing, and accessed by BPF programs, among other uses. This versatility leads to fierce competition over the mark’s bits. Being just 32 bits wide, it often ends up limiting...
Go to contribution page -
Kumar Kartikeya Dwivedi (EPFL)20/09/2024, 16:00
Datacenter workloads have demanding performance requirements, including the need for high throughput and low tail latency while maintaining high server utilization. While modern hardware is compatible with these goals, overheads and inefficiencies in today's operating systems remain a critical bottleneck. Several research proposals aim to address this problem by designing dataplane OSes with...
Go to contribution page -
Juntong Deng (Student)20/09/2024, 17:00
Currently CRIU mainly relies on procfs and extended system calls for dumping/restoring process information, but this has some performance and extensibility problems. In this talk, we want to discuss CRIB (Checkpoint/Restore In eBPF), an innovative checkpoint/restore method to dump/restore process information in the kernel via eBPF. CRIB can achieve better performance, more flexibility, more...
Go to contribution page -
Benjamin Tissoires (Red Hat)20/09/2024, 17:30
HID-BPF was announced at Plumbers 2022 in Dublin. Since then, it has been merged in the kernel v6.3 and started to see its first users. The promises were big, and I can now safely say that they actually delivered.
In this talk we will first give an overview of what has been done in these 2 years. We already have a few success stories to share. But this was just the beginning. And now that...
Go to contribution page -
Johannes Bechberger20/09/2024, 18:00
While there are eBPF libraries for languages like Rust and Go, there are none for Java, one of the most popular programming languages. We developed the hello-ebpf Java library to change this. Its aim is to integrate eBPF programs seamlessly into Java applications, making it possible to write the eBPF programs themselves directly in Java.
In this talk, we show the technology behind the...
Go to contribution page
