Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
167 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
42 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

bpftime: userspace eBPF Runtime for Uprobe, Syscall and Kernel-User Interactions (2311.07923v2)

Published 14 Nov 2023 in cs.OS

Abstract: In kernel-centric operations, the uprobe component of eBPF frequently encounters performance bottlenecks, largely attributed to the overheads borne by context switches. Transitioning eBPF operations to user space bypasses these hindrances, thereby optimizing performance. This also enhances configurability and obviates the necessity for root access or privileges for kernel eBPF, subsequently minimizing the kernel attack surface. This paper introduces bpftime, a novel user-space eBPF runtime, which leverages binary rewriting to implement uprobe and syscall hook capabilities. Through bpftime, userspace uprobes achieve a 10x speed enhancement compared to their kernel counterparts without requiring dual context switches. Additionally, this runtime facilitates the programmatic hooking of syscalls within a process, both safely and efficiently. Bpftime can be seamlessly attached to any running process, limiting the need for either a restart or manual recompilation. Our implementation also extends to interprocess eBPF Maps within shared memory, catering to summary aggregation or control plane communication requirements. Compatibility with existing eBPF toolchains such as clang and libbpf is maintained, not only simplifying the development of user-space eBPF without necessitating any modifications but also supporting CO-RE through BTF. Through bpftime, we not only enhance uprobe performance but also extend the versatility and user-friendliness of eBPF runtime in user space, paving the way for more efficient and secure kernel operations.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (20)
  1. W. Authors. Webassembly specifications. https://webassembly.github.io/spec/.
  2. DynamoRIO. Dynamic instrumentation tool platform. https://github.com/DynamoRIO/dynamorio.
  3. frida. Cross-platform instrumentation and introspection library written in c. https://github.com/frida/frida-gum.
  4. gojue. Capture ssl/tls text content without a ca certificate using ebpf. https://github.com/gojue/ecapture.
  5. {{\{{RapidPatch}}\}}: Firmware hotpatching for {{\{{Real-Time}}\}} embedded devices. In 31st USENIX Security Symposium (USENIX Security 22), pages 2225–2242, 2022a.
  6. RapidPatch: Firmware hotpatching for Real-Time embedded devices. In 31st USENIX Security Symposium (USENIX Security 22), pages 2225–2242, Boston, MA, Aug. 2022b. USENIX Association. ISBN 978-1-939133-31-1. URL https://www.usenix.org/conference/usenixsecurity22/presentation/he-yi.
  7. Cross container attacks: The bewildered {{\{{eBPF}}\}} on clouds. In 32nd USENIX Security Symposium (USENIX Security 23), pages 5971–5988, 2023.
  8. iovisor. Userspace ebpf vm, a. https://doc.dpdk.org/guides/prog_guide/bpf_lib.html.
  9. iovisor. Userspace ebpf vm, b. https://github.com/iovisor/ubpf.
  10. Ptrace, utrace, uprobes: Lightweight, dynamic tracing of user apps. In Proceedings of the 2007 Linux symposium, pages 215–224, 2007.
  11. Unleashing unprivileged ebpf potential with dynamic sandboxing. In Proceedings of the 1st Workshop on eBPF and Kernel Extensions, pages 42–48, 2023.
  12. microsoft. ebpf for windows. https://github.com/microsoft/ebpf-for-windows.
  13. Pinpointing representative portions of large intel ® itanium ® programs with dynamic instrumentation. In 37th International Symposium on Microarchitecture (MICRO-37’04), pages 81–92, 2004. doi: 10.1109/MICRO.2004.28.
  14. I. V. Project. Bpf compiler collection (bcc), 2023. Available: https://github.com/iovisor/bcc.
  15. qmonnet. Rust virtual machine and jit compiler for ebpf programs. https://github.com/qmonnet/rbpf.
  16. Network-centric distributed tracing with deepflow: Troubleshooting your microservices in zero code. In Proceedings of the ACM SIGCOMM 2023 Conference, pages 420–437, 2023.
  17. zpoline: a system call hook mechanism based on binary rewriting. In 2023 USENIX Annual Technical Conference (USENIX ATC 23), pages 293–300, 2023.
  18. K. Zandberg and E. Baccelli. Femto-containers: Devops on microcontrollers with lightweight virtualization & isolation for iot software modules. arXiv preprint arXiv:2106.12553, 2021.
  19. Femto-containers: Lightweight virtualization and fault isolation for small software functions on low-power iot microcontrollers. In Proceedings of the 23rd ACM/IFIP International Middleware Conference, pages 161–173, 2022.
  20. XRP: In-Kernel storage functions with eBPF. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22), pages 375–393, Carlsbad, CA, July 2022. USENIX Association. ISBN 978-1-939133-28-1. URL https://www.usenix.org/conference/osdi22/presentation/zhong.
Citations (1)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now