From 7e928b43d44039ccb148f93937bfdb4851c5a4af Mon Sep 17 00:00:00 2001 From: yunwei37 <1067852565@qq.com> Date: Thu, 9 Nov 2023 22:40:43 +0800 Subject: [PATCH] add talk and blog --- docs/blogs/ebpf-security.md | 49 ++++++-------- docs/blogs/ebpf-security.zh.md | 45 +++++-------- docs/blogs/index.md | 8 ++- docs/blogs/index.zh.md | 10 +-- .../wasm-bpf-kubecon.md | 4 +- docs/miscellaneous/wasm-bpf-talk.md | 67 +++++++++++++++++++ 6 files changed, 120 insertions(+), 63 deletions(-) rename docs/{blogs => miscellaneous}/wasm-bpf-kubecon.md (99%) create mode 100644 docs/miscellaneous/wasm-bpf-talk.md diff --git a/docs/blogs/ebpf-security.md b/docs/blogs/ebpf-security.md index 479341e1a..b996aee03 100644 --- a/docs/blogs/ebpf-security.md +++ b/docs/blogs/ebpf-security.md @@ -10,24 +10,22 @@ However, as with any system that interfaces closely with the kernel, the securit The security framework of eBPF is largely predicated on the robustness of its verifier. This component acts as the gatekeeper, ensuring that only safe and compliant programs are allowed to run within the kernel space. -### What the eBPF Verifier Is and What It Does - -At its core, the eBPF verifier is a static code analyzer. Its primary function is to vet the BPF program instructions before they are executed. It scrutinizes a copy of the program within the kernel, operating with the following objectives: - -- `Ensuring Program Termination` - - The verifier uses depth-first search (DFS) algorithms to traverse the program's control flow graph, which it ensures is a Directed Acyclic Graph (DAG). This is crucial for guaranteeing that the program cannot enter into an infinite loop, thereby ensuring its termination. It meticulously checks for any unbounded loops and malformed or out-of-bounds jumps that could disrupt the normal operation of the kernel or lead to a system hang. - -- `Ensuring Memory Safety` - - Memory safety is paramount in kernel operations. The verifier checks for potential out-of-bounds memory accesses that could lead to data corruption or security breaches. It also safeguards against use-after-free bugs and object leaks, which are common vulnerabilities that can be exploited. In addition to these, it takes into account hardware vulnerabilities like Spectre, enforcing mitigations to prevent such side-channel attacks. - -- `Ensuring Type Safety` - - Type safety is another critical aspect that the verifier ensures. By preventing type confusion bugs, it helps maintain the integrity of data within the kernel. The eBPF verifier utilizes BPF Type Format (BTF), which allows it to accurately understand and check the kernel's complex data structures, ensuring that the program's operations on these structures are valid and safe. - -- `Preventing Hardware Exceptions` - + + +- [The Secure Path Forward for eBPF: Challenges and Innovations](#the-secure-path-forward-for-ebpf-challenges-and-innovations) + - [How eBPF Ensures Security with Verifier](#how-ebpf-ensures-security-with-verifier) + - [How the eBPF Verifier Works](#how-the-ebpf-verifier-works) + - [Challenges](#challenges) + - [Other works to improve verifier](#other-works-to-improve-verifier) + - [Limitations in eBPF Access Control](#limitations-in-ebpf-access-control) + - [CAP\_BPF](#cap_bpf) + - [bpf namespace](#bpf-namespace) + - [Unprivileged eBPF](#unprivileged-ebpf) + - [Trusted Unprivileged BPF](#trusted-unprivileged-bpf) + - [Other possible solutions](#other-possible-solutions) + - [Conclusion](#conclusion) + + Hardware exceptions, such as division by zero, can cause abrupt program terminations and kernel panics. To prevent this, the verifier includes checks for divisions by unknown scalars, ensuring that instructions are rewritten or handled in a manner consistent with aarch64 specifications, which dictate safe handling of such exceptions. Through these mechanisms, the eBPF verifier plays a critical role in maintaining the security and stability of the kernel, making it an indispensable component of the eBPF infrastructure. It not only reinforces the system's defenses but also upholds the integrity of operations that eBPF programs intend to perform, making it a quintessential part of the eBPF ecosystem. @@ -168,8 +166,7 @@ reference ## Other possible solutions -Some research or discussions about how to improve the security of eBPF. Existing works can be roughly divided into three categories: virtualization, Software Fault Isolation (SFI), and -formal methods. +Here are also some research or discussions about how to improve the security of eBPF. Existing works can be roughly divided into three categories: virtualization, Software Fault Isolation (SFI), and formal methods. Use a sandbox like WebAssembly to deploy eBPF programs or run eBPF programs in userspace is also a possible solution. - MOAT: Towards Safe BPF Kernel Extension (Isolation) @@ -227,13 +224,13 @@ formal methods. - Wasm-bpf: WebAssembly eBPF library, toolchain and runtime - Wasm-bpf is a WebAssembly eBPF library, toolchain and runtime allows the construction of eBPF programs into Wasm with little to no changes to the code, and run them cross platforms with Wasm sandbox. + Wasm-bpf is a WebAssembly eBPF library, toolchain and runtime allows the construction of eBPF programs into Wasm with little to no changes to the code, and run them cross platforms with Wasm sandbox. - It provides a configurable environment with limited eBPF WASI behavior, enhancing security and control. This allows for fine-grained permissions, restricting access to kernel resources and providing a more secure environment. For instance, eBPF programs can be restricted to specific types of useage, such as network monitoring, it can also configure what kind of eBPF programs can be loaded in kernel, what kind of attach event it can access without the need for modify kernel eBPF permission models. + It provides a configurable environment with limited eBPF WASI behavior, enhancing security and control. This allows for fine-grained permissions, restricting access to kernel resources and providing a more secure environment. For instance, eBPF programs can be restricted to specific types of useage, such as network monitoring, it can also configure what kind of eBPF programs can be loaded in kernel, what kind of attach event it can access without the need for modify kernel eBPF permission models. - + - > It will require additional effort to port the application to WebAssembly. Additionally, Wasm interface of kernel eBPF also need more effort of maintain, as the BPF daemon does. + > It will require additional effort to port the application to WebAssembly. Additionally, Wasm interface of kernel eBPF also need more effort of maintain, as the BPF daemon does. - `bpftime`: Userspace eBPF runtime for uprobe & syscall hook & plugin @@ -245,6 +242,4 @@ formal methods. ## Conclusion -As we have traversed the multifaceted domain of eBPF security, it's clear that while eBPF’s verifier provides a robust first line of defense, there are inherent limitations within the current access control model that require attention. We have considered potential solutions from the realms of virtualization, software fault isolation, and formal methods, each offering unique approaches to fortify eBPF against vulnerabilities. However, as with any complex system, new questions and challenges continue to surface. The gaps identified between the theoretical security models and their practical implementation invite continued research and experimentation. The future of eBPF security is not only promising but also demands a collective effort to ensure the technology can be adopted with confidence in its capacity to safeguard systems. - - +As we have traversed the multifaceted domain of eBPF security, it's clear that while eBPF’s verifier provides a robust first line of defense, there are inherent limitations within the current access control model that require attention. We have considered potential solutions from the realms of virtualization, software fault isolation, and formal methods to WebAssembly or userspace eBPF runtime, each offering unique approaches to fortify eBPF against vulnerabilities. However, as with any complex system, new questions and challenges continue to surface. The gaps identified between the theoretical security models and their practical implementation invite continued research and experimentation. The future of eBPF security is not only promising but also demands a collective effort to ensure the technology can be adopted with confidence in its capacity to safeguard systems. diff --git a/docs/blogs/ebpf-security.zh.md b/docs/blogs/ebpf-security.zh.md index 9986154ae..18d24fa91 100644 --- a/docs/blogs/ebpf-security.zh.md +++ b/docs/blogs/ebpf-security.zh.md @@ -1,5 +1,7 @@ # The Secure Path Forward for eBPF: Challenges and Innovations +TODO: translate this blog to Chinese + Yusheng Zheng Extended Berkeley Packet Filter (eBPF) represents a significant evolution in the way we interact with and extend the capabilities of modern operating systems. As a powerful technology that enables the Linux kernel to run sandboxed programs in response to events, eBPF has become a cornerstone for system observability, networking, and security features. @@ -8,34 +10,21 @@ However, as with any system that interfaces closely with the kernel, the securit ## How eBPF Ensures Security with Verifier -The security framework of eBPF is largely predicated on the robustness of its verifier. This component acts as the gatekeeper, ensuring that only safe and compliant programs are allowed to run within the kernel space. - -### What the eBPF Verifier Is and What It Does - -At its core, the eBPF verifier is a static code analyzer. Its primary function is to vet the BPF program instructions before they are executed. It scrutinizes a copy of the program within the kernel, operating with the following objectives: - -- `Ensuring Program Termination` - - The verifier uses depth-first search (DFS) algorithms to traverse the program's control flow graph, which it ensures is a Directed Acyclic Graph (DAG). This is crucial for guaranteeing that the program cannot enter into an infinite loop, thereby ensuring its termination. It meticulously checks for any unbounded loops and malformed or out-of-bounds jumps that could disrupt the normal operation of the kernel or lead to a system hang. - -- `Ensuring Memory Safety` - - Memory safety is paramount in kernel operations. The verifier checks for potential out-of-bounds memory accesses that could lead to data corruption or security breaches. It also safeguards against use-after-free bugs and object leaks, which are common vulnerabilities that can be exploited. In addition to these, it takes into account hardware vulnerabilities like Spectre, enforcing mitigations to prevent such side-channel attacks. - -- `Ensuring Type Safety` - - Type safety is another critical aspect that the verifier ensures. By preventing type confusion bugs, it helps maintain the integrity of data within the kernel. The eBPF verifier utilizes BPF Type Format (BTF), which allows it to accurately understand and check the kernel's complex data structures, ensuring that the program's operations on these structures are valid and safe. - -- `Preventing Hardware Exceptions` - - Hardware exceptions, such as division by zero, can cause abrupt program terminations and kernel panics. To prevent this, the verifier includes checks for divisions by unknown scalars, ensuring that instructions are rewritten or handled in a manner consistent with aarch64 specifications, which dictate safe handling of such exceptions. - -Through these mechanisms, the eBPF verifier plays a critical role in maintaining the security and stability of the kernel, making it an indispensable component of the eBPF infrastructure. It not only reinforces the system's defenses but also upholds the integrity of operations that eBPF programs intend to perform, making it a quintessential part of the eBPF ecosystem. - -### How the eBPF Verifier Works - -The eBPF verifier is essentially a sophisticated simulation engine that exhaustively tests every possible execution path of a given eBPF program. This simulation is not a mere theoretical exercise but a stringent enforcement of security and safety policies in kernel operations. - + + +- [The Secure Path Forward for eBPF: Challenges and Innovations](#the-secure-path-forward-for-ebpf-challenges-and-innovations) + - [How eBPF Ensures Security with Verifier](#how-ebpf-ensures-security-with-verifier) + - [Challenges](#challenges) + - [Other works to improve verifier](#other-works-to-improve-verifier) + - [Limitations in eBPF Access Control](#limitations-in-ebpf-access-control) + - [CAP\_BPF](#cap_bpf) + - [bpf namespace](#bpf-namespace) + - [Unprivileged eBPF](#unprivileged-ebpf) + - [Trusted Unprivileged BPF](#trusted-unprivileged-bpf) + - [Other possible solutions](#other-possible-solutions) + - [Conclusion](#conclusion) + + - **Follows control flow graph** The verifier begins its analysis by constructing and following the control flow graph (CFG) of the eBPF program. It carefully computes the set of possible states for each instruction, considering the BPF register set and stack. Safety checks are then performed depending on the current instruction context. diff --git a/docs/blogs/index.md b/docs/blogs/index.md index ee9e78fc6..c428e364b 100644 --- a/docs/blogs/index.md +++ b/docs/blogs/index.md @@ -1,5 +1,6 @@ # Blogs about eunomia-bpf community +- [The Secure Path Forward for eBPF: Challenges and Innovations](ebpf-security.md) - [Userspace eBPF Runtimes: Overview and Applications](userspace-ebpf.md) - [Wasm-bpf: Bridging Webassembly and eBPF Kernel Programmability](introduce-to-wasm-bpf-bpf-community.md) - [Writing eBPF Programs in C/C++ and libbpf within WebAssembly](how-to-write-c-in-wasm.md) @@ -9,5 +10,8 @@ - [How to Embark on the eBPF Journey in the Linux Microscope (LMP) Project](lmp-eunomia.md) - [eunomia-bpf 0.3.0 Release: Write Kernel Mode Code Only and Easily Build, Package, and Publish Complete eBPF Applications](0_3_0-release.md) - [eunomia-bpf: Looking Forward to 2023, Letting eBPF Fly with Wasm Wings](coolbpf-eunomia.md) -- [eBPF Advanced: Overview of New Kernel Features](bpf-news.md) -- [ecli Running Tests on Android 13](test-for-Android.md) + + +- [Blogs about eunomia-bpf community](#blogs-about-eunomia-bpf-community) + + \ No newline at end of file diff --git a/docs/blogs/index.zh.md b/docs/blogs/index.zh.md index eecbd98d1..d60b5b419 100644 --- a/docs/blogs/index.zh.md +++ b/docs/blogs/index.zh.md @@ -2,6 +2,7 @@ Blogs about eunomia-bpf: +- [The Secure Path Forward for eBPF: Challenges and Innovations](ebpf-security.md) - [用户空间 eBPF 运行时:深度解析与应用实践](userspace-ebpf.md) - [Wasm-bpf: 架起 Webassembly 和 eBPF 内核可编程的桥梁](introduce-to-wasm-bpf-bpf-community.md) - [在 WebAssembly 中使用 C/C++ 和 libbpf 编写 eBPF 程序](how-to-write-c-in-wasm.md) @@ -9,7 +10,8 @@ Blogs about eunomia-bpf: - [使用 ChatGPT ,通过自然语言编写 eBPF 程序和追踪 Linux 系统](GPTtrace.md) - [当 Wasm 遇见 eBPF :使用 WebAssembly 编写、分发、加载运行 eBPF 程序](ebpf-wasm.md) - [如何在 Linux 显微镜(LMP)项目中开启 eBPF 之旅](lmp-eunomia.md) -- [eunomia-bpf 0.3.0 发布:只需编写内核态代码,轻松构建、打包、发布完整的 eBPF 应用](0_3_0-release.md) -- [eunomia-bpf:展望 2023,让 eBPF 插上 Wasm 的翅膀](coolbpf-eunomia.md) -- [eBPF 进阶: 内核新特性进展一览](bpf-news.md) -- [ecli 在安卓 13 上的运行测试](test-for-Android.md) + + +- [Blog](#blog) + + \ No newline at end of file diff --git a/docs/blogs/wasm-bpf-kubecon.md b/docs/miscellaneous/wasm-bpf-kubecon.md similarity index 99% rename from docs/blogs/wasm-bpf-kubecon.md rename to docs/miscellaneous/wasm-bpf-kubecon.md index aee844253..f0d90000d 100644 --- a/docs/blogs/wasm-bpf-kubecon.md +++ b/docs/miscellaneous/wasm-bpf-kubecon.md @@ -32,7 +32,7 @@ The post provides background on eBPF and Wasm, examines the deployment challenge - [Wasm + eBPF + LLM](#wasm--ebpf--llm) - [How can eBPF enhance Wasm: WASI and Debugging](#how-can-ebpf-enhance-wasm-wasi-and-debugging) - [Enhancing WASI access control with eBPF](#enhancing-wasi-access-control-with-ebpf) - - [Advancing Debugging Tools with eBPF](#advancing-debugging-tools-with-ebpf) + - [Wasm runtime Debug with eBPF](#wasm-runtime-debug-with-ebpf) - [Other possibilitys](#other-possibilitys) - [conclusion](#conclusion) - [reference](#reference) @@ -303,7 +303,7 @@ Consider an example where there's a need to hook into directory removal operatio Besides LSM hooks in the kernel, we can also use uprobes or userspace eBPF runtime to dynamically control the behavior of WASI, hotpatching the vulnerabilities in wasm runtime, without mannually intergration in Wasm runtimes. -### Advancing Debugging Tools with eBPF +### Wasm runtime Debug with eBPF When it comes to debugging, Wasm's current tracing methodologies are somewhat rudimentary, lacking the depth required for intricate analysis. eBPF's uprobes (user-space probes) can bridge this gap by enabling detailed tracing of any user-space function invoked by a Wasm module, all without the need for additional code instrumentation. diff --git a/docs/miscellaneous/wasm-bpf-talk.md b/docs/miscellaneous/wasm-bpf-talk.md new file mode 100644 index 000000000..18f68739a --- /dev/null +++ b/docs/miscellaneous/wasm-bpf-talk.md @@ -0,0 +1,67 @@ +# talk draft in kubecon + +## IntroductionOpening (1 minute) + +Welcome, everyone. + +Thank you for joining me to discuss the innovative intersection of eBPF and WebAssembly—technologies revolutionizing observability within our systems. + +Combining eBPF with Wasm provides a robust solution for non-intrusive deployment and advanced security checks within Kubernetes pods. Today, we'll explore how these technologies can be leveraged for efficient and secure software development. Let's dive into a detailed discussion on their benefits, challenges, and the future they hold. + +My name is Yusheng Zheng, currently maintaining a small community called eunomia-bpf, building open source projects to make eBPF easier to use, and exploring new technologies and runtimes related to eBPF. + +## Slide 2: Agenda (2 minutes) + +In the next minute, we'll outline our exploration into eBPF and WebAssembly, or Wasm—a journey into enhancing the deployment and security of eBPF programs. We begin by introducing eBPF, the kernel-level technology that powers efficient networking and security, followed by Wasm, which brings a multi-language, secure execution environment to user space. + +We'll uncover how Wasm streamlines the eBPF experience, enabling non-intrusive deployments into Kubernetes pods, offering separation from application workloads for greater flexibility. We'll emphasize the simplicity of implementing security with declarative checks at deployment and discuss how eBPF data analytics can drive insights for performance tuning. By supporting user-space eBPF, it opens the door to more secure and versatile observability tools. + +Finally, we'll flip the script and look at eBPF through the lens of Wasm, enhancing security sandboxing, host call observability, and providing a robust debugging toolkit. This bidirectional enrichment is pivotal for cloud-native development, and we're excited to delve into these transformative technologies with you. + +## Slide 3: Introduction to eBPF (1 minutes) + +First, let's talk about eBPF, or Extended Berkeley Packet Filter. This is not just a technology but a paradigm shift, allowing developers to dynamically and safely program the Linux kernel. It's at the heart of performance-sensitive tasks like networking and security, and it's changing the game for kernel-level instrumentation. + +## Slide 4: Introduction to WebAssembly (Wasm) (1 minutes) + +Turning our attention to WebAssembly, or Wasm, we enter the realm of a revolutionary binary format designed for user space security. Wasm is not only language-agnostic, supporting a wide array of programming languages, but it's also incredibly lightweight and swift, making it ideal for performance-critical applications. + +What sets Wasm apart is its capability-based security model, which allows fine-grained access to host resources, ensuring that applications remain secure while performing at their best. Moreover, Wasm's cross-platform nature facilitates an unprecedented level of portability, enabling code to run consistently across different environments. + +## Slide 5: + +## Slide 6: How Wasm Improves eBPF Developer Experience (3 minutes) + +"Stepping into the developer's shoes, we see how Wasm refines the eBPF development workflow. It ensures non-intrusive, Kubernetes-native deployment processes and facilitates security checks at deployment time, making our systems more resilient and our developer experience smoother." + +## Slide 7-10: eBPF Deployment Models (5 minutes) + +"We'll dissect the eBPF deployment models, contrasting the integrated control plane against the decoupled sidecar approach. The former, despite its direct control benefits, raises concerns about security and multi-user conflicts. The latter, while modular, introduces complexity in maintaining consistency and kernel feature integration." + +## Slide 11-12: Wasm + eBPF: The Synergy (3 minutes) + +Here, we'll illustrate a typical Kubernetes pod setup, integrating eBPF into containers running in an LXC environment, alongside other workload-specific containers. This hybrid model capitalizes on the strengths of Wasm and eBPF, creating a robust, modular observability framework. + +## Slide 13-14: WasmEdge eBPF plugin (2 minutes) + +We'll showcase the WasmEdge eBPF plugin, wasm-bpf. Its compactness, ease of management, and security enhancements over traditional containerized eBPF deployments signal a leap forward in deploying eBPF programs. + +## Slide 15-17: Developer Experience and Trade-offs (3 minutes) + +However, there are trade-offs. The migration of libraries and toolchains to this new model is not trivial, with considerations around limited eBPF features in Wasm environments. But the familiar development experience, akin to that provided by libbpf-bootstrap, is a testament to our progress. + +## Slide 18-19: Examples and Challenges (3 minutes) + +We will present practical examples showcasing eBPF's versatility in observability, networking, and security. Simultaneously, we'll confront the challenges: porting libraries, reconciling data layouts, and ensuring kernel compatibility, all of which are critical to mainstream adoption. + +## Slide 20-22: How it Works (3 minutes) + +We will then delve into the mechanics—how we use toolchains to facilitate seamless integration and development of eBPF programs. This process not only supports kernel-level eBPF but also enables a fully user space runtime, expanding eBPF's applicability. + +Slide 23-26: How eBPF Enhances Wasm Developer Experience (3 minutes) + +To wrap up our technical discussion, we will explore how eBPF elevates the Wasm development experience, particularly through advanced security mechanisms for WASI and sophisticated tracing capabilities that simplify debugging. + +Closing (1 minute) + +In closing, the fusion of Wasm and eBPF is more than just a technological innovation; it's a new frontier in Kubernetes pod deployment, data analytics, and system security. We're excited for you to explore these possibilities and contribute to their evolution. Thank you for joining us today, and we look forward to your questions and insights.