update bpftime
yunwei37 committed Aug 23, 2024
1 parent 6e0d1b5 commit f0366a2
Showing 2 changed files with 12 additions and 0 deletions.
6 changes: 6 additions & 0 deletions docs/blogs/ebpf-papers.md
Expand Up @@ -93,6 +93,12 @@ Our preliminary experimental results show that SPRIGHT achieves an order of magn

<https://dl.acm.org/doi/10.1145/3544216.3544259>

## bpftime: userspace eBPF Runtime for Uprobe, Syscall and Kernel-User Interactions

In kernel-centric operations, the uprobe component of eBPF frequently encounters performance bottlenecks, largely attributed to the overheads borne by context switches. Transitioning eBPF operations to user space bypasses these hindrances, thereby optimizing performance. This also enhances configurability and obviates the necessity for root access or privileges for kernel eBPF, subsequently minimizing the kernel attack surface. This paper introduces bpftime, a novel user-space eBPF runtime, which leverages binary rewriting to implement uprobe and syscall hook capabilities. Through bpftime, userspace uprobes achieve a 10x speed enhancement compared to their kernel counterparts without requiring dual context switches. Additionally, this runtime facilitates the programmatic hooking of syscalls within a process, both safely and efficiently. Bpftime can be seamlessly attached to any running process, limiting the need for either a restart or manual recompilation. Our implementation also extends to interprocess eBPF Maps within shared memory, catering to summary aggregation or control plane communication requirements. Compatibility with existing eBPF toolchains such as clang and libbpf is maintained, not only simplifying the development of user-space eBPF without necessitating any modifications but also supporting CO-RE through BTF. Through bpftime, we not only enhance uprobe performance but also extend the versatility and user-friendliness of eBPF runtime in user space, paving the way for more efficient and secure kernel operations.

<https://arxiv.org/abs/2311.07923#>

## Kgent: Kernel Extensions Large Language Model Agent

The ability to modify and extend an operating system is an important feature for improving a system's security, reliability, and performance. The extended Berkeley Packet Filters (eBPF) ecosystem has emerged as the standard mechanism for extending the Linux kernel and has recently been ported to Windows. eBPF programs inject new logic into the kernel that the system will execute before or after existing logic. While the eBPF ecosystem provides a flexible mechanism for kernel extension, it is difficult for developers to write eBPF programs today. An eBPF developer must have deep knowledge of the internals of the operating system to determine where to place logic and cope with programming limitations on the control flow and data accesses of their eBPF program enforced by the eBPF verifier. This paper presents KEN, an alternative framework that alleviates the difficulty of writing an eBPF program by allowing Kernel Extensions to be written in Natural language. KEN uses recent advances in large language models (LLMs) to synthesize an eBPF program given a user's English language prompt. To ensure that LLM's output is semantically equivalent to the user's prompt, KEN employs a combination of LLM-empowered program comprehension, symbolic execution, and a series of feedback loops. KEN's key novelty is the combination of these techniques. In particular, the system uses symbolic execution in a novel structure that allows it to combine the results of program synthesis and program comprehension and build on the recent success that LLMs have shown for each of these tasks individually. To evaluate KEN, we developed a new corpus of natural language prompts for eBPF programs. We show that KEN produces correct eBPF programs on 80% which is an improvement of a factor of 2.67 compared to an LLM-empowered program synthesis baseline.
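
Review bot: The link added under the new bpftime heading, `<https://arxiv.org/abs/2311.07923#>`, ends in an empty `#` fragment; drop the `#` so it matches the bare-URL form of the preceding entry's link (`<https://dl.acm.org/doi/10.1145/3544216.3544259>`). In the added paragraph, "limiting the need for either a restart or manual recompilation" sits oddly next to "seamlessly attached to any running process"; if that wording is not verbatim from the abstract, "removing the need" would say what the sentence appears to mean.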
6 changes: 6 additions & 0 deletions docs/blogs/ebpf-papers.zh.md
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,12 @@ SIGCOMM 23: <https://dl.acm.org/doi/abs/10.1145/3594255.3594256>

<https://dl.acm.org/doi/10.1145/3544216.3544259>

## bpftime: userspace eBPF Runtime for Uprobe, Syscall and Kernel-User Interactions

在内核为中心的操作中,eBPF 的 uprobe 组件经常遇到性能瓶颈,这主要是由于上下文切换带来的开销。将 eBPF 操作转移到用户空间可以绕过这些障碍,从而优化性能。这种方法还增强了可配置性,并避免了对内核 eBPF 进行操作时所需的 root 权限或特权,从而减少了内核攻击面。本文介绍了 bpftime,这是一种新型的用户空间 eBPF 运行时,它利用二进制重写技术实现了 uprobe 和系统调用钩子的功能。通过 bpftime,用户空间的 uprobes 相较于内核中的 counterparts 实现了 10 倍的速度提升,同时无需进行双重上下文切换。此外,该运行时还支持在进程内安全高效地进行系统调用钩挂。Bpftime 可以无缝地附加到任何正在运行的进程中,无需重新启动或手动重新编译。我们的实现还扩展了共享内存中跨进程 eBPF Maps 的功能,以满足汇总聚合或控制平面通信的需求。Bpftime 保持了与现有 eBPF 工具链(如 clang 和 libbpf)的兼容性,不仅简化了用户空间 eBPF 的开发,无需任何修改,还通过 BTF 支持 CO-RE。通过 bpftime,我们不仅提升了 uprobe 的性能,还扩展了用户空间中 eBPF 运行时的多功能性和用户友好性,为实现更高效和更安全的内核操作铺平了道路。

<https://arxiv.org/abs/2311.07923#>

## Kgent: Kernel Extensions Large Language Model Agent

修改和扩展操作系统的能力是提高系统安全性、可靠性和性能的重要功能。扩展的伯克利数据包过滤器(eBPF)生态系统已经成为扩展Linux内核的标准机制,并且最近已被移植到Windows。eBPF程序将新逻辑注入内核,使系统在现有逻辑之前或之后执行这些逻辑。虽然eBPF生态系统提供了一种灵活的内核扩展机制,但目前开发人员编写eBPF程序仍然困难。eBPF开发人员必须深入了解操作系统的内部结构,以确定在何处放置逻辑,并应对eBPF验证器对其eBPF程序的控制流和数据访问施加的编程限制。本文介绍了KEN,一种通过允许使用自然语言编写内核扩展来缓解编写eBPF程序难度的替代框架。KEN利用大语言模型(LLMs)的最新进展,根据用户的英文提示生成eBPF程序。为了确保LLM的输出在语义上等同于用户的提示,KEN结合了LLM增强的程序理解、符号执行和一系列反馈循环。KEN的关键创新在于这些技术的结合。特别是,该系统以一种新颖的结构使用符号执行,使其能够结合程序综合和程序理解的结果,并建立在LLMs在每个任务中单独展示的成功基础上。为了评估KEN,我们开发了一个新的自然语言提示eBPF程序的语料库。我们显示,KEN在80%的情况下生成了正确的eBPF程序,这比LLM增强的程序综合基线提高了2.67倍。
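
Review bot: In the added Chinese paragraph, "相较于内核中的 counterparts" leaves the English word "counterparts" untranslated in the middle of the sentence; replace it with a Chinese equivalent such as "内核中的对应实现". The added link `<https://arxiv.org/abs/2311.07923#>` also carries an empty trailing `#` that can be dropped, as in the English file.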