elastic/ebpf

[Spike] Do a walkthrough of string related bpf helpers

lrishi opened this issue · 3 comments

To succeed as a viable security enabler, eBPF and eBPF LSM programs need to perform a significant number and variety of string comparisons on datasets unknown at compile time. Since we quickly start hitting the instruction (or other) limits at any kind of meaningful scale, it might help to deep dive into all the helpers at our disposal.

Outcome:

  1. Catalog all the string related (and adjacent) bpf helpers along with the kernel versions when they became available. Identify what use-cases these bpf helpers enable, which otherwise would be impossible using a custom written algorithm or code block.
  2. Present/Demo any significant findings to the team and the working group.

Motivation: https://github.com/elastic/security-team/issues/5114
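To make the "instruction limit" concern concrete, here is an added example (not code from the elastic/ebpf repository or from this issue) showing the shape a string match has to take inside a BPF program: a loop with a compile-time constant bound, so the verifier can reason about it, scanned over a list of patterns. It is written as plain user-space C so it can be compiled and run anywhere; the `MAX_STR_LEN` bound and the sample deny list are constructed values for illustration. In a real eBPF LSM hook the candidate string would first be copied into a stack buffer with a probe-read helper, and the cost grows as roughly `patterns x MAX_STR_LEN` iterations, each several BPF instructions, which is exactly why this pattern stops scaling.

```c
#include <stddef.h>

/* Constant upper bound on compared bytes. In BPF C this must be a
 * compile-time constant so the verifier can bound (or unroll) the loop.
 * The value is an assumption chosen for the example. */
#define MAX_STR_LEN 64

/* Byte-wise equality check bounded by MAX_STR_LEN.
 * Returns 1 when both strings are identical up to and including the
 * terminating NUL (or for the whole bounded window), else 0.
 * Never reads past the NUL of either string. */
static int bounded_str_eq(const char *s, const char *pattern)
{
    for (int i = 0; i < MAX_STR_LEN; i++) {
        if (s[i] != pattern[i])
            return 0;          /* mismatch, or one string ended early */
        if (s[i] == '\0')
            return 1;          /* both ended at the same position */
    }
    return 1;                  /* identical across the whole bounded window */
}

/* Linear scan over a pattern list. Work is O(n_patterns * MAX_STR_LEN),
 * which is the scaling problem the issue describes.
 * Returns the index of the first matching pattern, or -1 if none match. */
static int match_any(const char *s, const char *const *patterns, int n_patterns)
{
    for (int p = 0; p < n_patterns; p++) {
        if (bounded_str_eq(s, patterns[p]))
            return p;
    }
    return -1;
}

/* Constructed sample list standing in for a policy an LSM program might
 * enforce; the paths are illustrative, not from the issue. */
static const char *const sample_deny_list[] = {
    "/etc/shadow",
    "/etc/sudoers",
    "/root/.ssh/authorized_keys",
};
#define SAMPLE_DENY_COUNT (sizeof(sample_deny_list) / sizeof(sample_deny_list[0]))

/* Convenience wrapper: look a path up in the sample list. */
static int demo_match(const char *path)
{
    return match_any(path, sample_deny_list, (int)SAMPLE_DENY_COUNT);
}
```

The point to take away is that every additional pattern multiplies the verifier's view of the program by the bounded loop, so the same logic expressed through a kernel helper (one call instead of dozens of instructions per pattern) is what makes large match sets feasible.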

Catalog all the string related (and adjacent) bpf helpers along with the kernel versions when they became available.
Identify what use-cases these bpf helpers enable, which otherwise would be impossible using a custom written algorithm or code block.

I'll just drop this here. Google already provides a really comprehensive list of BPF features (including string helpers) and minimum kernel versions they correspond to.

https://android.googlesource.com/platform/external/bcc/+/master/docs/kernel-versions.md

That's BCC; this is the source (which should be more up to date): https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md

My guess is this one will be important!

| Helper | Kernel version | Commit |
| --- | --- | --- |
| `BPF_FUNC_d_path()` | 5.10 | 6e22ab9da793 |