eBPF - eBPF In Action using BCC

Explore how eBPF empowers kernel-level tracing and syscall manipulation using BCC, enabling advanced security monitoring and network control with efficient, event-driven programs—unlocking new capabilities for real-time cybersecurity defenses.

Abstract

Abstract

After explaining the working of eBPF and its architecture, now we are going to try some eBPF programs to see and know what kind of operations and syscalls we can execute using it.

Using BCC ( # BPF Compiler Collection)

As already explained on the last 2 articles I wrote about eBPF,
BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.

Kernel Configuration

In general, to use these features, a Linux kernel version 4.1 or newer is required. In addition, the kernel should have been compiled with the following flags set:

CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# [optional, for tc filters]
CONFIG_NET_CLS_BPF=m
# [optional, for tc actions]
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
# [for Linux kernel versions 4.1 through 4.6]
CONFIG_HAVE_BPF_JIT=y
# [for Linux kernel versions 4.7 and later]
CONFIG_HAVE_EBPF_JIT=y
# [optional, for kprobes]
CONFIG_BPF_EVENTS=y
# Need kernel headers through /sys/kernel/kheaders.tar.xz
CONFIG_IKHEADERS=y

There are a few optional kernel flags needed for running bcc networking examples on vanilla kernel:

CONFIG_NET_SCH_SFQ=m
CONFIG_NET_ACT_POLICE=m
CONFIG_NET_ACT_GACT=m
CONFIG_DUMMY=m
CONFIG_VXLAN=m

You can check the Kernel compile flags by copying & extracting the /proc/config.gz and checking the containing config file

Execute this command to check the flags on your Kernel.

cd /tmp && cp /proc/config.gz  . && gzip -d config.gz && cat config

Installation

You can check the whole installation process here : BCC Install

installing

Tracing Examples

:warning: : Using those scripts needs root permission to work properly

Trace a Block I/O size

using BiteHist.py

eBPF - eBPF In Action using BCC

Trace block device I/O latency

using DiskSnoop.py

eBPF - eBPF In Action using BCC

Trace IPv4 and IPv6 bind() system calls

using bindsnoop.py

eBPF - eBPF In Action using BCC

Capturing Examples

Capture new processes via exec() syscalls.

using execsnoop.py

eBPF - eBPF In Action using BCC

    Those are the executed commands on my computer in loop for Polybar scipts**

Capturing open() syscalls (file opening)

using opensnoop.py

eBPF - eBPF In Action using BCC

Capturing TCP active connections (connect())

using tcpconnect.py

eBPF - eBPF In Action using BCC

And much more…

check the whole BCC Tools Pack BCC Tools

here is a picture explaining the different BCC Tracing tools / BPF programs.

eBPF - eBPF In Action using BCC

So now, you do understand and know how BPF, eBPF and BPF programs work.

For better and more much scalable solutions, you will have to :

  1. Develop your own BPF programs and tools.
  2. Use Open Source projects already working with full functional structure for each fonctionality.
  3. Use paid products and solutions.

We’ll try exploring all of this on the next articles.

I just do cybersecurity stuff.

Discussion

Leave a Comment

Guest comments will be reviewed before appearing on the site.

No comments yet. Be the first to start the discussion!

Suggestions or Report a bug? Contact us!