于桐 & 郑昱笙--基于用户态BPF运行时的高效uprobe.pdf

1、Bpftime:Userspace eBPFruntimehttps:/ Tong,Yusheng Z1第二届 eBPF开发者大会w w w.e b p f t r a v e l.c o m中 国 西 安Agenda Why a new userspace eBPF runtime?Kernel Uprobe Performance Issues Kernel eBPF Security Concerns and limited configurable Other userspace eBPF runtime limitations Existing Non-kernel eBPF Use

2、cases Introduction to bpftime How it works Examples&benchmark Roadmap Q&A2第 二 届 e B P F 开 发 者 大 会Why bpftime?Uprobe:User-level dynamic tracing1.Kernel Uprobe Performance Issues:Current UProbe implementation necessitates two kernel context copies.Results in significant performance overhead.Not suitab

3、le for real-time monitoring in latency-sensitive applications.And Kernel Syscall tracepoint:Syscall tracepoints will hook all syscalls and require filter for specific processUprobes Wide Adoption in Production Traces user-space protocols:SSL,TLS,HTTP2.Monitors memory allocation and detects leaks.Tra

4、cks threads and goroutine dynamics.Provides passive,non-instrumental tracing.And more.3第 二 届 e B P F 开 发 者 大 会Why bpftime?2.Kernel eBPF Security Concerns eBPF programs run in kernel mode,requiring root access.Increases attack surface,posing risks like container escape.Inherent vulnerabilities in eBP

5、F can lead to Kernel Exploits.Limitations of Kernel eBPF Older kernel version,unprivileged environments,non-Linux system may not have access to kernel eBPF Verifier limited the operation of eBPF,config or extend eBPF may require kernel changes4第 二 届 e B P F 开 发 者 大 会Existing Non-kernel eBPF Usecases

6、 Qemu+uBPF:Combines Qemu with uBPF.Video.Oko:Extends Open vSwitch-DPDK with BPF.Enhances tools for better integration.GitHub.Solana:Userspace eBPF for High-performance Smart Contract.GitHub.DPDK eBPF:Libraries for fast packet processing.Enhanced by Userspace eBPF.eBPF for Windows:Brings eBPF toolcha