Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Writing an experimental eBPF disassembler

Avatar for Drumato Drumato
July 24, 2021
Programming
0
370

Writing an experimental eBPF disassembler

適当にLTネタになるかな,と思って作った話.
https://github.com/Drumato/ebpf-disasm

Avatar for Drumato

Drumato

July 24, 2021
Tweet

More Decks by Drumato

See All by Drumato
仕様と実装で学ぶOpenTelemetry
Avatar for Drumato drumato
2
2.9k
Activities about Kubernetes operation improvements as an SRE
Avatar for Drumato drumato
3
680
DEMO Apps recently implemented
Avatar for Drumato drumato
0
110
An incremental approach to implement an admission controller
Avatar for Drumato drumato
0
270
Components of Kubernetes Cluster
Avatar for Drumato drumato
0
380
cybozu-labs-youth-10th
Avatar for Drumato drumato
1
1.2k

Other Decks in Programming

See All in Programming
The Ralph Wiggum Loop: First Principles of Autonomous Development
Avatar for Ryuichiro Semba sembayui
0
3.7k
maplibre-gl-layers - 地図に移動体たくさん表示したい
Avatar for Kouji Matsui kekyo
PRO
0
270
DevinとClaude Code、SREの現場で使い倒してみた件
Avatar for karia/Y.Hisamatsu karia
1
1.1k
Takumiから考えるSecurity_Maturity_Model.pdf
Avatar for gessy0129 gessy0129
1
140
New in Go 1.26 Implementing go fix in product development
Avatar for sunecosuri sunecosuri
0
440
CS教育のDX AIによる育成の効率化
Avatar for ニフティ株式会社 niftycorp
PRO
0
110
猫の手も借りたい!ので AIエージェント猫を作って社内に放した話 Claude Code × Container Lambda の Slack Bot "DevNeko"
Avatar for naramomi7 naramomi7
0
260
Codexに役割を持たせる 他のAIエージェントと組み合わせる実務Tips
Avatar for o8n o8n
4
1.3k
Windows on Ryzen and I
Avatar for 瀬尾佳隆 seosoft
0
290
TipKitTips
Avatar for Ryomm ktcryomm
0
170
AI Assistants for Your Angular Solutions
Avatar for Manfred Steyer manfredsteyer
PRO
0
140
OTP を自動で入力する裏技
Avatar for Megabits_mzq megabitsenmzq
0
100

Featured

See All Featured
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
39
3.1k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
Avatar for UX Y'all uxyall
0
720
The browser strikes back
Avatar for Jono Alderson jonoalderson
0
790
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
Avatar for Kenny Baas-Schwegler baasie
0
250
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
130
Writing Fast Ruby
Avatar for Erik Berlin sferik
630
63k
Accessibility Awareness
Avatar for Sarah Abderemane sabderemane
0
80
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
10
1.1k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
40
2.3k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
22k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8.1k

Transcript

  1. eBPF disassemblerを作る Drumato

  2. Attention! • 完全準拠ではない • torvalds/linux/samples/bpfのkernel side sourceがそれっぽくなればOKまで をやった

  3. 背景

  4. なんとなくeBPFについての記事を読んでた

  5. "基本的に命令長は64bit固定" という記述を見る

  6. 素敵! disasm書きたい! (x64を想いつつ)

  7. 書く

  8. 身につける必要があった知識 • Object file上でeBPF functionがどのように表現されているか • Opcode encoding/immediateの形式を知る

  9. あとは頑張って書く

  10. これはassembler自作と大して変わらない

  11. ELF Header

  12. eBPF object file#ELF Header

  13. eBPF object file#ELF Header

  14. E_machine以外は普通のrelocに見える

  15. Section Header Table

  16. eBPF object file#SHT

  17. eBPF object file#SHT .textはあるけど 中身は空

  18. eBPF object file#SHT SEC("socket1")のように 書いたsymbolが sectionに

  19. eBPF object file#SHT eBPF mapsもsectionに Entry sizeは Programで決まっていて, Shdr.sh_entsizeを読んでも わからない

    Key + valueのどちらも可変なので entsizeは使えないか(linkとinfoは?)

  20. eBPF object file#SHT これは単に"GPL\0"という文字列が 入っているだけ

  21. Symbol table

  22. eBPF object file#symtab

  23. ぱっと見特に気になる点はなし

  24. eBPF object file#summary • なんとなく以下を満たすsectionをdisasすれば良さそう ◦ Shdr.sh_type == SHT_PROGBITS ◦

    Shdr.sh_flags & (SHF_ALLOC | SHF_EXECINSTR) != 0 ◦ Shdr.sh_size > 0

  25. eBPF instruction architecture

  26. eBPF instruction architecture#overview

  27. eBPF instruction architecture#overview OpcodeEncoding head byteをどう解釈するか

  28. eBPF instruction architecture#overview InstructionClass Opcodeをどう解釈するか Ex1. ic=0x04ならopcode=0x00はAdd ic=0x05ならopcode=0x00はJA

  29. eBPF instruction format ArithOrJump Memory

  30. eBPF instruction format ArithOrJump Memory ADD/SUB/MUL/DIV/MOD/LSH etc.. JA/JEQ/JGT/JSLT/ etc...

  31. eBPF instruction format ArithOrJump Memory Use src field as register

    If S bit is up

  32. eBPF instruction format ArithOrJump Memory ALU/ALU64/JMP/JMP64

  33. eBPF instruction format ArithOrJump Memory IMM/MEM/IND/ABS etc

  34. eBPF instruction format ArithOrJump Memory Byte/Half word/Word/Double Word

  35. eBPF instruction format ArithOrJump Memory LD/LDX/ST/STX

  36. わかったら書く!書く!

  37. 機械語programmingは手動かす!

  38. disasm#tips • Building block的に作ると良い ◦ Opcode type/InstClass typeを作ってEncoding typeを作る ▪

    それぞれのdecoderを書く ◦ それら(とsrc/dst/offset/imm)をまとめてInstruction typeを作る ▪ decoderを次々呼ぶだけ • srcは ooooxxxx のようになっているけど,4bit rshすると使いやすい ◦ Register numberに変換する感覚

  39. disasm#summary

  40. disasm#summary

  41. このくらいのしょぼ完成度なら サクッと数時間で作れる

  42. references • Linux Socket Filtering aka Berkeley Packet Filter (BPF)

    - www.kernel.org • Drumato/ebpf-disasm … 実装 ◦ 完全じゃないよ(Memory InstClassは適当)

  43. Thanks!