eBPF Journey: A Comprehensive Learning Path for Mastery
In every learning journey, one treads a unique path, leaving behind footsteps for others to either follow or diverge from. The realm of eBPF, with its complexities and nuances, was no different for me. What I present to you here is a comprehensive, yet personal roadmap I undertook to master the intricacies of eBPF. I wish to underscore that while this might provide a structured guide for many, it represents *my* route through the vast landscape of eBPF. Each learner might find their rhythm and sequence, and that’s the beauty of knowledge acquisition. Without further ado, allow me to share the sequence of milestones in my “eBPF Journey: A Comprehensive Learning Path for Mastery”. Whether you tread this exact path or carve out a new one for yourself, may your quest be fruitful and enlightening.
What Is eBPF, and Why Is It Important?
The Linux Kernel
Kernel Modules
Dynamic Loading of eBPF Programs
High Performance of eBPF Programs
eBPF in Cloud Native Environments
eBPF’s “Hello World”
“Hello world with userspace program in GO”
Running “Hello World”
BPF Maps
Hash Table Map
Perf and Ring Buffer Maps
Function Calls
Tail Calls
Anatomy of an eBPF Program
The eBPF Virtual Machine
eBPF Registers
eBPF Instructions
eBPF “Hello World” for a Network Interface
Compiling an eBPF Object File
Inspecting an eBPF Object File
Loading the Program into the Kernel
Inspecting the Loaded Program
The BPF Program Tag
The Translated Bytecode
The JIT-Compiled Machine Code
Attaching to an Event
Global Variables
Detaching the Program
Unloading the Program
BPF to BPF Calls
The bpf() System Call
Loading BTF Data
Creating Maps
Loading a Program
Modifying a Map from User Space
BPF Program and Map References
Pinning
BPF Links
Additional Syscalls Involved in eBPF
Initializing the Perf Buffer
Attaching to Kprobe Events
Setting Up and Reading Perf Events
Ring Buffers
Reading Information from a Map
Finding a Map
Reading Map Elements
CO-RE, BTF, and Libbpf
Approach to Portability
CO-RE Overview
BPF Type Format
BTF Use Cases
Listing BTF Information with bpftool
BTF Types
Maps with BTF Information
BTF Data for Functions and Function Prototypes
Inspecting BTF Data for Maps and Programs
Generating a Kernel Header File
CO-RE eBPF Programs
Header Files
Kernel header information
Headers from libbpf
Application-specific headers
Defining Maps
eBPF Program Sections
Memory Access with CO-RE
License Definition
Compiling eBPF Programs for CO-RE
Debug Information
Optimization
Target Architecture
Makefile
BTF Information in the Object File
BPF Relocations
CO-RE User Space Code
The Libbpf Library for User Space
BPF Skeletons
Code Examples
The eBPF Verifier
The Verification Process
The Verifier Log
Visualizing Control Flow
Validating Helper Functions
Helper Function Arguments
Checking the License
Checking Memory Access
Checking Pointers Before Dereferencing Them
Accessing Context
Running to Completion
Loops
Checking the Return Code
Invalid Instructions
Unreachable Instructions
eBPF Program and Attachment Types
Program Context Arguments
Helper Functions and Return Codes
Kfuncs
Tracing
Kprobes and Kretprobes
Attaching kprobes to syscall entry points
Fentry/Fexit
Tracepoints
BTF-Enabled Tracepoints
User Space Attachments
LSM
Networking
Sockets
Traffic Control
XDP
Flow Dissector
Lightweight Tunnels
Cgroups
Infrared Controllers
BPF Attachment Types
Tracing with BPF
Probes
Kernel Probes
Kprobes
Kretprobes
Tracepoints
User-Space Probes
Uprobes
Uretprobes
User Statically Defined Tracepoints
Visualizing Tracing Data
Flame graphs
Histograms
Perf Events
BPF Maps
Creating BPF Maps
ELF Conventions to Create BPF Maps
Working with BPF Maps
Updating Elements in a BPF Map
Reading Elements from a BPF Map
Removing an Element from a BPF Map
Looking Up and Deleting Elements
Concurrent Access to Map Elements
Types of BPF Maps
Hash-Table Maps
Array Maps
Program Array Maps
Perf Events Array Maps
Per-CPU Hash Maps
Per-CPU Array Maps
Stack Trace Maps
Cgroup Array Maps
LRU Hash and Per-CPU Hash Maps
LPM Trie Maps
Array of Maps and Hash of Maps
Device Map Maps
CPU Map Maps
Open Socket Maps
Socket Array and Hash Maps
Cgroup Storage and Per-CPU Storage Maps
Reuseport Socket Maps
Queue Maps
Stack Maps
The BPF Virtual Filesystem
eBPF for Networking
Packet Drops
XDP Program Return Codes
XDP Packet Parsing
Load Balancing and Forwarding
XDP Offloading
Traffic Control (TC)
Packet Encryption and Decryption
User Space SSL Libraries
eBPF and Kubernetes Networking
Avoiding iptables
Coordinated Network Programs
Network Policy Enforcement
Encrypted Connections
More resources on Linux Networking and BPF
BPF and Packet Filtering
tcpdump and BPF Expressions
Packet Filtering for Raw Sockets
BPF-Based Traffic Control Classifier
Terminology
Queueing disciplines
Classful qdiscs, filters, and classes
Classless qdiscs
Traffic Control Classifier Program Using cls_bpf
Differences Between Traffic Control and XDP
Express Data Path
XDP Programs Overview
Operation Modes
Native XDP
Offloaded XDP
Generic XDP
The Packet Processor
XDP result codes (packet processor actions)
XDP and iproute2 as a Loader
Writing an XDP Program
Testing XDP Programs
XDP Testing Using the Python Unit Testing Framework
XDP Use Cases
Monitoring
DDoS Mitigation
Load Balancing
Firewalling
Linux Kernel Security, Capabilities, and Seccomp
Capabilities
Seccomp
Seccomp Errors
Seccomp BPF Filter Example
BPF LSM Hooks
eBPF for Security
Security Observability Requires Policy and Context
Using System Calls for Security Events
Seccomp
Generating Seccomp Profiles
Syscall-Tracking Security Tools
BPF LSM
Tracing Policy
Attaching to Internal Kernel Functions
Preventative Security
Network Security
eBPF Programming
Bpftrace
Language Choices for eBPF in the Kernel
BCC Python/Lua/C++
C and Libbpf
Go
Gobpf
Ebpf-go
Libbpfgo
Rust
Libbpf-rs
Redbpf
Aya
Rust-bcc
Testing BPF Programs
Multiple eBPF Programs
BPF Utilities
BPFTool
BPFTrace
kubectl-trace
eBPF Exporter
Security Observability with eBPF (Refer to Security Observability with eBPF by Jed Salazar and Natalia Reka Ivanko)
The Lack of Visibility
What Should We Monitor?
High-Fidelity Observability
A Kubernetes Attack
Brief Guide to Container Security
Kernel Namespaces
Cgroups
Attack Points for Container Escapes
Linux Capabilities
Why Is eBPF the Optimal Tool for Security? (Refer to Security Observability with eBPF by Jed Salazar and Natalia Reka Ivanko)
Precloud Security
Monitoring from Legacy Kernel, Disk, and Network Tools
A Cloud Native Approach
Deep Dive into the Security of eBPF
Virtual Machine in the Kernel
eBPF Programs
eBPF Hook Points
Why eBPF?
System Call Visibility
Network Visibility
Filesystem Visibility
The Underlying Host
Security Observability by eBPF (Refer to Security Observability with eBPF by Jed Salazar and Natalia Reka Ivanko)
The Four Golden Signals of Security Observability
Process Execution
Network Sockets
File Access
Layer 7 Network Identity
Real-World Attack
Stealthy Container Escape
Reaching the Host Namespace
Persistence
Post-Exploitation Techniques
Security Prevention by eBPF (Refer to Security Observability with eBPF by Jed Salazar and Natalia Reka Ivanko)
Prevention by Way of Least-Privilege
Allowlist
Denylist
Testing Your Policy
Tracing Policy
Stage 1: Exploitation
Stage 2: Persistence and Defense Evasion
Stage 3: Post-Exploitation
Data-Driven Security
The Future Evolution of eBPF
The eBPF Foundation
eBPF for Windows
Linux eBPF Evolution
eBPF Is a Platform, Not a Feature