Commit
Add some desc for userspace eBPF
yunwei37 committed Jan 13, 2024
1 parent 01e85ee commit 3468fab
Showing 13 changed files with 329 additions and 9 deletions.
5 changes: 3 additions & 2 deletions README.md
@@ -74,6 +74,7 @@ Android:
- [使用 eBPF 替换任意程序读取或写入的文本](src/27-replace/README.md)
- [BPF的生命周期:使用 Detached 模式在用户态应用退出后持续运行 eBPF 程序](src/28-detach/README.md)
- [eBPF 运行时的安全性与面临的挑战](src/18-further-reading/ebpf-security.zh.md)
- [用户空间 eBPF 运行时:深度解析与应用实践](src\36-userspace-ebpf\README.md)

持续更新中...

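Review bot: the link added for 用户空间 eBPF 运行时 uses backslashes (`src\36-userspace-ebpf\README.md`), which Markdown passes through literally and GitHub will not resolve to the file on a case-sensitive, forward-slash filesystem; every sibling entry in this list uses forward slashes, so change it to `src/36-userspace-ebpf/README.md`.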
@@ -171,7 +172,7 @@ eunomia-bpf 由一个编译工具链和一个运行时库组成, 对比传统的
## 让 ChatGPT 来帮助我们

本教程借助 ChatGPT 来学习编写 eBPF 程序,同时我们尝试教会 ChatGPT 编写 eBPF 程序,大概步骤如下:
本教程也尝试借助 ChatGPT 来学习编写 eBPF 程序,同时我们尝试教会 ChatGPT 编写 eBPF 程序,大概步骤如下:

1. 告诉它基本的 eBPF 编程相关的常识
2. 告诉它一些案例:hello world,eBPF 程序的基本结构,如何使用 eBPF 程序进行追踪,并且让它开始编写教程
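Review bot: the reworded sentence now reads "本教程也尝试借助 ChatGPT 来学习编写 eBPF 程序,同时我们尝试教会 ChatGPT 编写 eBPF 程序", repeating 尝试 twice in one clause pair; dropping the first one ("本教程也借助 ChatGPT ...") keeps the intended hedge without the echo.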
@@ -181,7 +182,7 @@ eunomia-bpf 由一个编译工具链和一个运行时库组成, 对比传统的

![ebpf-chatgpt-signal](imgs/ebpf-chatgpt-signal.png)

完整的对话记录可以在这里找到: [ChatGPT.md](ChatGPT.md)
完整的对话记录可以在这里找到: [ChatGPT.md](src/ChatGPT.md)

我们也构建了一个命令行工具的 demo ,通过本教程的训练, 让它通过自然语言描述即可自动编写 eBPF 程序,追踪 Linux 系统:<https://github.com/eunomia-bpf/GPTtrace>

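Review bot: the ChatGPT.md link is moved to `src/ChatGPT.md`, but nothing in the visible hunks moves or adds that file; confirm it actually exists at that path in this commit, otherwise this replaces one dead link with another. The image reference `imgs/ebpf-chatgpt-signal.png` two lines above is still root-relative, so check whether it needs the same adjustment.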
1 change: 1 addition & 0 deletions README_en.md
@@ -62,6 +62,7 @@ Security:
- [Adding sudo users using eBPF](src/26-sudo/README_en.md)
- [Replacing text read or written by any program using eBPF](src/27-replace/README_en.md)
- [BPF lifecycle: Running eBPF programs continuously in Detached mode after user-mode applications exit](src/28-detach/README_en.md)
- [Userspace eBPF Runtimes: Overview and Applications](src\36-userspace-ebpf\README_en.md)

Continuously updated...

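Review bot: same defect as the Chinese README, the new entry's target `src\36-userspace-ebpf\README_en.md` uses backslashes and will not resolve on GitHub; use `src/36-userspace-ebpf/README_en.md` like the three entries above it.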
2 changes: 2 additions & 0 deletions src/0-introduce/README.md
@@ -32,6 +32,8 @@ Linux 内核的主要目的是抽象出硬件或虚拟硬件,并提供一个

不仅如此,eBPF 还有能力往用户空间任意进程的任意地址写入数据(bpf_probe_write_user[7]),有限度地修改内核函数的返回值(bpf_override_return[8]),甚至在内核态直接执行某些系统调用[9];所幸的是,eBPF 在加载进内核之前对字节码会进行严格的安全检查,确保没有内存越界等操作,同时,许多可能会扩大攻击面、带来安全风险的功能都是需要在编译内核时明确选择启用才能使用的;在 Wasm 虚拟机将字节码加载进内核之前,也可以明确选择启用或者禁用某些 eBPF 功能,以确保沙箱的安全性。

除了内核态的 eBPF 运行时,eBPF 也可以拓展到用户空间,例如 [bpftime](https://github.com/eunomia-bpf/bpftime),实现更高性能的用户态追踪、性能分析、插件等等。

## 2. 关于如何学习 eBPF 相关的开发的一些建议

本文不会对 eBPF 的原理做更详细的介绍,不过这里有一个学习规划和参考资料,也许会有一些价值:
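Review bot: the new paragraph follows directly on a paragraph whose whole point is that the in-kernel verifier and compile-time feature gating are what make eBPF safe to run, yet it introduces user-space runtimes without saying what stands in for those checks when the program executes inside an ordinary process. A reader will immediately ask whether bytecode is still verified and what memory a user-space eBPF program can reach; one clause on the runtime's isolation model, or a pointer to the security discussion in `src/18-further-reading/ebpf-security.zh.md` that this same commit links from the README, would keep the section's argument intact.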
2 changes: 2 additions & 0 deletions src/0-introduce/README_en.md
@@ -25,6 +25,8 @@ Currently, eBPF is still in the early stages. However, with the help of the kern

Moreover, eBPF has the ability to write data to any address of a user space process (bpf_probe_write_user[7]), partially modify the return value of a kernel function (bpf_override_return[8]), and even directly execute certain system calls in kernel mode[9]. Fortunately, eBPF performs strict security checks on the bytecode before loading it into the kernel to ensure that there are no operations such as memory out-of-bounds. Moreover, many features that may expand the attack surface and pose security risks need to be explicitly enabled during kernel compilation. Before loading the bytecode into the kernel, the Wasm virtual machine can also choose to enable or disable certain eBPF features to ensure the security of the sandbox.

In addition to the kernel mode eBPF runtime, eBPF can also be extended to user space, for example, [bpftime](https://github.com/eunomia-bpf/bpftime) to achieve higher performance user space tracing, performance analysis, plugins, etc.

## 2. Some Tips on Learning eBPF Development

This article will not provide a more detailed introduction to the principles of eBPF, but here is a learning plan and reference materials that may be of value:
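Review bot: as in the Chinese file, the added sentence drops user-space runtimes into a paragraph about verifier and kernel-side safety checks without saying what protections apply when the program runs in a user process; add a clause on bytecode verification and memory isolation there, or link the eBPF security reading. The wording also needs tightening: "to achieve higher performance user space tracing, performance analysis, plugins, etc." should read "to achieve higher-performance user-space tracing, profiling and plugins".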
2 changes: 1 addition & 1 deletion src/30-sslsniff/README.md
@@ -42,7 +42,7 @@ TLS 和 SSL 不完全适合 OSI 模型或 TCP/IP 模型的任何单一层次。T

eBPF (Extended Berkeley Packet Filter): 是一种内核技术,允许用户在内核空间中运行预定义的程序,不需要修改内核源代码或重新加载模块。它创建了一个桥梁,使得用户空间和内核空间可以交互,从而为系统监控、性能分析和网络流量分析等任务提供了无前例的能力。

uprobes 是eBPF的一个重要特性,允许我们在用户空间应用程序中动态地插入探测点,特别适用于跟踪SSL/TLS库中的函数调用。
uprobes 是eBPF的一个重要特性,允许我们在用户空间应用程序中动态地插入探测点,特别适用于跟踪SSL/TLS库中的函数调用。Uprobe 在内核态 eBPF 运行时,也可能产生比较大的性能开销,这时候也可以考虑使用用户态 eBPF 运行时,例如 [bpftime](https://github.com/eunomia-bpf/bpftime)。bpftime 是一个基于 LLVM JIT/AOT 的用户态 eBPF 运行时,它可以在用户态运行 eBPF 程序,和内核态的 eBPF 兼容,避免了内核态和用户态之间的上下文切换,从而提高了 eBPF 程序的执行效率。对于 uprobe 而言,bpftime 的性能开销比 kernel 小一个数量级。

### 用户态库

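Review bot: the added claim "对于 uprobe 而言,bpftime 的性能开销比 kernel 小一个数量级" has no source; link the benchmark (or the bpftime README section that reports it) and say what was measured, since that number is the stated reason for switching runtimes. The opening "Uprobe 在内核态 eBPF 运行时,也可能产生比较大的性能开销" also reads as if the overhead is inherent to uprobes; the cost being avoided is the kernel/user context switch named later in the same sentence, so lead with that.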
2 changes: 1 addition & 1 deletion src/30-sslsniff/README_en.md
@@ -42,7 +42,7 @@ TLS and SSL don't perfectly align with any single layer of the OSI model or the

eBPF (Extended Berkeley Packet Filter): It's a kernel technology that allows users to run predefined programs in the kernel space without modifying kernel source code or reloading modules. It creates a bridge that enables interaction between user space and kernel space, providing unprecedented capabilities for tasks like system monitoring, performance analysis, and network traffic analysis.

uprobes are a significant feature of eBPF, allowing dynamic insertion of probe points in user space applications, particularly useful for tracking function calls in SSL/TLS libraries.
uprobes are a significant feature of eBPF, allowing dynamic insertion of probe points in user space applications, particularly useful for tracking function calls in SSL/TLS libraries. Uprobe in kernel mode eBPF runtime may also cause relatively large performance overhead. In this case, you can also consider using user mode eBPF runtime, such as [bpftime](https://github.com/eunomia-bpf/bpftime)。bpftime is a user mode eBPF runtime based on LLVM JIT/AOT. It can run eBPF programs in user mode and is compatible with kernel mode eBPF, avoiding context switching between kernel mode and user mode, thereby improving the execution efficiency of eBPF programs. bpftime can have a performance overhead that is one order of magnitude smaller than that of kernel mode eBPF.

### User-Space Libraries

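Review bot: "such as [bpftime](https://github.com/eunomia-bpf/bpftime)。bpftime is" uses a full-width Chinese period (。) in the English file; replace it with an ASCII period and a space. The same hunk needs the benchmark reference for the "one order of magnitude smaller" claim, and "Uprobe in kernel mode eBPF runtime may also cause relatively large performance overhead" should read "Uprobes in the kernel-mode eBPF runtime can add significant overhead because each hit traps into the kernel", which also makes the context-switch explanation later in the sentence follow naturally.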
0 comments on commit 3468fab