The king of gesticulation is back and I am here for it. What an interesting topic.

An example of eBPF use in production is NGINX webserver, when running as multiple processes and using just one shared UDP port for QUIC & HTTP/3, the eBPF program would route the packets to the correct NGINX webserver process. Which is a very useful optimization.

Similar to shader programming where the c code is passed as a string to the GPU driver. The GPU driver compiles, schedules, then executes the shader on whatever hardware you have.

You said the compiler rejected the infinite loop, but the kernel actually contains a verifier to prevent infinite eBPF programs from loading, and from the traceback it looks like the failure happened when you tried to attach the program, not when you compiled it. Also, the failure location is given in instructions, not line numbers, so this would be a very unusual compiler error. The fact that eBOF programs are verified by the kernel before being run is an important part of the system, because it means the kernel, not a compiler, determines what kind of programs are safe to run (and the kernel can adjust that definition over time).

Recently the kernel introduced eBPF for the Human interface device subsystem. In short apparently an absurdly fast way to support new mice/keyboards with many buttons. It is absolutely fascinating!!!

Great Episode! I am writing my bachelors thesis on a protocol that uses eBPF to send duplicated udp packets over an redundant path. It also deduplicates the packets with XDP at the destination, it's been really interesting. Also, BCC indeed is a bit dated as far as I read - thats why I used libbpf-rs, which I am really happy with so far. One huge plus of libbpf is that you can write portable code (they call it Compile Once - Run Everywhere) - basically it abstracts away the memory accesses. This way the changing kernel source won't affect compiled eBPF Programs.

I always pictured userland above the kernel and the hardware at the bottom. I will have to watch this video upside down to be able to follow along.

Brilliant explanation of eBPF and great introduction. Thank you!

Always happy to see a new Dr Clegg video!

loved this episode! gave me lots of ideas!

Dr Clegg looks surprisingly similar to Tarantino! Interestingly I am now finishing up my thesis and at one point I was using eBPF to solve a problem. It is such a powerful tool.

eBPF is fantastic! we used it all the time in grad school. it's an absolutely essential tool for doing OS research

This is kind of missing the part of the video where he actually runs the infinite loop and sees what happens to the computer when a rogue kernel process actually runs... Still very interesting video, as someone who worked with userspace networking code (kind of going in the other direction with RDMA - moving all the TCP processing off to the NIC and utilizing userspace to do the rest), this BPF stuff is pretty neat!

Patton Oswalt is such a renaissance man.

"Let's imagine you are working on..Linux - which everyone should be" - truer words were never apoken

That example looks very cool - I usually implement LuaJIT in my projects if i need any extensibility, but i have considered alternatives incl. BPF. It's probably too low level for my needs, but I may play around the example as I've never used BPF before.

Fascinating stuff! Would be nice with another video going deeper on eBPF, looking into how we determine if a program is safe to run. And yes ... everybody loves the Fibonacci sequence hehe

It's an amazing topic, I think it deserves a better videos

Really cool stuff!

Super interesting, I've never heard of this before. I see in the comments that there is even an intermediate compilation standard. Presumably that's something like JVM bytecode but for a kernel VM. I do have to wonder about security though. All the problems with virtual machines, now in your kernel!

When I first looked up “eBPF”, the “packet filtering” bit threw me off 😅. Explaining how this went from a simple packet filter to what eBPF is now was very helpful.

Very nice 👌

I build my own kernels, and I never include anything BPF in them. Same goes for IPv6, Bluetooth, WiFi, initrd and so on. All of a sudden the kernel is a mere 5 MB - instead 100MB plus kernel objects plus initrd.

I'm getting bad flashbacks seeing BPF, XDP and other stuff like this, did some work with that and it was a real pain, although mostly because of the custom kernel and NIC drivers.

Very informative - lots going on under the covers. A rich potential attack vector? Or not, if the eBPF code has to run as root?

You could make a cruel prank where whatever file is open, you could randomly inject extra characters that is returned to the user

Importantly, the kernel verifier not only prevents guaranteed infinite loops, it also prevents any loops which can't be proven to be finite. That might seem like a trivial difference, but it means that the subset of "runnable" eBPF (as opposed to all compilable eBPF) is also not Turing complete, because you can't prove whether or not an arbitrary Turing machine holds, so if we only allow turing machines for which this is possible (i.e. equivalent automata of a higher Chomsky Type), we've excluded some possible programs. I would have really liked a more in-depth look into eBPF bytecode in the video for that reason. As far as I know the verifier checks the programs control flow graph, and if that is not acyclic, rejects the program (consequently loops have to be unrolled by the compiler to be able to pass the verification). But I would have liked to know a bit more about the verification process, and what additionally goes into it. I'm still glad you've shown this demo, thank you!

So if a program require a kernel feature but my kernel isn't compiled with that feature I could use eBPF to essentially run the program without the need of recompiling the kernel with necessary feature?

Justine Tunney used eBPF to make really easy-to-use process-level sandboxing on Linux, inspired by OpenBSD's pledge/unveil syscalls. I would paste a link but Google would eat my comment.

it's still c promotional rules, bpf has a known word size, untyped variables are ints, changing it to u64 is probably the same resulting type

One minor correction at 6:04: I think you're referring to XDP, not XDF.

This is so weird, I just learned about eBPF like a week ago and got really interested in it and started writing some toy programs with it to get a feel for it. So seeing a Computerphile video uploaded just now is kinda creepy.

Induct molz~tmp prnt LN''

I am very tired/Jetlagged and thought I was watching a Ronnie Barker video for a second there!

The only thing more sustantial than the content of the video is the gesticulation :D

Great, more!

Why not load the custom kernel module for this?

wouldn't this (from your example) still run into the problem of that you can't tell if a program will run forever due to the halting problem?

Why would a fibonacci number with N larger than 40 overflow? He was using 64 bit unsgined integers so the limit would be over 18446744073709551615, which is between N=92 and N=93

The correct ways to monitor use of a kernel function on Linux is ftrace. Ideally systemtap would work but in my experience it doesn’t. Dtrace on the other has always worked as documented (on those platforms). For general code write a module.

What if you modify the compiler to allow malicious code?

Its Fletch from Porridge! LEGEND! Nice to see he's finally going straight... 😂

What is that drawing on his wall?

It can detect infinite loops - that's insane

Question: is there any reason to do this in python, or is it because the original code that used python for logic and sorting/filtering of data? Without knowing how much stuff the python class does on the background, it seems like a method to circumvent any help your IDE could offer for writing C, which sounds like a bad time. But if the python-class is doing some magic on the background, writing this in C directly could be much more code than shown here.

The immediate 2 questions I have are: Did they solve the halting problem? And have you tried expressing recursion in terms of the Y combinator? You really need to be careful with your language design when you want to guarantee all programs in it will terminate.

Is this the same as system hooks in windows?

can you do a video on io_uring please

17:00 -- So basically the same as everything else on Linux then?

How does this compare to microkernel where most things are in user space?

Cool. Very.

"what javascript is to the web" ... a mistake?

So you can use Python for EBPF but is not possible with Golang

Looks like a great tool for hackers wanting to implement persistent attacks!

I never realised NICs could run BPF

I really hope that it doesn't become anything like what JavaScript is for the Web.

ok, but if it's so limited, why this weird C syntax ? - Why not something simple? Or Zig like even? (that has built in maximal stack depth, etc.)

I am interested in learning kernel programming.Can anyone suggest where to begin.

nice video!

DKMS is another solution, though not as portable

Wait, you're telling me that the developers of BPF haven't managed to solve the halting problem?

I love hearing the Brits, their accents are so posh!

eBPF controls the Kernel, like an arduino controls a LCD display. This type of technology should be called "Controlling the Kernel as a toy" 🤖

"... let's imagine you're on linux, which everybody should be..."

What implications does it have on security?

Would love to see a video on this by somebody who really knows the topic.

Wow, so this is a fully fledged Linux backdoor, then? How can this be safe at all? Surely there must be exploits that can bypass whatever heuristic they have that prevents compiling and running malicious code.

That white IDE theme is criminal; not only is it blindingly bright but also regular code and comments have the same color 🤣

I think there's a guy whom the devs can ask about whether their "infinite loop detection" system can ever work. Name was Kurt Gödel, if I remember correctly.

ChatGPT thinks they should call it KernelScript.

TempleOS is always ring 0 baby

bro is zesty

This isn't kernel-less as it's still very much using the kernel.

eBPF IS THE BEST THING EVER BUT WITH THE WORST DEVELOPMENT EXPERIENCE 😩😩 eBPF appeals to the masochist in me

Ah yes the human utopian dream. Doing something without actually doing it.

Gee .. Linux developers discovered DTrace😄

Too slow, man - I'm up to 3:40 and you still haven't gotten to the POINT of what eBPF actually is. You just made me curious, so I've gone now to look it up elsewhere...

first

Why is someone who doesn't know much about eBPF is explaining it to other people?

So in short it's a MAJOR security flaw that needs to be patched pronto