Why I'm OBSESSED With eBPF

3,408 views

The Taggart Institute

1 day ago

An introduction to this powerful Linux kernel technology, which I think is the future of endpoint security!
0:00 Intro
1:15 The Name
2:28 Why It's Cool
3:32 Setup
6:52 BPFTrace one-liners
8:59 How It Works
11:38 Writing eBPF Programs
20:13 BlueBPF Intro
20:52 BPF Keylogger
22:43 SSHSpy
25:30 ShellGuardian
28:14 Going Further
Resources
Join our Discord! / discord
BCC: github.com/iovisor/bcc
BPFTrace: github.com/iovisor/bpftrace
BlueBPF: github.com/mttaggart/bluebpf
Kunai: github.com/0xrawsec/kunai

Comments: 8
@nirmalyasengupta6883 26 days ago
Very useful and well-presented. Thank you. I am taking baby steps in Rust-Aya. Clips like this are a fantastic aid. 😊
@maxsterling9908 3 months ago
I have just started to get into it. Thank you for showing us some really cool programs you wrote.
@kalifornia909 6 months ago
Great to see your content again
@alitarek319 5 months ago
Hello, I've seen your "let's build a SOC" live stream. Why hasn't there been a part two? It was absolute fire! I'm currently working on my thesis and that would help a lot fr
@majdahmad1095 1 month ago
Great work, thank you
@yramagicman675 6 months ago
How does this compare to DTrace from the BSD side of things?
@TheTaggartInstitute 6 months ago
This is a really great question! DTrace is quite similar to BPFTrace (in fact, Brendan Gregg literally wrote the book on both!). However, as I understand it, DTrace is scoped to just the predefined tracepoints, without the more flexible probes that eBPF makes available. Additionally, I believe the method of writing the programs and loading them into the kernel is different, but I am certainly no expert on BSD.
@yramagicman675 6 months ago
@TheTaggartInstitute I'm no expert either, but I enjoy Bryan Cantrill's talks so I'm familiar with the ideas of DTrace at a conceptual level. I know DTrace has its own scripting language similar to eBPF, which makes sense if Brendan Gregg worked on both projects in some way. I do think you're correct about the instrumentation methods though. I'm not sure if DTrace is as flexible as eBPF.