Proceedings of the 1st Workshop on eBPF and Kernel Extensions: Latest Articles

Enabling BPF Runtime policies for better BPF management
Proceedings of the 1st Workshop on eBPF and Kernel Extensions Pub Date : 2023-09-10 DOI: 10.1145/3609021.3609297
R. Sahu, Dan Williams
Abstract: As eBPF increasingly and rapidly gains popularity for observability, performance, troubleshooting, and security in production environments, a problem is emerging around how to manage the multitude of BPF programs installed into the kernel. Operators of distributed systems are already beginning to use BPF-orchestration frameworks with which they can set load and access policies for who can load BPF programs and access their resultant data. However, other than a guarantee of eventual termination, operators currently have little to no visibility into the runtime characteristics of BPF programs and thus cannot set policies that ensure their systems still meet crucial performance targets when instrumented with BPF programs. In this paper, we propose that having a runtime estimate will enable better policies that will govern the allowed latency in critical paths. Our key insight is to leverage the existing architecture within the verifier to statically track the runtime cost of all possible branches. Along with dynamically determined runtime estimates for helper functions and knowledge of loop-based helpers' effects on control flow, we generate an accurate, although broad, range estimate for making runtime policy decisions. We further discuss some of the limitations of this approach, particularly in the case of broad estimate ranges as well as complementary tools for BPF runtime management.
Citations: 0
Practical and Flexible Kernel CFI Enforcement using eBPF
Proceedings of the 1st Workshop on eBPF and Kernel Extensions Pub Date : 2023-09-10 DOI: 10.1145/3609021.3609293
Jinghao Jia, Michael V. Le, Salman Ahmed, Dan Williams, H. Jamjoom
Abstract: Enforcing control flow integrity (CFI) in the kernel (kCFI) can prevent control-flow hijack attacks. Unfortunately, current kCFI approaches have high overhead or are inflexible and cannot support complex context-sensitive policies. To overcome these limitations, we propose a kCFI approach that makes use of eBPF (eKCFI) as the enforcement mechanism. The focus of this work is to demonstrate through implementation optimizations how to overcome the enormous performance overhead of this approach, thereby enabling the potential benefits with only modest performance tradeoffs.
Citations: 0
HEELS: A Host-Enabled eBPF-Based Load Balancing Scheme
Proceedings of the 1st Workshop on eBPF and Kernel Extensions Pub Date : 2023-09-10 DOI: 10.1145/3609021.3609307
Rui Yang, Marios Kogias
Abstract: Layer 4 (L4) load balancing is crucial in cloud computing and elastic microservices. Existing L4 load balancer designs can be split into two main categories: centralized designs using a hardware or software middlebox, and decentralized designs in which every node can play the role of the load balancer. Centralized designs offer better scheduling policies and easier worker node management, but suffer from I/O and CPU limitations. Decentralized designs scale better, but are harder to manage. We introduce HEELS, a novel load balancing scheme designed for internal cloud workloads and microservices, achieving the best of both worlds. HEELS uses the load balancer only during the connection establishment and allows clients and servers to communicate directly after that. Supporting general L4 load balancers and requiring no kernel changes, HEELS is readily deployable on the public cloud. We implement HEELS as a set of eBPF programs split across the client and server. Our evaluation shows that HEELS introduces minimal overheads, works with off-the-shelf load balancers (e.g., Katran by Meta), and significantly reduces the costs of cloud load balancers.
Citations: 0
Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing
Proceedings of the 1st Workshop on eBPF and Kernel Extensions Pub Date : 2023-08-03 DOI: 10.1145/3609021.3609301
S. Lim, Xueyuan Han, Thomas Pasquier
Abstract: For safety reasons, unprivileged users today have only limited ways to customize the kernel through the extended Berkeley Packet Filter (eBPF). This is unfortunate, especially since the eBPF framework itself has seen an increase in scope over the years. We propose SandBPF, a software-based kernel isolation technique that dynamically sandboxes eBPF programs to allow unprivileged users to safely extend the kernel, unleashing eBPF's full potential. Our early proof-of-concept shows that SandBPF can effectively prevent exploits missed by eBPF's native safety mechanism (i.e., static verification) while incurring 0%-10% overhead on web server benchmarks.
Citations: 1
Proceedings of the 1st Workshop on eBPF and Kernel Extensions
Proceedings of the 1st Workshop on eBPF and Kernel Extensions Pub Date : 1900-01-01 DOI: 10.1145/3609021
Citations: 0