54 results for "Berkeley Packet Filter"
Search Results
2. Towards securing hard real-time networked embedded devices and systems : a cBPF implementation for an FPGA
- Author
-
Hans Dermot Doran, Sven Schneider, Prosper Leibundgut, Stephan Neuhaus, and Stefan Eberli
- Abstract
In this body of work we describe preliminary work implementing a Berkeley Packet Filter, in its original conception, in an FPGA. The purpose is packet filtering and ingress traffic shaping in security-relevant applications in distributed embedded nodes. We specifically target PROFINET nodes in hard real-time applications, where network security is an open issue. We describe the motivation, implementation and verification, including performance characteristics. We conclude that such a filter can be used not only for protection against simple denial-of-service attacks but also for ingress protocol management and potentially for the implementation of system-wide security policies.
- Published
- 2023
3. PPTMon: Real-Time and Fine-Grained Packet Processing Time Monitoring in Virtual Network Functions
- Author
-
James Won-Ki Hong, Jae-Hyoung Yoo, and Nguyen Van Tu
- Subjects
Flexibility (engineering), Computer Networks and Communications, Computer science, Berkeley Packet Filter, Network packet, Packet processing, Real-time computing, Overhead (computing), Timestamp, Electrical and Electronic Engineering, Virtual network, Network operations center
- Abstract
By softwarizing legacy network functions, Network Function Virtualization (NFV) allows rapid development and deployment of network services as well as simplicity and flexibility in network operations and management. Monitoring the performance characteristics of Virtual Network Functions (VNFs), particularly packet processing time, is important to ensure that VNFs are operating correctly with the desired performance. This is especially crucial for low-latency network services. In this paper, we present Packet Processing Time Monitoring (PPTMon), a real-time, fine-grained, and end-to-end solution for VNF packet processing time monitoring. PPTMon can provide per-hop monitoring for a single VNF as well as end-to-end monitoring for multiple VNFs in a service function chain. PPTMon allows monitoring in both sampling and continuous fashions. Continuously monitoring every packet may greatly degrade the performance of the VNFs and generate a huge amount of monitoring data. PPTMon’s event-filtering algorithm effectively filters out non-important data and reduces the performance overhead. PPTMon processes packets in-stack by embedding timestamp information directly into the packets, thus further reducing the effect on VNF performance. PPTMon is implemented on top of extended Berkeley Packet Filter (eBPF), a Linux framework that allows high-speed packet processing. Our experimental results show that PPTMon can monitor VNF packet processing time with high accuracy and low impact on performance.
- Published
- 2021
4. A Runtime-Enabled P4 Extension to the Open vSwitch Packet Processing Pipeline
- Author
-
Paul Chaignon, Halina Tarasiuk, Mateusz Kossakowski, and Tomasz Osinski
- Subjects
Computer Networks and Communications, Computer science, Network packet, Berkeley Packet Filter, Node (networking), Packet processing, Pipeline (software), Stateful firewall, Operating system, Forwarding plane, Electrical and Electronic Engineering, Protocol (object-oriented programming)
- Abstract
A hypervisor switch, such as Open vSwitch (OVS), plays a key role in virtualized data centers, implementing overlay networking to provide network isolation. The hypervisor switch runs on each compute node as a software application and switches packets between virtual machines. Software switches frequently require upgrades and customization of the network protocol stack to introduce novel or domain-specific networking techniques. However, it is still difficult to extend OVS to support new network features, as it requires mastery of network protocol design, programming expertise, and familiarity with the complex OVS codebase. Moreover, there is currently no solution that enables the deployment of new network features without recompilation of OVS. In this article, we present P4rt-OVS, an original extension of OVS that enables runtime programming of protocol-independent and stateful packet processing pipelines. It extends the forwarding model of OVS with the userspace Berkeley Packet Filter (uBPF), bringing a new extensibility mechanism. Moreover, P4rt-OVS comes with a P4-to-uBPF compiler, which allows developers to write data plane programs in the high-level P4 language, compile them to BPF bytecode and inject them into the OVS packet processing pipeline at runtime. Our design results in a hybrid approach that provides P4 programmability without sacrificing the well-known features of OVS. We provide thorough performance results, including end-to-end performance tests, microbenchmarks and a performance test of an exemplary network application (Broadband Network Gateway). The performance evaluation shows that P4rt-OVS does not introduce significant processing overhead, yet enables runtime protocol extensions and stateful packet processing. Moreover, we discuss features of P4rt-OVS and provide programming guidelines to help developers achieve the best performance of P4 programs for P4rt-OVS.
- Published
- 2021
5. SmartX Multi-Sec: A Visibility-Centric Multi-Tiered Security Framework for Multi-Site Cloud-Native Edge Clusters
- Author
-
Jun-Sik Shin and JongWon Kim
- Subjects
General Computer Science, Network packet, Computer science, Berkeley Packet Filter, Visibility (geometry), General Engineering, Cloud computing, Network topology, lightweight flow capture and filtering, Automated function deployment, three-dimensional visualization, Visualization, multi-site cloud-native edge clouds, security-oriented flow-centric visibility, Scalability, General Materials Science, Electrical engineering. Electronics. Nuclear engineering, Enhanced Data Rates for GSM Evolution, Computer network
- Abstract
Recently, to match the emerging demands for multi-site edge clouds, cloud-based information and communication technology (ICT) infrastructure is rapidly expanding. To protect distributed edge-based cloud assets from network-based threats by recognizing suspicious traffic, cloud operators should monitor the overall underlying topology to categorize and identify the diverse packet traffic flowing through various paths among virtualized and containerized cloud nodes. Perimeter-based network security, which employs security appliances in fixed locations, cannot address this visibility challenge. As a result, in this paper, we propose the SmartX Multi-tier Security (Multi-Sec) framework, which aims to provide intuitive and systematic visibility for multi-site edge-cloud security. SmartX Multi-Sec abstracts the underlying networking topology among multi-site edge clusters as multiple onion-ring-based tiers of physical, virtualized, and containerized cloud nodes. It also provides collective DevSecOps automation features for monitoring, visualizing, and filtering targeted network traffic from the respective tiers of the abstracted topology. The resulting flow-centric visibility of SmartX Multi-Sec is built on extended Berkeley Packet Filter and eXpress Data Path (eBPF/XDP)-based lightweight flow capture and filtering, three-dimensional onion-ring visualization, and automated deployment of DevSecOps functions. By integrating these features, a Proof-of-Concept (PoC) version of the SmartX Multi-Sec framework is realized to verify flexible and scalable flow-centric security for multi-site cloud-native edge clouds.
- Published
- 2021
6. Fast Packet Processing with eBPF and XDP
- Author
-
Luiz F. M. Vieira, Marcos A. M. Vieira, Matheus S. Castanho, Elerson R. S. Santos, Eduardo P. M. Câmara Júnior, and Racyus D. G. Pacífico
- Subjects
Networks middle boxes / network appliances, General Computer Science, Berkeley Packet Filter, Network packet, Computer science, Packet processing, Linux kernel, Network monitoring, Load balancing (computing), Theoretical Computer Science, Instruction set, Networks programming interfaces, Kernel (image processing), Operating system, Networks end nodes
- Abstract
Extended Berkeley Packet Filter (eBPF) is an instruction set and an execution environment inside the Linux kernel. It enables modification, interaction and kernel programmability at runtime. eBPF can be used to program the eXpress Data Path (XDP), a kernel network layer that processes packets close to the NIC for fast packet processing. Developers can write programs in C or P4 and compile them to eBPF instructions, which can be processed by the kernel or by programmable devices (e.g. SmartNICs). Since its introduction in 2014, eBPF has been rapidly adopted by major companies such as Facebook, Cloudflare, and Netronome. Use cases include network monitoring, network traffic manipulation, load balancing, and system profiling. This work aims to present eBPF to an inexpert audience, covering the main theoretical and fundamental aspects of eBPF and XDP, as well as introducing the reader to simple examples that give insight into the general operation and use of both technologies. All code in this paper was tested using kernel version 5.0. A GitHub repository with step-by-step instructions on how to compile, load and run each example shown throughout the text, including a VM with all tools and dependencies necessary to develop eBPF programs, is available at https://github.com/racyusdelanoo/bpf-tutorial.
- Published
- 2020
7. AnyCall: Fast and Flexible System-Call Aggregation
- Author
-
Benedict Herzog, Wolfgang Schröder-Preikschat, Stefan Reif, Timo Hönig, and Luis Gerhorst
- Subjects
FOS: Computer and information sciences, Computer Science - Cryptography and Security, Computer Science - Programming Languages, Berkeley Packet Filter, Computer science, Operating Systems (cs.OS), Linux kernel, Bytecode, Computer Science - Operating Systems, Mode (computer interface), System call, Kernel (statistics), Operating system, Overhead (computing), Compiler, Cryptography and Security (cs.CR), Programming Languages (cs.PL)
- Abstract
Operating systems rely on system calls to allow the controlled communication of isolated processes with the kernel and other processes. Every system call includes a processor mode switch from the unprivileged user mode to the privileged kernel mode. Although processor mode switches are the essential isolation mechanism to guarantee the system's integrity, they induce direct and indirect performance costs, as they invalidate parts of the processor state. In recent years, high-performance network and storage hardware have made the user/kernel transition overhead the bottleneck for IO-heavy applications. To make matters worse, security vulnerabilities in modern processors (e.g., Meltdown) have prompted kernel mitigations that further increase the transition overhead. To decouple system calls from user/kernel transitions, we propose AnyCall, which uses an in-kernel compiler to execute safety-checked user bytecode in kernel mode. This allows for very fast system calls interleaved with error checking and processing logic using only a single user/kernel transition. We have implemented AnyCall based on the Linux kernel's extended Berkeley Packet Filter (eBPF) subsystem. Our evaluation demonstrates that system call bursts are up to 55 times faster using AnyCall and that real-world applications can be sped up by 24% even if only a minimal part of their code is run by AnyCall.
- Published
- 2022
8. Implementing a Batch Filter Using the eBPF System in Linux
- Subjects
Transmission Control Protocol, eXpress Data Path, iptables, Internet Protocol version 6, Internet Protocol version 4, BPF maps, internet packet, Berkeley Packet Filter, User Datagram Protocol
- Abstract
This work is devoted to the development of a packet filter using the eBPF facilities of Linux. The tasks addressed in the course of the work were: study of the subject area, design of the filter, testing of the filter, and a review of comparable tools. The work was carried out on Linux, Debian 11 distribution. Literature describing technologies such as eBPF and XDP was studied. When developing the filter, two programs were created: one directly passes or drops Internet packets, while the second loads the first and allows the user to manage the BPF maps that hold the lists of blocked Internet Protocol addresses or ports. By using XDP, latency is significantly reduced and filtering performance is improved. Further refinement of the created filter is planned.
- Published
- 2022
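The two-program design described in this entry (an XDP program that drops or passes each packet, and a loader that manages the blocklist maps) and the eBPF/XDP introduction in entry 6 both leave the actual program logic implicit. The following is an added example written for this listing, not code from either paper: it models the XDP program's decision logic in plain user-space C so that it compiles and runs anywhere. The XDP verdict values match the kernel's, but the blocklist arrays (standing in for BPF hash maps a loader would populate), the addresses and ports, and the constructed test frames are assumptions of the example.

```c
/* Added example, not code from any paper listed above: a user-space model of an
 * XDP drop/pass program with a blocklist. The header walk and the bounds checks
 * are what a real XDP program must do for the eBPF verifier to accept it; the
 * plain arrays stand in for BPF hash maps that a loader fills from user space.
 * All addresses and ports below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htons/htonl: header fields stay in network byte order */

enum { XDP_DROP = 1, XDP_PASS = 2 };   /* same values as <linux/bpf.h> */
#define ETHERTYPE_IPV4 0x0800
#define PROTO_TCP 6
#define PROTO_UDP 17

struct eth_hdr { uint8_t dst[6]; uint8_t src[6]; uint16_t proto; } __attribute__((packed));
struct ip4_hdr {
    uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off;
    uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr;
} __attribute__((packed));
struct l4_ports { uint16_t sport, dport; } __attribute__((packed)); /* TCP and UDP both start this way */

#define MAX_ENTRIES 16
struct blocklist {                      /* stand-in for two BPF_MAP_TYPE_HASH maps */
    uint32_t ips[MAX_ENTRIES];   size_t n_ips;
    uint16_t ports[MAX_ENTRIES]; size_t n_ports;
};

static int ip_blocked(const struct blocklist *bl, uint32_t saddr)
{
    for (size_t i = 0; i < bl->n_ips; i++) if (bl->ips[i] == saddr) return 1;
    return 0;
}
static int port_blocked(const struct blocklist *bl, uint16_t dport)
{
    for (size_t i = 0; i < bl->n_ports; i++) if (bl->ports[i] == dport) return 1;
    return 0;
}

/* Body of the XDP program. data/data_end mirror xdp_md->data/data_end; every
 * header pointer is checked against data_end before it is dereferenced. */
int xdp_filter(const uint8_t *data, const uint8_t *data_end, const struct blocklist *bl)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end) return XDP_DROP;   /* runt frame */
    if (eth->proto != htons(ETHERTYPE_IPV4)) return XDP_PASS;     /* not IPv4: leave it to the stack */
    const struct ip4_hdr *ip = (const struct ip4_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end) return XDP_DROP;    /* truncated IP header */
    if ((ip->ver_ihl >> 4) != 4) return XDP_DROP;
    size_t ihl = (size_t)(ip->ver_ihl & 0x0f) * 4;
    if (ihl < sizeof *ip) return XDP_DROP;                        /* bogus header length */
    if (ip_blocked(bl, ip->saddr)) return XDP_DROP;
    if (ip->protocol != PROTO_TCP && ip->protocol != PROTO_UDP) return XDP_PASS;
    const struct l4_ports *l4 = (const struct l4_ports *)((const uint8_t *)ip + ihl);
    if ((const uint8_t *)(l4 + 1) > data_end) return XDP_DROP;    /* truncated L4 header */
    if (port_blocked(bl, l4->dport)) return XDP_DROP;
    return XDP_PASS;
}

/* Constructed Ethernet/IPv4/TCP frame with an empty payload (14 + 20 + 20 bytes). */
static size_t build_frame(uint8_t *buf, uint32_t saddr, uint16_t dport)
{
    memset(buf, 0, 54);
    struct eth_hdr *eth = (struct eth_hdr *)buf;
    eth->proto = htons(ETHERTYPE_IPV4);
    struct ip4_hdr *ip = (struct ip4_hdr *)(eth + 1);
    ip->ver_ihl = 0x45; ip->tot_len = htons(40); ip->protocol = PROTO_TCP;
    ip->saddr = saddr; ip->daddr = htonl(0x0A000002);              /* 10.0.0.2 */
    struct l4_ports *l4 = (struct l4_ports *)(ip + 1);
    l4->sport = htons(40000); l4->dport = dport;
    return 54;
}

/* Scenarios: 0 benign, 1 blocked source IP, 2 blocked destination port,
 * 3 frame cut off inside the IP header. Returns the XDP verdict. */
int example_decision(int scenario)
{
    struct blocklist bl = { .n_ips = 1, .n_ports = 1 };
    bl.ips[0] = htonl(0xC0A80A07);                                /* 192.168.10.7 */
    bl.ports[0] = htons(23);                                      /* telnet */
    uint8_t frame[64];
    size_t len;
    switch (scenario) {
    case 0: len = build_frame(frame, htonl(0x0A000001), htons(443)); break;
    case 1: len = build_frame(frame, htonl(0xC0A80A07), htons(443)); break;
    case 2: len = build_frame(frame, htonl(0x0A000001), htons(23)); break;
    case 3: build_frame(frame, htonl(0x0A000001), htons(443)); len = 22; break;
    default: return -1;
    }
    return xdp_filter(frame, frame + len, &bl);
}

int main(void)
{
    for (int s = 0; s < 4; s++)
        printf("scenario %d -> %s\n", s, example_decision(s) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    return 0;
}
```

In a real XDP program the same header walk runs against ctx->data and ctx->data_end and the two lookups become bpf_map_lookup_elem() calls on maps the loader fills; the verifier rejects the program if any of the comparisons against data_end is missing, which is why a truncated frame has to be handled explicitly (here: dropped) rather than assumed away.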
9. RAPLET: Demystifying Publish/Subscribe Latency for ROS Applications
- Author
-
Keisuke Nishimura, Takahiro Ishikawa, Shinpei Kato, and Hiroshi Sasaki
- Subjects
Scheme (programming language), Computer science, Berkeley Packet Filter, Bandwidth (signal processing), Directed acyclic graph, Scheduling (computing), Task (project management), Task analysis, Latency (engineering), Computer network
- Abstract
The problem of real-time scheduling based on the Directed Acyclic Graph (DAG) task model has been extensively studied in the literature. Most of the studies aim at the development of efficient scheduling algorithms to reduce deadline misses and/or improve schedulability bounds on the given task system. In order to guarantee real-time performance of the DAG task model in practice, the latency imposed on the communication between the DAG nodes must be systematically taken into account. This paper aims at demystifying the latency of the Robot Operating System (ROS) as a practical DAG task model, which leverages the publish/subscribe mechanism to send and receive data between the nodes. To this end we present the ROS-Aware Publish/Subscribe Latency Evaluation Tool (RAPLET), which is designed to measure and visualize the details of the publish/subscribe latency in ROS. RAPLET consists of (i) an LD_PRELOAD scheme that inserts function hooks in user-land and (ii) an extended Berkeley Packet Filter (eBPF) scheme that monitors the run-queue level and the network state in kernel-land. The performance analysis on ROS applications, including real-world autonomous driving software, is performed using RAPLET to demonstrate that the publish/subscribe latency imposed on inter-node communication can be demystified and reasoned about with respect to system issues including the message size and network bandwidth consumption.
- Published
- 2021
10. Code Augmentation for Detecting Covert Channels Targeting the IPv6 Flow Label
- Author
-
Marco Zuppelli, Luca Caviglione, Matteo Repetto, Andreas Schaffhauser, and Wojciech Mazurczyk
- Subjects
Berkeley Packet Filter, Network packet, Computer science, Covert channel, security, covert channels, information hiding, Traffic flow (computer networking), code augmentation, stegomalware, network covert channels, IPv6, detection, Scalability, Memory footprint, network security, Malware, Communication channel, Computer network
- Abstract
Information hiding is at the basis of a new wave of malware able to elude common detection mechanisms or remain unnoticed for long periods. To this aim, a key approach exploits network covert channels, i.e., abusive communication paths nested within a legitimate traffic flow. The increasing diffusion of IPv6 makes it attractive for an attacker, especially because of the Flow Label field, which can be manipulated to carry up to 20 secret bits per packet. Unfortunately, gathering data to implement a standalone detection mechanism or to support third-party security tools is a poorly generalizable process and often leads to scalability issues. This paper showcases how to take advantage of code augmentation features (i.e., the extended Berkeley Packet Filter) to detect covert channels targeting the IPv6 Flow Label. To prove its effectiveness, the proposed approach has been tested against Internet-wide traffic traces collected in the wild. Results indicate that it is possible to spot the channel while limiting the memory footprint and the computational burden (e.g., the processed traffic only experiences an additional delay of a few nanoseconds).
- Published
- 2021
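The abstract states why the Flow Label attracts an attacker (20 controllable bits per packet) but not what a per-packet eBPF check would look at. The following is an added example for this listing, not the authors' code and not a reproduction of their method: it models one plausible check in user-space C, counting how often a flow's label changes, because RFC 6437 expects a legitimate flow to keep its label constant while a channel that encodes data in the field cannot. The change threshold, the flow key (source, destination, next header), the table size and the constructed addresses are all assumptions of the example.

```c
/* Added example, not code from the paper above: a user-space model of the
 * per-packet check an eBPF program can run to spot Flow Label misuse. RFC 6437
 * expects the 20-bit label to stay constant for a flow's lifetime; a covert
 * channel that encodes data in it changes the label from packet to packet.
 * State is kept per (src, dst, next header) as a BPF hash map would keep it.
 * The change threshold and all addresses are assumptions of this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct ip6_hdr_ {
    uint8_t  vtc_fl[4];             /* version(4) | traffic class(8) | flow label(20) */
    uint16_t payload_len;
    uint8_t  next_hdr, hop_limit;
    uint8_t  src[16], dst[16];
} __attribute__((packed));

/* Returns the 20-bit flow label, or -1 if the header is truncated or not IPv6. */
long ip6_flow_label(const uint8_t *data, const uint8_t *data_end)
{
    const struct ip6_hdr_ *h = (const struct ip6_hdr_ *)data;
    if ((const uint8_t *)(h + 1) > data_end) return -1;   /* bounds check before any access */
    if ((h->vtc_fl[0] >> 4) != 6) return -1;
    return ((long)(h->vtc_fl[1] & 0x0f) << 16) | ((long)h->vtc_fl[2] << 8) | h->vtc_fl[3];
}

#define MAX_FLOWS 64
#define CHANGE_THRESHOLD 3   /* assumption: three label changes inside one flow raise an alert */
struct flow_state { int used; uint8_t src[16], dst[16], next_hdr; uint32_t last_label, changes; };

/* Find the flow's entry or create it; *fresh is set when it was just created. */
static struct flow_state *flow_lookup(struct flow_state *tbl, const struct ip6_hdr_ *h, int *fresh)
{
    struct flow_state *slot = NULL;
    for (size_t i = 0; i < MAX_FLOWS; i++) {
        struct flow_state *f = &tbl[i];
        if (!f->used) { if (!slot) slot = f; continue; }
        if (f->next_hdr == h->next_hdr && !memcmp(f->src, h->src, 16) && !memcmp(f->dst, h->dst, 16)) {
            *fresh = 0;
            return f;
        }
    }
    if (!slot) return NULL;                   /* table full: a BPF map update would fail here too */
    slot->used = 1; slot->changes = 0; slot->next_hdr = h->next_hdr;
    memcpy(slot->src, h->src, 16); memcpy(slot->dst, h->dst, 16);
    *fresh = 1;
    return slot;
}

/* Per-packet hook body: 1 = flow is at or over the threshold, 0 = nothing to
 * report, -1 = not a parseable IPv6 header or no room left in the table. */
int observe_packet(struct flow_state *tbl, const uint8_t *data, const uint8_t *data_end)
{
    long label = ip6_flow_label(data, data_end);
    if (label < 0) return -1;
    int fresh = 0;
    struct flow_state *f = flow_lookup(tbl, (const struct ip6_hdr_ *)data, &fresh);
    if (!f) return -1;
    if (fresh) { f->last_label = (uint32_t)label; return 0; }
    if ((uint32_t)label != f->last_label) { f->changes++; f->last_label = (uint32_t)label; }
    return f->changes >= CHANGE_THRESHOLD;
}

/* Constructed IPv6/UDP header from 2001:db8::1 to 2001:db8::2 with the given label. */
static size_t build_ip6(uint8_t *buf, uint32_t label)
{
    struct ip6_hdr_ *h = (struct ip6_hdr_ *)buf;
    memset(h, 0, sizeof *h);
    h->vtc_fl[0] = 0x60;
    h->vtc_fl[1] = (label >> 16) & 0x0f; h->vtc_fl[2] = (label >> 8) & 0xff; h->vtc_fl[3] = label & 0xff;
    h->next_hdr = 17;
    h->src[0] = 0x20; h->src[1] = 0x01; h->src[2] = 0x0d; h->src[3] = 0xb8; h->src[15] = 1;
    memcpy(h->dst, h->src, 16); h->dst[15] = 2;
    return sizeof *h;
}

/* Run one flow's label sequence through a fresh detector; returns the alert count. */
int count_alerts(const uint32_t *labels, size_t n)
{
    struct flow_state tbl[MAX_FLOWS];
    memset(tbl, 0, sizeof tbl);
    uint8_t buf[sizeof(struct ip6_hdr_)];
    int alerts = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = build_ip6(buf, labels[i]);
        if (observe_packet(tbl, buf, buf + len) == 1) alerts++;
    }
    return alerts;
}

/* A well-behaved flow keeps one label; a covert flow changes it every packet. */
int demo_steady_flow(void) { const uint32_t l[6] = { 0x12345, 0x12345, 0x12345, 0x12345, 0x12345, 0x12345 }; return count_alerts(l, 6); }
int demo_covert_flow(void) { const uint32_t l[6] = { 0x0A3F1, 0x1C204, 0x0B777, 0x12345, 0x00001, 0xFFFFF }; return count_alerts(l, 6); }
int demo_truncated(void)   { const uint8_t b[8] = { 0x60 }; return (int)ip6_flow_label(b, b + 8); }

int main(void)
{
    printf("steady: %d alerts, covert: %d alerts\n", demo_steady_flow(), demo_covert_flow());
    return 0;
}
```

Run as an eBPF program, the table would be a BPF hash map keyed on (src, dst, next header) and the alert would go out through a ring buffer instead of a return value; the comparison against data_end in ip6_flow_label is the same check the verifier requires before any packet byte is read. A label that changes once (for example, a host that restarts its label generator) stays below the threshold, which is the reason for counting changes rather than flagging the first one.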
11. Kmon: An In-kernel Transparent Monitoring System for Microservice Systems with eBPF
- Author
-
Pengfei Chen, Guangba Yu, Chuanfu Zhang, Wanqi Yang, Tianjun Weng, and Jieqi Cui
- Subjects
Kernel (linear algebra), Memory management, Computer science, Berkeley Packet Filter, Distributed computing, Cloud computing, Software system, Microservices, Tracing, Architecture
- Abstract
Currently, the architecture of software systems is shifting from “monolith” to “microservice”, an important enabling technology of cloud-native systems. Because of the advantages of microservices in agility, efficiency, and scaling, they have become the most popular architecture in the industry. However, as microservice complexity and scale increase, it becomes challenging to monitor such a large number of microservices. Traditional monitoring techniques such as end-to-end tracing do not fit the microservice environment well, because they need code instrumentation with great effort. Moreover, they cannot explore the fine-grained internal states of microservice instances. To tackle this problem, we propose Kmon, an in-kernel transparent monitoring system for microservice systems with extended Berkeley Packet Filter (eBPF). Kmon can provide multiple kinds of run-time information about microservices, such as latency, topology, and performance metrics, with low overhead.
- Published
- 2021
12. Synthesizing Safe and Efficient Kernel Extensions for Packet Processing
- Author
-
Anirudh Sivaraman, Michael D. Wong, Qiongwen Xu, Tanvi Wagle, and Srinivas Narayana
- Subjects
Networking and Internet Architecture (cs.NI), FOS: Computer and information sciences, Berkeley Packet Filter, Computer science, Packet processing, Context (language use), Linux kernel, Computer Science - Networking and Internet Architecture, Bytecode, Kernel (statistics), Operating system, Compiler, Rust (programming language)
- Abstract
Extended Berkeley Packet Filter (BPF) has emerged as a powerful method to extend packet-processing functionality in the Linux operating system. BPF allows users to write code in high-level languages (like C or Rust) and execute it at specific hooks in the kernel, such as the network device driver. To ensure safe execution of a user-developed BPF program in kernel context, Linux uses an in-kernel static checker. The checker allows a program to execute only if it can prove that the program is crash-free, always accesses memory within safe bounds, and avoids leaking kernel data. BPF programming is not easy. One, even modest-sized BPF programs are deemed too large to analyze and rejected by the kernel checker. Two, the kernel checker may incorrectly determine that a BPF program exhibits unsafe behaviors. Three, even small performance optimizations to BPF code (e.g., 5% gains) must be meticulously hand-crafted by expert developers. Traditional optimizing compilers for BPF are often inadequate since the kernel checker's safety constraints are incompatible with rule-based optimizations. We present K2, a program-synthesis-based compiler that automatically optimizes BPF bytecode with formal correctness and safety guarantees. K2 produces code with 6--26% reduced size, 1.36%--55.03% lower average packet-processing latency, and 0--4.75% higher throughput (packets per second per core) relative to the best clang-compiled program, across benchmarks drawn from Cilium, Facebook, and the Linux kernel. K2 incorporates several domain-specific techniques to make synthesis practical, accelerating equivalence-checking of BPF programs by 6 orders of magnitude.
- Published
- 2021
13. Measuring End-to-end Packet Processing Time in Service Function Chaining
- Author
-
Nguyen Van Tu, Jae-Hyoung Yoo, and James Won-Ki Hong
- Subjects
Berkeley Packet Filter, Computer science, Network packet, Packet processing, Network operations center, End-to-end principle, Chaining, Timestamp, Virtual network, Computer network
- Abstract
Network Function Virtualization (NFV) is the key to enable rapid development and deployment of network services as well as simplicity and flexibility in network operations and management. To achieve the maximum benefit of NFV, monitoring the performance characteristics of Virtual Network Functions (VNFs) is crucial. Packet processing time is one of the most important performance metrics when it comes to VNF monitoring. In this paper, we present Packet Processing Time Monitoring (PPTMon) - a real-time, end-to-end solution for VNF packet processing time monitoring. PPTMon can provide per-hop monitoring for a single VNF as well as end-to-end monitoring for multiple VNFs in service function chains. PPTMon works by embedding timestamp information directly into the packets. PPTMon is implemented on top of extended Berkeley Packet Filter (eBPF) - a new Linux framework that allows high-speed packet processing. Our experiment results showed that PPTMon can monitor VNF packet processing time with high accuracy and negligible performance impact.
- Published
- 2020
14. Real-time Monitoring of Packet Processing Time for Virtual Network Functions
- Author
-
Nguyen Van Tu, Jae-Hyoung Yoo, and James Won-Ki Hong
- Subjects
Network packet, Berkeley Packet Filter, Computer science, Packet processing, Network operations center, Server, Overhead (computing), Timestamp, Virtual network, Computer network
- Abstract
By enabling the deployment of softwarized network functions on commodity servers, Network Function Virtualization (NFV) brings many benefits such as rapid development and deployment, and simplicity and flexibility in network operations and management. Monitoring the performance characteristics of Virtual Network Functions (VNFs), such as packet processing time, is crucial to achieving maximum benefit from NFV. In this paper, we present Packet Processing Time Monitoring (PPTMon), a solution for real-time and lightweight VNF packet processing time monitoring. PPTMon embeds timestamp information directly into the packets. PPTMon is implemented using extended Berkeley Packet Filter (eBPF), a new Linux framework that allows high-speed packet processing. Our experiments showed that PPTMon can monitor VNFs with high accuracy and low performance overhead.
- Published
- 2020
15. Real-time Monitoring System for Container Networks in the Era of Microservices
- Author
-
Takashi Shiraishi, Masaaki Noro, Naoki Oguchi, Reiko Kondo, and Yosuke Takano
- Subjects
Service quality, Computer science, Berkeley Packet Filter, Microservices, Virtual machine, Software deployment, Container (abstract data type), Key (cryptography), Web service, Computer network
- Abstract
Large-scale web services are increasingly adopting the microservice architecture, which mainly utilizes container technologies. Microservices are operated on complex configured infrastructures, such as containers, virtual machines, and physical machines. To ensure service quality of microservices, it is important to monitor not only the quality of the services but also the quality of the infrastructures utilized by the services. Therefore, the metrics of the infrastructure related to the services should be traced. The extended Berkeley Packet Filter (eBPF) is a relatively new Linux kernel feature that is effectively used as a sensor of container-network metrics. There are two key challenges in realizing a service-linked monitoring system. One challenge is making the full-stack topology between microservices, containers, and machines visible in order to place the sensors related to the services. The other is dynamic sensor management that can relocate a sensor quickly after the topology changes. In this paper, we propose a real-time monitoring system that creates a full-stack topology and relocates the sensors in conjunction with events from a container orchestrator. The system enables dynamic deployment of the sensors related to the monitored services.
- Published
- 2020
16. Leveraging eBPF to preserve user privacy for DNS, DoT, and DoH queries
- Author
-
Sean Rivera, Radu State, Antonio Ken Iannillo, Vijay K. Gurbani, and Sofiane Lagraa
- Subjects
Computer science [C05] [Engineering, computing & technology], Computer science, Berkeley Packet Filter, DNS, Domain Name System, Computer security, Field (computer science), User privacy, Privacy, Server, Threat model, The Internet, eBPF, Protocol (object-oriented programming)
- Abstract
The Domain Name System (DNS), a fundamental protocol that controls how users interact with the Internet, inadequately provides protection for user privacy. Recently, there have been advancements in the field of DNS privacy and security in the form of the DNS over TLS (DoT) and DNS over HTTPS (DoH) protocols. The advent of these protocols and recent advancements in large-scale data processing have drastically altered the threat model for DNS privacy. Users can no longer rely on traditional methods, and must instead take active steps to ensure their privacy. In this paper, we demonstrate how the extended Berkeley Packet Filter (eBPF) can assist users in maintaining their privacy by leveraging eBPF to provide privacy across standard DNS, DoH, and DoT communications. Further, we develop a method that allows users to enforce application-specific DNS servers. Our method provides users with control over their DNS network traffic and privacy without requiring changes to their applications while adding low overhead.
- Published
- 2020
17. GAPP: A Fast Profiler for Detecting Serialization Bottlenecks in Parallel Linux Applications
- Author
-
Reena Nair and Tony Field
- Subjects
FOS: Computer and information sciences, Computer Science - Performance, Berkeley Packet Filter, Computer science, Serialization, Performance (cs.PF), Computer Science - Distributed, Parallel, and Cluster Computing, Synchronization (computer science), Benchmark (computing), Operating system, GAPP, Overhead (computing), Instrumentation (computer programming), Distributed, Parallel, and Cluster Computing (cs.DC), Context switch
- Abstract
We present a parallel profiling tool, GAPP, that identifies serialization bottlenecks in parallel Linux applications arising from load imbalance or contention for shared resources. It works by tracing kernel context switch events using kernel probes managed by the extended Berkeley Packet Filter (eBPF) framework. The overhead is thus extremely low (an average 4% run time overhead for the applications explored), the tool requires no program instrumentation, and it works for a variety of serialization bottlenecks. We evaluate GAPP using the Parsec3.0 benchmark suite and two large open-source projects: MySQL and Nektar++ (a spectral/hp element framework). We show that GAPP is able to reveal a wide range of bottleneck-related performance issues, for example arising from synchronization primitives, busy-wait loops, memory operations, thread imbalance and resource contention.
- Published
- 2020
18. The rise of eBPF for non-intrusive performance monitoring
- Author
-
Cyril Cassagnes, Lucian Andrei Trestioreanu, Radu State, and Clement Joly
- Subjects
Computer science [C05] [Engineering, computing & technology], Profiling (computer programming), Berkeley Packet Filter, Computer science, Cloud computing, Tracing, monitoring, Embedded system, Interledger, Performance monitoring, Ripple, eBPF, Implementation, performance
- Abstract
In this paper, we explain that container engines are strengthening their isolation mechanisms. Therefore, non-intrusive monitoring becomes a must-have for the performance analysis of containerized user-space applications in production environments. After a literature review and background on Linux subsystems and container isolation concepts, we present our lessons learned from using the extended Berkeley Packet Filter to monitor and profile performance. We carry out the profiling and tracing of several Interledger connectors using two full-fledged implementations of the Interledger protocol specifications.
- Published
- 2020
- Full Text
- View/download PDF
19. Programmable Data Gathering for Detecting Stegomalware
- Author
-
Matteo Repetto, Alessandro Carrega, Marco Zuppelli, and Luca Caviglione
- Subjects
Data collection ,Steganography ,Computer science ,Berkeley Packet Filter ,Process (computing) ,detection ,Covert channel ,02 engineering and technology ,security ,computer.software_genre ,Computer security ,virtualization ,EBPF ,Stegomalware ,020204 information systems ,Information hiding ,Scalability ,0202 electrical engineering, electronic engineering, information engineering ,Covert channels ,Detection ,Syscall tracing ,Malware ,020201 artificial intelligence & image processing ,steganography ,computer - Abstract
The "arms race" against malware developers requires collecting a wide variety of performance measurements, for instance to face threats leveraging information hiding and steganography. Unfortunately, this process can be time-consuming, lack scalability and cause performance degradation within computing and network nodes. Moreover, since the detection of steganographic threats is poorly generalizable, being able to collect attack-independent indicators is of prime importance. To this aim, the paper proposes to take advantage of the extended Berkeley Packet Filter to gather data for detecting stegomalware. To prove the effectiveness of the approach, it also reports some preliminary experimental results obtained as the joint outcome of two H2020 Projects, namely ASTRID and SIMARGL.
- Published
- 2020
20. Beyond socket options: Towards fully extensible Linux transport stacks
- Author
-
Viet-Hoang Tran, Olivier Bonaventure, and UCL - SST/ICTM/INGI - Pôle en ingénierie informatique
- Subjects
Computer Networks and Communications ,business.industry ,Computer science ,Transmission Control Protocol ,Berkeley Packet Filter ,extensible ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,020206 networking & telecommunications ,Linux kernel ,02 engineering and technology ,Multipath TCP ,Multipath ,kernel ,Server ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,The Internet ,Transport layer ,business ,TCP ,eBPF ,Computer network - Abstract
The Transmission Control Protocol (TCP) is one of the most important protocols in today’s Internet. It was designed to be extensible for various use cases. A client can propose to use an extension over a given TCP connection by sending a TCP option that identifies this extension. In practice, deploying a TCP extension is difficult as the maintainers of client stacks often wait until servers implement a given extension and server maintainers look at clients in the same manner. It often takes several years if not a decade to actually deploy a TCP option widely. Our goal is to support experimenting and deploying new TCP options in a quick, simple, and efficient way. This includes inserting new TCP options at the sender side and parsing them at the receiver side. The implementation and the interface should be simple, generic, and introduce as few changes to the kernel code as possible. In this paper, we focus on the Linux TCP stack since it is one of the most widely used TCP stacks, given its utilization on many servers and Android devices. For this purpose, we leverage the extended Berkeley Packet Filter (eBPF), which is a recently developed in-kernel infrastructure to enable high performance and safe programmability to the Linux kernel space. Multipath TCP (MPTCP) is a major TCP extension that enables more capabilities and has richer semantics than regular TCP. We implemented a similar methodology in the Linux MPTCP stack to support new use-cases through custom MPTCP options. Moreover, an eBPF-based framework for user-defined path managers is also proposed, given that subflow management is an important task in Multipath TCP.
- Published
- 2020
21. Building an Extensible Open vSwitch Datapath
- Author
-
Cheng-Chun Tu, Justin Pettit, and Joe Stringer
- Subjects
Network packet ,Berkeley Packet Filter ,business.industry ,Computer science ,Maintainability ,020206 networking & telecommunications ,Linux kernel ,02 engineering and technology ,computer.software_genre ,Porting ,Extensibility ,Virtual machine ,020204 information systems ,Embedded system ,Datapath ,0202 electrical engineering, electronic engineering, information engineering ,Operating system ,General Earth and Planetary Sciences ,business ,computer ,General Environmental Science - Abstract
The virtual switch is the cornerstone of today's virtualized data center. As all traffic to and from virtual machines or containers must pass through a vSwitch, it is the ideal location for network configuration and policy enforcement. The bulk of Open vSwitch functionality is platform-agnostic and portable. However, the datapath, which touches every packet, is unique to each supported platform. Maintaining each datapath requires duplicated effort and the result has been inconsistent support of features across platforms. Even on a single platform, the features supported by a particular kernel version can vary. Further, datapath functionality must be broadly useful, which prevents having application-specific features in the fast path. eBPF, extended Berkeley Packet Filter, enables userspace applications to customize and extend the Linux kernel's functionality. It provides flexible platform abstractions for network functions, and is being ported to a variety of platforms. This paper describes the design, implementation, and evaluation of an eBPF-based extensible OVS datapath. The eBPF OVS datapath delivers the equivalent functionality of the existing OVS kernel datapath, while significantly reducing development pain points around maintainability and extensibility. We demonstrate that these benefits don't necessarily have a trade-off in regards to performance, with the eBPF-based datapath showing negligible overhead compared to the existing kernel datapath.
- Published
- 2017
22. Downright: A Framework and Toolchain for Privilege Handling
- Author
-
Stephan Neuhaus and Remo Schweizer
- Subjects
Web server ,Computer science ,Berkeley Packet Filter ,Linux ,Reverse proxy ,ComputingMilieux_LEGALASPECTSOFCOMPUTING ,Linux kernel ,005: Computerprogrammierung, Programme und Daten ,Privilege (computing) ,Unix ,computer.software_genre ,Toolchain ,System call ,Security ,Operating system ,Privileges ,Instrumentation (computer programming) ,computer - Abstract
© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works., We propose Downright, a novel framework based on Seccomp, Berkeley Packet Filter, and PTrace, that makes it possible to equip new and existing C applications with a request broker architecture. An extensive configuration language allows AppArmor-like configuration that supports programmers in building rules for system call parameter validation and result sanitization. Access to these privileged function calls can be restricted both within Linux kernel and user spaces. Downright's main strength compared to related approaches is that it implements a complete mediation request broker architecture, in which all system calls are vetted before execution, either by the kernel or by a request broker, which runs as another process. This isolates the main program from many failures due to programming bugs and attacks, which would have to pass not only the attacked program, but the request broker also. We argue that this makes acquiring and releasing elevated privileges easier and safer. Downright eliminates the need to write Seccomp programs, instead allowing policies to be expressed declaratively through a rich policy language. We demonstrate the viability of this approach by instrumenting nginx, an industrial-strength web server and reverse proxy. While this instrumentation takes only a single line of code, we argue that even this effort can be avoided by suitable C runtime code. We show that Downright's overhead is substantial, halving nginx's performance, but propose measures for optimisation.
- Published
- 2019
23. Creating Complex Network Services with eBPF: Experience and Lessons Learned
- Author
-
Mauricio Vasquez Bernal, Sebastiano Miano, Fulvio Risso, Matteo Bertrone, and Massimo Tumolo
- Subjects
Source code ,Page fault ,Berkeley Packet Filter ,Computer science ,Distributed computing ,media_common.quotation_subject ,020206 networking & telecommunications ,Linux kernel ,02 engineering and technology ,Complex network ,eBPF, XDP, Linux, network functions, NFV, dataplane ,020204 information systems ,0202 electrical engineering, electronic engineering, information engineering ,Forwarding plane ,Data in transit ,media_common ,Dynamic recompilation - Abstract
The extended Berkeley Packet Filter (eBPF) is a recent technology available in the Linux kernel that enables flexible data processing. However, so far eBPF has mainly been used for monitoring tasks such as memory, CPU, page faults, traffic, and more, with a few examples of traditional network services, e.g., that modify the data in transit. In fact, the creation of complex network functions that go beyond simple proof-of-concept data plane applications has proven to be challenging due to the several limitations of this technology, but at the same time very promising due to some characteristics (e.g., dynamic recompilation of the source code) that are not available elsewhere. Based on our experience, this paper presents the most promising characteristics of this technology and the main encountered limitations, and we envision some solutions that can mitigate the latter. We also summarize the most important lessons learned while exploiting eBPF to create complex network functions and, finally, we provide a quantitative characterization of the most significant aspects of this technology.
- Published
- 2019
24. Simple and precise static analysis of untrusted Linux kernel extensions
- Author
-
Nadav Amit, Leonid Ryzhyk, Nina Narodytska, Noam Rinetzky, Mooly Sagiv, Jorge A. Navas, Elazar Gershuni, and Arie Gurfinkel
- Subjects
Class (computer programming) ,Berkeley Packet Filter ,Computer science ,Distributed computing ,020207 software engineering ,Linux kernel ,02 engineering and technology ,Static analysis ,Abstract interpretation ,Domain (software engineering) ,Kernel (image processing) ,Scalability ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing - Abstract
Extended Berkeley Packet Filter (eBPF) is a Linux subsystem that allows safely executing untrusted user-defined extensions inside the kernel. It relies on static analysis to protect the kernel against buggy and malicious extensions. As the eBPF ecosystem evolves to support more complex and diverse extensions, the limitations of its current verifier, including a high rate of false positives, poor scalability, and lack of support for loops, have become a major barrier for developers. We design a static analyzer for eBPF within the framework of abstract interpretation. Our choice of abstraction is based on common patterns found in many eBPF programs. We observed that eBPF programs manipulate memory in a rather disciplined way, which permits analyzing them successfully with a scalable mixture of very precise abstraction of certain bounded regions with coarser abstractions of other parts of the memory. We use the Zone domain, a simple domain that tracks differences between pairs of registers and offsets, to achieve precise and scalable analysis. We demonstrate that this abstraction is as precise in practice as more costly abstract domains like Octagon and Polyhedra. Furthermore, our evaluation, based on hundreds of real-world eBPF programs, shows that the new tool generates no more false alarms than the existing Linux verifier, while it supports a wider class of programs (including programs with loops) and has better asymptotic complexity.
- Published
- 2019
25. eZTrust
- Author
-
Jacobus Van der Merwe, Hyunseok Chang, Zirak Zaheer, and Sarit Mukherjee
- Subjects
business.industry ,Berkeley Packet Filter ,Network packet ,Computer science ,Distributed computing ,020207 software engineering ,Access control ,Workload ,02 engineering and technology ,Microservices ,Scalability ,0202 electrical engineering, electronic engineering, information engineering ,Data center ,Granularity ,business - Abstract
Emerging microservices-based workloads introduce new security risks in today's data centers as attacks can propagate laterally within the data center relatively easily by exploiting cross-service dependencies. As countermeasures for such attacks, traditional perimeterization approaches, such as network-endpoint-based access control, do not fare well in highly dynamic microservices environments (especially considering the management complexity, scalability and policy granularity of these earlier approaches). In this paper, we propose eZTrust, a network-independent perimeterization approach for microservices. eZTrust allows data center tenants to express access control policies based on fine-grained workload identities, and enables data center operators to enforce such policies reliably and efficiently in a purely network-independent fashion. To this end, we leverage eBPF, the extended Berkeley Packet Filter, to trace authentic workload identities and apply per-packet tagging and verification. We demonstrate the feasibility of our approach through extensive evaluation of our proof-of-concept prototype implementation. We find that, when comparable policies are enforced, eZTrust incurs 2--5 times lower packet latency and 1.5--2.5 times lower CPU overhead than traditional perimeterization schemes.
- Published
- 2019
26. Performance Monitoring with H^2: Hybrid Kernel/eBPF data plane for SRv6 based Hybrid SDN
- Author
-
Lorenzo Bracciale, Paolo Lungaroni, Stefano Salsano, Pierpaolo Loreti, Clarence Filsfils, and Andrea Mayer
- Subjects
Computer Networks and Communications ,Computer science ,Berkeley Packet Filter ,business.industry ,Packet forwarding ,020206 networking & telecommunications ,Throughput ,Linux kernel ,02 engineering and technology ,IP forwarding algorithm ,IPv6 ,Kernel (statistics) ,Embedded system ,0202 electrical engineering, electronic engineering, information engineering ,Forwarding plane ,020201 artificial intelligence & image processing ,Hybrid kernel ,Routing (electronic design automation) ,Routing control plane ,business - Abstract
Segment Routing with IPv6 (SRv6) is a leading Hybrid SDN (HSDN) architecture, as it fully exploits standard IP routing and forwarding both in the control plane and in the data plane. In this paper we design, implement and evaluate a programmable data plane solution for Linux routers called HIKE (HybrId Kernel/eBPF forwarding), integrated in an HSDN/SRv6 architecture. HIKE integrates the conventional Linux kernel packet forwarding with custom designed eBPF/XDP (extended Berkeley Packet Filter/eXtreme Data Path) bypass to speed up performance of SRv6 software routers. Thus, in addition to the hybrid IP/SDN forwarding, we foster an additional hybrid approach inside a Linux forwarding engine combining eBPF/XDP and kernel based forwarding, taking the best from both worlds. Therefore, considering the two different conceptual levels of hybridization, we call our overall solution Hybrid squared or H^2. We have applied the H^2 solution to Performance Monitoring (PM) in Hybrid SDNs, and we show how our HIKE data plane architecture supports SRv6 networking and Performance Monitoring (in particular Loss Monitoring) allowing a significant increase in performance: our implementation results show a remarkable throughput improvement (5x) with respect to a conventional Linux based solution.
- Published
- 2021
27. Performance Implications of Packet Filtering with Linux eBPF
- Author
-
Alexander Kurtz, Dominik Scholz, Georg Carle, Krzysztof Lesiak, Paul Emmerich, and Daniel Raumer
- Subjects
Computer science ,Berkeley Packet Filter ,020206 networking & telecommunications ,02 engineering and technology ,computer.software_genre ,Data structure ,Extensibility ,Firewall (construction) ,Kernel (image processing) ,Virtual machine ,0202 electrical engineering, electronic engineering, information engineering ,User space ,Operating system ,020201 artificial intelligence & image processing ,Compiler ,computer - Abstract
Firewall capabilities of operating systems are traditionally provided by inflexible filter routines or hooks in the kernel. These require privileged access to be configured and are not easily extensible for custom low-level actions. Since Linux 3.0, the Berkeley Packet Filter (BPF) allows user-written extensions in the kernel processing path. The successor, extended BPF (eBPF), improves flexibility and is realized via a virtual machine featuring both a just-in-time (JIT) compiler and an interpreter running in the kernel. It executes custom eBPF programs supplied by the user, effectively moving kernel functionality into user space. We present two case studies on the usage of Linux eBPF. First, we analyze the performance of the eXpress Data Path (XDP). XDP uses eBPF to process ingress traffic before the allocation of kernel data structures which comes along with performance benefits. In the second case study, eBPF is used to install application-specific packet filtering configurations acting on the socket level. Our case studies focus on performance aspects and discuss benefits and drawbacks.
- Published
- 2018
28. Distributed Denial of Service Attack Prevention at Source Machines
- Author
-
Juho Hwang, Masanori Misono, Kaito Yoshida, and Takahiro Shinagawa
- Subjects
Exploit ,Network packet ,business.industry ,Computer science ,Berkeley Packet Filter ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Hypervisor ,Denial-of-service attack ,02 engineering and technology ,computer.file_format ,Virtualization ,computer.software_genre ,Networking hardware ,020204 information systems ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,Executable ,business ,computer ,Computer network - Abstract
A distributed denial of service (DDoS) attack is a serious cyberattack that exhausts a target machine's processing capacity by sending a huge number of packets from hijacked machines. To minimize resource consumption caused by DDoS attacks, filtering attack packets at source machines is the best approach. Although many studies have explored the detection of DDoS attacks, few studies have proposed DDoS attack prevention schemes that work at source machines. We propose a reliable, lightweight, transparent, and flexible DDoS attack prevention scheme that works at source machines. In this scheme, we employ a hypervisor with a packet filtering mechanism on each managed machine to allow the administrator to easily and reliably suppress packet transmissions. To make the proposed scheme lightweight and transparent, we exploit a thin hypervisor that allows pass-through access to hardware (except for network devices) from the operating system, thereby reducing virtualization overhead and avoiding compromising user experience. To make the proposed scheme flexible, we exploit a configurable packet filtering mechanism with a guaranteed safe code execution mechanism that allows the administrator to provide a filtering policy as executable code. In this study, we implemented the proposed scheme using BitVisor and the Berkeley Packet Filter. Experimental results show that the proposed scheme can suppress arbitrary packet transmissions with negligible latency and throughput overhead compared to a bare metal system without filtering mechanisms.
- Published
- 2018
29. Demo/poster abstract: Efficient and flexible packet tracing for virtualized networks using eBPF
- Author
-
Kun Suo, Jia Rao, Wei Chen, and Yong Zhao
- Subjects
Berkeley Packet Filter ,Network packet ,Computer science ,business.industry ,Reliability (computer networking) ,Distributed computing ,Cloud computing ,Tracing ,computer.software_genre ,Abstraction layer ,Scripting language ,Server ,business ,computer - Abstract
As the scale of cloud systems continues to grow, virtualized networks are becoming increasingly important to the performance and reliability of the cloud. Despite many advantages, virtualized networks introduce additional layers of abstraction and make it more difficult to monitor and diagnose performance issues compared to traditional networks. Furthermore, it is challenging to reason about the dynamic performance of virtualized networks. Therefore, there is a great need for fine-grained, user-customizable, and reconfigurable network tracing. To address the above challenges, we propose vNetTracer, an efficient and programmable packet profiler for virtualized networks. vNetTracer relies on the extended Berkeley Packet Filter (eBPF) to dynamically attach user-defined tracing scripts into a live virtualized network without any changes to user programs or restarting the monitored network. Through case studies, we demonstrate the effectiveness of vNetTracer in diagnosing various virtualized networking problems.
- Published
- 2018
30. Realization of handover management in SDNized 3GPP architecture with protocol independent forwarding
- Author
-
Manzoor Ahmed Khan, Sebastian Peters, Xuan-Thuy Dang, and Tobias Dorsch
- Subjects
OpenFlow ,Handover ,business.industry ,Berkeley Packet Filter ,Computer science ,Scalability ,Forwarding plane ,Wireless ,business ,Mobility management ,Software versioning ,Computer network - Abstract
The advent of SDN in mobile networks enables mobility management solutions with a flow-centric perspective. Based on SDN/NFV paradigms the softwarized data plane encourages new architectures for flexible mobile networks with autonomous adaptation and self-optimization capabilities. However, the inherent challenges of the SDN control plane such as scalability or protocol versioning issues are often neglected in those designs. In this work we demonstrate a possible transformation from the rather monolithic 3GPP architecture to a more flexible SDNized network by means of a vertical mobility management solution. We analyze restrictions of the current OpenFlow protocol and propose various extensions as enablers for an SDNized 3GPP architecture that addresses said control plane issues. Using the kernel Berkeley Packet Filter, we show a feasible realization of the extensions, which supports faster integration of novel flexible mobility management approaches.
- Published
- 2018
31. eBPF-based content and computation-aware communication for real-time edge computing
- Author
-
Sabur Baidya, Marco Levorato, and Yan Chen
- Subjects
Networking and Internet Architecture (cs.NI) ,FOS: Computer and information sciences ,Data stream ,Computer science ,Berkeley Packet Filter ,Network packet ,Distributed computing ,020206 networking & telecommunications ,02 engineering and technology ,Replication (computing) ,Computer Science - Networking and Internet Architecture ,Traffic flow (computer networking) ,0202 electrical engineering, electronic engineering, information engineering ,Enhanced Data Rates for GSM Evolution ,Software-defined networking ,Edge computing - Abstract
By placing computation resources within a one-hop wireless topology, the recent edge computing paradigm is a key enabler of real-time Internet of Things (IoT) applications. In the context of IoT scenarios where the same information from a sensor is used by multiple applications at different locations, the data stream needs to be replicated. However, the transportation of parallel streams might not be feasible due to limitations in the capacity of the network transporting the data. To address this issue, a content and computation-aware communication control framework is proposed based on the Software Defined Network (SDN) paradigm. The framework supports multi-streaming using the extended Berkeley Packet Filter (eBPF), where the traffic flow and packet replication for each specific computation process is controlled by a program running inside an in-kernel Virtual Machine (VM). The proposed framework is instantiated to address a case-study scenario where video streams from multiple cameras are transmitted to the edge processor for real-time analysis. Numerical results demonstrate the advantage of the proposed framework in terms of programmability, network bandwidth and system resource savings., This article has been accepted for publication in the IEEE International Conference on Computer Communications (INFOCOM Workshops), 2018
- Published
- 2018
32. Oko
- Author
-
Kahina Lazri, Jerome Francois, Paul Chaignon, Olivier Festor, Thibault Delmas, Orange Labs [Issy les Moulineaux], France Télécom, Resilience and Elasticity for Security and ScalabiliTy of dynamic networked systems (RESIST), Inria Nancy - Grand Est, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Department of Networks, Systems and Services (LORIA - NSS), Laboratoire Lorrain de Recherche en Informatique et ses Applications (LORIA), Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Laboratoire Lorrain de Recherche en Informatique et ses Applications (LORIA), Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS), TELECOM Nancy, Université de Lorraine (UL), Centre National de la Recherche Scientifique (CNRS)-Université de Lorraine (UL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-Université de Lorraine (UL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Laboratoire Lorrain de Recherche en Informatique et ses Applications (LORIA), and Centre National de la Recherche Scientifique (CNRS)-Université de Lorraine (UL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-Université de Lorraine (UL)
- Subjects
021110 strategic, defence & security studies ,OpenFlow ,Berkeley Packet Filter ,Network security ,business.industry ,Computer science ,Network packet ,0211 other engineering and technologies ,020206 networking & telecommunications ,02 engineering and technology ,Pipeline (software) ,Software-Defined Networking ,Datacenter Networks ,Programmable Networks ,[INFO.INFO-NI]Computer Science [cs]/Networking and Internet Architecture [cs.NI] ,Network management ,Stateful firewall ,0202 electrical engineering, electronic engineering, information engineering ,business ,Software-defined networking ,Computer network - Abstract
With the Software-Defined Networking paradigm, software switches emerged as the new edge of datacenter networks. The widely adopted Open vSwitch implements the OpenFlow forwarding model; its simple match-action abstraction eases network management, while providing enough flexibility to define complex forwarding pipelines. OpenFlow, however, cannot express the many packet processing algorithms required for traffic measurement, network security, or congestion diagnosis, as it lacks a persistent state and basic arithmetic and logic operations. This paper presents Oko, an extension of Open vSwitch that enables runtime integration of stateful filtering and monitoring functionalities based on Berkeley Packet Filter (BPF) programs into the OpenFlow pipeline. BPF programs attached to OpenFlow rules act as intelligent filters over packets, while leaving the packets unmodified. This approach enables the transparent extension of Open vSwitch's flow caching architecture, retaining its high-performance benefits. Furthermore, the use of BPF allows for safe runtime extension and prevention of switch failures due to faulty programs. We compare our implementation based on Open vSwitch-DPDK to existing approaches with comparable fault isolation properties and measure a near 2x improvement of performance.
- Published
- 2018
33. Architecture for building hybrid kernel-user space virtual network functions
- Author
-
Kyungchan Ko, James Won-Ki Hong, and Nguyen Van Tu
- Subjects
Network architecture ,Berkeley Packet Filter ,Computer science ,Distributed computing ,020206 networking & telecommunications ,020302 automobile design & engineering ,Linux kernel ,Deep packet inspection ,02 engineering and technology ,0203 mechanical engineering ,Kernel (statistics) ,0202 electrical engineering, electronic engineering, information engineering ,User space ,Hybrid kernel ,Virtual network - Abstract
Network Function Virtualization (NFV) is one of the important aspects of modern network architecture. NFV decouples Network Functions (NFs) from hardware, thereby producing Virtual Network Functions (VNFs) that can run on standard, commodity servers, which in turn mostly run the Linux kernel. In this paper, we propose a general architecture for building hybrid kernel-user space VNFs which leverages the extended Berkeley Packet Filter (eBPF). eBPF is a framework in the Linux kernel that enables network programmability inside the kernel for optimal performance. However, the programmability of eBPF is limited due to the safety and security requirements of the kernel. Our proposed architecture applies a hybrid approach: leave the simple work inside the kernel with eBPF and let complex work be processed in user space. This architecture allows building complex VNFs that have both speed and flexibility. To demonstrate, we use the proposed architecture to build two VNFs: Dynamic Load Balancer and Deep Packet Inspection with Dynamic Sniffing. The evaluation results show that both VNFs significantly outperform the widely used solutions.
- Published
- 2017
34. Randomization Can’t Stop BPF JIT Spray
- Author
-
Nadarajah Asokan, Filippo Bonazzi, and Elena Reshetova
- Subjects
0301 basic medicine ,Software_OPERATINGSYSTEMS ,Network security ,business.industry ,Computer science ,Berkeley Packet Filter ,020206 networking & telecommunications ,Linux kernel ,02 engineering and technology ,computer.software_genre ,Networking hardware ,03 medical and health sciences ,030104 developmental biology ,Just-in-time compilation ,Statistics ,0202 electrical engineering, electronic engineering, information engineering ,Operating system ,Compiler ,Software_PROGRAMMINGLANGUAGES ,business ,computer - Abstract
The Linux kernel Berkeley Packet Filter (BPF) and its Just-In-Time (JIT) compiler are actively used in various pieces of networking equipment where filtering speed is especially important. In 2012, the Linux BPF/JIT compiler was shown to be vulnerable to a JIT spray attack; fixes were quickly merged into the Linux kernel in order to stop the attack. In this paper we show two modifications of the original attack which still succeed on a modern 4.4 Linux kernel, and demonstrate that JIT spray is still a major problem for the Linux BPF/JIT compiler. This work helped to make the case for further and proper countermeasures to the attack, which have then been merged into the 4.7 Linux kernel.
- Published
- 2017
35. Randomization can’t stop BPF JIT spray
- Subjects
ta113, Berkeley Packet Filter, JIT spray, Network security
- Published
- 2017
36. Packet Analysis
- Author
-
Chris Sanders and Jason Smith
- Subjects
Computer science, Network packet, Network security, business.industry, Berkeley Packet Filter, Packet generator, Computer security, computer.software_genre, Data science, Internet Control Message Protocol, Packet analyzer, Data analysis, business, computer, Processing delay
- Abstract
The analysis phase of Network Security Monitoring is predicated on the analysis of data in order to determine whether an incident has occurred. Since most of the data collected by NSM tools is related to network activity, it should come as no surprise that the ability to analyze and interpret packet data is one of the most important skills an analyst can have. In this first chapter of the analysis section of this book, we dive into the world of packet analysis from the perspective of the NSM analyst. The main goal of this chapter is to equip you with the knowledge you need to understand packets at a fundamental level, while providing a framework for understanding the protocols that aren’t covered here. This chapter uses tcpdump and Wireshark to teach these concepts. At the end of the chapter, we also look at capture and display filters for packet analysis.
- Published
- 2014
37. HPAP: High precision active probe for path round-trip delay measurement
- Author
-
Zhou Xu, Wang Jun-feng, Qin Yi-fang, and Chen Shi-qiang
- Subjects
Berkeley Packet Filter, Computer science, computer.internet_protocol, Network packet, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Real-time computing, Overlay network, ComputerApplications_COMPUTERSINOTHERSYSTEMS, Round-trip delay time, Internet protocol suite, Network interface controller, Path (graph theory), Network performance, computer, Data link layer
- Abstract
Path round-trip delay, i.e., path round-trip time (RTT), is one of the key metrics for evaluating network performance, and it also plays a crucial role in several overlay network construction protocols, peer-to-peer (P2P) applications, etc. In this paper, we present HPAP, a high precision active probe for path RTT measurement, which is based on Berkeley Packet Filter (BPF) technology. When the measuring probe packets arrive at or depart from the Network Interface Card (NIC), the BPF can capture them quickly and mark the timestamps immediately. HPAP can then calculate the path RTT value from these timestamps. With this method, the time-stamping point is moved from the application program down to the data link layer of the TCP/IP stack. The experimental results show that the new scheme can nearly eliminate the location error and can practically improve path RTT measurement accuracy. The scheme has a low investment cost, so it can be applied widely.
- Published
- 2012
38. Network Traffic Analysis and Intrusion Detection Using Packet Sniffer
- Author
-
Misbahur Rahman Siddiqui, Mohammed Abdul Qadeer, Mohammad Zahid, and Arshad Iqbal
- Subjects
Berkeley Packet Filter, Computer science, Network packet, business.industry, Network security, Network monitoring, Intrusion detection system, computer.software_genre, Network interface controller, Packet analyzer, Operating system, business, computer, Computer network, Promiscuous mode
- Abstract
Computer software that can intercept and log traffic passing over a digital network or part of a network is better known as a packet sniffer. The sniffer captures these packets by setting the NIC in promiscuous mode and then decodes them. The decoded information can be used in any way, depending on the intention of the person who decodes the data (i.e. for a malicious or beneficial purpose). Depending on the network structure, one can sniff all or just part of the traffic from a single machine within the network. However, there are methods to avoid the traffic narrowing done by switches and gain access to traffic from other systems on the network. This paper focuses on the basics of the packet sniffer and its working, the development of the tool on the Linux platform, and its use for intrusion detection. It also discusses ways to detect the presence of such software on the network and to handle it in an efficient way. Focus has also been placed on analyzing bottleneck scenarios arising in the network using this self-developed packet sniffer. Before the development of this indigenous software, close observation was made of the working behavior of existing sniffer software such as Wireshark (formerly known as Ethereal), tcpdump, and Snort, which served as the base for the development of our sniffer software. For the capture of the packets, the libpcap library has been used. Developing such software gives the developer a chance to incorporate additional features that are not present in the existing ones.
- Published
- 2010
39. Using the IEEE 802.11 Frame Check Sequence as a pseudo random number for packet sampling in wireless networks
- Author
-
Scott Raynel, Murray A. Jorgensen, and Anthony McGregor
- Subjects
Link state packet, business.industry, Computer science, Network packet, Berkeley Packet Filter, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Frame (networking), Real-time computing, Frame check sequence, IEEE 802.11, Packet analyzer, Fast packet switching, business, Computer network
- Abstract
Low power devices such as common wireless router platforms are not capable of performing reliable full packet capture due to resource constraints. In order for such devices to be used to perform link-level measurement on IEEE 802.11 networks, a packet sampling technique is required in order to reliably capture a representative sample of frames. The traditional Berkeley Packet Filter mechanism found in UNIX-like operating systems does not directly support packet sampling as it provides no way of generating pseudo-random numbers and does not allow a filter program to keep state between invocations. This paper explores the use of the IEEE 802.11 Frame Check Sequence as a source of pseudo-random numbers for use when deciding whether to sample a packet. This theory is tested by analysing the distribution of Frame Check Sequences from a large, real world capture. Finally, a BPF program fragment is presented which can be used to efficiently select packets for sampling.
- Published
- 2009
40. Enhancing Network Intrusion Detection with Integrated Sampling and Filtering
- Author
-
Vern Paxson and Jose M. Gonzalez
- Subjects
Transmission Control Protocol, Network packet, Computer science, business.industry, Berkeley Packet Filter, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Path (graph theory), User Datagram Protocol, Filter (signal processing), Intrusion detection system, business, Computer network, Backdoor
- Abstract
The structure of many standalone network intrusion detection systems (NIDSs) centers around a chain of analysis that begins with packets captured by a packet filter, where the filter describes the protocols (TCP/UDP port numbers) and sometimes hosts or subnets to include or exclude from the analysis. In this work we argue for augmenting such analysis with an additional, separately filtered stream of packets. This “Secondary Path” supplements the “Main Path” by integrating sampling and richer forms of filtering into a NIDS's analysis. We discuss an implementation of a secondary path for the Bro intrusion detection system and enhancements we developed to the Berkeley Packet Filter to work in concert with the secondary path. Such an additional packet stream provides benefits in terms of both efficiency and ease of expression, which we illustrate by applying it to three forms of NIDS analysis: tracking very large individual connections, finding “heavy hitter” traffic streams, and implementing backdoor detectors (developed in previous work) with particular ease.
- Published
- 2006
41. The netnice packet filter bridging the structural mismatches in end-host network control
- Author
-
Daniel Mosse and T. Okumura
- Subjects
Unix, Bridging (networking), Network packet, business.industry, Network security, Computer science, Berkeley Packet Filter, Quality of service, Network interface, Virtual network interface, business, Host (network), Computer network
- Abstract
There have been increasing demands for proper monitoring and control in end-host systems, mainly for security and QoS purposes. Nevertheless, existing technologies are insufficient as primitives for end-host security. For example, the Berkeley packet filter (BPF), the most popular monitoring infrastructure for many Unix systems, is intended for packet capture at physical interfaces and is thus not appropriate for monitoring applications, which is sometimes critical for system security. This paper presents a simple solution to the problem, utilizing a hierarchical virtual network interface (VIF) mechanism. A VIF is a new OS abstraction that can be hierarchically structured and attached to OS entities to control their network I/O. We extend VIFs to allow filtering and monitoring of their traffic, and show that this has desirable properties for end-host monitoring and control of traffic. We present our prototype implementation on FreeBSD and evaluate it qualitatively and quantitatively. Demonstrated advantages include: i) the ability to monitor terminating entities at arbitrary granularity, ii) a single consistent framework for both network security and network quality of service, iii) OS independence, iv) efficiency as a control primitive, v) compatibility with the BPF interface and its applications, and vi) flexibility for future functional expansion.
- Published
- 2005
42. xPF: packet filtering for low-cost network monitoring
- Author
-
Angelos D. Keromytis, Sotiris Ioannidis, Kostas G. Anagnostakis, and John Ioannidis
- Subjects
Computer science, business.industry, Berkeley Packet Filter, Distributed computing, Network monitoring, Application software, computer.software_genre, Software, Packet switching, Kernel (image processing), Inefficiency, business, computer, Context switch, Computer network
- Abstract
The ever-increasing complexity of network infrastructures is making the demand for network monitoring tools critical. While the majority of network operators rely on low-cost open-source tools based on commodity hardware and operating systems, the increasing link speeds and complexity of network monitoring applications have revealed inefficiencies in the existing software organization, which may prohibit the use of such tools in high-speed networks. Although several new architectures have been proposed to address these problems, they require significant effort in re-engineering the existing body of applications. We present an alternative approach that addresses the primary sources of inefficiency without significantly altering the software structure. Specifically, we enhance the computational model of the Berkeley packet filter (BPF) to move much of the processing associated with monitoring into the kernel, thereby removing the overhead associated with context switching between the kernel and applications. The resulting packet filter, called xPF, allows new tools to be implemented more efficiently and existing tools to be easily optimized for high-speed networks. We present the design and implementation of xPF as well as several example applications that demonstrate the efficiency of our approach.
- Published
- 2003
43. System for verifying the minimum resources required to run an application (Systém pro ověření minimálních potřebných zdrojů pro běh aplikace)
- Author
-
Smrž, Pavel, Doležal, Jan, and Žák, Jiří
- Abstract
The main goal of this bachelor thesis is to create a system for verifying the minimum resources required to run an application. The theoretical part deals with computer performance evaluation metrics and the operating principles of the Linux operating system. The practical part describes how the design and implementation of the entire system, which uses BPF (Berkeley Packet Filter) technology, was created. The work concludes with testing and evaluation of the whole system. The system was successfully deployed at the partner company BringAuto. It turned out that the operating system is powerful enough to run the applications.
44. System for verifying the minimum resources required to run an application (Systém pro ověření minimálních potřebných zdrojů pro běh aplikace)
- Author
-
Smrž, Pavel, Doležal, Jan, and Žák, Jiří
- Abstract
The main goal of this bachelor thesis is to create a system for verifying the minimum resources required to run an application. The theoretical part deals with computer performance evaluation metrics and the operating principles of the Linux operating system. The practical part describes how the design and implementation of the entire system, which uses BPF (Berkeley Packet Filter) technology, was created. The work concludes with testing and evaluation of the whole system. The system was successfully deployed at the partner company BringAuto. It turned out that the operating system is powerful enough to run the applications.
45. System for verifying the minimum resources required to run an application (Systém pro ověření minimálních potřebných zdrojů pro běh aplikace)
- Author
-
Smrž, Pavel, Doležal, Jan, and Žák, Jiří
- Abstract
The main goal of this bachelor thesis is to create a system for verifying the minimum resources required to run an application. The theoretical part deals with computer performance evaluation metrics and the operating principles of the Linux operating system. The practical part describes how the design and implementation of the entire system, which uses BPF (Berkeley Packet Filter) technology, was created. The work concludes with testing and evaluation of the whole system. The system was successfully deployed at the partner company BringAuto. It turned out that the operating system is powerful enough to run the applications.
46. System for verifying the minimum resources required to run an application (Systém pro ověření minimálních potřebných zdrojů pro běh aplikace)
- Author
-
Smrž, Pavel, Doležal, Jan, and Žák, Jiří
- Abstract
The main goal of this bachelor thesis is to create a system for verifying the minimum resources required to run an application. The theoretical part deals with computer performance evaluation metrics and the operating principles of the Linux operating system. The practical part describes how the design and implementation of the entire system, which uses BPF (Berkeley Packet Filter) technology, was created. The work concludes with testing and evaluation of the whole system. The system was successfully deployed at the partner company BringAuto. It turned out that the operating system is powerful enough to run the applications.
47. System for verifying the minimum resources required to run an application (Systém pro ověření minimálních potřebných zdrojů pro běh aplikace)
- Author
-
Smrž, Pavel and Doležal, Jan
- Abstract
The main goal of this bachelor thesis is to create a system for verifying the minimum resources required to run an application. The theoretical part deals with computer performance evaluation metrics and the operating principles of the Linux operating system. The practical part describes how the design and implementation of the entire system, which uses BPF (Berkeley Packet Filter) technology, was created. The work concludes with testing and evaluation of the whole system. The system was successfully deployed at the partner company BringAuto. It turned out that the operating system is powerful enough to run the applications.
48. System for verifying the minimum resources required to run an application (Systém pro ověření minimálních potřebných zdrojů pro běh aplikace)
- Author
-
Smrž, Pavel and Doležal, Jan
- Abstract
The main goal of this bachelor thesis is to create a system for verifying the minimum resources required to run an application. The theoretical part deals with computer performance evaluation metrics and the operating principles of the Linux operating system. The practical part describes how the design and implementation of the entire system, which uses BPF (Berkeley Packet Filter) technology, was created. The work concludes with testing and evaluation of the whole system. The system was successfully deployed at the partner company BringAuto. It turned out that the operating system is powerful enough to run the applications.
49. System for verifying the minimum resources required to run an application (Systém pro ověření minimálních potřebných zdrojů pro běh aplikace)
- Author
-
Smrž, Pavel and Doležal, Jan
- Abstract
The main goal of this bachelor thesis is to create a system for verifying the minimum resources required to run an application. The theoretical part deals with computer performance evaluation metrics and the operating principles of the Linux operating system. The practical part describes how the design and implementation of the entire system, which uses BPF (Berkeley Packet Filter) technology, was created. The work concludes with testing and evaluation of the whole system. The system was successfully deployed at the partner company BringAuto. It turned out that the operating system is powerful enough to run the applications.
50. System for verifying the minimum resources required to run an application (Systém pro ověření minimálních potřebných zdrojů pro běh aplikace)
- Author
-
Smrž, Pavel and Doležal, Jan
- Abstract
The main goal of this bachelor thesis is to create a system for verifying the minimum resources required to run an application. The theoretical part deals with computer performance evaluation metrics and the operating principles of the Linux operating system. The practical part describes how the design and implementation of the entire system, which uses BPF (Berkeley Packet Filter) technology, was created. The work concludes with testing and evaluation of the whole system. The system was successfully deployed at the partner company BringAuto. It turned out that the operating system is powerful enough to run the applications.
Discovery Service for Jio Institute Digital Library