application level firewalling with ebpf
play

Application-level Firewalling with eBPF Alexander Kurtz September - PowerPoint PPT Presentation

Apr 10, 2024 •39 likes •139 views

Application-level Firewalling with eBPF Alexander Kurtz September 18, 2017 Problem statement Server applications generally bind(2) to the wildcard address Most dont actually need all packets from everywhere but Firewalling is a

  1. Application-level Firewalling with eBPF Alexander Kurtz September 18, 2017

  2. Problem statement ◮ Server applications generally bind(2) to the wildcard address ◮ Most don’t actually need all packets from everywhere but ◮ Firewalling is a system-wide and root-only operation ◮ No plugin-mechanism to install application-specific rules ◮ Even if there where, we would still need root priviledges

  3. Motivation What if we could install firewalling rules onto an application socket? ◮ Application developers could ship default rules with their program ◮ Users would have a generic way to control the network exposure of their applications ◮ Everything would be nicely isolated, no need for complex, system-wide rules

  4. Solution (1/3): eBPF ◮ eBPF is a general purpose VM in the Linux kernel ◮ eBPF bytecode can be attached to a socket to filter incoming packets ◮ communication with user-space and local state possible with eBPF maps ◮ arbitrary code execution in kernel-space, yet secure™ ◮ many other applications, e.g. tracing, load-balancing, . . .

  5. Solution (2/3): bcc ◮ eBPF is byte code (although very high level) ◮ eBPF maps are file descriptors ◮ byte code needs to embed the value of these file descriptors ◮ did I mention you’ll have to write assembly? bcc: ◮ LLVM/clang has a backend for eBPF ◮ bcc makes this available as an easy-to-use library

  6. Solution (3/3): systemd socket activation Old inetd-style socket activation: ◮ inetd calls bind() , listen() , and accept() ◮ the connection socket gets passed to the application as stdin/stdout ◮ nice and simple, but also not very fast New systemd-style socket activation ◮ systemd calls bind() and listen() ◮ the listening socket gets passed to the application as FD 3 ◮ still have dynamic server startup, but no performance penalty

  7. Summary 1. Write an eBPF filter in C 2. Create a server socket / (take server socket from systemd) 3. Load and attach filter to socket with bcc 4. Pass socket to application via systemd socket activation

  8. Overview H o s t A p p l i c a t i o n - l e v e l s y s t e m d A p p l i c a t i o n F i r e w a l l S o c k e t P a s s i n g I n t e r n e t T C S y s t e m - l e v e l P A p p l i c a t i o n - l e v e l P s y s t e m d o / A p p l i c a t i o n r U F i r e w a l l F i r e w a l l S o c k e t P a s s i n g t s D P N e t w o r k - l e v e l A p p l i c a t i o n - l e v e l s y s t e m d F i r e w a l l A p p l i c a t i o n F i r e w a l l S o c k e t P a s s i n g A p p l i c a t i o n - l e v e l F i r e w a l l F o r w a r d p a c k e t t o a p p l i c a t i o n A p p l i c a t i o n - s p e c i f i c A t t a c h A p p l i c a t i o n L L V M / B C C e B P F B y t e c o d e K e r n e l V M r u l e s w r i t t e n i n C a s f i l t e r S o c k e t D r o p p a c k e t Figure 1: Overview

  9. Demo A generic port-knocking filter

  10. Questions Questions?

Recommend

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why eBPF? Target architecture (NFP based NIC) RX Path Flow of eBPF Packet The Flow Processing Core (Fully Programmable) Mapping eBPF -> NFP

668 views • 24 slides
Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q.

Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q.

FOSDEM20 Brussels, 2020-02-01 Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q. Monnet eBPF Update 2/18 eBPF Basics New Features eBPF Universe eBPF Basics Q. Monnet

531 views • 18 slides
eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium

eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium

eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium project fosdem17, February 4, 2017 Daniel Borkmann eBPF in tcs cls bpf and XDP February 4, 2017 1 / 11 Big Picture: eBPF and Networking eBPF:

476 views • 11 slides
Beyond per-CPU atomics and rseq syscall: subset of eBPF bytecode for the do_on_cpu syscall

Beyond per-CPU atomics and rseq syscall: subset of eBPF bytecode for the do_on_cpu syscall

Linux Plumbers Conference 2019 eBPF conf Beyond per-CPU atomics and rseq syscall: subset of eBPF bytecode for the do_on_cpu syscall mathieu.desnoyers@efcios.com Restartable Sequences (RSEQ) in a nutshell System call registering

457 views • 9 slides
Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project

429 views • 39 slides
Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project

612 views • 45 slides
Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal Rostecki Swaminathan Vasudevan Software Engineer Software Engineer mrostecki@suse.com svasudevan@suse.com mrostecki@opensuse.org Whats

2.06k views • 52 slides
Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37,

Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37,

Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37, Manchester Caveats I am not pushing 80Gbits yet (sorry if you were expecting Netflix levels of awesome) See: Sort of Who am I? Gareth Llewellyn

424 views • 38 slides
MPI is too High-Level MPI is too Low-Level Marc Snir High-Level MPI MPI is an Application

MPI is too High-Level MPI is too Low-Level Marc Snir High-Level MPI MPI is an Application

MPI is too High-Level MPI is too Low-Level Marc Snir High-Level MPI MPI is an Application Programming Application Application Interface from MPI-1.0:``Design an application MPI programming interface (not necessarily for

561 views • 19 slides
Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT, PERFORMANCE The Brief. Extended Berkley Packet Filter (eBPF) is a new Linux feature which allows safe and efficient monitoring of kernel functions.

593 views • 27 slides
Fortify your MySQL data security in AWS using ProxySQL and Firewalling Marco Tusa Percona About

Fortify your MySQL data security in AWS using ProxySQL and Firewalling Marco Tusa Percona About

Fortify your MySQL data security in AWS using ProxySQL and Firewalling Marco Tusa Percona About Me Open source enthusiast Principal Consultant Working in DB world over 25 years Open source developer and community contributor

979 views • 48 slides
New (and Exciting!) Developments in Linux Tracing Elena Zannoni (elena.zannoni@oracle.com) Linux

New (and Exciting!) Developments in Linux Tracing Elena Zannoni (elena.zannoni@oracle.com) Linux

<Insert Picture Here> New (and Exciting!) Developments in Linux Tracing Elena Zannoni (elena.zannoni@oracle.com) Linux Engineering, Oracle America Linuxcon Japan 2015 Overview BPF eBPF eBPF main concepts and elements eBPF

601 views • 42 slides
Objectives An ASIC application MSDAP Analyze the application requirement System

Objectives An ASIC application MSDAP Analyze the application requirement System

Objectives An ASIC application MSDAP Analyze the application requirement System level setting of an application Define operation mode Define signals and pins Top level model Write a specification When addressing

681 views • 53 slides
Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org> Proyecto Netfilter <pneira@us.es> University of Sevilla Outline Introduction: Stateless and stateful firewalls Fault-Tolerance

442 views • 21 slides
Low-Overhead System Tracing With eBPF Akshay Kapoor DevOps Engineer @ SAP Labs May 2018

Low-Overhead System Tracing With eBPF Akshay Kapoor DevOps Engineer @ SAP Labs May 2018

Low-Overhead System Tracing With eBPF Akshay Kapoor DevOps Engineer @ SAP Labs May 2018 Low-Overhead System Tracing With eBPF Low-Overhead System Tracing With eBPF Low-Overhead System Tracing With eBPF You don't need to know how to operate

632 views • 26 slides
Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport Example client/server systems and network their application-level protocols: link physical Application-Layer Protocols

281 views • 13 slides
Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport network Example client/server systems and link their application-level protocols: physical Application-Layer Protocols:

432 views • 10 slides
eBPF Perf Tools 2019 ^C @usecs: [256, 512) 2 |

eBPF Perf Tools 2019 ^C @usecs: [256, 512) 2 |

# biolatency.bt Attaching 3 probes... Tracing block device I/O... Hit Ctrl-C to end. eBPF Perf Tools 2019 ^C @usecs: [256, 512) 2 | | [512, 1K) 10 |@

933 views • 39 slides
Application Level Undo & Recovery: Applied to the Pencil Application Presented by: Rafat

Application Level Undo & Recovery: Applied to the Pencil Application Presented by: Rafat

Application Level Undo & Recovery: Applied to the Pencil Application Presented by: Rafat Rashid, Bozhidar Lenchov, Kush Dua Motivation Loss of data detrimental to productivity and motivation Code/configuration/operator errors could

685 views • 14 slides
Th The Ne e Next L Linux S x Super erpower er: eBPF eBPF Prime mer Sasha Goldshtein CTO,

Th The Ne e Next L Linux S x Super erpower er: eBPF eBPF Prime mer Sasha Goldshtein CTO,

Europe 2016 @goldshtn h7ps://s.sashag.n Th The Ne e Next L Linux S x Super erpower er: eBPF eBPF Prime mer Sasha Goldshtein CTO, Sela Group @goldshtn Europe 2016 @goldshtn h7ps://s.sashag.n Europe 2016 @goldshtn h7ps://s.sashag.n

248 views • 24 slides
Linux tc and eBPF. Daniel Borkmann <daniel@iogearbox.net> Noiro Networks / Cisco Systems

Linux tc and eBPF. Daniel Borkmann <daniel@iogearbox.net> Noiro Networks / Cisco Systems

Linux tc and eBPF. Daniel Borkmann <daniel@iogearbox.net> Noiro Networks / Cisco Systems fosdem16, January 31, 2016 Daniel Borkmann tc and cls bpf with eBPF January 31, 2016 1 / 16 Background, history. BPF origins as a generic, fast

326 views • 16 slides
Stateful packet processing with eBPF: An implementation of OpenState interface Quentin Monnet

Stateful packet processing with eBPF: An implementation of OpenState interface Quentin Monnet

FOSDEM17 Brussels, 2017-02-04 Stateful packet processing with eBPF: An implementation of OpenState interface Quentin Monnet < quentin.monnet@6wind.com > @qeole Quentin Monnet (6WIND) | BEBA OpenState and eBPF Agenda 2/34 Ill

558 views • 34 slides
Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge,

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge,

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge, Developer Advocate for Project Calico What prompted the team to add another dataplane to Calico? Calicos Pluggable Dataplane What is eBPF?

312 views • 20 slides
Assessing the Vulnerability of Coastal Wetlands to Sea-Level Rise Application of a Model Patty

Assessing the Vulnerability of Coastal Wetlands to Sea-Level Rise Application of a Model Patty

Assessing the Vulnerability of Coastal Wetlands to Sea-Level Rise Application of a Model Patty Glick Senior Climate Adaptation Specialist National Wildlife Federation Overview of Sea-Level Rise Subsidence, tectonic Ocean circulation

518 views • 21 slides

More recommend