How much code are you testing ? (4)

🧭 Where we left off

Welcome back to our ongoing series on measuring test coverage for binary programs! In part 1 we used Go’s built-in -cover flag — clean and accurate, but only works if you own the source and can recompile. In part 2 we used valgrind and gdb to trace gzip without touching its source. In part 3 we explored Intel PIN, a proper dynamic binary instrumentation framework — powerful, but it came with a ~100MB proprietary C++ SDK and was limited to x86_64. ...

May 13, 2026 · Andrea Manzini

playing with eBPF interface - 2

In the last post we introduced the BCC framework to interface Python code with the eBPF facility. Now we are ready to take one step further!

    #!/usr/bin/python3
    import bcc

    # eBPF program (C): runs on every call to malloc and logs the requested size
    bpf = bcc.BPF(text="""
    #include <uapi/linux/ptrace.h>
    int trace_malloc(struct pt_regs *ctx, size_t size) {
        bpf_trace_printk("size=%d\\n",size);
        return 0;
    };""")

    # attach the handler as a user space probe on libc's malloc
    bpf.attach_uprobe(name="c",sym="malloc",fn_name="trace_malloc")

    # read and print the trace output
    while 1:
        (task, pid, cpu, flags, ts, msg) = bpf.trace_fields()
        print(f"task={task}\tmsg={msg}")

This code is a little more complex, but still quite easy: first of all we use bcc to attach a “user space probe” instead of a kernel probe, and the function being observed will be libc’s malloc. ...

May 19, 2021 · Andrea Manzini

playing with eBPF interface - 1

eBPF is a revolutionary technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. Basically any user can write code for a virtual machine that can interact with the kernel data structures and functions. bcc is a high-level helper interface to eBPF (another is bpftrace). To use it, start by following the installation guide, but if you have a recent Debian system, it’s just a matter of installing some packages: ...

May 11, 2021 · Andrea Manzini

This site does not use cookies or collect any personal data. © 2026 Andrea Manzini.