Berkeley Packet Filter
Developer(s) | Steven McCanne, Van Jacobson |
---|---|
Initial release | December 19, 1992 |
Operating system | Multiple |
The Berkeley Packet Filter (BPF; also BSD Packet Filter, classic BPF or cBPF) is a
BPF is used by programs that need to, among other things, analyze network traffic. If the driver for the network interface supports promiscuous mode, it allows the interface to be put into that mode so that all packets on the network can be received, even those destined to other hosts.
The BPF filtering mechanism is available on most Unix-like operating systems. BPF is sometimes used to refer to just the filtering mechanism, rather than to the entire interface. Some systems, such as Linux and Tru64 UNIX, provide a raw interface to the data link layer other than the BPF raw interface but use the BPF filtering mechanisms for that raw interface.
The Linux kernel provides an extended version of the BPF filtering mechanism, called eBPF, which uses a JIT mechanism, and which is used for packet filtering, as well as for other purposes in the kernel. eBPF is also available for Microsoft Windows.[2]
History
The original paper was written by
Raw data-link interface
BPF provides
In 2007, Robert Watson and Christian Peron added zero-copy buffer extensions to the BPF implementation in the FreeBSD operating system,[4] allowing kernel packet capture in the device driver interrupt handler to write directly to user process memory in order to avoid the requirement for two copies for all packet data received via the BPF device. While one copy remains in the receipt path for user processes, this preserves the independence of different BPF device consumers, as well as allowing the packing of headers into the BPF buffer rather than copying complete packet data.[5]
Filtering
BPF's filtering capabilities are implemented as an interpreter for a
BPF is often extended by "overloading" the load (ld) and store (str) instructions.
Traditional Unix-like BPF implementations can be used in userspace, despite being written for kernel-space. This is accomplished using preprocessor conditions.
Extensions and optimizations
Some projects use BPF instruction sets or execution techniques different from the originals.
Some platforms, including
Kernel-mode interpreters for that same virtual machine language are used in raw data link layer mechanisms in other operating systems, such as
Implementations
A user-mode interpreter for BPF is provided with the libpcap/WinPcap/Npcap implementation of the
Another user-mode interpreter is uBPF, which supports JIT and eBPF (without cBPF). Its code has been reused to provide eBPF support in non-Linux systems.[6] Microsoft's eBPF on Windows builds on uBPF and the PREVAIL formal verifier.[7] rBPF, a Rust rewrite of uBPF, is used by the Solana blockchain platform as the execution engine.[8]
Programming
Classic BPF is generally emitted by a program from some very high-level textual rule describing the pattern to match. One such representation is found in
bpf_asm
tool (cBPF), bpfc
(cBPF), and the ubpf
assembler (eBPF). The bpftool
command can also act as a disassembler for both flavors of BPF. The assembly languages are not necessarily compatible with each other.
eBPF bytecode has recently become a target of higher-level languages. LLVM added eBPF support in 2014, and GCC followed in 2019. Both toolkits allow compiling C and other supported languages to eBPF. A subset of P4 can also be compiled into eBPF using BCC, an LLVM-based compiler kit.[10]
Security
The Spectre attack could leverage the Linux kernel's eBPF interpreter or JIT compiler to extract data from other kernel processes.[11] A JIT hardening feature in the kernel mitigates this vulnerability.[12]
Chinese computer security group Pangu Lab said the NSA used BPF to conceal network communications as part of a complex Linux backdoor.[13]
eBPF
Since version 3.18, the Linux kernel includes an extended BPF virtual machine with ten 64-bit registers, termed
See also
References
- ^ a b McCanne, Steven; Jacobson, Van (1992-12-19). "The BSD Packet Filter: A New Architecture for User-level Packet Capture" (PDF).
- ^ "Microsoft embraces Linux kernel's eBPF super-tool, extends it for Windows". The Register. 2021-05-11. Archived from the original on 2021-05-11.
- ^ McCanne, Steven; Jacobson, Van (January 1993). "The BSD Packet Filter: A New Architecture for User-level Packet Capture". USENIX.
- ^ "bpf(4) Berkeley Packet Filter". FreeBSD. 2010-06-15.
- ^ Watson, Robert N. M.; Peron, Christian S. J. (2007-03-09). "Zero-Copy BPF" (PDF).
- ^ "generic-ebpf/generic-ebpf". GitHub. 28 April 2022.
- ^ "microsoft/ebpf-for-windows: eBPF implementation that runs on top of Windows". GitHub. Microsoft. 11 May 2021.
- ^ "Overview | Solana Docs".
- ^ "BPF syntax". biot.com.
- ^ "Dive into BPF: a list of reading material". qmonnet.github.io.
- ^ "Reading privileged memory with a side-channel". Project Zero team at Google. January 3, 2018. Retrieved January 20, 2018.
- ^ "bpf: introduce BPF_JIT_ALWAYS_ON config". git.kernel.org. Archived from the original on 2020-10-19. Retrieved 2021-09-20.
- ^ "Anatomy of suspected top-tier decade-hidden NSA backdoor". The Register. February 23, 2022. Retrieved February 24, 2022.
- ^ "Linux kernel 3.18, Section 1.3. bpf() syscall for eBFP virtual machine programs". kernelnewbies.org. December 7, 2014. Retrieved September 6, 2019.
- ^ Jonathan Corbet (September 24, 2014). "The BPF system call API, version 14". LWN.net. Retrieved January 19, 2015.
- ^ Jonathan Corbet (July 2, 2014). "Extending extended BPF". LWN.net. Retrieved January 19, 2015.
- ^ "Linux kernel 3.19, Section 11. Networking". kernelnewbies.org. February 8, 2015. Retrieved February 13, 2015.
- ^ Jonathan Corbet (December 10, 2014). "Attaching eBPF programs to sockets". LWN.net. Retrieved February 13, 2015.
- ^ "Linux kernel 4.1, Section 11. Networking". kernelnewbies.org. June 21, 2015. Retrieved October 17, 2015.
- ^ "BPF and XDP Reference Guide". cilium.readthedocs.io. April 24, 2017. Retrieved April 23, 2018.
- ^ "BPF and XDP Reference Guide — Cilium 1.6.5 documentation". docs.cilium.io. Retrieved 2019-12-18.
- ^ "bpf: introduce bounded loops". git.kernel.org. June 19, 2019. Retrieved August 19, 2022.
Further reading
- McCanne, Steven; Jacobson, Van (1992-12-19). "The BSD Packet Filter: A New Architecture for User-level Packet Capture" (PDF).
External links
- FreeBSD Kernel Interfaces Manual – an example of conventional BPF –
- bpfc, a Berkeley Packet Filter compiler, Linux BPF JIT disassembler (part of netsniff-ng)
- BPF Documentation, for Linux kernel
- Linux filter documentation, for both cBPF and eBPF bytecode formats