Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Writing an experimental eBPF disassembler

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Drumato Drumato
July 24, 2021
Programming
380
0

Writing an experimental eBPF disassembler

適当にLTネタになるかな,と思って作った話.
https://github.com/Drumato/ebpf-disasm

Avatar for Drumato

Drumato

July 24, 2021

More Decks by Drumato

See All by Drumato
Compotable Platform Shift ~AWS全面移設におけるプラットフォームエンジニアリングの実践~
Avatar for Drumato drumato
0
90
仕様と実装で学ぶOpenTelemetry
Avatar for Drumato drumato
2
2.9k
Activities about Kubernetes operation improvements as an SRE
Avatar for Drumato drumato
3
700
DEMO Apps recently implemented
Avatar for Drumato drumato
0
120
An incremental approach to implement an admission controller
Avatar for Drumato drumato
0
280
Components of Kubernetes Cluster
Avatar for Drumato drumato
0
390
cybozu-labs-youth-10th
Avatar for Drumato drumato
1
1.2k

Other Decks in Programming

See All in Programming
JOAI2026 1st solution - heron0519 -
Avatar for heron0519 heron0519
0
140
ローカルで稼働する AI エージェントを超えて / beyond-local-ai-agents
Avatar for geeawa gawa
3
280
ついに来た!本格的なマルチクラウド時代の Google Cloud
Avatar for maroon1st maroon1st
0
120
forteeの改修から振り返るPHPerKaigi 2026
Avatar for muno92 muno92
PRO
3
290
The Monolith Strikes Back: Why AI Agents ❤️ Rails Monoliths
Avatar for Rodrigo Serradura serradura
0
340
Claude Code × Gemini × Ebitengine ゲーム制作素人WebエンジニアがGoでゲームを作った話
Avatar for webzawa webzawa
0
140
GNU Makeの使い方 / How to use GNU Make
Avatar for kaityo256 kaityo256
PRO
16
5.6k
TiDBのアーキテクチャから学ぶ分散システム入門 〜MySQL互換のNewSQLは何を解決するのか〜 / tidb-architecture-study
Avatar for DPon dznbk
1
180
ルールルルルルRubyの中身の予備知識 ── RubyKaigiの前に予習しなイカ?
Avatar for ydah ydah
1
190
検索設計から
推論設計への重心移動と
Recall-First Retrieval
Avatar for po3rin po3rin
1
360
Swift Concurrency Type System
Avatar for Yasuhiro Inami inamiy
0
530
Xdebug と IDE による デバッグ実行の仕組みを見る / Exploring-How-Debugging-Works-with-Xdebug-and-an-IDE
Avatar for shin1x1 shin1x1
0
380

Featured

See All Featured
Unlocking the hidden potential of vector embeddings in international SEO
Avatar for Frank van Dijk frankvandijk
0
770
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
810
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
Avatar for Andy Polaine apolaine
0
270
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.7k
Building a A Zero-Code AI SEO Workflow
Avatar for Ian Lurie portentint
PRO
0
450
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
31
5.9k
Abbi's Birthday
Avatar for Violet Bock coloredviolet
2
7.1k
Ten Tips & Tricks for a 🌱 transition
Avatar for Manu Carrasco Molina stuffmc
0
99
It's Worth the Effort
Avatar for 3n 3n
188
29k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
72
12k
Jess Joyce - The Pitfalls of Following Frameworks
Avatar for Tech SEO Connect techseoconnect
PRO
1
140
Information Architects: The Missing Link in Design Systems
Avatar for Michelle Chin soysaucechin
0
890

Transcript

  1. eBPF disassemblerを作る Drumato

  2. Attention! • 完全準拠ではない • torvalds/linux/samples/bpfのkernel side sourceがそれっぽくなればOKまで をやった

  3. 背景

  4. なんとなくeBPFについての記事を読んでた

  5. "基本的に命令長は64bit固定" という記述を見る

  6. 素敵! disasm書きたい! (x64を想いつつ)

  7. 書く

  8. 身につける必要があった知識 • Object file上でeBPF functionがどのように表現されているか • Opcode encoding/immediateの形式を知る

  9. あとは頑張って書く

  10. これはassembler自作と大して変わらない

  11. ELF Header

  12. eBPF object file#ELF Header

  13. eBPF object file#ELF Header

  14. E_machine以外は普通のrelocに見える

  15. Section Header Table

  16. eBPF object file#SHT

  17. eBPF object file#SHT .textはあるけど 中身は空

  18. eBPF object file#SHT SEC("socket1")のように 書いたsymbolが sectionに

  19. eBPF object file#SHT eBPF mapsもsectionに Entry sizeは Programで決まっていて, Shdr.sh_entsizeを読んでも わからない

    Key + valueのどちらも可変なので entsizeは使えないか(linkとinfoは?)

  20. eBPF object file#SHT これは単に"GPL\0"という文字列が 入っているだけ

  21. Symbol table

  22. eBPF object file#symtab

  23. ぱっと見特に気になる点はなし

  24. eBPF object file#summary • なんとなく以下を満たすsectionをdisasすれば良さそう ◦ Shdr.sh_type == SHT_PROGBITS ◦

    Shdr.sh_flags & (SHF_ALLOC | SHF_EXECINSTR) != 0 ◦ Shdr.sh_size > 0

  25. eBPF instruction architecture

  26. eBPF instruction architecture#overview

  27. eBPF instruction architecture#overview OpcodeEncoding head byteをどう解釈するか

  28. eBPF instruction architecture#overview InstructionClass Opcodeをどう解釈するか Ex1. ic=0x04ならopcode=0x00はAdd ic=0x05ならopcode=0x00はJA

  29. eBPF instruction format ArithOrJump Memory

  30. eBPF instruction format ArithOrJump Memory ADD/SUB/MUL/DIV/MOD/LSH etc.. JA/JEQ/JGT/JSLT/ etc...

  31. eBPF instruction format ArithOrJump Memory Use src field as register

    If S bit is up

  32. eBPF instruction format ArithOrJump Memory ALU/ALU64/JMP/JMP64

  33. eBPF instruction format ArithOrJump Memory IMM/MEM/IND/ABS etc

  34. eBPF instruction format ArithOrJump Memory Byte/Half word/Word/Double Word

  35. eBPF instruction format ArithOrJump Memory LD/LDX/ST/STX

  36. わかったら書く!書く!

  37. 機械語programmingは手動かす!

  38. disasm#tips • Building block的に作ると良い ◦ Opcode type/InstClass typeを作ってEncoding typeを作る ▪

    それぞれのdecoderを書く ◦ それら(とsrc/dst/offset/imm)をまとめてInstruction typeを作る ▪ decoderを次々呼ぶだけ • srcは ooooxxxx のようになっているけど,4bit rshすると使いやすい ◦ Register numberに変換する感覚

  39. disasm#summary

  40. disasm#summary

  41. このくらいのしょぼ完成度なら サクッと数時間で作れる

  42. references • Linux Socket Filtering aka Berkeley Packet Filter (BPF)

    - www.kernel.org • Drumato/ebpf-disasm … 実装 ◦ 完全じゃないよ(Memory InstClassは適当)

  43. Thanks!