bpftime: A userspace eBPF runtime for Uprobe and Syscall

Figure: left, original kernel with eBPF; right, bpftime.

Bpftime is a project positioned as a runtime and a virtual machine designed to run eBPF programs in user space.

Bpftime enables eBPF tracing and process-intervention programs to run entirely in user space, using facilities such as uprobe and system call interception.

About bpftime

One of the notable features of bpftime is its ability to dramatically reduce overhead by eliminating unnecessary context switches. Compared to the uprobe and uretprobe facilities provided by the Linux kernel, bpftime can reduce overhead by up to ten times, which not only improves performance but also greatly simplifies the debugging process.

Interception of system calls and integration of uprobe checks are implemented using binary rewriting of the executable. This technique modifies the machine code of the running application so that system call sites, function entry points and local functions are replaced with a jump to the debugging handlers.
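The entry-point rewriting just described can be seen in miniature in the following added example, which is not bpftime's code: it patches the first bytes of a function inside the running process with an absolute jump to a replacement handler, on x86-64 and AArch64. The function names (target_add, hook_add, install_jump_hook) and the replacement handler are constructed for illustration; the only real interfaces it relies on are mprotect(2), sysconf(3) and the compiler's __builtin___clear_cache.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed target: the function whose entry point will be rewritten.
   The volatile temporary keeps the compiled body larger than the patch so
   the rewrite never spills into a neighbouring symbol. */
__attribute__((noinline)) int target_add(int a, int b) {
    volatile int tmp = a;
    tmp += b;
    return tmp;
}

/* Constructed handler the rewritten entry jumps to. Same signature, so the
   caller's arguments are already in the right registers on arrival. */
__attribute__((noinline)) int hook_add(int a, int b) {
    return (a + b) * 100;   /* deliberately different result so the hook is observable */
}

/* Call the target through a volatile pointer so the compiler cannot inline
   it or fold the result away; this mirrors an unmodified caller. */
int call_target(int a, int b) {
    int (*volatile fp)(int, int) = target_add;
    return fp(a, b);
}

/* Make the page(s) covering [addr, addr+len) writable as well as executable. */
static int make_writable(void *addr, size_t len) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* Overwrite the first bytes of `from` with an absolute jump to `to`.
   Returns 0 on success, -1 on an unsupported architecture or mprotect failure. */
int install_jump_hook(void *from, void *to) {
    unsigned char patch[24];
    size_t len;
#if defined(__x86_64__)
    /* endbr64 ; movabs rax, imm64 ; jmp rax  (endbr64 is a NOP without IBT) */
    static const unsigned char endbr64[4] = {0xF3, 0x0F, 0x1E, 0xFA};
    memcpy(patch, endbr64, 4);
    patch[4] = 0x48; patch[5] = 0xB8;       /* movabs rax, imm64 */
    memcpy(patch + 6, &to, 8);
    patch[14] = 0xFF; patch[15] = 0xE0;     /* jmp rax */
    len = 16;
#elif defined(__aarch64__)
    /* bti c ; ldr x16, #8 ; br x16 ; .quad target  (bti c is a NOP without BTI) */
    uint32_t bti_c = 0xD503245F, ldr_x16 = 0x58000050, br_x16 = 0xD61F0200;
    memcpy(patch, &bti_c, 4);
    memcpy(patch + 4, &ldr_x16, 4);
    memcpy(patch + 8, &br_x16, 4);
    memcpy(patch + 12, &to, 8);
    len = 20;
#else
    (void)from; (void)to;
    return -1;
#endif
    if (make_writable(from, len) != 0)
        return -1;
    memcpy(from, patch, len);
    /* Flush the instruction cache where needed (no-op on x86). */
    __builtin___clear_cache((char *)from, (char *)from + len);
    return 0;
}

int main(void) {
    printf("before hook: %d\n", call_target(2, 3));
    if (install_jump_hook((void *)target_add, (void *)hook_add) != 0) {
        perror("install_jump_hook");
        return 1;
    }
    printf("after hook:  %d\n", call_target(2, 3));
    return 0;
}
```

Two points worth noting. First, this hook replaces the function outright; a hook that must resume the original (the uprobe-style entry/exit interception listed below) also has to copy the displaced instructions to a trampoline and relocate any PC-relative ones, which this example omits. Second, the mprotect call leaves a writable-and-executable text page behind, which is exactly the condition a defender can spot in /proc/PID/maps when auditing for in-process instrumentation.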

Additionally, bpftime offers the advantage of being potentially usable on systems without a Linux kernel, and it does not require the elevated privileges that loading an eBPF program into the kernel would. This makes it highly accessible and versatile across a variety of environments and system configurations.

Bpftime offers a wide range of operations to manipulate and control functions, attach handlers, filter system calls, and perform various actions, including:

  • Replacement or modification of functions.
  • Attach handlers (hooks) and filters.
  • Redirect, block or replace system call parameters.
  • Interception of entry and exit points of functions.
  • Replacing a handler at an arbitrary offset in the code.

A notable feature of Bpftime is its ability to attach to any running process on the system without the need to restart or rebuild it. Bpftime can be injected into already running processes through ptrace, or loaded into a process at startup via LD_PRELOAD.

With bpftime, tracing tools such as BCC, bpftrace, and DeepFlow can run in user space. For example, the BCC framework's sslsniff script was demonstrated analyzing and saving encrypted traffic in nginx. In tests, nginx performance drops by 58% when running sslsniff on the kernel side and by 12.3% when moving the program to user space.

Additionally, as part of Bpftime, a runtime is being developed that allows eBPF programs to be attached to system calls and tracepoints. The eBPF virtual machine with JIT allows isolated execution of eBPF programs at the user process level, with support for AOT compilation. A background process facilitates interaction with the kernel and coordinates with the kernel's uprobe subsystem.

The eBPF virtual machine is packaged as a plugin library and provides an API similar to ubpf, which allows the eBPF functionality to be easily integrated into other projects. For aggregating data from multiple processes, shared eBPF maps located in shared memory are supported.

Altogether, Bpftime not only offers a complete set of tools for manipulating and controlling functions at runtime, but also makes it easy to integrate eBPF functionality into other projects, thus providing a flexible and powerful solution for various applications and usage scenarios. Additionally, support for standard eBPF programs written for use in the kernel, and the use of standard clang- and libbpf-based tools for compilation, ensure an efficient and consistent development experience.

For those interested in the project, you should know that the project code is written in C/C++ and is distributed under the MIT license, which ensures its accessibility and transparency for the community.

If you would like to learn more about it, you can check the details at the following link.
