Wikipedia

Berkeley Packet Filter

The Berkeley Packet Filter (BPF) is a technology used in certain computer operating systems for programs that need to, among other things, analyze network traffic. It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received.[1] In addition, if the driver for the network interface supports promiscuous mode, it allows the interface to be put into that mode so that all packets on the network can be received, even those destined to other hosts.

Berkeley Packet Filter
Developer(s): Steven McCanne, Van Jacobson
Initial release: December 19, 1992
Operating system: Unix-like (FreeBSD, OpenBSD, NetBSD, DragonFly BSD, macOS, Oracle Solaris 11 and later, AIX, Tru64, Linux, Orbis), Windows

BPF supports filtering packets, allowing a userspace process to supply a filter program that specifies which packets it wants to receive. For example, a tcpdump process may want to receive only packets that initiate a TCP connection. BPF returns only packets that pass the filter that the process supplies. This avoids copying unwanted packets from the operating system kernel to the process, greatly improving performance. The filter program is in the form of instructions for a virtual machine, which are interpreted, or compiled into machine code by a just-in-time (JIT) mechanism and executed, in the kernel.

BPF is sometimes used to refer to just the filtering mechanism, rather than to the entire interface. Some systems, such as Linux and Tru64 UNIX, provide a raw interface to the data link layer other than the BPF raw interface but use the BPF filtering mechanisms for that raw interface. The BPF filtering mechanism is available on most Unix-like operating systems.

The Linux kernel provides an extended version of the BPF filtering mechanism, called eBPF, which uses a JIT mechanism, and which is used for packet filtering, as well as for other purposes in the kernel. eBPF is also available for Microsoft Windows.[2]

Raw data-link interface

BPF provides pseudo-devices that can be bound to a network interface; reads from the device will read buffers full of packets received on the network interface, and writes to the device will inject packets on the network interface.

In 2007, Robert Watson and Christian Peron added zero-copy buffer extensions to the BPF implementation in the FreeBSD operating system,[3] allowing kernel packet capture in the device driver interrupt handler to write directly to user process memory in order to avoid the requirement for two copies for all packet data received via the BPF device. While one copy remains in the receipt path for user processes, this preserves the independence of different BPF device consumers, as well as allowing the packing of headers into the BPF buffer rather than copying complete packet data.[4]

Filtering

BPF's filtering capabilities are implemented as an interpreter for a machine language for the BPF virtual machine, a 32-bit machine with fixed-length instructions, one accumulator, and one index register. Programs in that language can fetch data from the packet, perform arithmetic operations on data from the packet, and compare the results against constants or against data in the packet or test bits in the results, accepting or rejecting the packet based on the results of those tests.

BPF is often extended by "overloading" the load (ld) and store (str) instructions.

Traditional Unix-like BPF implementations can be used in userspace, despite being written for kernel space. This is accomplished using preprocessor conditionals.

Extensions and optimizations

Some projects use BPF instruction sets or execution techniques different from the originals.

Some platforms, including FreeBSD, NetBSD, and WinPcap, use a just-in-time (JIT) compiler to convert BPF instructions into native code in order to improve performance. Linux includes a BPF JIT compiler which is disabled by default.

Kernel-mode interpreters for that same virtual machine language are used in raw data link layer mechanisms in other operating systems, such as Tru64 Unix, and for socket filters in the Linux kernel and in the WinPcap and Npcap packet capture mechanism.

Since version 3.18, the Linux kernel includes an extended BPF virtual machine with ten 64-bit registers, termed extended BPF (eBPF). It can be used for non-networking purposes, such as for attaching eBPF programs to various tracepoints.[5][6][7] Since kernel version 3.19, eBPF filters can be attached to sockets,[8][9] and, since kernel version 4.1, to traffic control classifiers for the ingress and egress networking data path.[10][11] The original and obsolete version has been retroactively renamed to classic BPF (cBPF). Nowadays, the Linux kernel runs eBPF only and loaded cBPF bytecode is transparently translated into an eBPF representation in the kernel before program execution.[12] All bytecode is verified before running to prevent denial-of-service attacks. Until Linux 5.3, the verifier prohibited the use of loops, to prevent potentially unbounded execution times; loops with bounded execution time are now permitted in more recent kernels.[13]

A user-mode interpreter for BPF is provided with the libpcap/WinPcap/Npcap implementation of the pcap API, so that, when capturing packets on systems without kernel-mode support for that filtering mechanism, packets can be filtered in user mode; code using the pcap API will work on both types of systems, although, on systems where the filtering is done in user mode, all packets, including those that will be filtered out, are copied from the kernel to user space. That interpreter can also be used when reading a file containing packets captured using pcap.
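To tie the sections above together (the tcpdump-style filter, the accumulator/index-register virtual machine, load-time verification, and user-mode interpretation), here is an added Python example that is not part of the article or of libpcap: a user-mode interpreter for the cBPF instruction subset that packet filters use, a load-time check in the spirit of the kernel's classic-BPF loader, a filter hand-assembled here to match the tcpdump expression `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` on an Ethernet link, and constructed test frames. Opcode values follow the cBPF encoding shared by Linux and libpcap; the `0x40000` accept length is a snaplen chosen for illustration.

```python
# Minimal user-mode cBPF interpreter (added example; filter and packets are constructed).
import struct

LD, LDX, ALU, JMP, RET = 0x00, 0x01, 0x04, 0x05, 0x06    # instruction classes (Linux/libpcap encoding)
IND, MSH = 0x40, 0xa0                                     # load modes: indexed by X / 4*([k]&0xf)
WIDTH = {0x00: (">I", 4), 0x08: (">H", 2), 0x10: (">B", 1)}   # BPF_W / BPF_H / BPF_B
ALU_OPS = {0x00: lambda a, b: a + b, 0x10: lambda a, b: a - b,
           0x40: lambda a, b: a | b, 0x50: lambda a, b: a & b}
JMP_OPS = {0x10: lambda a, b: a == b, 0x20: lambda a, b: a > b,
           0x30: lambda a, b: a >= b, 0x40: lambda a, b: a & b != 0}

def check_filter(prog, max_insns=4096):
    """Load-time checks like the kernel's: bounded length, final RET, forward in-range jumps only."""
    n = len(prog)
    if not 0 < n <= max_insns or prog[-1][0] & 0x07 != RET:
        raise ValueError("bad length or missing final RET")
    for pc, (code, jt, jf, k) in enumerate(prog):
        if code & 0x07 == JMP and any(pc + 1 + t >= n for t in
                                      ([k] if code & 0xf0 == 0 else [jt, jf])):
            raise ValueError("jump out of range at insn %d" % pc)
    return True

def run_filter(prog, pkt):
    """Execute prog over pkt with accumulator A and index X; return accept length (0 = drop)."""
    a = x = pc = 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        cls, mode, src = code & 0x07, code & 0xe0, code & 0x08
        if cls in (LD, LDX):                    # packet loads only (ABS, IND, MSH modes)
            fmt, size = WIDTH[0x10 if mode == MSH else code & 0x18]
            off = k + (x if mode == IND else 0)
            if off + size > len(pkt):           # out-of-bounds load drops the packet
                return 0
            v = struct.unpack_from(fmt, pkt, off)[0]
            if mode == MSH:                     # ldx 4*([k]&0xf): IPv4 header length
                v = 4 * (v & 0x0f)
            a, x = (v, x) if cls == LD else (a, v)
        elif cls == ALU:
            a = ALU_OPS[code & 0xf0](a, x if src else k) & 0xffffffff
        elif cls == JMP:                        # ja #k, or conditional with jt/jf offsets
            pc += k if code & 0xf0 == 0 else (jt if JMP_OPS[code & 0xf0](a, x if src else k) else jf)
        elif cls == RET:
            return a if code & 0x10 else k      # ret a / ret #k

# Hand-assembled cBPF equivalent of the tcpdump filter (Ethernet link type):
#   tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn      -> accept only initial SYNs
SYN_FILTER = [
    (0x28, 0, 0, 0x0000000c),  # ldh  [12]             EtherType
    (0x15, 0, 9, 0x00000800),  # jeq  #0x800  +0, +9   IPv4? else drop
    (0x30, 0, 0, 0x00000017),  # ldb  [23]             IP protocol
    (0x15, 0, 7, 0x00000006),  # jeq  #6      +0, +7   TCP? else drop
    (0x28, 0, 0, 0x00000014),  # ldh  [20]             IP flags / fragment offset
    (0x45, 5, 0, 0x00001fff),  # jset #0x1fff +5, +0   later fragment has no TCP header: drop
    (0xb1, 0, 0, 0x0000000e),  # ldx  4*([14]&0xf)     X = IP header length
    (0x50, 0, 0, 0x0000001b),  # ldb  [x+27]           TCP flags byte
    (0x54, 0, 0, 0x00000012),  # and  #0x12            keep SYN|ACK bits
    (0x15, 0, 1, 0x00000002),  # jeq  #0x2    +0, +1   SYN without ACK?
    (0x06, 0, 0, 0x00040000),  # ret  #262144          accept (snaplen)
    (0x06, 0, 0, 0x00000000),  # ret  #0               drop
]

def make_packet(proto, tcp_flags=0, frag=0):
    """Constructed Ethernet/IPv4 frame with a minimal 20-byte TCP (or UDP-sized) header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 1, frag, 64, proto, 0, b"\x0a\0\0\1", b"\x0a\0\0\2")
    l4 = struct.pack(">HHIIBBHHH", 40000, 80, 1, 0, 0x50, tcp_flags, 1024, 0, 0)
    return eth + ip + l4
```

A truncated frame is dropped rather than read past its end, and a later IPv4 fragment is dropped because its bytes are payload, not a TCP header; both are the checks a kernel-resident filter relies on to stay safe on untrusted input.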

Another user-mode interpreter is uBPF, which supports JIT and eBPF (without cBPF). Its code has been reused to provide eBPF support in non-Linux systems.[14] Microsoft's eBPF on Windows builds on uBPF and the PREVAIL formal verifier.[15] rBPF, a Rust rewrite of uBPF, is used by the Solana blockchain platform as the execution engine.[16]

Programming

Classic BPF is generally emitted by a program from some very high-level textual rule describing the pattern to match. One such representation is found in libpcap.[17] Classic BPF and eBPF can also be written either directly as machine code, or using an assembly language for a textual representation. Notable assemblers include Linux kernel's bpf_asm tool (cBPF), bpfc (cBPF), and the ubpf assembler (eBPF). The bpftool command can also act as a disassembler for both flavors of BPF. The assembly languages are not necessarily compatible with each other.

eBPF bytecode has recently become a target of higher-level languages. LLVM added eBPF support in 2014, and GCC followed in 2019. Both toolkits allow compiling C and other supported languages to eBPF. A subset of P4 can also be compiled into eBPF using BCC, an LLVM-based compiler kit.[18]

History

The original paper was written by Steven McCanne and Van Jacobson in 1992 while at Lawrence Berkeley Laboratory.[1][19]

In August 2003, SCO Group publicly claimed that the Linux kernel was infringing Unix code which they owned.[20] Programmers quickly discovered that one example they gave was the Berkeley Packet Filter, which in fact SCO never owned.[21] SCO has not explained or acknowledged the mistake, but the ongoing legal action may eventually force an answer.[22]

Security concerns

The Spectre attack could leverage the Linux kernel's eBPF interpreter or JIT compiler to extract data from other kernel processes.[23] A JIT hardening feature in the kernel mitigates this vulnerability.[24]

Chinese computer security group Pangu Lab said the NSA used BPF to conceal network communications as part of a complex Linux backdoor.[25]

See also

  • eBPF
  • Data link layer
  • Proof-carrying code
  • Express Data Path

References

  1. McCanne, Steven; Jacobson, Van (1992-12-19). "The BSD Packet Filter: A New Architecture for User-level Packet Capture" (PDF).
  2. "Microsoft embraces Linux kernel's eBPF super-tool, extends it for Windows". The Register. 2021-05-11. Archived from the original on 2021-05-11.
  3. "bpf(4) Berkeley Packet Filter". FreeBSD. 2010-06-15.
  4. Watson, Robert N. M.; Peron, Christian S. J. (2007-03-09). "Zero-Copy BPF" (PDF).
  5. "Linux kernel 3.18, Section 1.3. bpf() syscall for eBFP virtual machine programs". kernelnewbies.org. December 7, 2014. Retrieved September 6, 2019.
  6. Jonathan Corbet (September 24, 2014). "The BPF system call API, version 14". LWN.net. Retrieved January 19, 2015.
  7. Jonathan Corbet (July 2, 2014). "Extending extended BPF". LWN.net. Retrieved January 19, 2015.
  8. "Linux kernel 3.19, Section 11. Networking". kernelnewbies.org. February 8, 2015. Retrieved February 13, 2015.
  9. Jonathan Corbet (December 10, 2014). "Attaching eBPF programs to sockets". LWN.net. Retrieved February 13, 2015.
  10. "Linux kernel 4.1, Section 11. Networking". kernelnewbies.org. June 21, 2015. Retrieved October 17, 2015.
  11. "BPF and XDP Reference Guide". cilium.readthedocs.io. April 24, 2017. Retrieved April 23, 2018.
  12. "BPF and XDP Reference Guide — Cilium 1.6.5 documentation". docs.cilium.io. Retrieved 2019-12-18.
  13. "bpf: introduce bounded loops". git.kernel.org. June 19, 2019. Retrieved August 19, 2022.
  14. "generic-ebpf/generic-ebpf". GitHub. 28 April 2022.
  15. "microsoft/ebpf-for-windows: eBPF implementation that runs on top of Windows". GitHub. Microsoft. 11 May 2021.
  16. "Overview | Solana Docs".
  17. "BPF syntax". biot.com.
  18. "Dive into BPF: a list of reading material". qmonnet.github.io.
  19. McCanne, Steven; Jacobson, Van (January 1993). "The BSD Packet Filter: A New Architecture for User-level Packet Capture". USENIX.
  20. "SCOsource update". 15 Obfuscated Copying. Archived from the original on August 25, 2003. Retrieved September 5, 2019.
  21. Bruce Perens. "Analysis of SCO's Las Vegas Slide Show". Archived from the original on February 17, 2009.
  22. Moglen, Eben (November 24, 2003). "SCO: Without Fear and Without Research". GNU Operating System. The Free Software Foundation. Retrieved September 5, 2019.
  23. "Reading privileged memory with a side-channel". Project Zero team at Google. January 3, 2018. Retrieved January 20, 2018.
  24. "bpf: introduce BPF_JIT_ALWAYS_ON config". git.kernel.org. Archived from the original on 2020-10-19. Retrieved 2021-09-20.
  25. "Anatomy of suspected top-tier decade-hidden NSA backdoor". The Register. February 23, 2022. Retrieved February 24, 2022.

Further reading

  • McCanne, Steven; Jacobson, Van (1992-12-19). "The BSD Packet Filter: A New Architecture for User-level Packet Capture" (PDF).

External links

  • bpf(4) – FreeBSD Kernel Interfaces Manual – an example of conventional BPF
  • eBPF.io - Introduction, Tutorials & Community Resources
  • bpfc, a Berkeley Packet Filter compiler, Linux BPF JIT disassembler (part of netsniff-ng)
  • BPF Documentation, for Linux kernel
  • Linux filter documentation, for both cBPF and eBPF bytecode formats
  • ebpf-for-windows on GitHub
