BPFd: Powerful Linux Tracing for Remote targets using eBPF


eBPF has gained popularity in low overhead tracing and data aggregation used to understand inner workings of the Linux kernel. The bcc tools based on eBPF work only on x86 machines where they are running locally (host and target are the same). This requires llvm libraries, Python and the kernel sources all installed on the local machine, before eBPF can even work. This installation is easy and readily available as packages on x86 however it is painful to do for arm64 where the tools need to be cross compiled - never mind the fact that kernel sources could take up judicious space on often space constrained arm64 systems. Joel has developed a solution to this problem where one can run bcc tools on a remote machine which has all the dependencies already installed (such as an x86 machine), with the target that needs to be traced remotely connected (such as an arm64 machine). Using this solution, no preparation of the remote target is needed (such as installation of kernel sources, ebpf and python) and debugging of the remote target is possible effortlessly. Joel will show a demo of an android phone connected to an x86 laptop with bcc tools running and will demo various tools such as snooping of various system calls, file I/o activity, etc.

Room 104
Thursday, March 8, 2018 - 10:00 to 11:00