Closed lrishi closed 2 years ago
Catalog all the string related (and adjacent) bpf helpers along with the kernel versions when they became available. Identify what use-cases these bpf helpers enable, which otherwise would be impossible using a custom written algorithm or code block.
I'll just drop this here. Google already provides a really comprehensive list of BPF features (including string helpers) and minimum kernel versions they correspond to.
https://android.googlesource.com/platform/external/bcc/+/master/docs/kernel-versions.md
that's BCC, this is the source (which should be more up to date) https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md
My guess is this one will be important!
BPF_FUNC_d_path() 5.10 6e22ab9da793
To succeed as a viable security enabler, eBPF and eBPF LSM programs need to perform a significant amount and variety of string comparisons on datasets unknown at compile time. Since we quickly start hitting the instruction (or other) limits at any kind of meaningful scale, it might help to deep dive into all the helpers at our disposal.
Outcome:
Motivation: https://github.com/elastic/security-team/issues/5114
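To make the instruction-limit concern above concrete, here is the comparison pattern a BPF LSM program ends up writing by hand once `bpf_d_path()` has filled a buffer: every loop bound is a compile-time constant so the verifier can bound it, and the cost grows with (number of prefixes × prefix length). This is an added illustration, not code from the issue or from any Elastic project; it is built as plain C so it runs in user space, and the allowlist, the buffer sizes and the function names are constructed for the example.

```c
#include <stdio.h>
#include <assert.h>

/* Added illustration (not from the thread). In a real BPF LSM program the
 * `path` buffer would be filled by bpf_d_path() (kernel 5.10+, per the
 * kernel-versions table); here the caller passes a constructed string. */

#define PATH_MAX_LEN   256   /* size of the buffer a BPF program would hand to bpf_d_path() */
#define PREFIX_MAX_LEN  32   /* longest allowlist prefix we ever compare */
#define PREFIX_COUNT     3

/* Every index stays below PATH_MAX_LEN, so reads never leave the path buffer. */
_Static_assert(PREFIX_MAX_LEN <= PATH_MAX_LEN, "prefix bound must fit in path buffer");

/* Constructed allowlist of path prefixes (hypothetical policy, not a real one). */
static const char allowed_prefixes[PREFIX_COUNT][PREFIX_MAX_LEN] = {
    "/usr/bin/",
    "/usr/lib/",
    "/opt/app/",
};

/* Return 1 if `path` starts with `prefix`, comparing at most PREFIX_MAX_LEN
 * bytes. The constant bound is what lets the BPF verifier accept the loop;
 * a NUL in `path` before the prefix ends is simply a byte mismatch. */
static int path_has_prefix(const char *path, const char *prefix)
{
    for (int i = 0; i < PREFIX_MAX_LEN; i++) {
        if (prefix[i] == '\0')
            return 1;               /* whole prefix matched */
        if (path[i] != prefix[i])   /* also catches path ending early */
            return 0;
    }
    return 1;                       /* prefix filled the whole bound and matched */
}

/* Index of the first allowlist prefix that matches `path`, or -1 if none does.
 * Worst case is PREFIX_COUNT * PREFIX_MAX_LEN iterations: fine for three
 * entries, but this is exactly what stops scaling to large datasets. */
int match_allowed_prefix(const char *path)
{
    for (int p = 0; p < PREFIX_COUNT; p++)
        if (path_has_prefix(path, allowed_prefixes[p]))
            return p;
    return -1;
}

int main(void)
{
    /* Constructed sample paths, as bpf_d_path() might return them. */
    const char *samples[] = { "/usr/bin/ls", "/opt/app/run", "/tmp/x", "/usr/bi" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], match_allowed_prefix(samples[i]));
    return 0;
}
```

The design point is that nothing here is data-driven: the allowlist and its bounds are baked in at compile time, so any policy change means a recompile, and every extra entry adds a full bounded scan to the instruction budget. That is the gap the string helpers are meant to close.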