hitsz-ids / duetector

duetector🔍: Data Usage Extensible Detector for data usage observability.
https://dataucon.idslab.io/
Apache License 2.0

Migrate `CloneTracer` to CO-RE #80

Open wunder957 opened 1 year ago

wunder957 commented 1 year ago

We currently use bcc as our BPF framework, which creates some shortcomings: https://github.com/hitsz-ids/duetector/blob/main/docs/design/CO-RE.md#12-status-quo

This issue will migrate the current CloneTracer to CO-RE form to validate our draft and provide a case for CO-RE!

wunder957 commented 1 year ago

@149189 Implement the CloneTracer functionality using the libbpf or aya framework, and make the user-space program conform to our protocols.

Refer:

If you're not familiar with what BPF is and BPF CO-RE, it's best to read this: https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html

149189 commented 1 year ago

@wunder957 I will start implementing. If I have any doubts, I will let you know.

wunder957 commented 1 year ago

@149189 Great! I've assigned this issue to you. Personally, I'd recommend using the libbpf framework, as rust-aya still needs to use a lot of `unsafe` on the kernel side, which is not advantageous for our scenario.

wunder957 commented 1 year ago

We recently created a Slack channel, and you are welcome to join our Slack: https://join.slack.com/t/hitsz-ids/shared_invite/zt-2395mt6x2-dwf0j_423QkAgGvlNA5E1g