hitsz-ids / duetector

duetector🔍: Data Usage Extensible Detector for data usage observability.
https://dataucon.idslab.io/
Apache License 2.0

Migrate `CloneTracer` to CO-RE #80

Open wunder957 opened 1 year ago

wunder957 commented 1 year ago

We currently use bcc as our BPF framework, which creates some shortcomings: https://github.com/hitsz-ids/duetector/blob/main/docs/design/CO-RE.md#12-status-quo

This issue will migrate the current CloneTracer to CO-RE form to validate our draft and provide a case for CO-RE!

wunder957 commented 1 year ago

@149189 Implement the CloneTracer functionality using libbpf or aya frameworks and make the user-space program conform to our protocols

Refer:

If you're not familiar with what BPF is and BPF CO-RE, it's best to read this: https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html

149189 commented 1 year ago

@wunder957 I will start implementing. If I have any doubts, I will let you know.

wunder957 commented 1 year ago

@149189 Great! I've assigned this issue to you. Personally, I'd recommend using the libbpf framework, as rust-aya still needs to use a lot of `unsafe` on the kernel side, which is not advantageous for our scenario.

wunder957 commented 10 months ago

We recently created a Slack channel, and you are welcome to join our Slack: https://join.slack.com/t/hitsz-ids/shared_invite/zt-2395mt6x2-dwf0j_423QkAgGvlNA5E1g