Kernel Tracing With EBPF

Offered By: media.ccc.de via YouTube

Tags

Conference Talks Courses, System Analysis Courses, System Security Courses, eBPF Courses

Course Description

Overview

Explore the powerful capabilities of eBPF (extended Berkeley Packet Filter) for kernel tracing in Linux systems through this comprehensive 54-minute conference talk. Dive into the world of dynamic kernel instrumentation and learn how to gain deep insights into both kernel and userspace code across a running system. Discover practical applications of eBPF beyond code profiling, including defensive and offensive security techniques. Understand the internals of eBPF implementation in the Linux kernel, its features, and integration with various components. Learn about pragmatic approaches to using eBPF, non-idiomatic coding styles required for its sandbox, and potential vulnerabilities. Explore how eBPF can be used to trace kernel functions, inspect code and data flow, and even perform privilege escalation in certain container configurations. Gain valuable knowledge on using eBPF to monitor system actions performantly and uncover process secrets, ultimately unlocking a new level of system insight and control.

Syllabus

Introduction
What is eBPF
Why eBPF
Tracing
eBPF Code
STrace Output
UPF Validator
Kernel Mod
Security Monitoring
Limitations
eBPF


Taught by

media.ccc.de
