eBPF for Cybersecurity - Part 2
Aya is an eBPF library for the Rust programming language, built with a focus on developer experience and operability.
How are ebpf programs written?
You write an eBPF program. Mostly in restricted C.
Compile the program into bytecode using tools like clang
Use bpftool or another high-level program to load bytecode into the kernel
the verification evaluates the eBPF program and ensures its safe to run
the JIT compiler converts the bytecode to native assembly for faster execution
the program is then attached/linked to is hookpoints
Anytime the hookpoint is traversed, our attached middleware gets executed.
the ebpf program you write and run can inspect data in the memory of the processed they attach to. to achieve this you can use header file #include "vmlinux.h" .
basically vmlinux.h is generated code. Linux kernel that contains definitions and declarations for the virtual memory management subsystem. This file is used by the kernel to define the data structures and functions used to manage virtual memory, such as page tables, memory zones, and page flags. It also includes definitions for macros and constants used in the virtual memory management code, such as page sizes, page flags, and memory zones. Overall, vmlinux.h is an important part of the Linux kernel that helps the operating system manage the memory resources of the system.
one of the output artefacts is a file called vmlinux It's also typically packaged with major distribution distributions. this ELF binary contains the compiled bootable kernel inside it.
here is a little walkthrough on ELF101
bpftool that maintained within the Linux repository its has features to read the vmlinux object generate a vmlinux.h
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/bpf/bpftool?h=v5.14
ubuntu $ ls
bin dev home lib32 libx32 media opt root sbin srv sys usr
boot etc lib lib64 lost+found mnt proc run snap swapfile tmp var
check sys/kernel folder
cd sys/kernel
ubuntu $ ls
boot_params config iommu_groups kexec_crash_size mm rcu_expedited slab uevent_helper
btf debug irq kexec_loaded notes rcu_normal software_nodes uevent_seqnum
cgroup fscaps kexec_crash_loaded livepatch profiling security tracing vmcoreinfo
ubuntu $
in the btf you find vimliux object
sudo apt install linux-tools-5.15.0-57-generic
note: Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-57-generic aarch64)
ubuntu@primary:~$ sudo bpftool prog show
62: cgroup_device tag ee0e253c78993a24 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 416B jited 400B memlock 4096B
63: cgroup_device tag 384856681694f215 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 744B jited 644B memlock 4096B
64: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 64B jited 96B memlock 4096B
65: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 64B jited 96B memlock 4096B
69: cgroup_device tag 134b8a301991f6b7 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 504B jited 464B memlock 4096B
70: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 64B jited 96B memlock 4096B
71: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 64B jited 96B memlock 4096B
72: cgroup_device tag 4b9ba398cc75f876 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 496B jited 460B memlock 4096B
73: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 64B jited 96B memlock 4096B
74: cgroup_skb tag 6deef7357e7b4530 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 64B jited 96B memlock 4096B
75: cgroup_device tag 654d7024997e7811 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 464B jited 436B memlock 4096B
76: cgroup_device tag 134b8a301991f6b7 gpl
loaded_at 2023-01-21T11:00:09+0530 uid 0
xlated 504B jited 464B memlock 4096B
"bpftool prog show" is used to list all BPF programs currently loaded on the system (loaded ⇏ attached).
cat my_bpf_program.c
int func()
{
return 0;
}
run using clang
clang -target bpf -Wall -O2 -c my_bpf_program.c -o my_bpf_objfile.o
clang -O2 -emit-llvm -c my_bpf_program.c -o - | llc -march=bpf -mcpu=probe -filetype=obj -o my_bpf_objfile.o
might need to pass the -mcpu option to llcand would use something closer to the following command instead
ubuntu@primary:~$ readelf -x .text my_bpf_objfile.o
Hex dump of section '.text':
0x00000000 b7000000 00000000 95000000 00000000 ................
It worked! We have two eBPF instructions here:
b7 0 0 0000 00000000 # r0 = 0
95 0 0 0000 00000000 # exit and return r0
ebpf assembly instruction:- github.com/iovisor/bpf-docs/blob/master/eBP..
Compiling from C to eBPF bytecode as an object file is really useful. The ELF file produced can directly attach the programs to the various hooks , TC, XDP,Kprobes etc
writing advanced programs as bytecode would be very time-consuming
Compile from C to an eBPF assembly language. Edit the assembly, then assemble it as bytecode in an object file.
Clang and LLVM now allow to do just that! Generating a human-readable version of the program on one side, then assembling it on the other side. Bonus: llvm-objdump can even be used to dump the program contained in an object-file.
Compiling from C to eBPF Assembly
$ cat bpf.c
int func()
{
return 0;
}
$ clang -target bpf -S -o bpf.s bpf.c
$ cat bpf.s
.text
.globl func # -- Begin function func
.p2align 3
func: # @func
# %bb.0:
r1 = 0
*(u32 *)(r10 - 4) = r1
r0 = r1
exit
# -- End function
Great, now let’s modify it and add our instructions at the bottom!
$ sed -i '$a \\tr0 = 3' bpf.s
$ cat bpf.s
.text
.globl func # -- Begin function func
.p2align 3
func: # @func
# %bb.0:
r1 = 0
*(u32 *)(r10 - 4) = r1
r0 = r1
exit
# -- End function
r0 = 3
Assembling to an ELF object file
we can assemble this file into an ELF object file containing bytcode
$ llvm-mc -triple bpf -filetype=obj -o bpf.o bpf.s
lets dump bytecode
$ readelf -x .text bpf.o
Hex dump of section '.text':
0x00000000 b7010000 00000000 631afcff 00000000 ........c.......
0x00000010 bf100000 00000000 95000000 00000000 ................
0x00000020 b7000000 03000000 b7000000 03000000 ................
object file in human-readable format
$ llvm-objdump -d bpf.o
bpf.o: file format ELF64-BPF
Disassembly of section .text:
func:
0: b7 01 00 00 00 00 00 00 r1 = 0
1: 63 1a fc ff 00 00 00 00 *(u32 *)(r10 - 4) = r1
2: bf 10 00 00 00 00 00 00 r0 = r1
3: 95 00 00 00 00 00 00 00 exit
4: b7 00 00 00 03 00 00 00 r0 = 3
you can see we edited r0 = 3
LLVM can embed debug symbols so they can be dumped inspection. we can give the c instruction at the same time as the bytecode . embedding instructions is done by compiling from C with the -g flag passed to clang
$ clang -target bpf -g -S -o bpf.s bpf.c
$ llvm-mc -triple bpf -filetype=obj -o bpf.o bpf.s
$ llvm-objdump -S bpf.o
bpf.o: file format ELF64-BPF
Disassembly of section .text:
func:
; int func() {
0: b7 01 00 00 00 00 00 00 r1 = 0
1: 63 1a fc ff 00 00 00 00 *(u32 *)(r10 - 4) = r1
; return 0;
2: bf 10 00 00 00 00 00 00 r0 = r1
3: 95 00 00 00 00 00 00 00 exit
another way is an inline assembly (https://docs.cilium.io/en/latest/bpf/#llvm)
In short, instead of compiling an eBPF program from C to an ELF object file, you can alternatively compile it to an assembly language, edit it according to your needs, and then assemble this version as the final object file. For this, you need clang and LLVM in version 6.0 and higher, and the commands are:
$ clang -target bpf -S -o bpf.s bpf.c
$ llvm-mc -triple bpf -filetype=obj -o bpf.o bpf.s
dump in human-readable format
$ llvm-objdump -d bpf.o
$ llvm-objdump -S bpf.o # add C code, if -g was passed to clang
In the whole series of ebpf we are going to use https://github.com/aya-rs/aya - Aya is an eBPF library for the Rust programming language, built with a focus on developer experience and operability.
So why Rust? C is fine
As you saw in the last article, BPF programs are typically programmed in C. But why couldn't we use Rust? It can be just as low level as C.
The biggest win in my mind is the ergonomics that could be achieved (which I will hopefully be able to improve across these next few posts) along with the crates ecosystem which has enormous potential when compared to the C BPF ecosystem. It could be argued that because of the verifier, the borrow checker is moot, but I don't see it in quite the same light. Sure the verifier will enforce specific checks and be arguably far more strict than the borrow checker but that
doesn't mean we can't get any use out of leaning on Rust's borrowing system.
Of course, there is the subjective benefit that I'm more productive in Rust, and far more proficient with Rust than with C. Plus if I'm writing the supporting applications/libraries in Rust it'd be nice to stay in a single language when possible.
Install rust on linux
sudo apt-get update
curl https://sh.rustup.rs -sSf | sh -s -- -y
source $HOME/.cargo/env
rustup --version
rustup install stable
rustup toolchain install nightly --component rust-src
sudo apt install build-essential
sudo apt-get update
sudo apt install build-essential
Before working with aya, you need to install bpf-linker crate. If you are running on a Linux x86_64 system, use the following command:
cargo install bpf-linker
If you are running Linux on any other architecture (e.g. arm64), you need to install LLVM 15 first (using https://apt.llvm.org/ or packages for your distribution) and then use the following command:
cargo install --no-default-features --features system-llvm bpf-linker
cargo-generate is a developer tool to help you get up and running quickly with a new Rust project by leveraging a pre-existing git repository as a template.
cargo install cargo-generate --locked cargo
use aya template to generate different type of ebpf program
cargo generate https://github.com/aya-rs/aya-template
⚠️ Favorite `https://github.com/aya-rs/aya-template` not found in config, using it as a git repository: https://github.com/aya-rs/aya-template
🤷 Project Name: aya-rust-sangam
🔧 Destination: /home/ubuntu/aya-rust-sangam ...
🔧 project-name: aya-rust-sangam ...
🔧 Generating template ...
✔ 🤷 Which type of eBPF program? · cgroup_sysctl
[ 1/35] Done: .cargo/config.toml [ 2/35] Done: .cargo [ 3/35] Done: .gitignore [ 4/35] Done: .vim/coc-settings.json [ 5/35] Done: .vim [ 6/35] Done: .vscode/settings.json [ 7/35] Done: .vscode [ 8/35] Done: Cargo.toml [ 9/35] Done: README.md [10/35] Ignored: pre-script.rhai [11/35] Done: xtask/Cargo.toml [12/35] Done: xtask/src/build_ebpf.rs [13/35] Done: xtask/src/main.rs [14/35] Done: xtask/src/run.rs [15/35] Done: xtask/src [16/35] Done: xtask [17/35] Done: aya-rust-sangam/Cargo.toml [18/35] Done: aya-rust-sangam/src/main.rs [19/35] Done: aya-rust-sangam/src [20/35] Done: aya-rust-sangam [21/35] Done: aya-rust-sangam-common/Cargo.toml [22/35] Done: aya-rust-sangam-common/src/lib.rs [23/35] Done: aya-rust-sangam-common/src [24/35] Done: aya-rust-sangam-common [25/35] Done: aya-rust-sangam-ebpf/.cargo/config.toml [26/35] Done: aya-rust-sangam-ebpf/.cargo [27/35] Done: aya-rust-sangam-ebpf/.vim/coc-settings.json [28/35] Done: aya-rust-sangam-ebpf/.vim [29/35] Done: aya-rust-sangam-ebpf/.vscode/settings.json [30/35] Done: aya-rust-sangam-ebpf/.vscode [31/35] Done: aya-rust-sangam-ebpf/Cargo.toml [32/35] Done: aya-rust-sangam-ebpf/rust-toolchain.toml [33/35] Done: aya-rust-sangam-ebpf/src/main.rs [34/35] Done: aya-rust-sangam-ebpf/src [35/35] Done: aya-rust-sangam-ebpf 🔧 Moving generated files into: `/home/ubuntu/aya-rust-sangam`...
💡 Initializing a fresh Git repository
✨ Done! New project created /home/ubuntu/aya-rust-sangam
ubuntu@ip-172-31-56-217:~$
here the structure of the program
└── aya-rust-sangam
├── Cargo.toml
├── README.md
├── aya-rust-sangam
│ ├── Cargo.toml
│ └── src
│ └── main.rs
├── aya-rust-sangam-common
│ ├── Cargo.toml
│ └── src
│ └── lib.rs
├── aya-rust-sangam-ebpf
│ ├── Cargo.toml
│ ├── rust-toolchain.toml
│ └── src
│ └── main.rs
└── xtask
├── Cargo.toml
└── src
├── build_ebpf.rs
├── main.rs
└── run.rs
CgroupSysctl programs can be attached to a cgroup and will be called every time a process inside that cgroup tries to read from or write to a sysctl knob in proc.
/aya-rust-sangam/aya-rust-sangam/src$ cat main.rs
use aya::programs::CgroupSysctl;
use aya::{include_bytes_aligned, Bpf};
use aya_log::BpfLogger;
use clap::Parser;
use log::{info, warn};
use tokio::signal;
#[derive(Debug, Parser)]
struct Opt {
#[clap(short, long, default_value = "/sys/fs/cgroup/unified")]
cgroup_path: String,
}
#[tokio::main]
async fn main() -> Result<(), anyhow::Error> {
let opt = Opt::parse();
env_logger::init();
// This will include your eBPF object file as raw bytes at compile-time and load it at
// runtime. This approach is recommended for most real-world use cases. If you would
// like to specify the eBPF program at runtime rather than at compile-time, you can
// reach for `Bpf::load_file` instead.
#[cfg(debug_assertions)]
let mut bpf = Bpf::load(include_bytes_aligned!(
"../../target/bpfel-unknown-none/debug/aya-rust-sangam"
))?;
#[cfg(not(debug_assertions))]
let mut bpf = Bpf::load(include_bytes_aligned!(
"../../target/bpfel-unknown-none/release/aya-rust-sangam"
))?;
if let Err(e) = BpfLogger::init(&mut bpf) {
// This can happen if you remove all log statements from your eBPF program.
warn!("failed to initialize eBPF logger: {}", e);
}
let program: &mut CgroupSysctl = bpf.program_mut("aya_rust_sangam").unwrap().try_into()?;
let cgroup = std::fs::File::open(opt.cgroup_path)?;
program.load()?;
program.attach(cgroup)?;
info!("Waiting for Ctrl-C...");
signal::ctrl_c().await?;
info!("Exiting...");
Ok(())
}
The main entry point into the library, used to work with eBPF programs and maps.
#![no_std]
#![no_main]
use aya_bpf::{
macros::cgroup_sysctl,
programs::SysctlContext,
};
use aya_log_ebpf::info;
#[cgroup_sysctl(name = "aya_rust_sangam")]
pub fn aya_rust_sangam(ctx: SysctlContext) -> i32 {
match try_aya_rust_sangam(ctx) {
Ok(ret) => ret,
Err(ret) => ret,
}
}
fn try_aya_rust_sangam(ctx: SysctlContext) -> Result<i32, i32> {
info!(&ctx, "sysctl operation called");
Ok(0)
}
#[panic_handler]
fn panic(_info: &core::panic::PanicInfo) -> ! {
unsafe { core::hint::unreachable_unchecked() }
}
cargo configurations
~/aya-rust-sangam/aya-rust-sangam-ebpf$ cat Cargo.toml
[package]
name = "aya-rust-sangam-ebpf"
version = "0.1.0"
edition = "2021"
[dependencies]
aya-bpf = { git = "https://github.com/aya-rs/aya", branch = "main" }
aya-log-ebpf = { git = "https://github.com/aya-rs/aya", branch = "main" }
aya-rust-sangam-common = { path = "../aya-rust-sangam-common" }
[[bin]]
name = "aya-rust-sangam"
path = "src/main.rs"
[profile.dev]
opt-level = 3
debug = false
debug-assertions = false
overflow-checks = false
lto = true
panic = "abort"
incremental = false
codegen-units = 1
rpath = false
[profile.release]
lto = true
panic = "abort"
codegen-units = 1
[workspace]
members = []
ubuntu@ip-172-31-56-217:~/aya-rust-sangam$ cargo xtask build-ebpf
Finished dev [unoptimized + debuginfo] target(s) in 0.28s
Running `target/debug/xtask build-ebpf`
Fresh unicode-ident v1.0.6
Fresh proc-macro2 v1.0.51
Fresh quote v1.0.23
Fresh syn v1.0.107
Fresh core v0.0.0 (/home/ubuntu/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core)
Fresh rustc-std-workspace-core v1.99.0 (/home/ubuntu/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/rustc-std-workspace-core)
Fresh num_enum_derive v0.5.9
Fresh compiler_builtins v0.1.85
Fresh rustversion v1.0.11
Fresh aya-bpf-cty v0.2.1 (https://github.com/aya-rs/aya?branch=main#7868fffd)
Fresh aya-bpf-bindings v0.1.0 (https://github.com/aya-rs/aya?branch=main#7868fffd)
Fresh aya-log-parser v0.1.11-dev.0 (https://github.com/aya-rs/aya?branch=main#7868fffd)
Fresh num_enum v0.5.9
Fresh aya-bpf-macros v0.1.0 (https://github.com/aya-rs/aya?branch=main#7868fffd)
Fresh aya-log-ebpf-macros v0.1.0 (https://github.com/aya-rs/aya?branch=main#7868fffd)
Fresh aya-bpf v0.1.0 (https://github.com/aya-rs/aya?branch=main#7868fffd)
Fresh aya-log-common v0.1.13 (https://github.com/aya-rs/aya?branch=main#7868fffd)
Fresh aya-log-ebpf v0.1.0 (https://github.com/aya-rs/aya?branch=main#7868fffd)
Fresh aya-rust-sangam-common v0.1.0 (/home/ubuntu/aya-rust-sangam/aya-rust-sangam-common)
Fresh aya-rust-sangam-ebpf v0.1.0 (/home/ubuntu/aya-rust-sangam/aya-rust-sangam-ebpf)
Finished dev [optimized] target(s) in 0.30s
llvm-objdump -S target/bpfel-unknown-none/debug/aya-rust-sangam
target/bpfel-unknown-none/debug/aya-rust-sangam: file format ELF64-BPF
Disassembly of section .text:
0000000000000000 memset:
llvm-objdump: warning: 'target/bpfel-unknown-none/debug/aya-rust-sangam': failed to parse debug information for target/bpfel-unknown-none/debug/aya-rust-sangam
0: 15 03 06 00 00 00 00 00 if r3 == 0 goto +6 <LBB1_3>
1: b7 04 00 00 00 00 00 00 r4 = 0
0000000000000010 LBB1_2:
2: bf 15 00 00 00 00 00 00 r5 = r1
3: 0f 45 00 00 00 00 00 00 r5 += r4
4: 73 25 00 00 00 00 00 00 *(u8 *)(r5 + 0) = r2
5: 07 04 00 00 01 00 00 00 r4 += 1
6: 2d 43 fb ff 00 00 00 00 if r3 > r4 goto -5 <LBB1_2>
0000000000000038 LBB1_3:
7: 95 00 00 00 00 00 00 00 exit
0000000000000040 memcpy:
8: 15 03 09 00 00 00 00 00 if r3 == 0 goto +9 <LBB2_3>
9: b7 04 00 00 00 00 00 00 r4 = 0
0000000000000050 LBB2_2:
10: bf 15 00 00 00 00 00 00 r5 = r1
11: 0f 45 00 00 00 00 00 00 r5 += r4
12: bf 20 00 00 00 00 00 00 r0 = r2
13: 0f 40 00 00 00 00 00 00 r0 += r4
14: 71 00 00 00 00 00 00 00 r0 = *(u8 *)(r0 + 0)
15: 73 05 00 00 00 00 00 00 *(u8 *)(r5 + 0) = r0
16: 07 04 00 00 01 00 00 00 r4 += 1
17: 2d 43 f8 ff 00 00 00 00 if r3 > r4 goto -8 <LBB2_2>
0000000000000090 LBB2_3:
18: 95 00 00 00 00 00 00 00 exit
Disassembly of section cgroup/sysctl/aya_rust_sangam:
0000000000000000 aya_rust_sangam:
0: bf 16 00 00 00 00 00 00 r6 = r1
1: b7 07 00 00 00 00 00 00 r7 = 0
2: 63 7a fc ff 00 00 00 00 *(u32 *)(r10 - 4) = r7
3: bf a2 00 00 00 00 00 00 r2 = r10
4: 07 02 00 00 fc ff ff ff r2 += -4
5: 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r1 = 0 ll
7: 85 00 00 00 01 00 00 00 call 1
8: 15 00 26 01 00 00 00 00 if r0 == 0 goto +294 <LBB0_2>
9: 73 70 0f 00 00 00 00 00 *(u8 *)(r0 + 15) = r7
10: 73 70 0e 00 00 00 00 00 *(u8 *)(r0 + 14) = r7
11: 73 70 0d 00 00 00 00 00 *(u8 *)(r0 + 13) = r7
12: 73 70 0c 00 00 00 00 00 *(u8 *)(r0 + 12) = r7
13: 73 70 0b 00 00 00 00 00 *(u8 *)(r0 + 11) = r7
14: 73 70 0a 00 00 00 00 00 *(u8 *)(r0 + 10) = r7
15: 73 70 09 00 00 00 00 00 *(u8 *)(r0 + 9) = r7
16: b7 03 00 00 0f 00 00 00 r3 = 15
17: 73 30 08 00 00 00 00 00 *(u8 *)(r0 + 8) = r3
18: 73 70 07 00 00 00 00 00 *(u8 *)(r0 + 7) = r7
19: 73 70 06 00 00 00 00 00 *(u8 *)(r0 + 6) = r7
20: 73 70 05 00 00 00 00 00 *(u8 *)(r0 + 5) = r7
21: 73 70 04 00 00 00 00 00 *(u8 *)(r0 + 4) = r7
22: 73 70 03 00 00 00 00 00 *(u8 *)(r0 + 3) = r7
23: 73 70 02 00 00 00 00 00 *(u8 *)(r0 + 2) = r7
24: 73 70 01 00 00 00 00 00 *(u8 *)(r0 + 1) = r7
25: b7 01 00 00 01 00 00 00 r1 = 1
26: 73 10 00 00 00 00 00 00 *(u8 *)(r0 + 0) = r1
27: bf 04 00 00 00 00 00 00 r4 = r0
28: 07 04 00 00 10 00 00 00 r4 += 16
29: 18 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r2 = 0 ll
31: 71 25 00 00 00 00 00 00 r5 = *(u8 *)(r2 + 0)
32: 73 54 00 00 00 00 00 00 *(u8 *)(r4 + 0) = r5
33: 71 25 01 00 00 00 00 00 r5 = *(u8 *)(r2 + 1)
34: 73 54 01 00 00 00 00 00 *(u8 *)(r4 + 1) = r5
35: 71 25 02 00 00 00 00 00 r5 = *(u8 *)(r2 + 2)
36: 73 54 02 00 00 00 00 00 *(u8 *)(r4 + 2) = r5
37: 71 25 03 00 00 00 00 00 r5 = *(u8 *)(r2 + 3)
38: 73 54 03 00 00 00 00 00 *(u8 *)(r4 + 3) = r5
39: 71 25 04 00 00 00 00 00 r5 = *(u8 *)(r2 + 4)
40: 73 54 04 00 00 00 00 00 *(u8 *)(r4 + 4) = r5
41: 71 25 05 00 00 00 00 00 r5 = *(u8 *)(r2 + 5)
42: 73 54 05 00 00 00 00 00 *(u8 *)(r4 + 5) = r5
43: 71 25 06 00 00 00 00 00 r5 = *(u8 *)(r2 + 6)
44: 73 54 06 00 00 00 00 00 *(u8 *)(r4 + 6) = r5
45: 71 25 07 00 00 00 00 00 r5 = *(u8 *)(r2 + 7)
46: 73 54 07 00 00 00 00 00 *(u8 *)(r4 + 7) = r5
47: 71 25 08 00 00 00 00 00 r5 = *(u8 *)(r2 + 8)
48: 73 54 08 00 00 00 00 00 *(u8 *)(r4 + 8) = r5
49: 71 25 09 00 00 00 00 00 r5 = *(u8 *)(r2 + 9)
50: 73 54 09 00 00 00 00 00 *(u8 *)(r4 + 9) = r5
51: 71 25 0a 00 00 00 00 00 r5 = *(u8 *)(r2 + 10)
52: 73 54 0a 00 00 00 00 00 *(u8 *)(r4 + 10) = r5
53: 71 25 0b 00 00 00 00 00 r5 = *(u8 *)(r2 + 11)
54: 73 54 0b 00 00 00 00 00 *(u8 *)(r4 + 11) = r5
55: 71 25 0c 00 00 00 00 00 r5 = *(u8 *)(r2 + 12)
56: 73 54 0c 00 00 00 00 00 *(u8 *)(r4 + 12) = r5
57: 71 25 0d 00 00 00 00 00 r5 = *(u8 *)(r2 + 13)
58: 73 54 0d 00 00 00 00 00 *(u8 *)(r4 + 13) = r5
59: 71 25 0e 00 00 00 00 00 r5 = *(u8 *)(r2 + 14)
60: 73 54 0e 00 00 00 00 00 *(u8 *)(r4 + 14) = r5
61: 73 30 3f 00 00 00 00 00 *(u8 *)(r0 + 63) = r3
62: b7 03 00 00 03 00 00 00 r3 = 3
63: 73 30 37 00 00 00 00 00 *(u8 *)(r0 + 55) = r3
64: 73 30 2f 00 00 00 00 00 *(u8 *)(r0 + 47) = r3
65: b7 03 00 00 02 00 00 00 r3 = 2
66: 73 30 1f 00 00 00 00 00 *(u8 *)(r0 + 31) = r3
67: 73 70 46 00 00 00 00 00 *(u8 *)(r0 + 70) = r7
68: 73 70 45 00 00 00 00 00 *(u8 *)(r0 + 69) = r7
69: 73 70 44 00 00 00 00 00 *(u8 *)(r0 + 68) = r7
70: 73 70 43 00 00 00 00 00 *(u8 *)(r0 + 67) = r7
71: 73 70 42 00 00 00 00 00 *(u8 *)(r0 + 66) = r7
72: 73 70 41 00 00 00 00 00 *(u8 *)(r0 + 65) = r7
73: 73 70 40 00 00 00 00 00 *(u8 *)(r0 + 64) = r7
74: 73 70 3e 00 00 00 00 00 *(u8 *)(r0 + 62) = r7
75: 73 70 3d 00 00 00 00 00 *(u8 *)(r0 + 61) = r7
76: 73 70 3c 00 00 00 00 00 *(u8 *)(r0 + 60) = r7
77: 73 70 3b 00 00 00 00 00 *(u8 *)(r0 + 59) = r7
78: 73 70 3a 00 00 00 00 00 *(u8 *)(r0 + 58) = r7
79: 73 70 39 00 00 00 00 00 *(u8 *)(r0 + 57) = r7
80: 73 70 38 00 00 00 00 00 *(u8 *)(r0 + 56) = r7
81: 73 70 36 00 00 00 00 00 *(u8 *)(r0 + 54) = r7
82: 73 70 35 00 00 00 00 00 *(u8 *)(r0 + 53) = r7
83: 73 70 34 00 00 00 00 00 *(u8 *)(r0 + 52) = r7
84: 73 70 33 00 00 00 00 00 *(u8 *)(r0 + 51) = r7
85: 73 70 32 00 00 00 00 00 *(u8 *)(r0 + 50) = r7
86: 73 70 31 00 00 00 00 00 *(u8 *)(r0 + 49) = r7
87: 73 70 30 00 00 00 00 00 *(u8 *)(r0 + 48) = r7
88: 73 70 2e 00 00 00 00 00 *(u8 *)(r0 + 46) = r7
89: 73 70 2d 00 00 00 00 00 *(u8 *)(r0 + 45) = r7
90: 73 70 2c 00 00 00 00 00 *(u8 *)(r0 + 44) = r7
91: 73 70 2b 00 00 00 00 00 *(u8 *)(r0 + 43) = r7
92: 73 70 2a 00 00 00 00 00 *(u8 *)(r0 + 42) = r7
93: 73 70 29 00 00 00 00 00 *(u8 *)(r0 + 41) = r7
94: 73 70 28 00 00 00 00 00 *(u8 *)(r0 + 40) = r7
95: b7 03 00 00 08 00 00 00 r3 = 8
96: 73 30 27 00 00 00 00 00 *(u8 *)(r0 + 39) = r3
97: 73 70 26 00 00 00 00 00 *(u8 *)(r0 + 38) = r7
98: 73 70 25 00 00 00 00 00 *(u8 *)(r0 + 37) = r7
99: 73 70 24 00 00 00 00 00 *(u8 *)(r0 + 36) = r7
100: 73 70 23 00 00 00 00 00 *(u8 *)(r0 + 35) = r7
101: 73 70 22 00 00 00 00 00 *(u8 *)(r0 + 34) = r7
102: 73 70 21 00 00 00 00 00 *(u8 *)(r0 + 33) = r7
103: 73 70 20 00 00 00 00 00 *(u8 *)(r0 + 32) = r7
104: bf 04 00 00 00 00 00 00 r4 = r0
105: 07 04 00 00 47 00 00 00 r4 += 71
106: 71 25 00 00 00 00 00 00 r5 = *(u8 *)(r2 + 0)
107: 73 54 00 00 00 00 00 00 *(u8 *)(r4 + 0) = r5
108: 71 25 01 00 00 00 00 00 r5 = *(u8 *)(r2 + 1)
109: 73 54 01 00 00 00 00 00 *(u8 *)(r4 + 1) = r5
110: 71 25 02 00 00 00 00 00 r5 = *(u8 *)(r2 + 2)
111: 73 54 02 00 00 00 00 00 *(u8 *)(r4 + 2) = r5
112: 71 25 03 00 00 00 00 00 r5 = *(u8 *)(r2 + 3)
113: 73 54 03 00 00 00 00 00 *(u8 *)(r4 + 3) = r5
114: 71 25 04 00 00 00 00 00 r5 = *(u8 *)(r2 + 4)
115: 73 54 04 00 00 00 00 00 *(u8 *)(r4 + 4) = r5
116: 71 25 05 00 00 00 00 00 r5 = *(u8 *)(r2 + 5)
117: 73 54 05 00 00 00 00 00 *(u8 *)(r4 + 5) = r5
118: 71 25 06 00 00 00 00 00 r5 = *(u8 *)(r2 + 6)
119: 73 54 06 00 00 00 00 00 *(u8 *)(r4 + 6) = r5
120: 71 25 07 00 00 00 00 00 r5 = *(u8 *)(r2 + 7)
121: 73 54 07 00 00 00 00 00 *(u8 *)(r4 + 7) = r5
122: 71 25 08 00 00 00 00 00 r5 = *(u8 *)(r2 + 8)
123: 73 54 08 00 00 00 00 00 *(u8 *)(r4 + 8) = r5
124: 71 25 09 00 00 00 00 00 r5 = *(u8 *)(r2 + 9)
125: 73 54 09 00 00 00 00 00 *(u8 *)(r4 + 9) = r5
126: 71 25 0a 00 00 00 00 00 r5 = *(u8 *)(r2 + 10)
127: 73 54 0a 00 00 00 00 00 *(u8 *)(r4 + 10) = r5
128: 71 25 0b 00 00 00 00 00 r5 = *(u8 *)(r2 + 11)
129: 73 54 0b 00 00 00 00 00 *(u8 *)(r4 + 11) = r5
130: 71 25 0c 00 00 00 00 00 r5 = *(u8 *)(r2 + 12)
131: 73 54 0c 00 00 00 00 00 *(u8 *)(r4 + 12) = r5
132: 71 25 0d 00 00 00 00 00 r5 = *(u8 *)(r2 + 13)
133: 73 54 0d 00 00 00 00 00 *(u8 *)(r4 + 13) = r5
134: 71 25 0e 00 00 00 00 00 r5 = *(u8 *)(r2 + 14)
135: 73 54 0e 00 00 00 00 00 *(u8 *)(r4 + 14) = r5
136: b7 02 00 00 0b 00 00 00 r2 = 11
137: 73 20 5e 00 00 00 00 00 *(u8 *)(r0 + 94) = r2
138: 73 70 65 00 00 00 00 00 *(u8 *)(r0 + 101) = r7
139: 73 70 64 00 00 00 00 00 *(u8 *)(r0 + 100) = r7
140: 73 70 63 00 00 00 00 00 *(u8 *)(r0 + 99) = r7
141: 73 70 62 00 00 00 00 00 *(u8 *)(r0 + 98) = r7
142: 73 70 61 00 00 00 00 00 *(u8 *)(r0 + 97) = r7
143: 73 70 60 00 00 00 00 00 *(u8 *)(r0 + 96) = r7
144: 73 70 5f 00 00 00 00 00 *(u8 *)(r0 + 95) = r7
145: 73 70 5d 00 00 00 00 00 *(u8 *)(r0 + 93) = r7
146: 73 70 5c 00 00 00 00 00 *(u8 *)(r0 + 92) = r7
147: 73 70 5b 00 00 00 00 00 *(u8 *)(r0 + 91) = r7
148: 73 70 5a 00 00 00 00 00 *(u8 *)(r0 + 90) = r7
149: 73 70 59 00 00 00 00 00 *(u8 *)(r0 + 89) = r7
150: 73 70 58 00 00 00 00 00 *(u8 *)(r0 + 88) = r7
151: 73 70 57 00 00 00 00 00 *(u8 *)(r0 + 87) = r7
152: b7 02 00 00 04 00 00 00 r2 = 4
153: 73 20 56 00 00 00 00 00 *(u8 *)(r0 + 86) = r2
154: bf 04 00 00 00 00 00 00 r4 = r0
155: 07 04 00 00 66 00 00 00 r4 += 102
156: 18 05 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 r5 = 15 ll
158: 71 58 00 00 00 00 00 00 r8 = *(u8 *)(r5 + 0)
159: 73 84 00 00 00 00 00 00 *(u8 *)(r4 + 0) = r8
160: 71 58 01 00 00 00 00 00 r8 = *(u8 *)(r5 + 1)
161: 73 84 01 00 00 00 00 00 *(u8 *)(r4 + 1) = r8
162: 71 58 02 00 00 00 00 00 r8 = *(u8 *)(r5 + 2)
163: 73 84 02 00 00 00 00 00 *(u8 *)(r4 + 2) = r8
164: 71 58 03 00 00 00 00 00 r8 = *(u8 *)(r5 + 3)
165: 73 84 03 00 00 00 00 00 *(u8 *)(r4 + 3) = r8
166: 71 58 04 00 00 00 00 00 r8 = *(u8 *)(r5 + 4)
167: 73 84 04 00 00 00 00 00 *(u8 *)(r4 + 4) = r8
168: 71 58 05 00 00 00 00 00 r8 = *(u8 *)(r5 + 5)
169: 73 84 05 00 00 00 00 00 *(u8 *)(r4 + 5) = r8
170: 71 58 06 00 00 00 00 00 r8 = *(u8 *)(r5 + 6)
171: 73 84 06 00 00 00 00 00 *(u8 *)(r4 + 6) = r8
172: 71 58 07 00 00 00 00 00 r8 = *(u8 *)(r5 + 7)
173: 73 84 07 00 00 00 00 00 *(u8 *)(r4 + 7) = r8
174: 71 58 08 00 00 00 00 00 r8 = *(u8 *)(r5 + 8)
175: 73 84 08 00 00 00 00 00 *(u8 *)(r4 + 8) = r8
176: 71 58 09 00 00 00 00 00 r8 = *(u8 *)(r5 + 9)
177: 73 84 09 00 00 00 00 00 *(u8 *)(r4 + 9) = r8
178: 71 58 0a 00 00 00 00 00 r8 = *(u8 *)(r5 + 10)
179: 73 84 0a 00 00 00 00 00 *(u8 *)(r4 + 10) = r8
180: b7 04 00 00 17 00 00 00 r4 = 23
181: 73 40 a5 00 00 00 00 00 *(u8 *)(r0 + 165) = r4
182: b7 04 00 00 10 00 00 00 r4 = 16
183: 73 40 9d 00 00 00 00 00 *(u8 *)(r0 + 157) = r4
184: 73 10 95 00 00 00 00 00 *(u8 *)(r0 + 149) = r1
185: 73 30 8d 00 00 00 00 00 *(u8 *)(r0 + 141) = r3
186: b7 01 00 00 06 00 00 00 r1 = 6
187: 73 10 85 00 00 00 00 00 *(u8 *)(r0 + 133) = r1
188: b7 01 00 00 13 00 00 00 r1 = 19
189: 73 10 81 00 00 00 00 00 *(u8 *)(r0 + 129) = r1
190: 73 20 79 00 00 00 00 00 *(u8 *)(r0 + 121) = r2
191: 73 70 ac 00 00 00 00 00 *(u8 *)(r0 + 172) = r7
192: 73 70 ab 00 00 00 00 00 *(u8 *)(r0 + 171) = r7
193: 73 70 aa 00 00 00 00 00 *(u8 *)(r0 + 170) = r7
194: 73 70 a9 00 00 00 00 00 *(u8 *)(r0 + 169) = r7
195: 73 70 a8 00 00 00 00 00 *(u8 *)(r0 + 168) = r7
196: 73 70 a7 00 00 00 00 00 *(u8 *)(r0 + 167) = r7
197: 73 70 a6 00 00 00 00 00 *(u8 *)(r0 + 166) = r7
198: 73 70 a4 00 00 00 00 00 *(u8 *)(r0 + 164) = r7
199: 73 70 a3 00 00 00 00 00 *(u8 *)(r0 + 163) = r7
200: 73 70 a2 00 00 00 00 00 *(u8 *)(r0 + 162) = r7
201: 73 70 a1 00 00 00 00 00 *(u8 *)(r0 + 161) = r7
202: 73 70 a0 00 00 00 00 00 *(u8 *)(r0 + 160) = r7
203: 73 70 9f 00 00 00 00 00 *(u8 *)(r0 + 159) = r7
204: 73 70 9e 00 00 00 00 00 *(u8 *)(r0 + 158) = r7
205: 73 70 9c 00 00 00 00 00 *(u8 *)(r0 + 156) = r7
206: 73 70 9b 00 00 00 00 00 *(u8 *)(r0 + 155) = r7
207: 73 70 9a 00 00 00 00 00 *(u8 *)(r0 + 154) = r7
208: 73 70 99 00 00 00 00 00 *(u8 *)(r0 + 153) = r7
209: 73 70 98 00 00 00 00 00 *(u8 *)(r0 + 152) = r7
210: 73 70 97 00 00 00 00 00 *(u8 *)(r0 + 151) = r7
211: 73 70 96 00 00 00 00 00 *(u8 *)(r0 + 150) = r7
212: 73 70 94 00 00 00 00 00 *(u8 *)(r0 + 148) = r7
213: 73 70 93 00 00 00 00 00 *(u8 *)(r0 + 147) = r7
214: 73 70 92 00 00 00 00 00 *(u8 *)(r0 + 146) = r7
215: 73 70 91 00 00 00 00 00 *(u8 *)(r0 + 145) = r7
216: 73 70 90 00 00 00 00 00 *(u8 *)(r0 + 144) = r7
217: 73 70 8f 00 00 00 00 00 *(u8 *)(r0 + 143) = r7
218: 73 70 8e 00 00 00 00 00 *(u8 *)(r0 + 142) = r7
219: 73 70 8c 00 00 00 00 00 *(u8 *)(r0 + 140) = r7
220: 73 70 8b 00 00 00 00 00 *(u8 *)(r0 + 139) = r7
221: 73 70 8a 00 00 00 00 00 *(u8 *)(r0 + 138) = r7
222: 73 70 89 00 00 00 00 00 *(u8 *)(r0 + 137) = r7
223: 73 70 88 00 00 00 00 00 *(u8 *)(r0 + 136) = r7
224: 73 70 87 00 00 00 00 00 *(u8 *)(r0 + 135) = r7
225: 73 70 86 00 00 00 00 00 *(u8 *)(r0 + 134) = r7
226: 73 70 84 00 00 00 00 00 *(u8 *)(r0 + 132) = r7
227: 73 70 83 00 00 00 00 00 *(u8 *)(r0 + 131) = r7
228: 73 70 82 00 00 00 00 00 *(u8 *)(r0 + 130) = r7
229: 73 70 80 00 00 00 00 00 *(u8 *)(r0 + 128) = r7
230: 73 70 7f 00 00 00 00 00 *(u8 *)(r0 + 127) = r7
231: 73 70 7e 00 00 00 00 00 *(u8 *)(r0 + 126) = r7
232: 73 70 7d 00 00 00 00 00 *(u8 *)(r0 + 125) = r7
233: 73 70 7c 00 00 00 00 00 *(u8 *)(r0 + 124) = r7
234: 73 70 7b 00 00 00 00 00 *(u8 *)(r0 + 123) = r7
235: 73 70 7a 00 00 00 00 00 *(u8 *)(r0 + 122) = r7
236: 73 70 78 00 00 00 00 00 *(u8 *)(r0 + 120) = r7
237: 73 70 77 00 00 00 00 00 *(u8 *)(r0 + 119) = r7
238: 73 70 76 00 00 00 00 00 *(u8 *)(r0 + 118) = r7
239: 73 70 75 00 00 00 00 00 *(u8 *)(r0 + 117) = r7
240: 73 70 74 00 00 00 00 00 *(u8 *)(r0 + 116) = r7
241: 73 70 73 00 00 00 00 00 *(u8 *)(r0 + 115) = r7
242: 73 70 72 00 00 00 00 00 *(u8 *)(r0 + 114) = r7
243: b7 01 00 00 05 00 00 00 r1 = 5
244: 73 10 71 00 00 00 00 00 *(u8 *)(r0 + 113) = r1
245: bf 01 00 00 00 00 00 00 r1 = r0
246: 07 01 00 00 ad 00 00 00 r1 += 173
247: 18 02 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 r2 = 26 ll
249: 71 23 00 00 00 00 00 00 r3 = *(u8 *)(r2 + 0)
250: 73 31 00 00 00 00 00 00 *(u8 *)(r1 + 0) = r3
251: 71 23 01 00 00 00 00 00 r3 = *(u8 *)(r2 + 1)
252: 73 31 01 00 00 00 00 00 *(u8 *)(r1 + 1) = r3
253: 71 23 02 00 00 00 00 00 r3 = *(u8 *)(r2 + 2)
254: 73 31 02 00 00 00 00 00 *(u8 *)(r1 + 2) = r3
255: 71 23 03 00 00 00 00 00 r3 = *(u8 *)(r2 + 3)
256: 73 31 03 00 00 00 00 00 *(u8 *)(r1 + 3) = r3
257: 71 23 04 00 00 00 00 00 r3 = *(u8 *)(r2 + 4)
258: 73 31 04 00 00 00 00 00 *(u8 *)(r1 + 4) = r3
259: 71 23 05 00 00 00 00 00 r3 = *(u8 *)(r2 + 5)
260: 73 31 05 00 00 00 00 00 *(u8 *)(r1 + 5) = r3
261: 71 23 06 00 00 00 00 00 r3 = *(u8 *)(r2 + 6)
262: 73 31 06 00 00 00 00 00 *(u8 *)(r1 + 6) = r3
263: 71 23 07 00 00 00 00 00 r3 = *(u8 *)(r2 + 7)
264: 73 31 07 00 00 00 00 00 *(u8 *)(r1 + 7) = r3
265: 71 23 08 00 00 00 00 00 r3 = *(u8 *)(r2 + 8)
266: 73 31 08 00 00 00 00 00 *(u8 *)(r1 + 8) = r3
267: 71 23 09 00 00 00 00 00 r3 = *(u8 *)(r2 + 9)
268: 73 31 09 00 00 00 00 00 *(u8 *)(r1 + 9) = r3
269: 71 23 0a 00 00 00 00 00 r3 = *(u8 *)(r2 + 10)
270: 73 31 0a 00 00 00 00 00 *(u8 *)(r1 + 10) = r3
271: 71 23 0b 00 00 00 00 00 r3 = *(u8 *)(r2 + 11)
272: 73 31 0b 00 00 00 00 00 *(u8 *)(r1 + 11) = r3
273: 71 23 0c 00 00 00 00 00 r3 = *(u8 *)(r2 + 12)
274: 73 31 0c 00 00 00 00 00 *(u8 *)(r1 + 12) = r3
275: 71 23 0d 00 00 00 00 00 r3 = *(u8 *)(r2 + 13)
276: 73 31 0d 00 00 00 00 00 *(u8 *)(r1 + 13) = r3
277: 71 23 0e 00 00 00 00 00 r3 = *(u8 *)(r2 + 14)
278: 73 31 0e 00 00 00 00 00 *(u8 *)(r1 + 14) = r3
279: 71 23 0f 00 00 00 00 00 r3 = *(u8 *)(r2 + 15)
280: 73 31 0f 00 00 00 00 00 *(u8 *)(r1 + 15) = r3
281: 71 23 10 00 00 00 00 00 r3 = *(u8 *)(r2 + 16)
282: 73 31 10 00 00 00 00 00 *(u8 *)(r1 + 16) = r3
283: 71 23 11 00 00 00 00 00 r3 = *(u8 *)(r2 + 17)
284: 73 31 11 00 00 00 00 00 *(u8 *)(r1 + 17) = r3
285: 71 23 12 00 00 00 00 00 r3 = *(u8 *)(r2 + 18)
286: 73 31 12 00 00 00 00 00 *(u8 *)(r1 + 18) = r3
287: 71 23 13 00 00 00 00 00 r3 = *(u8 *)(r2 + 19)
288: 73 31 13 00 00 00 00 00 *(u8 *)(r1 + 19) = r3
289: 71 23 14 00 00 00 00 00 r3 = *(u8 *)(r2 + 20)
290: 73 31 14 00 00 00 00 00 *(u8 *)(r1 + 20) = r3
291: 71 23 15 00 00 00 00 00 r3 = *(u8 *)(r2 + 21)
292: 73 31 15 00 00 00 00 00 *(u8 *)(r1 + 21) = r3
293: 71 23 16 00 00 00 00 00 r3 = *(u8 *)(r2 + 22)
294: 73 31 16 00 00 00 00 00 *(u8 *)(r1 + 22) = r3
295: bf 61 00 00 00 00 00 00 r1 = r6
296: 18 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r2 = 0 ll
298: 18 03 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 r3 = 4294967295 ll
300: bf 04 00 00 00 00 00 00 r4 = r0
301: b7 05 00 00 c4 00 00 00 r5 = 196
302: 85 00 00 00 19 00 00 00 call 25
0000000000000978 LBB0_2:
303: b7 00 00 00 00 00 00 00 r0 = 0
304: 95 00 00 00 00 00 00 00 exit
Usage: aya-rust-sangam [OPTIONS]
Options:
-c, --cgroup-path <CGROUP_PATH> [default: /sys/fs/cgroup/unified]
-h, --help Print help
That's it for this part we will learn more around aya and ebpf .
the eBPF developer experience by allowing Rust programs to easily run within the kernel.
Aya is the first Rust-native eBPF library that is similar in nature to libbpf but entirely written in the Rust programming language, popular for its memory safety and concurrency features, among other reasons this programming language is becoming very popular for systems programming.