Rust (user-space) virtual machine for eBPF
- Description
- Link to the crate
- API
- Example uses
- Building eBPF programs
- Build Features
- Feedback welcome!
- Questions / Answers
- Caveats
- To dolist
- License
- Inspired by
- Other resources
This crate contains a virtual machine for eBPF program execution. BPF, as in Berkeley Packet Filter,is an assembly-like language initially developed for BSD systems, in order to filter packets in the kernel with tools such as tcpdump so as to avoid useless copies to user-space. It was ported to Linux, where it evolved into eBPF (extendedBPF), a faster version with more features. While BPF programs are originally intended to run in the kernel, the virtual machine of this crate enables running it in user-space applications; it contains an interpreter, an x86_64 JIT-compiler for eBPF programs, as well as a disassembler.
It is based on Rich Lane'suBPF software, which does nearly the same, but is written in C.
The crate is supposed to compile and run on Linux, MacOS X, and Windows, although the JIT-compiler does not work with Windows at this time.
This crate is available fromcrates.io,so it
should work out of the box by adding it as a dependency in yourCargo.toml
file:
[dependencies]
rbpf="0.3.0"You can also use the development version from this GitHub repository. This
should be as simple as putting this inside yourCargo.toml:
[dependencies]
rbpf= {git="https://github /qmonnet/rbpf"}Of course, if you prefer, you can clone it locally, possibly hack the crate,
and then indicate the path of your local version inCargo.toml:
[dependencies]
rbpf= {path="path/to/rbpf"}Then indicate in your source code that you want to use the crate:
externcraterbpf;The API is pretty well documented inside the source code. You should also be able to accessan online version of the documentation from here,automatically generated from the crates.ioversion (may not be up-to-date with the main branch).Examplesandunit testsshould also prove helpful. Here is a summary of how to use the crate.
Here are the steps to follow to run an eBPF program with rbpf:
- Create a virtual machine. There are several kinds of machines, we will come back on this later. When creating the VM, pass the eBPF program as an argument to the constructor.
- If you want to use some helper functions, register them into the virtual machine.
- If you want a JIT-compiled program, compile it.
- Execute your program: either run the interpreter or call the JIT-compiled function.
eBPF has been initially designed to filter packets (now it has some other hooks
in the Linux kernel, such as kprobes, but this is not covered by rbpf). As a
consequence, most of the load and store instructions of the program are
performed on a memory area representing the packet data. However, in the Linux
kernel, the eBPF program does not immediately access this data area: initially,
it has access to a Cstruct sk_buffinstead, which is a buffer containing
metadata about the packet—including memory addresses of the beginning and of
the end of the packet data area. So the program first loads those pointers from
thesk_buff,and then can access the packet data.
This behavior can be replicated with rbpf, but it is not mandatory. For this reason, we have several structs representing different kinds of virtual machines:
-
struct EbpfVmMbuffermimics the kernel. When the program is run, the address provided to its first eBPF register will be the address of a metadata buffer provided by the user, and that is expected to contain pointers to the start and the end of the packet data memory area. -
struct EbpfVmFixedMbuffhas one purpose: enabling the execution of programs created to be compatible with the kernel, while saving the effort to manually handle the metadata buffer for the user. In fact, this struct has a static internal buffer that is passed to the program. The user has to indicate the offset values at which the eBPF program expects to find the start and the end of packet data in the buffer. On calling the function that runs the program (JITted or not), the struct automatically updates the addresses in this static buffer, at the appointed offsets, for the start and the end of the packet data the program is called upon. -
struct EbpfVmRawis for programs that want to run directly on packet data. No metadata buffer is involved, the eBPF program directly receives the address of the packet data in its first register. This is the behavior of uBPF. -
struct EbpfVmNoDatadoes not take any data. The eBPF program takes no argument whatsoever and its return value is deterministic. Not so sure there is a valid use case for that, but if nothing else, this is very useful for unit tests.
All these structs implement the same public functions:
// called with EbpfVmMbuff:: prefix
pubfnnew(prog:&'a[u8])->Result<EbpfVmMbuff<'a>,Error>
// called with EbpfVmFixedMbuff:: prefix
pubfnnew(prog:&'a[u8],
data_offset:usize,
data_end_offset:usize)->Result<EbpfVmFixedMbuff<'a>,Error>
// called with EbpfVmRaw:: prefix
pubfnnew(prog:&'a[u8])->Result<EbpfVmRaw<'a>,Error>
// called with EbpfVmNoData:: prefix
pubfnnew(prog:&'a[u8])->Result<EbpfVmNoData<'a>,Error>This is used to create a new instance of a VM. The return type is dependent of
the struct from which the function is called. For instance,
rbpf::EbpfVmRaw::new(Some(my_program))would return an instance ofstruct rbpf::EbpfVmRaw(wrapped in aResult). When a program is loaded, it is
checked with a very simple verifier (nothing close to the one for Linux
kernel). Users are also able to replace it with a custom verifier.
Forstruct EbpfVmFixedMbuff,two additional arguments must be passed to the
constructor:data_offsetanddata_end_offset.They are the offset (byte
number) at which the pointers to the beginning and to the end, respectively, of
the memory area of packet data are to be stored in the internal metadata buffer
each time the program is executed. Other structs do not use this mechanism and
do not need those offsets.
// for struct EbpfVmMbuff, struct EbpfVmRaw and struct EbpfVmRawData
pubfnset_program(&mutself,prog:&'a[u8])->Result<(),Error>
// for struct EbpfVmFixedMbuff
pubfnset_program(&mutself,prog:&'a[u8],
data_offset:usize,
data_end_offset:usize)->Result<(),Error>You can use for examplemy_vm.set_program(my_program);to change the loaded
program after the VM instance creation. This program is checked with the
verifier attached to the VM. The verifying function of the VM can be changed at
any moment.
pubtypeVerifier=fn(prog:&[u8])->Result<(),Error>;
pubfnset_verifier(&mutself,
verifier:Verifier)->Result<(),Error>Note that if a program has already been loaded into the VM, setting a new
verifier also immediately runs it on the loaded program. However, the verifier
is not run if no program has been loaded (ifNonewas passed to thenew()
method when creating the VM).
pubtypeHelper=fn(u64,u64,u64,u64,u64)->u64;
pubfnregister_helper(&mutself,
key:u32,
function:Helper)->Result<(),Error>This function is used to register a helper function. The VM stores its
registers in a hashmap, so the key can be anyu32value you want. It may be
useful for programs that should be compatible with the Linux kernel and
therefore must use specific helper numbers.
pubfnregister_allowed_memory(&mutself,,addr:&[u64])->()This function adds a list of memory addresses that the eBPF program is allowed to load and store. Multiple calls to this function will append the addresses to an internal HashSet. At the moment rbpf only validates memory accesses when using the interpreter. This function is useful when using kernel helpers which return pointers to objects stored in eBPF maps.
// for struct EbpfVmMbuff
pubfnexecute_program(&self,
mem:&'amut[u8],
mbuff:&'amut[u8])->Result<(u64),Error>
// for struct EbpfVmFixedMbuff and struct EbpfVmRaw
pubfnexecute_program(&self,
mem:&'amut[u8])->Result<(u64),Error>
// for struct EbpfVmNoData
pubfnexecute_program(&self)->Result<(u64),Error>Interprets the loaded program. The function takes a reference to the packet data and the metadata buffer, or only to the packet data, or nothing at all, depending on the kind of the VM used. The value returned is the result of the eBPF program.
pubfnjit_compile(&mutself)->Result<(),Error>JIT-compile the loaded program, for x86_64 architecture. If the program is to use helper functions, they must be registered into the VM before this function is called. The generated assembly function is internally stored in the VM.
// for struct EbpfVmMbuff
pubunsafefnexecute_program_jit(&self,mem:&'amut[u8],
mbuff:&'amut[u8])->Result<(u64),Error>
// for struct EbpfVmFixedMbuff and struct EbpfVmRaw
pubunsafefnexecute_program_jit(&self,mem:&'amut[u8])->Result<(u64),Error>
// for struct EbpfVmNoData
pubunsafefnexecute_program_jit(&self)->Result<(u64),Error>Calls the JIT-compiled program. The arguments to provide are the same as for
execute_program(),again depending on the kind of VM that is used. The result of
the JIT-compiled program should be the same as with the interpreter, but it
should run faster. Note that if errors occur during the program execution, the
JIT-compiled version does not handle it as well as the interpreter, and the
program may crash. For this reason, the functions are marked asunsafe.
This comes from the unit testtest_vm_add.
externcraterbpf;
fnmain(){
// This is the eBPF program, in the form of bytecode instructions.
letprog =&[
0xb4,0x00,0x00,0x00,0x00,0x00,0x00,0x00,// mov32 r0, 0
0xb4,0x01,0x00,0x00,0x02,0x00,0x00,0x00,// mov32 r1, 2
0x04,0x00,0x00,0x00,0x01,0x00,0x00,0x00,// add32 r0, 1
0x0c,0x10,0x00,0x00,0x00,0x00,0x00,0x00,// add32 r0, r1
0x95,0x00,0x00,0x00,0x00,0x00,0x00,0x00// exit
];
// Instantiate a struct EbpfVmNoData. This is an eBPF VM for programs that
// takes no packet data in argument.
// The eBPF program is passed to the constructor.
letvm = rbpf::EbpfVmNoData::new(Some(prog)).unwrap();
// Execute (interpret) the program. No argument required for this VM.
assert_eq!(vm.execute_program().unwrap(),0x3);
}This comes from the unit testtest_jit_ldxh.
externcraterbpf;
fnmain(){
letprog =&[
0x71,0x10,0x02,0x00,0x00,0x00,0x00,0x00,// ldxh r0, [r1+2]
0x95,0x00,0x00,0x00,0x00,0x00,0x00,0x00// exit
];
// Let's use some data.
letmem =&mut[
0xaa,0xbb,0x11,0xcc,0xdd
];
// This is an eBPF VM for programs reading from a given memory area (it
// directly reads from packet data)
letmutvm = rbpf::EbpfVmRaw::new(Some(prog)).unwrap();
#[cfg(any(windows,not(feature ="std")))]{
assert_eq!(vm.execute_program(mem).unwrap(),0x11);
}
#[cfg(all(not(windows),feature ="std"))]{
// This time we JIT-compile the program.
vm.jit_compile().unwrap();
// Then we execute it. For this kind of VM, a reference to the packet
// data must be passed to the function that executes the program.
unsafe{assert_eq!(vm.execute_program_jit(mem).unwrap(),0x11);}
}
}This comes from the unit testtest_jit_mbuffand derives from the unit test
test_jit_ldxh.
externcraterbpf;
fnmain(){
letprog =&[
// Load mem from mbuff at offset 8 into R1
0x79,0x11,0x08,0x00,0x00,0x00,0x00,0x00,
// ldhx r1[2], r0
0x69,0x10,0x02,0x00,0x00,0x00,0x00,0x00,
0x95,0x00,0x00,0x00,0x00,0x00,0x00,0x00
];
letmem =&mut[
0xaa,0xbb,0x11,0x22,0xcc,0xdd
];
// Just for the example we create our metadata buffer from scratch, and
// we store the pointers to packet data start and end in it.
letmutmbuff =&mut[0u8;32];
unsafe{
letmutdata = mbuff.as_ptr().offset(8)as*mutu64;
letmutdata_end = mbuff.as_ptr().offset(24)as*mutu64;
*data = mem.as_ptr()asu64;
*data_end = mem.as_ptr()asu64+ mem.len()asu64;
}
// This eBPF VM is for program that use a metadata buffer.
letmutvm = rbpf::EbpfVmMbuff::new(Some(prog)).unwrap();
#[cfg(any(windows,not(feature ="std")))]{
assert_eq!(vm.execute_program(mem, mbuff).unwrap(),0x2211);
}
#[cfg(all(not(windows),feature ="std"))]{
// Here again we JIT-compile the program.
vm.jit_compile().unwrap();
// Here we must provide both a reference to the packet data, and to the
// metadata buffer we use.
unsafe{
assert_eq!(vm.execute_program_jit(mem, mbuff).unwrap(),0x2211);
}
}
}This comes from unit testtest_vm_block_port.
This example requires the following additional crates, you may have to add them
to yourCargo.tomlfile.
[dependencies]
rbpf="0.3.0"
elf="0.0.10"It also uses a kind of VM that uses an internal buffer used to simulate the
sk_buffused by eBPF programs in the kernel, without having to manually
create a new buffer for each packet. It may be useful for programs compiled for
the kernel and that assumes the data they receive is ask_buffpointing to
the packet data start and end addresses. So here we just provide the offsets at
which the eBPF program expects to find those pointers, and the VM handles the
buffer update so that we only have to provide a reference to the packet data
for each run of the program.
externcrateelf;
usestd::path::PathBuf;
externcraterbpf;
userbpf::helpers;
fnmain(){
// Load a program from an ELF file, e.g. compiled from C to eBPF with
// clang/LLVM. Some minor modification to the bytecode may be required.
letfilename ="examples/load_elf__block_a_port.o";
letpath =PathBuf::from(filename);
letfile =matchelf::File::open_path(&path){
Ok(f)=> f,
Err(e)=>panic!("Error: {:?}",e),
};
// Here we assume the eBPF program is in the ELF section called
// ".classifier".
lettext_scn =matchfile.get_section(".classifier"){
Some(s)=> s,
None=>panic!("Failed to look up.classifier section"),
};
letprog =&text_scn.data;
// This is our data: a real packet, starting with Ethernet header
letpacket =&mut[
0x01,0x23,0x45,0x67,0x89,0xab,
0xfe,0xdc,0xba,0x98,0x76,0x54,
0x08,0x00,// ethertype
0x45,0x00,0x00,0x3b,// start ip_hdr
0xa6,0xab,0x40,0x00,
0x40,0x06,0x96,0x0f,
0x7f,0x00,0x00,0x01,
0x7f,0x00,0x00,0x01,
0x99,0x99,0xc6,0xcc,// start tcp_hdr
0xd1,0xe5,0xc4,0x9d,
0xd4,0x30,0xb5,0xd2,
0x80,0x18,0x01,0x56,
0xfe,0x2f,0x00,0x00,
0x01,0x01,0x08,0x0a,// start data
0x00,0x23,0x75,0x89,
0x00,0x23,0x63,0x2d,
0x71,0x64,0x66,0x73,
0x64,0x66,0x0a
];
// This is an eBPF VM for programs using a virtual metadata buffer, similar
// to the sk_buff that eBPF programs use with tc and in Linux kernel.
// We must provide the offsets at which the pointers to packet data start
// and end must be stored: these are the offsets at which the program will
// load the packet data from the metadata buffer.
letmutvm = rbpf::EbpfVmFixedMbuff::new(Some(prog),0x40,0x50).unwrap();
// We register a helper function, that can be called by the program, into
// the VM. The `bpf_trace_printf` is only available when we have access to
// the standard library.
#[cfg(feature ="std")]{
vm.register_helper(helpers::BPF_TRACE_PRINTK_IDX,
helpers::bpf_trace_printf).unwrap();
}
// This kind of VM takes a reference to the packet data, but does not need
// any reference to the metadata buffer: a fixed buffer is handled
// internally by the VM.
letres = vm.execute_program(packet).unwrap();
println!("Program returned: {:?} ({:#x})",res, res);
}Besides passing the raw hexadecimal codes for building eBPF programs, two other methods are available.
The first method consists in using the assembler provided by the crate.
externcraterbpf;
userbpf::assembler::assemble;
letprog =assemble("add64 r1, 0x605
mov64 r2, 0x32
mov64 r1, r0
be16 r0
neg64 r2
exit ").unwrap();
#[cfg(feature ="std")]{
println!("{:?}",prog);
}The above snippet will produce:
Ok([0x07,0x01,0x00,0x00,0x05,0x06,0x00,0x00,
0xb7,0x02,0x00,0x00,0x32,0x00,0x00,0x00,
0xbf,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xdc,0x00,0x00,0x00,0x10,0x00,0x00,0x00,
0x87,0x02,0x00,0x00,0x00,0x00,0x00,0x00,
0x95,0x00,0x00,0x00,0x00,0x00,0x00,0x00])Conversely, a disassembler is also available to dump instruction names from bytecode in a human-friendly format.
externcraterbpf;
userbpf::disassembler::disassemble;
letprog =&[
0x07,0x01,0x00,0x00,0x05,0x06,0x00,0x00,
0xb7,0x02,0x00,0x00,0x32,0x00,0x00,0x00,
0xbf,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xdc,0x00,0x00,0x00,0x10,0x00,0x00,0x00,
0x87,0x02,0x00,0x00,0x00,0x00,0x00,0x00,
0x95,0x00,0x00,0x00,0x00,0x00,0x00,0x00
];
disassemble(prog);This will produce the following output:
add64 r1, 0x605
mov64 r2, 0x32
mov64 r1, r0
be16 r0
neg64 r2
exitPlease refer tosource codeandtests for the syntax and the list of instruction names.
The other way to build programs is to chain commands from the instruction builder API. It looks less like assembly, maybe more like high-level functions. What's sure is that the result is more verbose, but if you prefer to build programs this way, it works just as well. If we take again the same sample as above, it would be constructed as follows.
externcraterbpf;
userbpf::insn_builder::*;
letmutprogram =BpfCode::new();
program.add(Source::Imm,Arch::X64).set_dst(1).set_imm(0x605).push()
.mov(Source::Imm,Arch::X64).set_dst(2).set_imm(0x32).push()
.mov(Source::Reg,Arch::X64).set_src(0).set_dst(1).push()
.swap_bytes(Endian::Big).set_dst(0).set_imm(0x10).push()
.negate(Arch::X64).set_dst(2).push()
.exit().push();Again, please refer tothe source and related teststo get more information and examples on how to use it.
Therbpfcrate has a Cargo feature named "std" that is enabled by default. To
userbpfinno_stdenvironments this feature needs to be disabled. To do
this, you need to modify your dependency onrbpfin Cargo.toml to disable the
enabled-by-default features.
[dependencies]
rbpf= {version="0.3.0",default-features=false}Note that when using this crate inno_stdenvironments, thejitmodule
isn't available. This is because it depends on functions provided bylibc
(libc::posix_memalign(),libc::mprotect()) which aren't available on
no_std.
Theassemblermodule is available, albeit with reduced debugging features. It
depends on thecombinecrate providing parser combinators. Underno_std
this crate only provides simple parsers which generate less descriptive error
messages.
This is the author's first try at writing Rust code. He learned a lot in the process, but there remains a feeling that this crate has a kind of C-ish style in some places instead of the Rusty look the author would like it to have. So feedback (or PRs) are welcome, including about ways you might see to take better advantage of Rust features.
Note that the project expects new commits to be covered by the Developer's Certificate of Origin. When contributing Pull Requests, please sign off your commits accordingly.
As of this writing, there is no particular use case for this crate at the best of the author's knowledge. The author happens to work with BPF on Linux and to know how uBPF works, and he wanted to learn and experiment with Rust—no more than that.
Other than the language, obviously? Well, there are some differences:
-
Some constants, such as the maximum length for programs or the length for the stack, differs between uBPF and rbpf. The latter uses the same values as the Linux kernel, while uBPF has its own values.
-
When an error occurs while a program is run by uBPF, the function running the program silently returns the maximum value as an error code, while rbpf returns Rust type
Error. -
The registration of helper functions, that can be called from within an eBPF program, is not handled in the same way.
-
The distinct structs permitting to run program either on packet data, or with a metadata buffer (simulated or not) is a specificity of rbpf.
-
As for performance: theoretically the JITted programs are expected to run at the same speed, while the C interpreter of uBPF should go slightly faster than rbpf. But this has not been asserted yet. Benchmarking both programs would be an interesting thing to do.
No. This crate only works with extended BPF (eBPF) programs. For cBPF programs, such as used by tcpdump (as of this writing) for example, you may be interested in thebpfjit cratewritten by Alexander Polakov instead.
Running and JIT-compiling eBPF programs work. There is also a mechanism to register user-defined helper functions. The eBPF implementation of the Linux kernel comes withsome additional features: a high number of helpers, several kinds of maps, tail calls.
-
Additional helpers should be easy to add, but very few of the existing Linux helpers have been replicated in rbpf so far.
-
Tail calls ( “long jumps” from an eBPF program into another) are not implemented. This is probably not trivial to design and implement.
-
The interaction with maps is done through the use of specific helpers, so this should not be difficult to add. The maps themselves can reuse the maps in the kernel (if on Linux), to communicate with in-kernel eBPF programs for instance; or they can be handled in user space. Rust has arrays and hashmaps, so their implementation should be pretty straightforward (and may be added to rbpf in the future).
The” verifier” of this crate is very short and has nothing to do with the kernel verifier, which means that it accepts programs that may not be safe. On the other hand, you probably do not run this in a kernel here, so it will not crash your system. Implementing a verifier similar to the one in the kernel is not trivial, and we cannot “copy” it since it is under GPL license.
Rust has a strong emphasis on safety. Yet to have the eBPF VM work, some
unsafeblocks of code are used. The VM, taken as an eBPF interpreter, can
return an error but should not crash. Please file an issue otherwise.
As for the JIT-compiler, it is a different story, since runtime memory checks are more complicated to implement in assembly. Itwillcrash if your JIT-compiled program tries to perform unauthorized memory accesses. Usually, it could be a good idea to test your program with the interpreter first.
Oh, and if your program has infinite loops, even with the interpreter, you're on your own.
-
This crate isunder developmentand the API may be subject to change.
-
The JIT compiler produces an unsafe program: memory access are not tested at runtime (yet). Use with caution.
-
A small number of eBPF instructions have not been implemented yet. This should not be a problem for the majority of eBPF programs.
-
Beware of turnips. Turnips are disgusting.
- Implement some traits (
Clone,Drop,Debugare good candidates). - Provide built-in support for user-space array and hash BPF maps.
- Improve safety of JIT-compiled programs with runtime memory checks.
- Add helpers (some of those supported in the kernel, such as checksum update, could be helpful).
- Improve verifier. Could we find a way to directly support programs compiled with clang?
- Maybe one day, tail calls?
- JIT-compilers for other architectures?
- …
Following the effort of the Rust language project itself in order to ease integration with other projects, the rbpf crate is distributed under the terms of both the MIT license and the Apache License (Version 2.0).
See LICENSE-APACHE andLICENSE-MITfor details.
-
uBPF,a C user-space implementation of an eBPF virtual machine, with a JIT-compiler and disassembler (and also including the assembler from the human-readable form of the instructions, such as in
mov r0, 0x1337), by Rich Lane for Big Switch Networks (2015) -
Building a simple JIT in Rust, by Sophia Turner (2015)
-
bpfjit(alsoon crates.io), a Rust crate exporting the cBPF JIT compiler from FreeBSD 10 tree to Rust, by Alexander Polakov (2016)
-
Cilium project documentation about BPF:BPF and XDP Reference Guide
-
Dive into BPF: a list of reading material, a blog article listing documentation for BPF and related technologies (2016)