Completed! eBPF Security Development and Attack-Defense

Completed! eBPF Security Development and Attack-Defense

eBPF stands for extended Berkeley Packet Filter, which means extended Berkeley Packet Filter in Chinese. Generally, to add new features to the kernel, one needs to modify the kernel source code or write kernel modules. However, eBPF allows programs to run without modifying the kernel source code or adding additional kernel modules. eBPF enhances the … Read more

Using CoreSight Technology to Debug the Linux Kernel (Day 5)

Using CoreSight Technology to Debug the Linux Kernel (Day 5)

1.PODS Conference Day 1 Agenda (August 15) 2. PODS Conference Day 2 Agenda (August 16) 20:00 Prospects of eBPF Security Observability Xu Qingwei from Sangfor Innovation Research Institute, Senior Kernel Technology Expert, mainly responsible for Linux kernel Security and Performance, Kernel and LLVM community Contributor. 20:40 Revealing Embedded System Performance Optimization Work Li Xiaohui, with … Read more

pwru – A Networking Debugger Based on Linux Kernel and BPF

pwru - A Networking Debugger Based on Linux Kernel and BPF

In nearly a decade of our involvement in cloud-native network development, we have deeply realized that troubleshooting network issues, even in small environments, can turn into a nightmare. Much of the complexity arises from the Linux kernel itself—sending a single packet can involve dozens of kernel functions from different subsystems. Traditional tools like tcpdump often … Read more

The eBPF Runtime in the Linux Kernel (5)

The eBPF Runtime in the Linux Kernel (5)

The eBPF Runtime in the Linux Kernel 5 Security of eBPF Programs The security of programs is a critical aspect of eBPF programs, ensuring that they execute correctly and safely without compromising the stability and security of the Linux kernel. In the context of eBPF programs, program security refers to a set of properties that … Read more

Qtap: An Open-Source Tool for Monitoring Encrypted Traffic in Linux Systems

Qtap: An Open-Source Tool for Monitoring Encrypted Traffic in Linux Systems

Qpoint recently released Qtap, an open-source network traffic monitoring tool based on eBPF technology, specifically designed for Linux systems. This tool hooks into TLS/SSL encryption functions, allowing it to capture traffic information before and after data encryption, and presents detailed network data in plaintext, including processes, containers, hosts, users, and protocols. Qtap operates in an … Read more

Summary of Common Linux Hooking Techniques

Summary of Common Linux Hooking Techniques

01Hook FunctionsHook functions are predefined hooks in a program that allow you to attach or register a hook function when needed, making it available for the target.If there are no hooks, you can also obtain function pointers to encapsulate functions, but this can only be attached before or after the function runs, not during its … Read more

Getting Started! Running Your First eBPF Program on Linux with bcc

Getting Started! Running Your First eBPF Program on Linux with bcc

This article will guide you step by step in creating and running your first eBPF program on a Linux system, which outputs “Hello World!” when the execve system call occurs. The following content includes environment setup (mainly for MacOS; for Windows, you can install a Linux virtual machine using VMware and skip the environment setup … Read more

Python 3.14: A Significant Leap in the Python Ecosystem

Python 3.14: A Significant Leap in the Python Ecosystem

Python 3.14 has established many of its key features, and in my opinion, it is a core version that will last for many years to come. This version sets the benchmark for the Python debugging ecosystem of the era. This article will discuss the epic improvements within the Python world. Content When debugging Python code … Read more

New Discovery: Linux Rootkit Curing Can Bypass Modern Security Tools, Hiding Within the io_uring Interface

New Discovery: Linux Rootkit Curing Can Bypass Modern Security Tools, Hiding Within the io_uring Interface

Recently, researchers have discovered a brand new Linux rootkit—Curing—that can successfully bypass existing security tools through the io_uring interface in the Linux kernel, rendering it invisible in the system and even evading detection by modern enterprise-level security software. The io_uring interface was introduced in the Linux 5.1 version to enhance I/O operation performance, aiming to … Read more

LWN: Progress on GCC BPF Support!

LWN: Progress on GCC BPF Support!

Follow us to see more great articles like this! An update on GCC BPF support By Daroc AldenApril 2, 2025LSFMM+BPFGemini-1.5-flash translationhttps://lwn.net/Articles/1015747/ José Marchesi and David Faust opened a session on BPF (Berkeley Packet Filter) at the 2025 Linux Storage, Filesystems, Memory Management, and BPF Summit, where they presented a lengthy discussion on their work to … Read more