willfindlay / bpfbox

🐝 BPFBox 📦 Exploring process confinement in eBPF


Question regarding func directives

simar7 opened this issue · comments

Hi! - bpfbox looks really nice. Thanks for documenting your work via the research paper.

I just had a question regarding func directives. As mentioned in the paper, policies can include func names like check_password().

[image attachment]

Does the func name here imply the name of the function within the source of the application that will be contained via bpfbox? If so, how would a func directive work with binaries that don't expose such information (e.g. are distributed as closed source software)?

The func directives would indeed require that the symbol is present in the corresponding ELF file. In principle, if you know the address of the function you are targeting you could also just supply that directly.

I'd also like to point out that this repository is currently using a WIP TOML-based policy language that is a bit different than the paper, so your mileage may vary.

I'm currently working on a re-implementation in Rust that I'm planning on releasing in the next few weeks. The plan is to archive this repository when that happens.
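The check a policy author would want before writing a func directive, as an added example that is not bpfbox's own code: walk an ELF64 binary's `.symtab`/`.dynsym` with only the standard library and return the address of a named FUNC symbol, or `None` when the binary does not carry the symbol (the stripped, closed-source case raised above). The sample binary, its symbol names and the address `0x401136` are constructed here for the demonstration.

```python
"""Resolve a function symbol to its address in an ELF64 binary (stdlib only)."""
import struct

SHT_SYMTAB, SHT_DYNSYM, SHT_STRTAB = 2, 11, 3
STT_FUNC = 2  # low nibble of st_info


def resolve_func(elf: bytes, name: str):
    """Address of FUNC symbol `name`, or None if no symbol table names it
    (e.g. a stripped binary): then a func directive needs a raw address."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:  # magic + ELFCLASS64
        raise ValueError("not an ELF64 file")
    shoff = struct.unpack_from("<Q", elf, 0x28)[0]
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize)
             for i in range(shnum)]  # name,type,flags,addr,off,size,link,info,align,entsize
    for sh in shdrs:
        if sh[1] not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab = shdrs[sh[6]]  # sh_link points at the matching string table
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            st_name, st_info, _, _, st_value, _ = struct.unpack_from("<IBBHQQ", elf, off)
            if st_info & 0xF != STT_FUNC or st_value == 0:
                continue  # skip non-functions and undefined imports
            start = strtab[4] + st_name
            if elf[start:elf.index(b"\0", start)].decode() == name:
                return st_value
    return None


def build_sample_elf() -> bytes:
    """Constructed minimal ELF64: only a .symtab with two GLOBAL FUNC symbols."""
    strtab = b"\0check_password\0helper\0"
    symtab = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)                   # null symbol
    symtab += struct.pack("<IBBHQQ", 1, 0x12, 0, 1, 0x401136, 0x40)     # check_password
    symtab += struct.pack("<IBBHQQ", 16, 0x12, 0, 1, 0x401180, 0x10)    # helper
    shstrtab = b"\0.symtab\0.strtab\0.shstrtab\0"
    off_sym, off_str = 64, 64 + len(symtab)
    off_shs = off_str + len(strtab)
    shoff = off_shs + len(shstrtab)

    def shdr(name, typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, entsize)
    shdrs = (shdr(0, 0, 0, 0, 0, 0) + shdr(1, SHT_SYMTAB, off_sym, len(symtab), 2, 24)
             + shdr(9, SHT_STRTAB, off_str, len(strtab), 0, 0)
             + shdr(17, SHT_STRTAB, off_shs, len(shstrtab), 0, 0))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    return ehdr + symtab + strtab + shstrtab + shdrs
```

Running `resolve_func` on a real binary (`open(path, "rb").read()`) tells you whether the symbol a func directive names is actually present before the policy is loaded.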

Makes sense, thanks! Glad to hear about the new implementation. Will your Rust implementation use the libbpf crate?

It does indeed! And takes advantage of BPF CO-RE as well.