Edb - An eBPF program debugger


EDB (eBPF debugger)

edb is a debugger (like gdb and dlv) for eBPF programs. Normally eBPF programs are loaded into the Linux kernel and executed there, which makes it difficult to understand what is happening or why things go wrong. For ordinary applications we can use gdb or dlv to inspect a running program, but these do not work for eBPF because of the way eBPF programs are loaded into and run by the kernel.

edb uses userspace eBPF emulation to run eBPF programs instead of loading them into the kernel, which allows us to debug them like any other program. Although this method is not perfect, because the emulator can behave differently from an actual Linux kernel (for example in which helper functions and memory regions it supports), it is better than nothing.

Installation

Installation via go:

go install github.com/dylandreimerink/edb@latest

Usage

Starting a debug session:

edb [eBPF ELF file]

Commands

Commands:
  help (Alias: h) ------------------------- Show help text / available commands
  exit (Aliases: q, quit) ----------------- Exits the debugger
  clear ----------------------------------- Clear the screen
  load ------------------------------------ Load an ELF file
  programs (Alias: progs) ----------------- Show programs
  registers (Aliases: r, regs) ------------ Show registers
  step-instruction (Alias: si) ------------ Step through the program one instruction at a time
  list-instructions (Alias: li) ----------- Lists the instructions of the program
  step (Alias: s) ------------------------- Step through the program one line at a time
  list (Alias: ls) ------------------------ Lists the lines of the source code
  map (Alias: maps) ----------------------- Map related operations
  locals (Alias: lv) ---------------------- Lists the local variables
  memory (Alias: mem) --------------------- Show the contents of memory

Roadmap

TBD

Issues
  • `go install github.com/dylandreimerink/edb@latest` error

    Hi,

    Great to see the missing debug tool for eBPF has finally come~

    However, I can't install edb successfully, the error messages are listed below:

    > go install github.com/dylandreimerink/[email protected]
    go install: github.com/dylandreimerink/[email protected] (in github.com/dylandreimerink/[email protected]):
    The go.mod file for the module providing named packages contains one or
    more replace directives. It must not contain directives that would cause
    it to be interpreted differently than if it were the main module.
    

    Could you please take a look?

    BTW, I just built the code manually and got the right binary.

    opened by nevermosby 2
  • string is not stack allocated: not supported

    ./edb graph ./hello-debug.o hello -o aa.txt
    Error: load collection: file ./hello-debug.o: section "tracepoint/syscalls/sys_enter_execve": string is not stack allocated: not supported
    Usage:
      edb graph {ELF} {program name} [flags]
    
    Flags:
      -f, --format string   The output format: dot, svg, pdf or png (default "svg")
      -h, --help            help for graph
      -o, --output string   output to given file path or - for stdout, instread of opening in browser
    
    load collection: file ./hello-debug.o: section "tracepoint/syscalls/sys_enter_execve": string is not stack allocated: not supported
    

    bpf code:

    cat ../hello_bpf/hello.c
    #include <linux/bpf.h>
    #define SEC(NAME) __attribute__((section(NAME), used))
    
    /* Hand-rolled helper prototype: the helper number is cast to a function pointer. */
    static int (*bpf_trace_printk)(const char *fmt, int fmt_size,
                                   ...) = (void *)BPF_FUNC_trace_printk;
    
    SEC("tracepoint/syscalls/sys_enter_execve")
    int bpf_prog(void *ctx) {
      /* msg is a pointer to a string literal that clang places in .rodata, not an
       * array on the eBPF stack, and sizeof(msg) is the size of the pointer (8),
       * not the length of the string. */
      const char *msg = "Hello, BPF World!";
      bpf_trace_printk(msg, sizeof(msg));
      return 0;
    }
    
    char _license[] SEC("license") = "GPL";
    

    Any idea? Error for bpf_trace_printk?

    opened by DavadDi 1
  • Local variable inspection

    One handy feature other debuggers have is the ability to list and inspect variables of the current scope. This feature can be implemented in the following steps:

    1. Index DW_TAG_subprogram and DW_TAG_inlined_subroutine DWARF tags in a reverse index so we can find the most specific function scope at any given instruction (should we include other scopes like loops? Do those have separate DWARF tags?). (Only once, at load time)
    2. Find the most specific scope for the current PC (program counter) and get all DW_TAG_variable and DW_TAG_formal_parameter tags.
    3. Variables or parameters without a DW_AT_location attribute should be displayed but marked as inlined.
    4. Variables with a DW_AT_location of class loclistptr should pick a valid location expression from the referenced location list. If none are valid at the current PC, we should still show the var/param but mark it as unavailable.
    5. If a valid location expression can be found, execute it using a stack machine and current memory/registers, get the pointer to the data.
    6. Copy the data from the register/memory as byte slice
    7. Use BTF to lookup the size of the param/variable type, which can be gotten from the DW_AT_type attribute of the tag.
    8. Use the BTF type plus the byte slice and attempt to 'inflate' the bytes into a C literal definition to show the user.

    DWARF spec for reference: https://dwarfstd.org/doc/DWARF4.pdf

    enhancement 
    opened by dylandreimerink 0
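Steps 4 to 6 of the plan above can be exercised on their own. The Go below is an added illustration written for this page, not code from edb: it evaluates the three location-expression forms clang emits for BPF locals and parameters (DW_OP_regN, DW_OP_bregN and DW_OP_fbreg, with DW_AT_frame_base being DW_OP_reg10 on the BPF target), picks the expression from a location list by PC, and copies the bytes out of a register or the 512-byte eBPF stack. The Location, LocListEntry and Machine types are assumptions of the example; step 7 (the BTF size) enters as the size argument and step 8 (rendering the bytes as a C literal) is left out.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DWARF 4 opcodes (spec 7.7.1) clang emits for BPF locals and parameters.
const (
	opReg0  = 0x50 // DW_OP_reg0..reg31 (0x50..0x6f): value lives in a register
	opBreg0 = 0x70 // DW_OP_breg0..breg31 (0x70..0x8f): register + SLEB128 offset
	opFbreg = 0x91 // DW_OP_fbreg: frame base + SLEB128 offset
)

// Location is the evaluated result: a register, or an address in emulated memory.
type Location struct {
	InRegister bool
	Reg        int
	Addr       uint64
}

// LocListEntry is one location-list entry; Expr is valid only for LowPC <= pc < HighPC.
type LocListEntry struct {
	LowPC, HighPC uint64
	Expr          []byte
}

// Machine is the emulator state (assumed shape): eBPF registers, R10 being the
// frame pointer, and the 512-byte eBPF stack whose top is R10.
type Machine struct {
	Regs  [11]uint64
	Stack [512]byte
}

var ErrUnavailable = errors.New("variable unavailable at this PC")

func decodeSLEB(b []byte) (int64, int) {
	v, shift := int64(0), uint(0)
	for i, c := range b {
		v |= int64(c&0x7f) << shift
		shift += 7
		if c&0x80 == 0 {
			if c&0x40 != 0 && shift < 64 {
				v |= int64(-1) << shift // sign-extend
			}
			return v, i + 1
		}
	}
	return v, len(b)
}

// PickLocation selects the list entry covering pc (step 4); with none, the
// variable is still listed but marked unavailable.
func PickLocation(list []LocListEntry, pc uint64) ([]byte, error) {
	for _, e := range list {
		if pc >= e.LowPC && pc < e.HighPC {
			return e.Expr, nil
		}
	}
	return nil, ErrUnavailable
}

// Eval runs a location expression on a stack machine (step 5). For the BPF
// target clang sets DW_AT_frame_base to DW_OP_reg10, so DW_OP_fbreg uses R10.
func (m *Machine) Eval(expr []byte) (Location, error) {
	var stack []uint64
	for i := 0; i < len(expr); i++ {
		switch op := expr[i]; {
		case op >= opReg0 && op <= opReg0+31:
			return Location{InRegister: true, Reg: int(op - opReg0)}, nil
		case op >= opBreg0 && op <= opBreg0+31, op == opFbreg:
			r := 10 // DW_OP_fbreg: frame base is R10
			if op != opFbreg {
				r = int(op - opBreg0)
			}
			if r >= len(m.Regs) {
				return Location{}, fmt.Errorf("DW_OP_breg%d: eBPF has no such register", r)
			}
			off, n := decodeSLEB(expr[i+1:])
			i += n
			stack = append(stack, uint64(int64(m.Regs[r])+off))
		default:
			return Location{}, fmt.Errorf("unsupported DW_OP 0x%02x", op)
		}
	}
	if len(stack) == 0 {
		return Location{}, errors.New("empty location expression")
	}
	return Location{Addr: stack[len(stack)-1]}, nil
}

// ReadBytes copies size bytes (size from BTF, step 7) out of the register or
// stack (step 6); an address outside the stack is an error rather than zeros.
func (m *Machine) ReadBytes(loc Location, size int) ([]byte, error) {
	if loc.InRegister {
		if size > 8 {
			return nil, errors.New("a register holds at most 8 bytes")
		}
		buf := make([]byte, 8)
		binary.LittleEndian.PutUint64(buf, m.Regs[loc.Reg])
		return buf[:size], nil
	}
	base := m.Regs[10] - uint64(len(m.Stack))
	if loc.Addr < base || loc.Addr+uint64(size) > m.Regs[10] {
		return nil, fmt.Errorf("0x%x+%d lies outside the eBPF stack", loc.Addr, size)
	}
	return append([]byte(nil), m.Stack[loc.Addr-base:loc.Addr-base+uint64(size)]...), nil
}
```

A DW_OP_fbreg with a negative offset is the common case for a stack local (R10 minus the offset); a DW_OP_regN result means the value is still in a register and must be read from there instead of being dereferenced. The stack bounds check matters: an emulator that zero-fills reads below R10-512 would display a plausible but wrong value instead of flagging the variable.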
  • Add crash dumps

    In the course of developing EDB so far I have encountered a number of bugs; these are often only reproducible after following a very specific set of steps with a specific ELF file. It would be very hard for users to communicate a clear list of steps to reproduce the issue, therefore I want to add a "crash dump" system which will record all information that might be necessary to reproduce bugs.

    The primary use case for such dumps would be to present them to the user when we recover from a panic with the request to upload them or send them privately. Additionally, calling the dump command should output the path to the dump file/folder to the user so they can send dumps of subtle bugs.

    With this addition, I would also like to add a logging framework like you would use on a server application, its output would be part of the crash dump so we can add debug messages and data which can be used to see if we hit certain code paths.

    These dumps should include the following elements:

    • A history of all commands (together with the output in ASCIIcast format?)
    • The output created by EDB
    • The contents of ELF and CTX files loaded
    • Source code referenced by the ELF file
    • The contents of the debug log
    • The version/commit information of the EDB version
    • Any error message / panic
    • ? Core dump (dump the processes memory so we can inspect it with delve)

    This would have some serious implications since we will be capturing potentially sensitive information, which in itself isn't an issue, but we have to communicate this very clearly before asking people for the dumps. We should clearly outline what is in them (for example by including a readme in the dump dir) so it is an informed decision to send source code publicly or privately.

    enhancement 
    opened by dylandreimerink 0
  • Add additional `list` parameters

    Currently, list shows us the source code at the current location. This issue proposes to extend its functionality by adding some optional parameters. It would, for example, be handy to pick how many lines above and below the current line you want to see, so specifying a count like list 40 would show 20 lines above and 20 lines below the current point instead of the default.

    The second idea is to allow users to specify a start and end line number within the current or another file like: list 100-120 for the current file and list somefile.h:100-120 to specify some specific file.

    Thirdly, it would be handy to be able to list a function, for example by saying list @func123, or a function within a specific file like list [email protected]. Perhaps this can extend to symbols in general.

    enhancement 
    opened by dylandreimerink 0
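As an added sketch for this page (not edb's own parser), the Go below parses the argument forms proposed above: a bare count, a start-end range, a file-qualified range and the @func form. The file-qualified function form is left out because its exact syntax is not legible on this page. The ListRequest type, the choice of the last ':' as the file separator, and centring a count as count/2 lines above and count/2 lines below the current line are assumptions of the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ListRequest is one parsed `list` argument (assumed shape).
type ListRequest struct {
	File  string // "" means the file of the current location
	Func  string // set for the @func form
	Start int    // 1-based inclusive range; 0 when not a range
	End   int
	Count int    // set for the bare-count form
}

// ParseListArg accepts:
//
//	""                    current location, default window
//	"40"                  40 lines around the current line
//	"100-120"             explicit range in the current file
//	"somefile.h:100-120"  explicit range in another file
//	"@func123"            the body of a function, resolved later via DWARF
func ParseListArg(arg string) (ListRequest, error) {
	var r ListRequest
	arg = strings.TrimSpace(arg)
	if arg == "" {
		return r, nil
	}
	if strings.HasPrefix(arg, "@") {
		if len(arg) == 1 {
			return r, fmt.Errorf("missing function name after @")
		}
		r.Func = arg[1:]
		return r, nil
	}
	rng := arg
	if i := strings.LastIndex(arg, ":"); i >= 0 {
		r.File, rng = arg[:i], arg[i+1:]
		if r.File == "" {
			return r, fmt.Errorf("empty file name in %q", arg)
		}
	}
	parts := strings.SplitN(rng, "-", 2)
	if len(parts) == 1 {
		if r.File != "" {
			return r, fmt.Errorf("%q: a file must be followed by a start-end range", arg)
		}
		n, err := strconv.Atoi(parts[0])
		if err != nil || n <= 0 {
			return r, fmt.Errorf("%q: expected a positive line count", arg)
		}
		r.Count = n
		return r, nil
	}
	start, err1 := strconv.Atoi(parts[0])
	end, err2 := strconv.Atoi(parts[1])
	if err1 != nil || err2 != nil || start <= 0 || end < start {
		return r, fmt.Errorf("%q: bad line range", arg)
	}
	r.Start, r.End = start, end
	return r, nil
}

// Window converts a count into the inclusive line range centred on the current
// line (count/2 above and count/2 below), clamped to the file's length.
func Window(current, count, fileLines int) (int, int) {
	start, end := current-count/2, current+count/2
	if start < 1 {
		start = 1
	}
	if end > fileLines {
		end = fileLines
	}
	return start, end
}
```

Rejecting an inverted range and a count combined with a file up front keeps the error at the command line rather than turning into a confusing empty listing later.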
  • Add scope/call stack awareness to `locals` / `list`

    Since #13 and 484f163 we have the tools to determine in which function/scope we are and where we came from. The locals command uses the current scope to look for variables, but there is no reason why we can't also inspect variables in functions to which we have yet to return. It would be nice if we could, for example, do locals -1 and it would show the locals of our parent's scope.

    Another idea would be to assign indexes to each scope starting from 0, which is our main program, and then increasing; this would require you to first execute callstack/cs to get an index.

    Yet another approach might be to be able to "switch" scope. We wouldn't be able to continue execution without going back to the actual scope of the current instruction, but it could be some temporary state to browse around the callstack to inspect the locals for example.

    enhancement 
    opened by dylandreimerink 0
  • Create a `step-over` and `step-out` command

    The step command we currently have always steps into functions. This is fine if we want to follow execution in detail, but it is very frustrating at times to have to step through every sub-function call there is. So it would be a nice feature to have a step-over command which will step to the next line within the same scope. A very similar, yet good command to have would be step-out, which will go to the first line outside of the current scope; this can be used to correct if you used step instead of step-over, or if you just want to leave the current function.

    enhancement 
    opened by dylandreimerink 0
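As an added illustration (not edb's code), the Go below models the three stepping commands on a control-flow-only view of a program: each instruction carries the source line the DWARF line table maps it to and whether it is a BPF-to-BPF call (BPF_CALL with BPF_PSEUDO_CALL) or a BPF_EXIT. The depth of the return-address stack identifies the current scope, the same information the call-stack tracking discussed in the scope-awareness issue above provides. Helper calls never enter a BPF frame, so they are treated as ordinary instructions and step-over needs no special case for them. The Instr, Stepper and SampleProgram names and the six-instruction layout are constructed for the example.

```go
package main

import "fmt"

// Instr is what the stepper needs per instruction: the line the DWARF line
// table maps it to, and whether it is a BPF-to-BPF call or BPF_EXIT.
type Instr struct {
	Line   int
	Call   bool
	Target int // PC of the callee's first instruction when Call is set
	Exit   bool
}

// Stepper models only control flow: the PC and a return-address stack whose
// depth tells which frame (scope) we are in.
type Stepper struct {
	Prog   []Instr
	PC     int
	Halted bool
	ret    []int
}

func (s *Stepper) depth() int { return len(s.ret) }
func (s *Stepper) line() int  { return s.Prog[s.PC].Line }

// StepInstruction is `si`: apply one instruction's control-flow effect.
func (s *Stepper) StepInstruction() {
	if s.Halted {
		return
	}
	in := s.Prog[s.PC]
	switch {
	case in.Call:
		s.ret = append(s.ret, s.PC+1)
		s.PC = in.Target
	case in.Exit && len(s.ret) == 0:
		s.Halted = true // exit of the entry program
	case in.Exit:
		s.PC, s.ret = s.ret[len(s.ret)-1], s.ret[:len(s.ret)-1]
	default:
		s.PC++
	}
}

// Step is today's `step`: run to the first instruction on another line,
// entering any function called on the way.
func (s *Stepper) Step() {
	start := s.line()
	for s.StepInstruction(); !s.Halted && s.line() == start; s.StepInstruction() {
	}
}

// StepOver runs to the next line in the same frame; instructions executed in
// deeper frames (calls made from this line) never stop it. Returning from the
// current frame also stops, so step-over on a function's last line behaves
// like step-out.
func (s *Stepper) StepOver() {
	start, d := s.line(), s.depth()
	for {
		s.StepInstruction()
		if s.Halted || s.depth() < d || (s.depth() == d && s.line() != start) {
			return
		}
	}
}

// StepOut runs until the current frame returns to its caller, stopping on the
// instruction after the call (which may still be on the caller's call line).
func (s *Stepper) StepOut() {
	d := s.depth()
	for !s.Halted && s.depth() >= d {
		s.StepInstruction()
	}
}

// SampleProgram is a constructed layout: an entry program on lines 10-12 that
// calls a function on lines 20-21 from line 11.
func SampleProgram() []Instr {
	return []Instr{
		{Line: 10},                        // 0: entry program
		{Line: 11, Call: true, Target: 4}, // 1: call sub()
		{Line: 11},                        // 2: use sub()'s return value
		{Line: 12, Exit: true},            // 3: return from entry
		{Line: 20},                        // 4: sub() body
		{Line: 21, Exit: true},            // 5: return to caller
	}
}

func main() {
	s := &Stepper{Prog: SampleProgram()}
	s.StepOver()
	fmt.Println("step-over from line 10 stops at PC", s.PC, "line", s.line())
	s.StepOver()
	fmt.Println("step-over across the call stops at PC", s.PC, "line", s.line())
	s = &Stepper{Prog: SampleProgram(), PC: 1}
	s.Step()
	fmt.Println("step into the call stops at PC", s.PC, "line", s.line())
	s.StepOut()
	fmt.Println("step-out returns to PC", s.PC, "line", s.line())
}
```

The one subtlety is that step-out lands on the instruction after the call, which is usually still on the caller's call line (PC 2, line 11 in the sample); a following step-over then moves to the next line. Matching on frame depth rather than on function name is what keeps recursion correct: a recursive call from the same line has a deeper frame and is skipped, not mistaken for the current scope.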
  • Memory and variable modification

    This issue proposes to add commands with which the contents of registers and memory can be updated. The purpose of this feature is to explore conditions which normally don't occur or are difficult to recreate while in a debugging session. For example if you want to explore an error case, you can break just before evaluating something and change the value of R1 to trigger an artificial error.

    The MVP version of the feature is to have it just work on registers, but being able to change local/global variables would be nice, either completely or for specific struct members. Additionally, it would be nice to also modify memory we don't have variables for, like changing bytes at specific memory locations to change a packet, for example.

    enhancement 
    opened by dylandreimerink 0
  • Add log points

    This issue proposes to add log points, which are a type of "breakpoint" that, instead of actually breaking the program will log a message and/or expression to some log buffer along with the location of the point. It is the fancy version of print statements in code, but in some situations it helps to be able to just see the order of logs instead of having to keep track of 30 times you were stopped by a breakpoint.

    These log points should come in the conditional and non-conditional variants.

    enhancement 
    opened by dylandreimerink 0
Releases: v0.1.0