Published on: 2025-07-17 22:59:25
This adventure starts with a simple eBPF program to transparently redirect DNS requests on port 53 for a single program (or Docker container). To do this I used BPF_CGROUP_INET4_CONNECT on a cgroup. That lets me inspect and redirect traffic when syscall.connect occurs from within the cgroup. Here is a simplified version 👇 int handle_connect_redirect(struct bpf_sock_addr *ctx, __be32 original_ip, bool is_connect4, struct redirect_result *result) { __be32 new_ip = original_ip; __be16
Keywords: address ctx ebpf ipv4 ipv6
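The decision such a connect hook makes, as an added userspace model (not the post's program, which runs in the kernel and is attached to the cgroup with BPF_CGROUP_INET4_CONNECT / BPF_CGROUP_INET6_CONNECT): the struct below only mirrors the fields of struct bpf_sock_addr the hook may read and rewrite, the resolver address and port are assumptions, and htons()/htonl() stand in for bpf_htons()/bpf_htonl(). The point it shows is that user_port and the address fields are in network byte order, so the port-53 comparison and the rewritten values must be too; the real hook then returns 1 so connect() proceeds to the rewritten destination.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed userspace stand-in for the rewritable fields of struct bpf_sock_addr.
 * As in the kernel UAPI, user_ip4, user_ip6[] and user_port are stored in network
 * byte order, and user_port is a u32 carrying a __be16 value. */
struct sock_addr_ctx {
    uint32_t user_ip4;
    uint32_t user_ip6[4];
    uint32_t user_port;
};

/* Hypothetical local resolver the hook redirects to (assumption, not from the post). */
#define RESOLVER_V4   "127.0.0.1"
#define RESOLVER_PORT 5353

/* Mirrors the hook's decision for either address family: only destination port 53
 * is rewritten, every other connect() passes through untouched.
 * Returns true when the destination was rewritten. */
bool redirect_dns(struct sock_addr_ctx *ctx, bool is_connect4)
{
    /* Compare in network byte order: bpf_htons(53) in the kernel, htons(53) here. */
    if (ctx->user_port != htons(53))
        return false;

    if (is_connect4) {
        ctx->user_ip4 = inet_addr(RESOLVER_V4);
    } else {
        /* ::1 in network order: three zero words and a final word holding 1. */
        memset(ctx->user_ip6, 0, sizeof(ctx->user_ip6));
        ctx->user_ip6[3] = htonl(1);
    }
    ctx->user_port = htons(RESOLVER_PORT);
    return true;
}

/* Helper for callers: does the context now point at the IPv4 resolver? */
bool points_at_resolver_v4(const struct sock_addr_ctx *ctx)
{
    return ctx->user_ip4 == inet_addr(RESOLVER_V4) &&
           ctx->user_port == htons(RESOLVER_PORT);
}
```

A practical caveat the model makes visible: the rewrite is silent to the application, so any client that pins or authenticates its DNS peer (DoT/DoH to a specific host) will see a connection to an unexpected endpoint rather than a transparently redirected one.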
Published on: 2025-08-10 16:16:56
ARMO researchers reveal a major blind spot in Linux runtime security tools caused by the io_uring interface—an asynchronous I/O mechanism that bypasses traditional system calls. Most tools, including Falco, Tetragon, and Microsoft Defender, fail to detect rootkits that use io_uring because they rely on syscall monitoring. ARMO’s proof-of-concept rootkit, Curing, operates fully via io_uring to demonstrate the threat. While some vendors responded with fixes or workarounds, the broader industry remains
Keywords: ebpf io_uring linux security vendors
Published on: 2025-08-14 05:17:16
In a perfect world, everyone’s systems would be fully updated, patched regularly, and running the latest kernel. But let’s be real—that’s rarely the case. Some environments still rely on legacy versions of Ubuntu or Fedora, while others don't even have their kernels compiled with BTF (BPF Type Format) support. And if you’re maintaining any open-source tools, things get even messier. You have zero control over what kind of system your users will run your program on. All of this makes it trick
Keywords: btf ebpf kernel program struct
Published on: 2025-09-03 03:23:17
Precise GPU observability and programmability are essential for optimizing performance in AI workloads and other computationally intensive high-performance computing (HPC) applications. In this paper, we introduce eGPU, the first framework and eBPF runtime that dynamically offloads eBPF bytecode onto GPUs via dynamic PTX injection. Designed primarily for observability, our system leverages real-time GPU telemetry, eBPF-based dynamic instrumentation, and automated performance analysis to pinpoint
Keywords: ebpf gpu instrumentation kernel memory
Published on: 2025-11-07 23:37:26
TLDR; Starting from Linux kernel version 6.9 on x86_64, there’s a new config option CONFIG_X86_FRED enabled and it adds 16 bytes to the starting point of a task’s kernel stack area, so you’ll need to account for this extra padding in your “raw” kernel stack & pt_regs lookup code. Introduction I’ve been using Ubuntu 24.04 as my main eBPF development and testing platform without issues since its release. It is shipped with Linux kernel version 6.8.0, but Canonical recently released an optional n
Keywords: define ebpf fred kernel struct
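An added illustration of the padding issue, not code from the post: a userspace model of how x86_64's task_pt_regs() locates struct pt_regs just below the top of a task's kernel stack, with TOP_OF_KERNEL_STACK_PADDING being 0 without FRED and 2 * 8 = 16 bytes under CONFIG_X86_FRED, placed beside a lookup that still hardcodes zero padding. The stack buffer, THREAD_SIZE and register values are constructed here; in a real eBPF tool the bytes would come from bpf_probe_read_kernel() on the task's stack page. The model shows concretely what goes wrong: with FRED on, the naive reader's ip slot lands on the true flags field.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* x86_64 kernel stack is 4 pages; constructed constant for this model. */
#define THREAD_SIZE (16UL * 1024)

/* arch/x86/include/asm/thread_info.h on x86_64: 0 without FRED, (2 * 8) with CONFIG_X86_FRED. */
#define TOP_OF_KERNEL_STACK_PADDING(fred) ((fred) ? 16UL : 0UL)

/* Field layout of struct pt_regs on x86_64: 21 x u64 = 168 bytes. */
struct pt_regs {
    uint64_t r15, r14, r13, r12, bp, bx, r11, r10, r9, r8;
    uint64_t ax, cx, dx, si, di, orig_ax;
    uint64_t ip, cs, flags, sp, ss;
};

/* Bytes a reader must skip below the top of the stack before pt_regs begins. */
size_t fred_padding(bool fred)
{
    return TOP_OF_KERNEL_STACK_PADDING(fred);
}

/* Kernel's task_pt_regs(): pt_regs sits immediately below the padding at the stack top. */
static struct pt_regs *task_pt_regs(uint8_t *stack_base, bool fred)
{
    uint8_t *top = stack_base + THREAD_SIZE - TOP_OF_KERNEL_STACK_PADDING(fred);
    return (struct pt_regs *)top - 1;
}

/* Pre-FRED style lookup that assumes zero padding: correct only when FRED is off. */
static struct pt_regs *naive_pt_regs(uint8_t *stack_base)
{
    return (struct pt_regs *)(stack_base + THREAD_SIZE) - 1;
}

/* Builds a constructed stack with known register values where the kernel would put them. */
static uint8_t *build_stack(bool fred)
{
    uint8_t *stack = calloc(1, THREAD_SIZE);
    struct pt_regs *regs = task_pt_regs(stack, fred);
    regs->ip    = 0x401000;        /* constructed user RIP */
    regs->flags = 0x246;           /* constructed RFLAGS */
    regs->sp    = 0x7ffdeadbeef0;  /* constructed user RSP */
    return stack;
}

/* The ip value a reader obtains with a padding-aware or a naive lookup. */
uint64_t read_ip(bool fred, bool padding_aware)
{
    uint8_t *stack = build_stack(fred);
    struct pt_regs *regs = padding_aware ? task_pt_regs(stack, fred)
                                         : naive_pt_regs(stack);
    uint64_t ip = regs->ip;
    free(stack);
    return ip;
}
```

With the 16-byte shift, every field the naive reader sees is really the field two slots later (ip reads flags, cs reads sp), and the last two slots read the padding itself; a lookup that hardcodes the offset therefore fails silently rather than loudly, which is why the padding needs to be keyed off the running kernel's configuration.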
Go K’awiil is a project by nerdhub.co that curates technology news from a variety of trusted sources. We built this site because, although news aggregation is incredibly useful, many platforms are cluttered with intrusive ads and heavy JavaScript that can make mobile browsing a hassle. By hand-selecting our favorite tech news outlets, we’ve created a cleaner, more mobile-friendly experience.
Your privacy is important to us. Go K’awiil does not use analytics tools such as Facebook Pixel or Google Analytics. The only tracking occurs through affiliate links to amazon.com, which are tagged with our Amazon affiliate code, helping us earn a small commission.
We are not currently offering ad space. However, if you’re interested in advertising with us, please get in touch at [email protected] and we’ll be happy to review your submission.