BPF – In-kernel virtual machine [pdf] (linuxfoundation.org)
47 points by jsnell on May 14, 2015 | 9 comments



BPF is used at CloudFlare for DDoS filtering. We've recently written a JITer for it as well to get even greater speed.

https://blog.cloudflare.com/bpf-the-forgotten-bytecode/

https://blog.cloudflare.com/introducing-the-bpf-tools/


There's been some interesting work that has been done recently on building a trustworthy BPF verifier (Jitk, OSDI 2014).

https://www.usenix.org/system/files/conference/osdi14/osdi14...


Next obvious step: Compile the kernel into BPF using LLVM and run it inside itself.


Unfortunately the kernel does have loops…


If BPF can be used to modify packets, can a filter be used to send packets through loopback that then come back through the same filter? Sounds like a way to bootstrap a loop.


You have a very very dangerous mind... I like it.

Actually you could have stateful loops too. Make each packet duplicated at iptables and each time increment the counter. Send one to 127.0.0.1 (true, continue) and one to 127.0.0.2 (false, stop). The right answer is accepted, wrong dropped.


Couldn't this take the same approach as NaCl, where x86 code is being run in a sandbox environment?


For the kernel use-case it's important to not only prevent dangerous operations, but also to guarantee termination in very short time.


Ok, then perhaps the basic blocks (parts of the code without branches) could be surrounded with some checking code?
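The two comments above (guaranteeing termination in very short time, and checking basic blocks) are what the classic BPF verifier gets for free from one structural rule: jumps may only go forward. The following is an added example, not code from the thread or from the linked slides: a toy verifier and interpreter for a classic-BPF-style instruction list. The opcode names, the `Insn` encoding, the `MAX_INSNS` budget and the sample programs and packets are all constructed for illustration; the jump-offset convention (target = pc + 1 + offset) and the "out-of-bounds load returns 0" rule mirror classic BPF behaviour, but nothing here is the kernel's own implementation.

```python
# Added example (not from the HN thread or the linked slides): a toy
# verifier for a classic-BPF-style program that statically enforces what
# the comment above asks for: no backward jumps (so every program
# terminates in at most len(prog) steps), every jump target inside the
# program, a final ret, and a hard instruction budget. No per-basic-block
# runtime checks are needed once these hold.
from dataclasses import dataclass

MAX_INSNS = 4096  # constructed budget, standing in for the kernel's limit


@dataclass(frozen=True)
class Insn:
    op: str      # "ld" (load packet byte k), "jeq", "jgt", "ret"
    k: int = 0   # packet offset for ld, compare value for j*, return value for ret
    jt: int = 0  # forward offset taken when the condition holds
    jf: int = 0  # forward offset taken otherwise


class VerifierError(Exception):
    pass


def verify(prog):
    """Reject any program that could loop, jump outside itself, or run off the end."""
    n = len(prog)
    if n == 0 or n > MAX_INSNS:
        raise VerifierError("program length out of range")
    for pc, insn in enumerate(prog):
        if insn.op in ("jeq", "jgt"):
            for off in (insn.jt, insn.jf):
                if off < 0:
                    raise VerifierError(f"backward jump at pc {pc}")
                if pc + 1 + off >= n:
                    raise VerifierError(f"jump target out of range at pc {pc}")
        elif insn.op not in ("ld", "ret"):
            raise VerifierError(f"unknown opcode at pc {pc}")
    if prog[-1].op != "ret":
        raise VerifierError("program does not end in ret")
    return True


def is_valid(prog):
    try:
        return verify(prog)
    except VerifierError:
        return False


def run(prog, packet):
    """Execute a verified program; returns the filter's verdict value."""
    verify(prog)
    acc, pc, steps = 0, 0, 0
    while True:
        steps += 1
        if steps > len(prog):
            # Cannot happen for a verified program: pc strictly increases each step.
            raise RuntimeError("step budget exceeded")
        insn = prog[pc]
        if insn.op == "ld":
            if insn.k >= len(packet):
                return 0  # classic-BPF convention: out-of-bounds load rejects the packet
            acc = packet[insn.k]
            pc += 1
        elif insn.op == "jeq":
            pc += 1 + (insn.jt if acc == insn.k else insn.jf)
        elif insn.op == "jgt":
            pc += 1 + (insn.jt if acc > insn.k else insn.jf)
        else:  # ret
            return insn.k


# Constructed sample filter: drop packets whose IPv4 protocol byte (offset 9) is 17 (UDP).
DROP_UDP = [
    Insn("ld", k=9),              # acc = packet[9]
    Insn("jeq", k=17, jt=0, jf=1),  # UDP -> pc 2 (drop), else -> pc 3 (accept)
    Insn("ret", k=0),             # drop
    Insn("ret", k=0xFFFF),        # accept
]

# Constructed raw IPv4 headers (20 bytes) differing only in the protocol byte.
PKT_UDP = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17] + [0] * 10)
PKT_TCP = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6] + [0] * 10)
PKT_SHORT = bytes([0x45, 0, 0, 5, 0])  # truncated: the ld at offset 9 is out of bounds

# Constructed programs the verifier must reject.
BAD_BACKWARD = [Insn("jeq", k=0, jt=-1, jf=0), Insn("ret", k=0)]   # would spin forever
BAD_RANGE = [Insn("jeq", k=0, jt=5, jf=0), Insn("ret", k=0)]       # jumps past the end

if __name__ == "__main__":
    print(run(DROP_UDP, PKT_UDP), run(DROP_UDP, PKT_TCP), run(DROP_UDP, PKT_SHORT))
    print(is_valid(BAD_BACKWARD), is_valid(BAD_RANGE))
```

Because `pc` strictly increases on every instruction, the `steps` counter in `run` is redundant for any program `verify` accepted; it is kept only to make the termination bound visible. The loopback trick discussed earlier in the thread sidesteps this by re-entering the filter from outside, which is exactly why the bound is per-program rather than per-packet-lifetime.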
