eBPF implementation that runs on top of Windows

Overview

eBPF for Windows

eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such as DoS protection and observability. This project is a work in progress that allows existing eBPF toolchains and APIs familiar from the Linux ecosystem to be used on top of Windows. That is, this project takes existing eBPF projects as submodules and adds the layer in between to make them run on top of Windows.

New to eBPF?

See our eBPF tutorial.

Architectural Overview

The following diagram shows the architecture of this project and related components:

[Diagram: Architectural Overview]

As shown in the diagram, existing eBPF toolchains (clang, etc.) can be used to generate eBPF bytecode from source code in various languages. The bytecode can then be consumed by any application, or via the Netsh command line tool; both use a shared library that exposes Libbpf APIs, though this is still in progress.

The eBPF bytecode is sent to a static verifier (the PREVAIL verifier) that is hosted in a user-mode protected process (a Windows security environment that allows a kernel component to trust a user-mode daemon signed by a key that it trusts). If the bytecode passes all the verifier checks, it can either be loaded into an interpreter (from uBPF) in the kernel-mode execution context, or JIT compiled (via the uBPF JIT compiler) and the resulting native code loaded into the kernel-mode execution context (but see the FAQ at the bottom about HVCI).

Temporary Note: some parts are still under development and may not appear when building the master branch, but the end-to-end functionality can already be tested while the security hardening is still in progress.

eBPF programs installed into the kernel-mode execution context can attach to various hooks (currently two: an XDP-like hook based on the Windows Filtering Platform (WFP) layer 2 filtering, and a socket bind hook) and call various helper APIs exposed by the eBPF shim, which internally wraps public Windows kernel APIs, allowing the use of eBPF on existing versions of Windows. More hooks and helpers will be added over time.
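As an added illustration of the verifier-plus-hook model described above (example code written for this page, not code from the eBPF for Windows project), the following C program is a UDP destination-port filter written the way an XDP-like program has to be written to get through a static verifier: every header is compared against data_end before it is read, and a packet that claims to carry a header it does not fully contain is dropped rather than read past its end. To keep it compilable and runnable in user mode, it uses stand-ins for the real context type and return codes (struct xdp_ctx, XDP_DROP and XDP_PASS are assumptions here; a real program would take them from the project's own headers) and builds its own constructed test packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed to mirror the Linux XDP values; the project's headers define the real ones. */
enum { XDP_DROP = 1, XDP_PASS = 2 };

/* Stand-in for the context the XDP-like hook passes in (assumption for this example). */
struct xdp_ctx {
    void* data;
    void* data_end;
};

/* Packed so that field access through a pointer into the packet buffer is well defined. */
struct __attribute__((packed)) eth_hdr { uint8_t dst[6]; uint8_t src[6]; uint16_t type; };
struct __attribute__((packed)) ipv4_hdr {
    uint8_t vhl; uint8_t tos; uint16_t tot_len; uint16_t id; uint16_t frag_off;
    uint8_t ttl; uint8_t proto; uint16_t csum; uint32_t saddr; uint32_t daddr;
};
struct __attribute__((packed)) udp_hdr { uint16_t sport; uint16_t dport; uint16_t len; uint16_t csum; };

#define ETHERTYPE_IPV4   0x0800
#define IPPROTO_UDP_NUM  17
#define BLOCKED_UDP_PORT 5353  /* constructed policy for the demo: drop mDNS */

/* Read a big-endian 16-bit field byte by byte, independent of host endianness. */
static uint16_t load_be16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The program body. Each header is bounds-checked against data_end before any
 * field is read; a verifier rejects the same code with any one check removed. */
int udp_port_filter(struct xdp_ctx* ctx)
{
    char* data = (char*)ctx->data;
    char* data_end = (char*)ctx->data_end;

    struct eth_hdr* eth = (struct eth_hdr*)data;
    if ((char*)(eth + 1) > data_end)
        return XDP_PASS;                      /* not even a full Ethernet header */
    if (load_be16((uint8_t*)&eth->type) != ETHERTYPE_IPV4)
        return XDP_PASS;                      /* policy only covers IPv4 */

    struct ipv4_hdr* ip = (struct ipv4_hdr*)(eth + 1);
    if ((char*)(ip + 1) > data_end)
        return XDP_DROP;                      /* claims IPv4 but is truncated */
    if ((ip->vhl >> 4) != 4)
        return XDP_DROP;
    size_t ihl = (size_t)(ip->vhl & 0x0f) * 4; /* bounded: at most 60 bytes */
    if (ihl < sizeof(*ip))
        return XDP_DROP;                      /* header length below the minimum */
    if (ip->proto != IPPROTO_UDP_NUM)
        return XDP_PASS;

    struct udp_hdr* udp = (struct udp_hdr*)((char*)ip + ihl);
    if ((char*)(udp + 1) > data_end)
        return XDP_DROP;                      /* UDP header runs past the packet */
    if (load_be16((uint8_t*)&udp->dport) == BLOCKED_UDP_PORT)
        return XDP_DROP;
    return XDP_PASS;
}

/* Constructed test input: Ethernet + IPv4 (IHL 5) + UDP to `dport` + 4 payload bytes.
 * Returns the total length (46) or 0 if the buffer is too small. */
size_t build_udp_packet(uint8_t* buf, size_t cap, uint16_t dport)
{
    const size_t len = sizeof(struct eth_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct udp_hdr) + 4;
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;              /* EtherType IPv4 */
    buf[14] = 0x45;                              /* version 4, IHL 5 */
    buf[16] = 0x00; buf[17] = (uint8_t)(len - 14); /* IPv4 total length */
    buf[22] = 64;                                /* TTL */
    buf[23] = IPPROTO_UDP_NUM;
    buf[36] = (uint8_t)(dport >> 8);             /* UDP destination port, network order */
    buf[37] = (uint8_t)(dport & 0xff);
    buf[38] = 0x00; buf[39] = 12;                /* UDP length: 8 header + 4 payload */
    return len;
}

/* Run the filter over the first `len` bytes of `buf`, as the hook would. */
int run_filter(uint8_t* buf, size_t len)
{
    struct xdp_ctx ctx = { buf, buf + len };
    return udp_port_filter(&ctx);
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_udp_packet(pkt, sizeof pkt, BLOCKED_UDP_PORT);
    printf("UDP to %u, %zu bytes: %s\n", BLOCKED_UDP_PORT, n, run_filter(pkt, n) == XDP_DROP ? "drop" : "pass");
    printf("same packet cut to 30 bytes: %s\n", run_filter(pkt, 30) == XDP_DROP ? "drop" : "pass");
    n = build_udp_packet(pkt, sizeof pkt, 53);
    printf("UDP to 53, %zu bytes: %s\n", n, run_filter(pkt, n) == XDP_PASS ? "pass" : "drop");
    return 0;
}
```

The drop-on-truncation decisions are the part worth copying: a packet that advertises IPv4 or UDP but stops short of the header is treated as malformed rather than passed through, and the verifier's requirement that every access be proven in bounds is what turns that into a load-time guarantee instead of a kernel-mode read past the buffer.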

Getting Started

This project supports eBPF on Windows 10, and on Windows Server 2016 or later. To try out this project, see our Getting Started Guide.

Want to help? We welcome contributions! See our Contributing guidelines.

Want to chat with us? We have a:

Frequently Asked Questions

1. Is this a fork of eBPF?

No.

The eBPF for Windows project leverages existing projects, including the IOVisor uBPF project and the PREVAIL verifier, running them on top of Windows by adding the Windows-specific hosting environment for that code.

2. Does this provide app compatibility with eBPF programs written for Linux?

The intent is to provide source code compatibility for code that uses common hooks and helpers that apply across OS ecosystems.

Linux provides many hooks and helpers, some of which are very Linux specific (e.g., using Linux internal data structs) that would not be applicable to other platforms. Other hooks and helpers are generically applicable and the intent is to support them for eBPF programs.

Similarly, the eBPF for Windows project exposes Libbpf APIs to provide source code compatibility for applications that interact with eBPF programs.

3. Will eBPF work with Hypervisor-enforced Code Integrity (HVCI)?

eBPF programs can be run either in an interpreter or natively using a JIT compiler.

Hypervisor-enforced Code Integrity (HVCI) is a mechanism whereby a hypervisor, such as Hyper-V, uses hardware virtualization to protect kernel mode against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the hypervisor.

Since a hypervisor doing such code integrity checks will refuse to accept code pages that aren't signed by a key that the hypervisor trusts, this does impact eBPF programs running natively. As such, when HVCI is enabled, eBPF programs work fine in interpreted mode, but not when using JIT compilation.

Issues
  • How to test XDP_TX performance using Linux traffic gen?

    Hi,

    I have a sender Linux machine and receiver Windows machine, followed the xdp_test.exe guide https://github.com/microsoft/ebpf-for-windows/blob/master/docs/GettingStarted.md#xdp_testsexe to load the xdp program using netsh

    netsh ebpf>add program reflect_packet.o xdp
    netsh ebpf>show programs
    
        ID  Pins  Links  Mode       Type           Name
    ======  ====  =====  =========  =============  ====================
     65539     1      1  JIT        xdp            reflect_packet
    

    And I have another Linux machine running DPDK testpmd to generate traffic

    [email protected]:~/dpdk/build/app# ./dpdk-testpmd -a 0000:02:00.0 -- -i --port-topology=chained --forward-mode=txonly --eth-peer=0,18:66:da:a2:62:6c --tx-ip=10.20.114.118,10.20.114.115
    Waiting for lcores to finish...
    
      ---------------------- Forward statistics for port 0  ----------------------
      RX-packets: 0              RX-dropped: 0             RX-total: 0
      TX-packets: 512830304      TX-dropped: 748000        TX-total: 513578304
      ----------------------------------------------------------------------------
    

    On Windows, I saw RX packets, but no TX packets. (screenshot: Screen Shot 2021-10-18 at 6 37 58 AM)

    Question: How do I know which Windows interface the XDP program binds to? Is there a tool / command to know the XDP_TX packet rate? (Or any pointer to the source code for me to read)

    Thank you William

    documentation triaged 
    opened by williamtu 21
  • Failed to build targets with Visual Studio IDE

    I was trying to follow GettingStarted to build the project with Visual Studio IDE.

    After working around issue https://github.com/microsoft/ebpf-for-windows/issues/683 , the build failed for a number of targets, with the entire VS output attached in the following comment.

    My Dev Environment:

    • VM on Azure
    OS Name:                   Microsoft Windows 10 Pro
    OS Version:                10.0.19042 N/A Build 19042
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Standalone Workstation
    
    • Visual Studio
    Microsoft Visual Studio Professional 2019
    Version 16.9.14
    VisualStudio.16.Release/16.9.14+31910.168
    Microsoft .NET Framework
    Version 4.8.04084
    
    Installed Version: Professional
    
    Visual C++ 2019   00435-60000-00000-AA179
    Microsoft Visual C++ 2019
    
    ASP.NET and Web Tools 2019   16.9.693.2781
    ASP.NET and Web Tools 2019
    
    C# Tools   3.9.0-6.21160.10+59eedc33d35754759994155ea2f4e1012a9951e3
    C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
    
    Debugging Tools for Windows   10.0.19030.1000
    Integrates the Windows Debugger functionality (http://go.microsoft.com/fwlink/?linkid=223405) in Visual Studio.
    
    IntelliCode Extension   1.0
    IntelliCode Visual Studio Extension Detailed Info
    
    Microsoft JVM Debugger   1.0
    Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines
    
    Microsoft MI-Based Debugger   1.0
    Provides support for connecting Visual Studio to MI compatible debuggers
    
    Microsoft Visual C++ Wizards   1.0
    Microsoft Visual C++ Wizards
    
    Microsoft Visual Studio VC Package   1.0
    Microsoft Visual Studio VC Package
    
    NuGet Package Manager   5.9.0
    NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/
    
    ProjectServicesPackage Extension   1.0
    ProjectServicesPackage Visual Studio Extension Detailed Info
    
    Test Adapter for Boost.Test   1.0
    Enables Visual Studio's testing tools with unit tests written for Boost.Test.  The use terms and Third Party Notices are available in the extension installation directory.
    
    Test Adapter for Google Test   1.0
    Enables Visual Studio's testing tools with unit tests written for Google Test.  The use terms and Third Party Notices are available in the extension installation directory.
    
    TypeScript Tools   16.0.30201.2001
    TypeScript Tools for Microsoft Visual Studio
    
    Visual Basic Tools   3.9.0-6.21160.10+59eedc33d35754759994155ea2f4e1012a9951e3
    Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
    
    Visual Studio Code Debug Adapter Host Package   1.0
    Interop layer for hosting Visual Studio Code debug adapters in Visual Studio
    
    Visual Studio Tools for CMake   1.0
    Visual Studio Tools for CMake
    
    Windows Driver Kit   10.0.19030.1000
    Headers, libraries, and tools needed to develop, debug, and test Windows drivers (msdn.microsoft.com/en-us/windows/hardware/gg487428.aspx)
    
    documentation triaged 
    opened by song-jiang 13
  • verifier_fuzzer crash 0453e1624bfaa415598db12a53e1c3745d5e4625

    Describe the bug

    verifier_fuzzer.exe crash-0453e1624bfaa415598db12a53e1c3745d5e4625.o

    ==9992== ERROR: libFuzzer: fuzz target exited
    #0 0x7ffc953bca4d (C:\artifacts\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005ca4d)
    #1 0x7ff6be115caf in fuzzer::PrintStackTrace(void) D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerUtil.cpp:210
    #2 0x7ff6be12b33f in fuzzer::Fuzzer::ExitCallback(void) D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:250
    #3 0x7ffc992d2930 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b2930)
    #4 0x7ffc992d2104 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b2104)
    #5 0x7ffc992d2256 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b2256)
    #6 0x7ffc992d2b43 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b2b43)
    #7 0x7ffc992d19a4 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b19a4)
    #8 0x7ffc992d170c (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b170c)
    #9 0x7ffc992d1786 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b1786)
    #10 0x7ffc992d1b4f (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b1b4f)
    #11 0x7ffc992d1f05 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b1f05)
    #12 0x7ff6be241164 in crab::z_number::operator unsigned __int64(void) const D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab_utils\bignums.hpp:45
    #13 0x7ff6be233646 in crab::domains::kill_and_find_var D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\array_domain.cpp:455
    #14 0x7ff6be2305db in crab::domains::array_domain_t::store_type(class crab::domains::SplitDBM &, class linear_expression_t const &, class linear_expression_t const &, class linear_expression_t const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\array_domain.cpp:574
    #15 0x7ff6be2309b5 in crab::domains::array_domain_t::store_type(class crab::domains::SplitDBM &, class linear_expression_t const &, class linear_expression_t const &, struct asm_syntax::Reg const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\array_domain.cpp:593
    #16 0x7ff6be26d8c9 in ebpf_domain_t::do_store_stack<int, struct asm_syntax::Reg, class crab::variable_t>(class crab::domains::SplitDBM &, int, int const &, struct asm_syntax::Reg, class crab::variable_t, class std::optional const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\ebpf_domain.cpp:1150
    #17 0x7ff6be26d422 in ebpf_domain_t::do_mem_store<struct asm_syntax::Reg, class crab::variable_t>(struct asm_syntax::Mem const &, struct asm_syntax::Reg, class crab::variable_t, class std::optional const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\ebpf_domain.cpp:1253
    #18 0x7ff6be25281b in ebpf_domain_t::operator()(struct asm_syntax::Mem const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\ebpf_domain.cpp:1237
    #19 0x7ff6be275de4 in std::invoke<class ebpf_domain_t &, struct asm_syntax::Mem const &>(class ebpf_domain_t &, struct asm_syntax::Mem const &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\type_traits:1534
    #20 0x7ff6be268a64 in std::_Variant_dispatcher<struct std::integer_sequence<unsigned __int64, 8>>::_Dispatch2<void, class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &, 0>(class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1499
    #21 0x7ff6be26b378 in std::_Visit_strategy<2>::_Visit2<void, struct std::_Meta_list<struct std::integer_sequence<unsigned __int64, 0>, struct std::integer_sequence<unsigned __int64, 1>, struct std::integer_sequence<unsigned __int64, 2>, struct std::integer_sequence<unsigned __int64, 3>, struct std::integer_sequence<unsigned __int64, 4>, struct std::integer_sequence<unsigned __int64, 5>, struct std::integer_sequence<unsigned __int64, 6>, struct std::integer_sequence<unsigned __int64, 7>, struct std::integer_sequence<unsigned __int64, 8>, struct std::integer_sequence<unsigned __int64, 9>, struct std::integer_sequence<unsigned __int64, 10>, struct std::integer_sequence<unsigned __int64, 11>, struct std::integer_sequence<unsigned __int64, 12>>, class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &>(unsigned __int64, class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1614
    #22 0x7ff6be26b61b in std::_Visit_impl<13, void, struct std::_Meta_list<struct std::integer_sequence<unsigned __int64, 0>, struct std::integer_sequence<unsigned __int64, 1>, struct std::integer_sequence<unsigned __int64, 2>, struct std::integer_sequence<unsigned __int64, 3>, struct std::integer_sequence<unsigned __int64, 4>, struct std::integer_sequence<unsigned __int64, 5>, struct std::integer_sequence<unsigned __int64, 6>, struct std::integer_sequence<unsigned __int64, 7>, struct std::integer_sequence<unsigned __int64, 8>, struct std::integer_sequence<unsigned __int64, 9>, struct std::integer_sequence<unsigned __int64, 10>, struct std::integer_sequence<unsigned __int64, 11>, struct std::integer_sequence<unsigned __int64, 12>>, class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &>(class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1659
    #23 0x7ff6be277b3d in std::visit<class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &, void>(class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1677
    #24 0x7ff6be24fd19 in ebpf_domain_t::operator()(class crab::basic_block_t const &, bool) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\ebpf_domain.cpp:594
    #25 0x7ff6be28d907 in crab::interleaved_fwd_fixpoint_iterator_t::transform_to_post(struct crab::label_t const &, class ebpf_domain_t) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\fwd_analyzer.cpp:73
    #26 0x7ff6be281007 in crab::interleaved_fwd_fixpoint_iterator_t::operator()(struct crab::label_t const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\fwd_analyzer.cpp:147
    #27 0x7ff6be285c14 in std::invoke<class crab::interleaved_fwd_fixpoint_iterator_t &, struct crab::label_t &>(class crab::interleaved_fwd_fixpoint_iterator_t &, struct crab::label_t &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\type_traits:1534
    #28 0x7ff6be283204 in std::_Variant_dispatcher<struct std::integer_sequence<unsigned __int64, 2>>::_Dispatch2<void, class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &, 0>(class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1499
    #29 0x7ff6be28494c in std::_Visit_strategy<1>::_Visit2<void, struct std::_Meta_list<struct std::integer_sequence<unsigned __int64, 0>, struct std::integer_sequence<unsigned __int64, 1>, struct std::integer_sequence<unsigned __int64, 2>>, class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &>(unsigned __int64, class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1605
    #30 0x7ff6be284a7b in std::_Visit_impl<3, void, struct std::_Meta_list<struct std::integer_sequence<unsigned __int64, 0>, struct std::integer_sequence<unsigned __int64, 1>, struct std::integer_sequence<unsigned __int64, 2>>, class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &>(class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1659
    #31 0x7ff6be285dcd in std::visit<class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &, void>(class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1677
    #32 0x7ff6be280c18 in crab::run_forward_analyzer(class crab::cfg_t &, class ebpf_domain_t const &, bool) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\fwd_analyzer.cpp:130
    #33 0x7ff6be1920aa in get_ebpf_report(class std::basic_ostream<char, struct std::char_traits> &, class crab::cfg_t &, struct program_info, struct ebpf_verifier_options_t const *) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab_verifier.cpp:158
    #34 0x7ff6be190b6a in ebpf_verify_program(class std::basic_ostream<char, struct std::char_traits> &, class std::vector<class std::tuple<struct crab::label_t, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert>, class std::optional>, class std::allocator<class std::tuple<struct crab::label_t, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert>, class std::optional>>> const &, struct program_info const &, struct ebpf_verifier_options_t const *, struct ebpf_verifier_stats_t *) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab_verifier.cpp:230
    #35 0x7ff6bdf3b5cb in _ebpf_api_elf_verify_section_from_stream D:\a\ebpf-for-windows\ebpf-for-windows\libs\api\Verifier.cpp:504
    #36 0x7ff6bdf655f5 in ebpf_api_elf_verify_section_from_memory D:\a\ebpf-for-windows\ebpf-for-windows\libs\api\Verifier.cpp:553
    #37 0x7ff6bdefefbb in LLVMFuzzerTestOneInput D:\a\ebpf-for-windows\ebpf-for-windows\tests\libfuzzer\verifier\libfuzz_harness.cpp:16
    #38 0x7ff6be12b1cf in fuzzer::Fuzzer::ExecuteCallback(unsigned char const *, unsigned __int64) D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:559
    #39 0x7ff6be1035cd in fuzzer::RunOneTest(class fuzzer::Fuzzer *, char const *, unsigned __int64) D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerDriver.cpp:301
    #40 0x7ff6be0fe6b6 in fuzzer::FuzzerDriver(int *, char ***, int (__cdecl *)(unsigned char const *, unsigned __int64)) D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerDriver.cpp:803
    #41 0x7ff6be0f3cb2 in main D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerMain.cpp:20
    #42 0x7ff6be0ef968 in invoke_main D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #43 0x7ff6be0ef8bd in __scrt_common_main_seh D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #44 0x7ff6be0ef77d in __scrt_common_main D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
    #45 0x7ff6be0ef9dd in mainCRTStartup D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
    #46 0x7ffcca227033 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #47 0x7ffccc022650 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

    SUMMARY: libFuzzer: fuzz target exited

    crash-0453e1624bfaa415598db12a53e1c3745d5e4625.o.zip

    OS information

    No response

    Steps taken to reproduce bug

    verifier_fuzzer.exe crash-0453e1624bfaa415598db12a53e1c3745d5e4625.o

    Expected behavior

    Fails verification

    Actual outcome

    Crashes

    Additional details

    No response

    bug triaged 
    opened by Alan-Jowett 10
  • build: Add CMake support

    Description

    This PR rewrites most of the existing Visual Studio-based build system in CMake. It is an initial PoC to simplify the build process. If this kind of work is interesting, it can be further refined to include:

    1. Packaging (MSI/NuGet through CPack)
    2. Better transitive dependencies and properties, which will automatically propagate things like include headers without having to copy/paste them for each target
    3. Better build settings
    opened by alessandrogario 10
  • Does not build on Windows Server 2016

    Turned up a fresh EC2 on AWS with Windows Server 2016, followed the Getting Started procedure verbatim. Everything looked good until the msbuild step. First issue was a dialog that said:

    The procedure entry point VirtualAlloc2 could not be located in the dynamic link library C:\Users\Administrator\git\ebpf-for-windows\x64\Debug\encode_program_info.exe
    

    Then the build failed after dismissing the dialog with:

    C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.CppBuild.targets(439,5): error MSB8020: The build tools for WindowsKernelModeDriver10.0 (Platform Toolset = 'WindowsKernelModeDriver10.0') cannot be found. To build using the WindowsKernelModeDriver10.0 build tools, please install WindowsKernelModeDriver10.0 build tools.  Alternatively, you may upgrade to the current Visual Studio tools by selecting the Project menu or right-click the solution, and then selecting "Retarget solution". [C:\Users\Administrator\git\ebpf-for-windows\libs\ubpf\kernel\ubpf_kernel.vcxproj]
    
    C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.CppBuild.targets(439,5): error MSB8020: The build tools for WindowsKernelModeDriver10.0 (Platform Toolset = 'WindowsKernelModeDriver10.0') cannot be found. To build using the WindowsKernelModeDriver10.0 build tools, please install WindowsKernelModeDriver10.0 build tools.  Alternatively, you may upgrade to the current Visual Studio tools by selecting the Project menu or right-click the solution, and then selecting "Retarget solution". [C:\Users\Administrator\git\ebpf-for-windows\libs\execution_context\kernel\execution_context_kernel.vcxproj]
    
    C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(286,5): error MSB3073: The command "cd /d C:\Users\Administrator\git\ebpf-for-windows\x64\Debug\ [C:\Users\Administrator\git\ebpf-for-windows\tools\encode_program_info\encode_program_info.vcxproj]
    C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(286,5): error MSB3073: C:\Users\Administrator\git\ebpf-for-windows\x64\Debug\encode_program_info.exe [C:\Users\Administrator\git\ebpf-for-windows\tools\encode_program_info\encode_program_info.vcxproj]
    C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(286,5): error MSB3073: :VCEnd" exited with code -1073741511. [C:\Users\Administrator\git\ebpf-for-windows\tools\encode_program_info\encode_program_info.vcxproj]
    

    Maybe Windows Server 2016 isn't supported with this procedure?

    Visual Studio details:

    Microsoft Visual Studio Community 2019
    Version 16.11.8
    VisualStudio.16.Release/16.11.8+32002.261
    Microsoft .NET Framework
    Version 4.8.03761
    
    Installed Version: Community
    
    Visual C++ 2019   00435-60000-00000-AA081
    Microsoft Visual C++ 2019
    
    ASP.NET and Web Tools 2019   16.11.94.52318
    ASP.NET and Web Tools 2019
    
    Azure App Service Tools v3.0.0   16.11.94.52318
    Azure App Service Tools v3.0.0
    
    C# Tools   3.11.0-4.21403.6+ae1fff344d46976624e68ae17164e0607ab68b10
    C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
    
    Common Azure Tools   1.10
    Provides common services for use by Azure Mobile Services and Microsoft Azure Tools.
    
    Debugging Tools for Windows   10.0.19030.1000
    Integrates the Windows Debugger functionality (http://go.microsoft.com/fwlink/?linkid=223405) in Visual Studio.
    
    IntelliCode Extension   1.0
    IntelliCode Visual Studio Extension Detailed Info
    
    Microsoft JVM Debugger   1.0
    Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines
    
    Microsoft MI-Based Debugger   1.0
    Provides support for connecting Visual Studio to MI compatible debuggers
    
    Microsoft Visual C++ Wizards   1.0
    Microsoft Visual C++ Wizards
    
    Microsoft Visual Studio VC Package   1.0
    Microsoft Visual Studio VC Package
    
    NuGet Package Manager   5.11.0
    NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/
    
    ProjectServicesPackage Extension   1.0
    ProjectServicesPackage Visual Studio Extension Detailed Info
    
    Test Adapter for Boost.Test   1.0
    Enables Visual Studio's testing tools with unit tests written for Boost.Test.  The use terms and Third Party Notices are available in the extension installation directory.
    
    Test Adapter for Google Test   1.0
    Enables Visual Studio's testing tools with unit tests written for Google Test.  The use terms and Third Party Notices are available in the extension installation directory.
    
    TypeScript Tools   16.0.30526.2002
    TypeScript Tools for Microsoft Visual Studio
    
    Visual Basic Tools   3.11.0-4.21403.6+ae1fff344d46976624e68ae17164e0607ab68b10
    Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
    
    Visual Studio Code Debug Adapter Host Package   1.0
    Interop layer for hosting Visual Studio Code debug adapters in Visual Studio
    
    Visual Studio Tools for CMake   1.0
    Visual Studio Tools for CMake
    
    Windows Driver Kit   10.0.19030.1000
    Headers, libraries, and tools needed to develop, debug, and test Windows drivers (msdn.microsoft.com/en-us/windows/hardware/gg487428.aspx)
    
    documentation triaged 
    opened by jayhoughton 9
  • Add support for tail calls

    This issue to track adding support for tail calls in eBPF for Windows. This mainly requires the following things:

    • [x] 1. Verifier support for tail calls. It should verify that the argument is indeed ctx pointer with offset 0, and that the type of the map is BPF_MAP_TYPE_PROG_ARRAY.
    • [x] 2. Support for BPF_MAP_TYPE_PROG_ARRAY map, including not allowing any entries to hold programs with a different type from the calling program.
    • [x] 3. bpf_tail_call like helper function, including limiting the number of calls.
    enhancement triaged 
    opened by saxena-anurag 8
  • Add script to generate bpf2c expected files

    Description

    If any change is done to bpf2c output, all the expected files need to be regenerated. This PR adds a script which can be manually run to update all the expected files. The script also trims the absolute file path from the generated code so that next iterations do not show large diffs.

    The script can be executed as follows: .\scripts\generate_expected_bpf2c_output.ps1 .\x64\Debug\

    Testing

    Current tests will cover it.

    Documentation

    NA

    opened by saxena-anurag 7
  • detach / unlink IOCTL missing from execution context.

    There needs to be an explicit DETACH / UNLINK IOCTL (which takes link handle as input) to detach a program from a hook. Simply closing the link handle should not detach the program from the hook.

    ebpf-km ebpfsvc triaged 
    opened by saxena-anurag 7
  • _open_osfhandle() fails for the program handle returned by ebpfcore.

    _open_osfhandle() fails for the program handle returned by ebpfcore.

    _open_osfhandle() is currently failing when called for the program handle returned by ebpfcore. It may have to do with the CreateOptions used in ZwCreateFile; this needs to be investigated.

    bug triaged 
    opened by saxena-anurag 7
  • Error HRESULT E_FAIL has been returned from a call to a COM component.

    Error HRESULT E_FAIL has been returned from a call to a COM component.

    Hello,

    I followed the Getting Started guide verbatim, choosing the option of building from within VS2019. I get the following errors when loading the .sln:

    C:\Users\xxx\ebpf-for-windows\libs\execution_context\unit\execution_context_unit_test.vcxproj : error : Error HRESULT E_FAIL has been returned from a call to a COM component.

    C:\Users\xxx\ebpf-for-windows\libs\platform\unit\platform_unit_test.vcxproj : error : Error HRESULT E_FAIL has been returned from a call to a COM component.

    Please advise.

    bug help wanted 
    opened by sydbarrett74 7
  • verifier_fuzzer.exe crash 42e00cd42229150e43ed1aa313a7678a306b09bf

    verifier_fuzzer.exe crash 42e00cd42229150e43ed1aa313a7678a306b09bf

    Describe the bug

    C:\artifacts\verifier>..\verifier_fuzzer.exe crash-42e00cd42229150e43ed1aa313a7678a306b09bf INFO: Seed: 387285789 INFO: Loaded 1 modules (19160 inline 8-bit counters): 19160 [00007FF6BE301000, 00007FF6BE305AD8), ..\verifier_fuzzer.exe: Running 1 inputs 1 time(s) each. Running: crash-42e00cd42229150e43ed1aa313a7678a306b09bf ==9880== libFuzzer: run interrupted; exiting


    NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports. SUMMARY: libFuzzer: deadly signal

    crash-42e00cd42229150e43ed1aa313a7678a306b09bf.o.zip

    OS information

    No response

    Steps taken to reproduce bug

    verifier_fuzzer.exe crash-42e00cd42229150e43ed1aa313a7678a306b09bf.o

    Expected behavior

    Verification fails

    Actual outcome

    Verifier crashes

    Additional details

    No response

    bug triaged 
    opened by Alan-Jowett 6
  • Validate IOCTL header length

    Validate IOCTL header length

    Description

    Validate the header.length passed to various requests.

    Also add one test case that's part of #1139

    Testing

    Includes updated tests.

    Documentation

    No impact.

    opened by dthaler 1
  • Bump dawidd6/action-download-artifact from 2.21.0 to 2.21.1

    Bump dawidd6/action-download-artifact from 2.21.0 to 2.21.1

    Bumps dawidd6/action-download-artifact from 2.21.0 to 2.21.1.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies github_actions 
    opened by dependabot[bot] 1
  • Bump github/codeql-action from 2.1.12 to 2.1.14

    Bump github/codeql-action from 2.1.12 to 2.1.14

    Bumps github/codeql-action from 2.1.12 to 2.1.14.

    Changelog

    Sourced from github/codeql-action's changelog.

    CodeQL Action Changelog

    [UNRELEASED]

    • CodeQL query packs listed in the packs configuration field will be skipped if their target language is not being analyzed in the current Actions job. Previously, this would throw an error. #1116
    • The combination of python2 and poetry is no longer supported. See actions/setup-python#374 for more details. #1124

    2.1.14 - 22 Jun 2022

    No user facing changes.

    2.1.13 - 21 Jun 2022

    • Update default CodeQL bundle version to 2.9.4. #1100

    2.1.12 - 01 Jun 2022

    • Update default CodeQL bundle version to 2.9.3. #1084

    2.1.11 - 17 May 2022

    • Update default CodeQL bundle version to 2.9.2. #1074

    2.1.10 - 10 May 2022

    • Update default CodeQL bundle version to 2.9.1. #1056
    • When wait-for-processing is enabled, the workflow will now fail if there were any errors that occurred during processing of the analysis results.

    2.1.9 - 27 Apr 2022

    • Add working-directory input to the autobuild action. #1024
    • The analyze and upload-sarif actions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting the wait-for-processing action input to "false". #1007
    • Update default CodeQL bundle version to 2.9.0.
    • Fix a bug where status reporting fails on Windows. #1042

    2.1.8 - 08 Apr 2022

    • Update default CodeQL bundle version to 2.8.5. #1014
    • Fix error where the init action would fail due to a GitHub API request that was taking too long to complete #1025

    2.1.7 - 05 Apr 2022

    • A bug where additional queries specified in the workflow file would sometimes not be respected has been fixed. #1018

    2.1.6 - 30 Mar 2022

    • [v2+ only] The CodeQL Action now runs on Node.js v16. #1000
    • Update default CodeQL bundle version to 2.8.4. #990
    • Fix a bug where an invalid commit_oid was being sent to code scanning when a custom checkout path was being used. #956

    ... (truncated)

    Commits
    • 41a4ada Merge pull request #1114 from github/update-v2.1.14-2e0c6caf
    • e524cd6 Update branch names for check-for-conflicts.yml job
    • 08f9ac4 Update changelog for v2.1.14
    • 2e0c6ca Merge pull request #1111 from github/aeisenberg/revert-1098
    • 99d4397 Revert "Add capability to filter queries #1098"
    • 47dc295 Merge pull request #1110 from github/edoardo/case-insensitive-update
    • 5a6f006 Fix issue with required checks sync script
    • ceacebd Merge pull request #1108 from github/mergeback/v2.1.13-to-main-d00e8c09
    • d069ed5 Merge branch 'main' into mergeback/v2.1.13-to-main-d00e8c09
    • 0e17d37 Update checked-in dependencies
    • Additional commits viewable in compare view

    dependencies github_actions 
    opened by dependabot[bot] 1
  • Bump external/ubpf from `9e02978` to `48e526d`

    Bump external/ubpf from `9e02978` to `48e526d`

    Bumps external/ubpf from 9e02978 to 48e526d.

    Commits
    • 48e526d Merge pull request #109 from trail-of-forks/alessandro/build/add-cmake-support
    • 9bf152d Merge pull request #104 from yoursunny/vm-makefile
    • 5f97959 make: Add missing ubpf_config.h generator
    • 2055f35 cmake: Initial commit
    • 84dfbea vm: include ubpf_jit.o in dynamic library
    • See full diff in compare view

    dependencies submodules 
    opened by dependabot[bot] 0
  • Bump external/Catch2 from `165647a` to `bea58bf`

    Bump external/Catch2 from `165647a` to `bea58bf`

    Bumps external/Catch2 from 165647a to bea58bf.

    Commits
    • bea58bf Allow building Catch2 as dynamic library
    • 34d9724 Add experimental CMake script for sharding tests in binaries
    • 5d26904 Add section on running tests in parallel to the FAQ
    • 95a1206 Add doc page with best practices and other usage tips
    • 6f9f146 Shorten lines in sharding docs
    • 8730260 Split apart combined TUs
    • bdfa920 Use binary path in testBazelReporter reporter output path
    • a369267 test-fixtures.md: Line-wrap code examples (#2464)
    • 1f381a1 Update commercial-users.md (#2465)
    • See full diff in compare view

    dependencies submodules 
    opened by dependabot[bot] 1