eBPF implementation that runs on top of Windows

Overview

eBPF for Windows

eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such as DoS protection and observability. This project is a work in progress that allows existing eBPF toolchains and APIs familiar from the Linux ecosystem to be used on top of Windows. That is, this project takes existing eBPF projects as submodules and adds the layer in between to make them run on top of Windows.

New to eBPF?

See our eBPF tutorial.

Architectural Overview

The following diagram shows the architecture of this project and related components:

[Figure: Architectural Overview]

As shown in the diagram, existing eBPF toolchains (clang, etc.) can be used to generate eBPF bytecode from source code in various languages. The bytecode can be consumed by any application, or via the Netsh command line tool, both of which use a shared library that exposes Libbpf APIs, though this is still in progress.

The eBPF bytecode is sent to a static verifier (the PREVAIL verifier) that is hosted in a user-mode protected process (a Windows security environment that allows a kernel component to trust a user-mode daemon signed by a key that it trusts). If the bytecode passes all the verifier checks, it can either be loaded into an interpreter (from uBPF) in the kernel-mode execution context, or be JIT compiled (via the uBPF JIT compiler), with the resulting native code loaded into the kernel-mode execution context (but see the FAQ at the bottom about HVCI).

Temporary Note: some parts are still under development and may not appear when building the master branch, but the end-to-end functionality can still be tested immediately while the security hardening is still in progress.

eBPF programs installed into the kernel-mode execution context can attach to various hooks (two hooks so far: an XDP-like hook that is based on the Windows Filtering Platform (WFP) layer 2 filtering, and a socket bind hook) and call various helper APIs exposed by the eBPF shim, which internally wraps public Windows kernel APIs, allowing the use of eBPF on existing versions of Windows. More hooks and helpers will be added over time.

Getting Started

This project supports eBPF on Windows 10, and on Windows Server 2016 or later. To try out this project, see our Getting Started Guide.

Want to help? We welcome contributions! See our Contributing guidelines.

Want to chat with us? We have a:

Frequently Asked Questions

1. Is this a fork of eBPF?

No.

The eBPF for Windows project leverages existing projects, including the IOVisor uBPF project and the PREVAIL verifier, running them on top of Windows by adding the Windows-specific hosting environment for that code.

2. Does this provide app compatibility with eBPF programs written for Linux?

The intent is to provide source code compatibility for code that uses common hooks and helpers that apply across OS ecosystems.

Linux provides many hooks and helpers, some of which are very Linux-specific (e.g., they use Linux-internal data structs) and would not be applicable to other platforms. Other hooks and helpers are generically applicable, and the intent is to support them for eBPF programs.

Similarly, the eBPF for Windows project exposes Libbpf APIs to provide source code compatibility for applications that interact with eBPF programs.

3. Will eBPF work with HyperVisor-enforced Code Integrity (HVCI)?

eBPF programs can be run either in an interpreter or natively using a JIT compiler.

HyperVisor-enforced Code Integrity (HVCI) is a mechanism whereby a hypervisor, such as Hyper-V, uses hardware virtualization to protect kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the hypervisor.

Since a hypervisor doing such code integrity checks will refuse to accept code pages that aren't signed by a key that the hypervisor trusts, this does impact eBPF programs running natively. As such, when HVCI is enabled, eBPF programs work fine in interpreted mode, but not when using JIT compilation.
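A host-side check for the HVCI constraint described above, as an added example that is not part of the eBPF for Windows project: it reads the HVCI state from the Win32_DeviceGuard CIM class and parses a `netsh ebpf show programs` table to flag programs loaded in JIT mode. The function names and the second sample row (including its INTERPRET mode label) are assumptions made for illustration.

```powershell
# Added example; not code from the eBPF for Windows repository.

function Test-HvciRunning {
    # Win32_DeviceGuard reports virtualization-based security state.
    # SecurityServicesRunning contains the value 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

function ConvertFrom-EbpfProgramTable {
    # Turns the text table printed by "show programs" into objects.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows begin with three numeric columns (ID, Pins, Links);
        # the header row and the "=====" ruler do not match and are skipped.
        if ($line -match '^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Id    = [int]$Matches[1]
                Pins  = [int]$Matches[2]
                Links = [int]$Matches[3]
                Mode  = $Matches[4]
                Type  = $Matches[5]
                Name  = $Matches[6]
            }
        }
    }
}

function Find-JitProgramUnderHvci {
    # JIT output is unsigned native code, which HVCI refuses to map as
    # executable kernel pages; interpreted programs are unaffected.
    param([object[]]$Programs, [bool]$HvciRunning)
    if (-not $HvciRunning) { return }
    $Programs | Where-Object { $_.Mode -eq 'JIT' }
}

# Sample table in the layout shown on this page. The first data row is the
# one from the page; the second row is constructed, and its mode label
# "INTERPRET" is an assumption.
$sample = @'
    ID  Pins  Links  Mode       Type           Name
======  ====  =====  =========  =============  ====================
 65539     1      1  JIT        xdp            reflect_packet
 65540     1      1  INTERPRET  bind           constructed_example
'@ -split "`r?`n"

# On a live host, replace $sample with the output of: netsh ebpf show programs
$programs = @(ConvertFrom-EbpfProgramTable -Lines $sample)

try {
    $hvci = Test-HvciRunning
}
catch {
    Write-Warning "Could not query Win32_DeviceGuard: $_"
    $hvci = $false
}

$flagged = @(Find-JitProgramUnderHvci -Programs $programs -HvciRunning $hvci)

"HVCI running: $hvci; programs parsed: $($programs.Count)"
foreach ($p in $flagged) {
    Write-Warning ("Program {0} ({1}, type {2}) is in JIT mode on an HVCI host" -f `
        $p.Id, $p.Name, $p.Type)
}
```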

Comments
  • How to test XDP_TX performance using Linux traffic gen?

    Hi,

    I have a sender Linux machine and a receiver Windows machine, and followed the xdp_test.exe guide https://github.com/microsoft/ebpf-for-windows/blob/master/docs/GettingStarted.md#xdp_testsexe to load the XDP program using netsh:

    netsh ebpf>add program reflect_packet.o xdp
    netsh ebpf>show programs
    
        ID  Pins  Links  Mode       Type           Name
    ======  ====  =====  =========  =============  ====================
     65539     1      1  JIT        xdp            reflect_packet
    

    And I have another Linux machine running DPDK testpmd to generate traffic:

    [email protected]:~/dpdk/build/app# ./dpdk-testpmd -a 0000:02:00.0 -- -i --port-topology=chained --forward-mode=txonly --eth-peer=0,18:66:da:a2:62:6c --tx-ip=10.20.114.118,10.20.114.115
    Waiting for lcores to finish...
    
      ---------------------- Forward statistics for port 0  ----------------------
      RX-packets: 0              RX-dropped: 0             RX-total: 0
      TX-packets: 512830304      TX-dropped: 748000        TX-total: 513578304
      ----------------------------------------------------------------------------
    

    On Windows, I saw RX packets, but no TX packets.

    Question: How do I know which Windows interface the XDP program binds to? Is there a tool / command to know the XDP_TX packet rate? (Or any pointer to the source code for me to read)

    Thank you, William

    documentation triaged 
    opened by williamtu 21
  • Failed to build with Visual Studio 2019 Community

    Describe the bug

    I was trying to follow GettingStarted to build the project with Visual Studio 2019 Community. The build failed.

    My Dev Environment:

    • VM on Azure
    OS Name:                   Microsoft Windows 10 Pro
    OS Version:                10.0.19044 N/A Build 19044
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Standalone Workstation
    
    • Visual Studio
    Microsoft Visual Studio Community 2019
    Version 16.11.15
    VisualStudio.16.Release/16.11.15+32510.428
    Microsoft .NET Framework
    Version 4.8.04084
    
    Installed Version: Community
    
    Visual C++ 2019   00435-00000-00000-AA081
    Microsoft Visual C++ 2019
    
    ASP.NET and Web Tools 2019   16.11.106.23128
    ASP.NET and Web Tools 2019
    
    C# Tools   3.11.0-4.22108.8+d9bef045c4362fbcab27ef35daec4e95c8ff47e1
    C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
    
    IntelliCode Extension   1.0
    IntelliCode Visual Studio Extension Detailed Info
    
    Microsoft JVM Debugger   1.0
    Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines
    
    Microsoft MI-Based Debugger   1.0
    Provides support for connecting Visual Studio to MI compatible debuggers
    
    Microsoft Visual C++ Wizards   1.0
    Microsoft Visual C++ Wizards
    
    Microsoft Visual Studio VC Package   1.0
    Microsoft Visual Studio VC Package
    
    NuGet Package Manager   5.11.0
    NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/
    
    ProjectServicesPackage Extension   1.0
    ProjectServicesPackage Visual Studio Extension Detailed Info
    
    Test Adapter for Boost.Test   1.0
    Enables Visual Studio's testing tools with unit tests written for Boost.Test.  The use terms and Third Party Notices are available in the extension installation directory.
    
    Test Adapter for Google Test   1.0
    Enables Visual Studio's testing tools with unit tests written for Google Test.  The use terms and Third Party Notices are available in the extension installation directory.
    
    TypeScript Tools   16.0.30526.2002
    TypeScript Tools for Microsoft Visual Studio
    
    Visual Basic Tools   3.11.0-4.22108.8+d9bef045c4362fbcab27ef35daec4e95c8ff47e1
    Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
    
    Visual Studio Code Debug Adapter Host Package   1.0
    Interop layer for hosting Visual Studio Code debug adapters in Visual Studio
    
    Visual Studio Tools for CMake   1.0
    Visual Studio Tools for CMake
    

    OS information

    No response

    Steps taken to reproduce bug

    Following GettingStarted to build the project with Visual Studio 2019 Community.

    Build failed with the step nuget.exe restore ebpf-for-windows.sln

    Expected behavior

    Build Successfully

    Actual outcome

    Build failed with the step nuget.exe restore ebpf-for-windows.sln

    C:\Users\song\ebpf-for-windows>c:\pkgs\downloads\nuget.exe restore ebpf-for-windows.sln
    MSBuild auto-detection: using msbuild version '16.11.2.50704' from 'C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Current\Bin'.
    C:\Users\song\ebpf-for-windows\external\ebpf-verifier\build\ebpfverifier.vcxproj(32,3): error MSB4019: The imported project "C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.Cpp.Default.props" was not found. Confirm that the expression in the Import declaration "C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\\Microsoft.Cpp.Default.props" is correct, and that the file exists on disk.
    

    Additional details

    Hit the same issue with Visual Studio 2019 Professional as well.

    documentation triaged 
    opened by song-jiang 14
  • Fix code scanning alert - Comparison of narrow type with wide type in…

    … loop condition, index variable types are modified

    Description

    The purpose of these changes is to maintain code sanitation.

    Documentation

    No documentation impact from these changes.

    cleanup 
    opened by Keerthivardhan1 13
  • Failed to build targets with Visual Studio IDE

    I was trying to follow GettingStarted to build the project with Visual Studio IDE.

    After working around issue https://github.com/microsoft/ebpf-for-windows/issues/683, the build failed for a number of targets, with the entire VS output attached in the following comment.

    My Dev Environment:

    • VM on Azure
    OS Name:                   Microsoft Windows 10 Pro
    OS Version:                10.0.19042 N/A Build 19042
    OS Manufacturer:           Microsoft Corporation
    OS Configuration:          Standalone Workstation
    
    • Visual Studio
    Microsoft Visual Studio Professional 2019
    Version 16.9.14
    VisualStudio.16.Release/16.9.14+31910.168
    Microsoft .NET Framework
    Version 4.8.04084
    
    Installed Version: Professional
    
    Visual C++ 2019   00435-60000-00000-AA179
    Microsoft Visual C++ 2019
    
    ASP.NET and Web Tools 2019   16.9.693.2781
    ASP.NET and Web Tools 2019
    
    C# Tools   3.9.0-6.21160.10+59eedc33d35754759994155ea2f4e1012a9951e3
    C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
    
    Debugging Tools for Windows   10.0.19030.1000
    Integrates the Windows Debugger functionality (http://go.microsoft.com/fwlink/?linkid=223405) in Visual Studio.
    
    IntelliCode Extension   1.0
    IntelliCode Visual Studio Extension Detailed Info
    
    Microsoft JVM Debugger   1.0
    Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines
    
    Microsoft MI-Based Debugger   1.0
    Provides support for connecting Visual Studio to MI compatible debuggers
    
    Microsoft Visual C++ Wizards   1.0
    Microsoft Visual C++ Wizards
    
    Microsoft Visual Studio VC Package   1.0
    Microsoft Visual Studio VC Package
    
    NuGet Package Manager   5.9.0
    NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/
    
    ProjectServicesPackage Extension   1.0
    ProjectServicesPackage Visual Studio Extension Detailed Info
    
    Test Adapter for Boost.Test   1.0
    Enables Visual Studio's testing tools with unit tests written for Boost.Test.  The use terms and Third Party Notices are available in the extension installation directory.
    
    Test Adapter for Google Test   1.0
    Enables Visual Studio's testing tools with unit tests written for Google Test.  The use terms and Third Party Notices are available in the extension installation directory.
    
    TypeScript Tools   16.0.30201.2001
    TypeScript Tools for Microsoft Visual Studio
    
    Visual Basic Tools   3.9.0-6.21160.10+59eedc33d35754759994155ea2f4e1012a9951e3
    Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
    
    Visual Studio Code Debug Adapter Host Package   1.0
    Interop layer for hosting Visual Studio Code debug adapters in Visual Studio
    
    Visual Studio Tools for CMake   1.0
    Visual Studio Tools for CMake
    
    Windows Driver Kit   10.0.19030.1000
    Headers, libraries, and tools needed to develop, debug, and test Windows drivers (msdn.microsoft.com/en-us/windows/hardware/gg487428.aspx)
    
    documentation triaged 
    opened by song-jiang 13
  • Return module handle on native module load

    Description

    This PR adds returning a module handle for the native modules that are loaded.

    Changes:

    1. Add ebpf_base_object which is used for creating handles.
    2. Refactor code so that both ebpf_core_object and ebpf_native_module derive from ebpf_base_object.
    3. Return module handle when EBPF_OPERATION_LOAD_NATIVE_MODULE is called.

    Testing

    Both existing tests and new tests cover this.

    Documentation

    NA

    Fixes #1303 Fixes #1664

    bug 
    opened by saxena-anurag 12
  • verifier_fuzzer crash 0453e1624bfaa415598db12a53e1c3745d5e4625

    Describe the bug

    verifier_fuzzer.exe crash-0453e1624bfaa415598db12a53e1c3745d5e4625.o

    ==9992== ERROR: libFuzzer: fuzz target exited #0 0x7ffc953bca4d (C:\artifacts\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005ca4d) #1 0x7ff6be115caf in fuzzer::PrintStackTrace(void) D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerUtil.cpp:210 #2 0x7ff6be12b33f in fuzzer::Fuzzer::ExitCallback(void) D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:250 #3 0x7ffc992d2930 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b2930) #4 0x7ffc992d2104 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b2104) #5 0x7ffc992d2256 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b2256) #6 0x7ffc992d2b43 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b2b43) #7 0x7ffc992d19a4 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b19a4) #8 0x7ffc992d170c (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b170c) #9 0x7ffc992d1786 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b1786) #10 0x7ffc992d1b4f (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b1b4f) #11 0x7ffc992d1f05 (C:\Windows\SYSTEM32\ucrtbased.dll+0x1800b1f05) #12 0x7ff6be241164 in crab::z_number::operator unsigned __int64(void) const D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab_utils\bignums.hpp:45 #13 0x7ff6be233646 in crab::domains::kill_and_find_var D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\array_domain.cpp:455 #14 0x7ff6be2305db in crab::domains::array_domain_t::store_type(class crab::domains::SplitDBM &, class linear_expression_t const &, class linear_expression_t const &, class linear_expression_t const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\array_domain.cpp:574 #15 0x7ff6be2309b5 in crab::domains::array_domain_t::store_type(class crab::domains::SplitDBM &, class linear_expression_t const &, class linear_expression_t const &, struct asm_syntax::Reg const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\array_domain.cpp:593 #16 0x7ff6be26d8c9 in ebpf_domain_t::do_store_stack<int, struct asm_syntax::Reg, class 
crab::variable_t>(class crab::domains::SplitDBM &, int, int const &, struct asm_syntax::Reg, class crab::variable_t, class std::optional const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\ebpf_domain.cpp:1150 #17 0x7ff6be26d422 in ebpf_domain_t::do_mem_store<struct asm_syntax::Reg, class crab::variable_t>(struct asm_syntax::Mem const &, struct asm_syntax::Reg, class crab::variable_t, class std::optional const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\ebpf_domain.cpp:1253 #18 0x7ff6be25281b in ebpf_domain_t::operator()(struct asm_syntax::Mem const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\ebpf_domain.cpp:1237 #19 0x7ff6be275de4 in std::invoke<class ebpf_domain_t &, struct asm_syntax::Mem const &>(class ebpf_domain_t &, struct asm_syntax::Mem const &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\type_traits:1534 #20 0x7ff6be268a64 in std::_Variant_dispatcher<struct std::integer_sequence<unsigned __int64, 8>>::_Dispatch2<void, class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &, 0>(class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1499 #21 0x7ff6be26b378 in std::_Visit_strategy<2>::_Visit2<void, struct 
std::_Meta_list<struct std::integer_sequence<unsigned __int64, 0>, struct std::integer_sequence<unsigned __int64, 1>, struct std::integer_sequence<unsigned __int64, 2>, struct std::integer_sequence<unsigned __int64, 3>, struct std::integer_sequence<unsigned __int64, 4>, struct std::integer_sequence<unsigned __int64, 5>, struct std::integer_sequence<unsigned __int64, 6>, struct std::integer_sequence<unsigned __int64, 7>, struct std::integer_sequence<unsigned __int64, 8>, struct std::integer_sequence<unsigned __int64, 9>, struct std::integer_sequence<unsigned __int64, 10>, struct std::integer_sequence<unsigned __int64, 11>, struct std::integer_sequence<unsigned __int64, 12>>, class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &>(unsigned __int64, class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1614 #22 0x7ff6be26b61b in std::_Visit_impl<13, void, struct std::_Meta_list<struct std::integer_sequence<unsigned __int64, 0>, struct std::integer_sequence<unsigned __int64, 1>, struct std::integer_sequence<unsigned __int64, 2>, struct std::integer_sequence<unsigned __int64, 3>, struct std::integer_sequence<unsigned __int64, 4>, struct std::integer_sequence<unsigned __int64, 5>, struct std::integer_sequence<unsigned __int64, 6>, struct 
std::integer_sequence<unsigned __int64, 7>, struct std::integer_sequence<unsigned __int64, 8>, struct std::integer_sequence<unsigned __int64, 9>, struct std::integer_sequence<unsigned __int64, 10>, struct std::integer_sequence<unsigned __int64, 11>, struct std::integer_sequence<unsigned __int64, 12>>, class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &>(class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1659 #23 0x7ff6be277b3d in std::visit<class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &, void>(class ebpf_domain_t &, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert> const &) C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1677 #24 0x7ff6be24fd19 in ebpf_domain_t::operator()(class crab::basic_block_t const &, bool) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\ebpf_domain.cpp:594 #25 0x7ff6be28d907 in crab::interleaved_fwd_fixpoint_iterator_t::transform_to_post(struct crab::label_t const &, class ebpf_domain_t) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\fwd_analyzer.cpp:73 #26 0x7ff6be281007 in crab::interleaved_fwd_fixpoint_iterator_t::operator()(struct crab::label_t const &) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\fwd_analyzer.cpp:147 #27 0x7ff6be285c14 in std::invoke<class crab::interleaved_fwd_fixpoint_iterator_t &, struct crab::label_t &>(class crab::interleaved_fwd_fixpoint_iterator_t &, struct crab::label_t &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\type_traits:1534 #28 0x7ff6be283204 in std::_Variant_dispatcher<struct std::integer_sequence<unsigned __int64, 2>>::_Dispatch2<void, class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &, 0>(class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1499 #29 0x7ff6be28494c in std::_Visit_strategy<1>::_Visit2<void, struct std::_Meta_list<struct std::integer_sequence<unsigned __int64, 0>, struct std::integer_sequence<unsigned __int64, 1>, struct std::integer_sequence<unsigned __int64, 2>>, class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &>(unsigned __int64, class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &) C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1605 #30 0x7ff6be284a7b in std::_Visit_impl<3, void, struct std::_Meta_list<struct std::integer_sequence<unsigned __int64, 0>, struct std::integer_sequence<unsigned __int64, 1>, struct std::integer_sequence<unsigned __int64, 2>>, class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &>(class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1659 #31 0x7ff6be285dcd in std::visit<class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &, void>(class crab::interleaved_fwd_fixpoint_iterator_t &, class std::variant<class std::shared_ptr, struct crab::label_t> &) C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.29.30133\include\variant:1677 #32 0x7ff6be280c18 in crab::run_forward_analyzer(class crab::cfg_t &, class ebpf_domain_t const &, bool) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab\fwd_analyzer.cpp:130 #33 0x7ff6be1920aa in get_ebpf_report(class std::basic_ostream<char, struct std::char_traits> &, class crab::cfg_t &, struct program_info, struct ebpf_verifier_options_t const *) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab_verifier.cpp:158 #34 0x7ff6be190b6a in ebpf_verify_program(class std::basic_ostream<char, struct std::char_traits> &, class std::vector<class std::tuple<struct crab::label_t, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert>, class 
std::optional>, class std::allocator<class std::tuple<struct crab::label_t, class std::variant<struct asm_syntax::Undefined, struct asm_syntax::Bin, struct asm_syntax::Un, struct asm_syntax::LoadMapFd, struct asm_syntax::Call, struct asm_syntax::Exit, struct asm_syntax::Jmp, struct asm_syntax::Mem, struct asm_syntax::Packet, struct asm_syntax::LockAdd, struct asm_syntax::Assume, struct asm_syntax::Assert>, class std::optional>>> const &, struct program_info const &, struct ebpf_verifier_options_t const *, struct ebpf_verifier_stats_t *) D:\a\ebpf-for-windows\ebpf-for-windows\external\ebpf-verifier\src\crab_verifier.cpp:230 #35 0x7ff6bdf3b5cb in _ebpf_api_elf_verify_section_from_stream D:\a\ebpf-for-windows\ebpf-for-windows\libs\api\Verifier.cpp:504 #36 0x7ff6bdf655f5 in ebpf_api_elf_verify_section_from_memory D:\a\ebpf-for-windows\ebpf-for-windows\libs\api\Verifier.cpp:553 #37 0x7ff6bdefefbb in LLVMFuzzerTestOneInput D:\a\ebpf-for-windows\ebpf-for-windows\tests\libfuzzer\verifier\libfuzz_harness.cpp:16 #38 0x7ff6be12b1cf in fuzzer::Fuzzer::ExecuteCallback(unsigned char const *, unsigned __int64) D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:559 #39 0x7ff6be1035cd in fuzzer::RunOneTest(class fuzzer::Fuzzer *, char const *, unsigned __int64) D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerDriver.cpp:301 #40 0x7ff6be0fe6b6 in fuzzer::FuzzerDriver(int *, char ***, int (__cdecl *)(unsigned char const *, unsigned __int64)) D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerDriver.cpp:803 #41 0x7ff6be0f3cb2 in main D:\a_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\fuzzer\FuzzerMain.cpp:20 #42 0x7ff6be0ef968 in invoke_main D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78 #43 0x7ff6be0ef8bd in __scrt_common_main_seh D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #44 0x7ff6be0ef77d in __scrt_common_main 
D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330 #45 0x7ff6be0ef9dd in mainCRTStartup D:\a_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16 #46 0x7ffcca227033 (C:\Windows\System32\KERNEL32.DLL+0x180017033) #47 0x7ffccc022650 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

    SUMMARY: libFuzzer: fuzz target exited

    crash-0453e1624bfaa415598db12a53e1c3745d5e4625.o.zip

    OS information

    No response

    Steps taken to reproduce bug

    verifier_fuzzer.exe crash-0453e1624bfaa415598db12a53e1c3745d5e4625.o

    Expected behavior

    Fails verification

    Actual outcome

    Crashes

    Additional details

    No response

    bug triaged 
    opened by Alan-Jowett 10
  • build: Add CMake support

    Description

    This PR rewrites most of the existing Visual Studio-based build system in CMake. It is an initial PoC to simplify the build process. If this kind of work is interesting, it can be further refined to include:

    1. Packaging (MSI/NuGet through CPack)
    2. Better transitive dependencies and properties, which will automatically propagate things like include headers without having to copy/paste them for each target
    3. Better build settings
    opened by alessandrogario 10
  • Bump ossf/scorecard-action from 1.0.3 to 1.1.1

    Bumps ossf/scorecard-action from 1.0.3 to 1.1.1.

    Release notes

    Sourced from ossf/scorecard-action's releases.

    v1.1.1

    What's Changed

    Fix for ossf/scorecard-action#323

    Full Changelog: https://github.com/ossf/scorecard-action/compare/v1.1.0...v1.1.1

    v1.1.0

    Main changes

    This release lets you run Scorecards without creating a PAT token. If you don't provide a PAT token, Scorecards will use the default GITHUB_TOKEN available in the workflow. Due to limitations of the permissions model and GitHub APIs, be aware of the following limitations:

    1. Without a PAT, the Branch-Protection is not supported, so it will be disabled. You will not receive alerts for this check.
    2. Scorecards only supports PAT on private repositories. If you want to install Scorecards on a private repository, you still need to use a PAT.

    For more information, visit the README.md

    New Contributors

    Full Changelog: https://github.com/ossf/scorecard-action/compare/v1.0.4...v1.1.0

    v1.0.4

    Summary

    This release fixes null repository and branch issues: see ossf/scorecard-action#106, ossf/scorecard-action#84 and ossf/scorecard-action#73

    What's Changed

    New Contributors

    ... (truncated)

    Commits
    • 3e15ea8 ✨ Bump container hash to use scorecard v4.3.1 (#324)
    • 6c071ac :seedling: Bump actions/setup-go from 3.1.0 to 3.2.0
    • 51fbe79 :seedling: Bump debian from fbaacd5 to 06a93cb
    • d8a25b2 :seedling: Bump github.com/caarlos0/env/v6 from 6.9.2 to 6.9.3
    • cd3637b Update README.md (#319)
    • 77f5e34 :seedling: .github: Add dependency review action (#165)
    • ef34fe9 📖 docs/e2e: Add information about golang-staging branch tests (#170)
    • 1aa187d :seedling: Bump github/codeql-action from 2.1.10 to 2.1.11 (#311)
    • 049eb0c :seedling: Bump github.com/ossf/scorecard/v4 from 4.2.0 to 4.3.0 (#313)
    • 5c8bc69 multi-repo-action: Cleanups (1/n) (#301)
    • Additional commits viewable in compare view

    dependencies github_actions 
    opened by dependabot[bot] 9
  • Does not build on Windows Server 2016


    Turned up a fresh EC2 on AWS with Windows Server 2016, followed the Getting Started procedure verbatim. Everything looked good until the msbuild step. First issue was a dialog that said:

    The procedure entry point VirtualAlloc2 could not be located in the dynamic link library C:\Users\Administrator\git\ebpf-for-windows\x64\Debug\encode_program_info.exe
    

    Then the build failed after dismissing the dialog with:

    C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.CppBuild.targets(439,5): error MSB8020: The build tools for WindowsKernelModeDriver10.0 (Platform Toolset = 'WindowsKernelModeDriver10.0') cannot be found. To build using the WindowsKernelModeDriver10.0 build tools, please install WindowsKernelModeDriver10.0 build tools.  Alternatively, you may upgrade to the current Visual Studio tools by selecting the Project menu or right-click the solution, and then selecting "Retarget solution". [C:\Users\Administrator\git\ebpf-for-windows\libs\ubpf\kernel\ubpf_kernel.vcxproj]
    
    C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.CppBuild.targets(439,5): error MSB8020: The build tools for WindowsKernelModeDriver10.0 (Platform Toolset = 'WindowsKernelModeDriver10.0') cannot be found. To build using the WindowsKernelModeDriver10.0 build tools, please install WindowsKernelModeDriver10.0 build tools.  Alternatively, you may upgrade to the current Visual Studio tools by selecting the Project menu or right-click the solution, and then selecting "Retarget solution". [C:\Users\Administrator\git\ebpf-for-windows\libs\execution_context\kernel\execution_context_kernel.vcxproj]
    
    C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(286,5): error MSB3073: The command "cd /d C:\Users\Administrator\git\ebpf-for-windows\x64\Debug\ [C:\Users\Administrator\git\ebpf-for-windows\tools\encode_program_info\encode_program_info.vcxproj]C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(286,5): error MSB3073: C:\Users\Administrator\git\ebpf-for-windows\x64\Debug\encode_program_info.exe [C:\Users\Administrator\git\ebpf-for-windows\tools\encode_program_info\encode_program_info.vcxproj] C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(286,5): error MSB3073: :VCEnd" exited with code -1073741511. [C:\Users\Administrator\git\ebpf-for-windows\tools\encode_program_info\encode_program_info.vcxproj]
    

    Maybe Windows Server 2016 isn't supported with this procedure?

    Visual Studio details:

    Microsoft Visual Studio Community 2019
    Version 16.11.8
    VisualStudio.16.Release/16.11.8+32002.261
    Microsoft .NET Framework
    Version 4.8.03761
    
    Installed Version: Community
    
    Visual C++ 2019   00435-60000-00000-AA081
    Microsoft Visual C++ 2019
    
    ASP.NET and Web Tools 2019   16.11.94.52318
    ASP.NET and Web Tools 2019
    
    Azure App Service Tools v3.0.0   16.11.94.52318
    Azure App Service Tools v3.0.0
    
    C# Tools   3.11.0-4.21403.6+ae1fff344d46976624e68ae17164e0607ab68b10
    C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
    
    Common Azure Tools   1.10
    Provides common services for use by Azure Mobile Services and Microsoft Azure Tools.
    
    Debugging Tools for Windows   10.0.19030.1000
    Integrates the Windows Debugger functionality (http://go.microsoft.com/fwlink/?linkid=223405) in Visual Studio.
    
    IntelliCode Extension   1.0
    IntelliCode Visual Studio Extension Detailed Info
    
    Microsoft JVM Debugger   1.0
    Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines
    
    Microsoft MI-Based Debugger   1.0
    Provides support for connecting Visual Studio to MI compatible debuggers
    
    Microsoft Visual C++ Wizards   1.0
    Microsoft Visual C++ Wizards
    
    Microsoft Visual Studio VC Package   1.0
    Microsoft Visual Studio VC Package
    
    NuGet Package Manager   5.11.0
    NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/
    
    ProjectServicesPackage Extension   1.0
    ProjectServicesPackage Visual Studio Extension Detailed Info
    
    Test Adapter for Boost.Test   1.0
    Enables Visual Studio's testing tools with unit tests written for Boost.Test.  The use terms and Third Party Notices are available in the extension installation directory.
    
    Test Adapter for Google Test   1.0
    Enables Visual Studio's testing tools with unit tests written for Google Test.  The use terms and Third Party Notices are available in the extension installation directory.
    
    TypeScript Tools   16.0.30526.2002
    TypeScript Tools for Microsoft Visual Studio
    
    Visual Basic Tools   3.11.0-4.21403.6+ae1fff344d46976624e68ae17164e0607ab68b10
    Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.
    
    Visual Studio Code Debug Adapter Host Package   1.0
    Interop layer for hosting Visual Studio Code debug adapters in Visual Studio
    
    Visual Studio Tools for CMake   1.0
    Visual Studio Tools for CMake
    
    Windows Driver Kit   10.0.19030.1000
    Headers, libraries, and tools needed to develop, debug, and test Windows drivers (msdn.microsoft.com/en-us/windows/hardware/gg487428.aspx)
    
    documentation triaged 
    opened by jayhoughton 9
  • Add support for j*32 instructions


    Description

    This PR adds support for the 32-bit JMP instruction variants.

    Testing

    Existing tests are sufficient to test this change-set. No new tests needed.

    Results of the command bpf_conformance_runner.exe --test_file_directory D:\wrk\ebpf-for-windows\external\bpf_conformance\tests\ --exclude_regex lock* --plugin_path .\bpf2c_plugin.exe --plugin_options "--include d:\wrk\ebpf-for-windows\include" attached.

    Documentation

    No documentation changes needed

    Fixes #1667

    bpf_conformance_test_results.txt

    opened by dv-msft 8
  • Fix code scanning alert - Comparison of narrow type with wide type in loop condition


    Tracking issue for:

    • [ ] https://github.com/microsoft/ebpf-for-windows/security/code-scanning/436

    Not a threat, but should be fixed for code sanitation.

    good first issue cleanup triaged 
    opened by Alan-Jowett 8
  • Replace dawidd6/action-download-artifact with actions/download-artifact


    Describe the bug

    Currently we use two different GitHub actions to download artifacts across our workflows:

    ossar-scan.yml: uses: actions/[email protected]
    reusable-build.yml: uses: dawidd6/[email protected]5
    reusable-cmake-build.yml: uses: dawidd6/[email protected]5
    reusable-test.yml: uses: actions/[email protected]

    We should make them all just use actions/download-artifact.

    OS information

    No response

    Steps taken to reproduce bug

    cd .github/workflows
    findstr download *

    Expected behavior

    Should just use actions/download-artifact

    Actual outcome

    Half the workflows use one action, and half use the other action

    Additional details

    No response

    cleanup 
    opened by dthaler 0
  • Bump dawidd6/action-download-artifact from 2.24.2 to 2.24.3


    Bumps dawidd6/action-download-artifact from 2.24.2 to 2.24.3.

    Commits
    • bd10f38 Merge pull request #218 from dawidd6/dependabot-npm_and_yarn-adm-zip-0.5.10
    • 61a654a build(deps): bump adm-zip from 0.5.9 to 0.5.10
    • dcadc4b Merge pull request #211 from koplo199/master
    • ceeb280 Remove unnecessary semicolon
    • 806bb52 Catch 'Artifact has expired' error
    • See full diff in compare view

    dependencies github_actions 
    opened by dependabot[bot] 1
  • Bump actions/download-artifact from 3.0.1 to 3.0.2


    Bumps actions/download-artifact from 3.0.1 to 3.0.2.

    Release notes

    Sourced from actions/download-artifact's releases.

    v3.0.2

    • Bump @actions/artifact to v1.1.1 - actions/download-artifact#195
    • Fixed a bug in Node16 where if an HTTP download finished too quickly (<1ms, e.g. when it's mocked) we attempt to delete a temp file that has not been created yet actions/toolkit#1278
    Commits

    dependencies github_actions 
    opened by dependabot[bot] 1
  • Bump external/ubpf from `253031d` to `2936d81`


    Bumps external/ubpf from 253031d to 2936d81.

    Commits

    dependencies submodules 
    opened by dependabot[bot] 1
  • Bump external/Catch2 from `72b60df` to `04382af`


    Bumps external/Catch2 from 72b60df to 04382af.

    Commits

    dependencies submodules 
    opened by dependabot[bot] 1
  • Bump actions/checkout from 3.2.0 to 3.3.0


    Bumps actions/checkout from 3.2.0 to 3.3.0.

    Release notes

    Sourced from actions/checkout's releases.

    v3.3.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/checkout/compare/v3.2.0...v3.3.0

    Commits

    dependencies github_actions 
    opened by dependabot[bot] 1
Releases(v0.5.0)
  • v0.5.0(Oct 3, 2022)

    What's Changed

    • Add xdp_tests.exe to deploy script by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1397
    • Fix unregistering hook providers by @shankarseal in https://github.com/microsoft/ebpf-for-windows/pull/1402
    • Include hash of program information in metadata by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1376
    • Fix get_attach_type_windows() by @saxena-anurag in https://github.com/microsoft/ebpf-for-windows/pull/1421
    • Update verifier to latest by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1419
    • Pull version number from resource\ebpf_version.h by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1373
    • Update ebpf_version.h by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1428
    • Add correct path to .guid files by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1429
    • Implement correct division by zero behavior by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1411
    • Add tests to verify BPF code generation for interpret and jit by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1430
    • Fix the bpf_map_lookup_elem / bpf_map_update_elem API for per-cpu maps. by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1423
    • Update setup_build.vcxproj by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1432
    • Add ability to enumerate maps associated with a program by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1395

    Full Changelog: https://github.com/microsoft/ebpf-for-windows/compare/v0.4.0...v0.5.0

    Source code(tar.gz)
    Source code(zip)
    ebpf-for-windows-0.5.0.msi(11.02 MB)
    eBPF-for-Windows.0.5.0.nupkg(826.34 KB)
  • v0.4.0(Sep 15, 2022)

    What's Changed

    • Bump external/Catch2 from 5a1ef7e to 5f9109a by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1278
    • Bump external/FindWDK from 43fd504 to 0492964 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1277
    • Update install instructions to allow using released MSI by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1274
    • add --type option to bpf2c tool by @saxena-anurag in https://github.com/microsoft/ebpf-for-windows/pull/1283
    • Add support for ifindex and ifalias in bpftool attach command on Windows by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1280
    • Fix ring buffer test subscriber logic. by @shankarseal in https://github.com/microsoft/ebpf-for-windows/pull/1286
    • Move TestLog.log to the TEMP directory by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1281
    • Clean up hard coded program type in EC by @saxena-anurag in https://github.com/microsoft/ebpf-for-windows/pull/1294
    • Explain where to find the wprp file by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1292
    • Bump external/Catch2 from 5f9109a to 1bd2338 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1298
    • Bump actions/cache from 3.0.4 to 3.0.5 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1299
    • Bump external/ebpf-verifier from d259d31 to 8f0bb3f by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1297
    • Bump github/codeql-action from 2.1.15 to 2.1.16 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1301
    • Clean up Verifier.cpp by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1296
    • Clean up ebpf_program.c by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1302
    • Update ubpf and fix build by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1293
    • Bump external/Catch2 from 1bd2338 to 97c48e0 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1309
    • Add support for new libbpf APIs by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1288
    • Bump external/pe-parse from eecdb3d to 29220c9 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1308
    • Bump external/ebpf-verifier from 8f0bb3f to 88735d9 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1314
    • Add negative tests for native module by @saxena-anurag in https://github.com/microsoft/ebpf-for-windows/pull/1310
    • Bump external/Catch2 from 97c48e0 to 997a7d4 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1313
    • Add noexcept keyword to various internal APIs by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1305
    • Bump github/codeql-action from 2.1.16 to 2.1.17 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1315
    • Implement bpf_prog_detach and bpf_prog_detach2 APIs. by @shankarseal in https://github.com/microsoft/ebpf-for-windows/pull/1311
    • Bump actions/cache from 3.0.5 to 3.0.6 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1318
    • Bump external/Catch2 from 997a7d4 to 47d56f2 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1320
    • Bump github/codeql-action from 2.1.17 to 2.1.18 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1321
    • Bump version to 0.3.0 by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1323
    • Bump external/ebpf-verifier from 88735d9 to 11366cd by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1317
    • Bump external/ubpf from ee1eb2a to af0194f by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1319
    • Fix handling of long map names by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1328
    • Add note about WDK vsix checkbox when installing WDK by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1327
    • Bump dawidd6/action-download-artifact from 2.21.1 to 2.22.0 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1333
    • Fix issued that caused epoch to not cleanup by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1332
    • Fix LLVM guidance in Getting Started by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1331
    • Bump actions/cache from 3.0.6 to 3.0.7 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1334
    • Move preemptible check outside of spinlock region by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1350
    • Bump step-security/harden-runner from 1.4.4 to 1.4.5 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1335
    • Bump microsoft/setup-msbuild from becb80cf9a036187bb1e07e74eb64e25850d757a to 1.1 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1359
    • Update actions/checkout requirement to 2541b1294d2704b0964813337f33b291d3f8596b by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1356
    • Bump external/Catch2 from 47d56f2 to dc001fa by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1357
    • Bump github/codeql-action from 2.1.18 to 2.1.20 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1362
    • Fix doc link by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1338
    • Update bpftool by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1337
    • bpf_object__open_file() should allow null opts by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1363
    • Fix invalid map value size for prog_array and map_array by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1361
    • remove deprecated prog_load API. by @shankarseal in https://github.com/microsoft/ebpf-for-windows/pull/1352
    • Bump actions/cache from 3.0.7 to 3.0.8 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1381
    • Clean up the deprecated netsh use of bpf_object__for_each_safe() by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1368
    • Remove trailing whitespace in committed files by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1377
    • Fix leak of reference on WDFREQUEST by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1383
    • Bump github/codeql-action from 2.1.20 to 2.1.21 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1380
    • Create or update issue on workflow failure by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1385
    • Enable KMDF tag tracking. by @shankarseal in https://github.com/microsoft/ebpf-for-windows/pull/1375
    • Update nuget package to include export_program_info.exe by @Alan-Jowett in https://github.com/microsoft/ebpf-for-windows/pull/1372
    • Add nuget docs by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1386
    • Bump external/Catch2 from dc001fa to 7b2e7d6 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1387
    • Bump dawidd6/action-download-artifact from 2.22.0 to 2.23.0 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1389
    • Bump github/codeql-action from 2.1.21 to 2.1.22 by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1388
    • Add workaround for netsh regression by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1396
    • Bump external/Catch2 from 7b2e7d6 to dea1a6a by @dependabot in https://github.com/microsoft/ebpf-for-windows/pull/1393
    • Bump version to 0.4.0 by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1391

    Full Changelog: https://github.com/microsoft/ebpf-for-windows/compare/v0.2.0...v0.4.0

    Source code(tar.gz)
    Source code(zip)
    ebpf-for-windows-0.4.0.msi(10.93 MB)
    eBPF-for-Windows.0.4.0.nupkg(822.75 KB)
  • v0.3.0(Aug 9, 2022)

    What's Changed

    • add --type option to bpf2c tool by @saxena-anurag in https://github.com/microsoft/ebpf-for-windows/pull/1283
    • Add support for ifindex and ifalias in bpftool attach command on Windows by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1280
    • Add support for new libbpf APIs by @dthaler in https://github.com/microsoft/ebpf-for-windows/pull/1288
    • Implement bpf_prog_detach and bpf_prog_detach2 APIs. by @shankarseal in https://github.com/microsoft/ebpf-for-windows/pull/1311

    Full Changelog: https://github.com/microsoft/ebpf-for-windows/compare/v0.2.0...v0.3.0

    Source code(tar.gz)
    Source code(zip)
    ebpf-for-windows-0.3.0.msi(10.91 MB)
    eBPF-for-Windows.0.3.0.nupkg(800.90 KB)
  • v0.2.0(Jul 9, 2022)

Owner
Microsoft
Open source projects and samples from Microsoft
libsinsp, libscap, the kernel module driver, and the eBPF driver sources

falcosecurity/libs As per the OSS Libraries Contribution Plan, this repository has been chosen to be the new home for libsinsp, libscap, the kernel mo

Falco 133 Dec 29, 2022
Linux Application Level Firewall based on eBPF and NFQUEUE.

eBPFSnitch eBPFSnitch is a Linux Application Level Firewall based on eBPF and NFQUEUE. It is inspired by OpenSnitch, and Douane, but utilizing modern

Harpo Roeder 665 Dec 29, 2022
eBPF bytecode assembler and compiler

An eBPF bytecode assembler and compiler that * Assembles the bytecode to object code. * Compiles the bytecode to C macro preprocessors. Symbolic

Emil Masoumi 6 Jan 23, 2022
Example how to run eBPF probes without a usermode process using fentry

Pinning eBPF Probes Simple example to demonstrate how to pin kernel function and syscall probes. Overview From my reading of the kernel code, KProbe a

pat_h/to/file 3 Jun 7, 2021
A Rust crate that simplifies the integration of Rust and eBPF programs written in C.

This crate simplifies the compilation of eBPF programs written in C integrating clang with Rust and the cargo build system with functions that can be

Simone Margaritelli 19 Mar 16, 2022
ebpfkit-monitor is a tool that detects and protects against eBPF powered rootkits

ebpfkit-monitor ebpfkit-monitor is a utility that you can use to statically analyse eBPF bytecode or monitor suspicious eBPF activity at runtime. It

Guillaume Fournier 79 Dec 18, 2022
A very basic eBPF Load Balancer in a few lines of C

An eBPF Load Balancer from scratch As seen at eBPF Summit 2021. This is not production ready :-) This uses libbpf as a git submodule. If you clone thi

Liz Rice 168 Jan 8, 2023
skbtracer on ebpf

skbtracer skbtracer is a tool for tracing the path of skb network packets, built on eBPF technology; the implementation is based on BCC (requires Linux Kernel 4.15+). Usage examples skbtracer.py # trace

DavadDi 54 Dec 30, 2022
some experiments with ebpf

Learning eBPF and some kernel tracing, probe DNS + TCP connection with portable bpf prog. DevEnv Ubuntu 20.04 Install go Install make, clang, llvm Ins

null 11 Aug 4, 2022
Small utility that leverages eBPF to dump the traffic of a unix domain socket

UnixDump UnixDump is a small eBPF powered utility that can be used to dump unix socket traffic. System requirements This project was developed on a Ub

Guillaume Fournier 8 Nov 19, 2022
Tool for Preventing Data Exfiltration with eBPF

bouheki: Tool for Preventing Data Exfiltration with eBPF bouheki is a KSRI implementation using LSM Hook by eBPF. Flexibility to apply restricted netw

mrtc0 54 Jan 3, 2023
The Beginner's Guide to eBPF Programming for Networking

The Beginner's Guide to eBPF Programming for Networking As seen at Cloud Native eBPF Day 2021. Setup Create a container that we can issue curl request

Liz Rice 79 Dec 23, 2022
pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities.

pwru (packet, where are you?) pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allo

Cilium 1.1k Dec 28, 2022
Detect syscall hooking using eBPF

BPF-HookDetect Detect Kernel Rootkits hooking syscalls Overview Details To Build To Run Example Test Resources Overview Kernel Rootkits such as Diamor

pat_h/to/file 95 Dec 27, 2022
A collection of eBPF programs demonstrating bad behavior

Bad BPF A collection of malicious eBPF programs that make use of eBPF's ability to read and write user data in between the usermode program and the ke

pat_h/to/file 288 Dec 26, 2022
bpflock - eBPF driven security for locking and auditing Linux machines

bpflock - Lock Linux machines bpflock - eBPF driven security for locking and auditing Linux machines. This is a Work In Progress: bpflock is currently

The Linux lock machine projects 113 Nov 28, 2022
A list of network measurement sketch algorithms implemented in eBPF

eBPF Sketches This repository contains a list of the most famous sketches implemented within the eBPF/XDP subsystem. In particular, we have: Count Ske

null 15 Dec 21, 2022
A Linux Host-based Intrusion Detection System based on eBPF.

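eHIDS Introduction A HIDS demo implemented with eBPF kernel technology. Features: TCP network data capture; UDP network data capture; DNS information capture via uprobe; process data capture; event capture for Java RASP command-execution scenarios via uprobe; implemented with an eBPF Go framework, for the kprobe\uprobe attach methods, multi-type even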

CFC4N 291 Dec 30, 2022
eBPF-based EDR for Linux

ebpf-edr A proof-of-concept eBPF-based EDR for Linux Seems to be working fine with the 20 basic rules implemented. Logs the alerts to stdout at the mo

null 15 Nov 9, 2022