089b6de6a7
Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com>
README.md
eBPF on Windows
eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such as DoS protection and observability. This project allows existing eBPF toolchains and APIs familiar from the Linux ecosystem to be used on top of Windows. That is, it takes existing eBPF projects (as submodules) and adds the layer in between that makes them run on top of Windows.
Prerequisites
The following must be installed in order to build this project:
- Git (e.g., Git for Windows 64-bit)
- Visual Studio 2019, including the "MSVC v142 - VS 2019 C++ x64/x86 Spectre-mitigated libs (v14.28)" which must be selected as an Individual component in the VS installer
- Visual Studio Build Tools 2019
- WDK for Windows 10, version 2004
- Clang/LLVM for Windows 64-bit
How to clone and build the project
git clone --recurse-submodules https://github.com/microsoft/ebpf-for-windows.git
cd ebpf-for-windows
cmake -S external\ebpf-verifier -B external\ebpf-verifier\build
msbuild /m /p:Configuration=Debug /p:Platform=x64 ebpf-demo.sln
or to build from within Visual Studio:
- Open ebpf-demo.sln
- Switch to debug / x64
- Build solution
Using eBPF for Windows
This section shows how to use eBPF for Windows in a demo that defends against a 0-byte UDP attack on a DNS server.
Prep
Set up 2 VMs, which we will refer to as the "attacker" machine and the "defender" machine
On the defender machine, do the following:
- Install and set up a DNS server
- Make sure the kernel debugger (KD) is attached and running.
- Install Debug VS 2019 VC redist from TBD (or switch everything to Multi-threaded Debug (/MTd) and rebuild)
- Copy ebpfcore.sys to %windir%\system32\drivers
- Copy ebpfapi.dll and ebpfnetsh.dll to %windir%\system32
- Do
sc create EbpfCore type=kernel start=boot binpath=%windir%\system32\drivers\ebpfcore.sys
- Do
sc start EbpfCore
- Do
netsh add helper %windir%\system32\ebpfnetsh.dll
- Install clang
- Copy droppacket.c and ebpf.h to a folder (such as c:\test)
On the attacker machine, do the following:
- Copy DnsFlood.exe to attacker machine
Demo
On the attacker machine
- Run
for /L %i in (1,1,4) do start /min DnsFlood <ip of defender>
On the defender machine
- Start performance monitor and add UDPv4 Datagrams/sec
- Show that 200K packets per second are being received
- Show & explain code of droppacket.c
- Compile droppacket.c
clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o
- Show eBPF byte code for droppacket.o
netsh ebpf show disassembly droppacket.o xdp
- Show that the verifier checks the code
netsh ebpf show verification droppacket.o xdp
- Launch netsh
netsh
- Switch to ebpf context
ebpf
- Load eBPF program
add program droppacket.o xdp
- Show UDP datagrams received drop to under 10 per second
- Unload program
delete program droppacket.o xdp
- Show UDP datagrams received go back up to ~200K per second
- Modify droppacket.c to be unsafe: comment out lines 20 and 21
- Compile droppacket.c
clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o
- Show that the verifier rejects the code
netsh ebpf show verification droppacket.o xdp
- Show that loading the program fails
netsh ebpf add program droppacket.o xdp
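To illustrate the kind of program the demo describes, here is an added example of a "drop 0-byte UDP" XDP filter written so it builds and runs as plain C; it is not the project's droppacket.c, and the xdp_md_t context struct, header layouts and XDP_DROP/XDP_PASS values are assumptions chosen for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-ins for the XDP context and return codes so the logic
 * builds as ordinary C; the real program would include ebpf.h instead. */
#define XDP_DROP 1
#define XDP_PASS 2
typedef struct { uint8_t *data; uint8_t *data_end; } xdp_md_t;
#define ETH_P_IP    0x0800
#define IPPROTO_UDP 17
#define UDP_HDR_LEN 8
struct eth_hdr  { uint8_t dst[6], src[6]; uint16_t type; } __attribute__((packed));
struct ipv4_hdr { uint8_t ver_ihl, tos; uint16_t len, id, frag; uint8_t ttl, proto;
                  uint16_t csum; uint32_t src, dst; } __attribute__((packed));
struct udp_hdr  { uint16_t sport, dport, len, csum; } __attribute__((packed));
static uint16_t swap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Drop IPv4/UDP datagrams whose UDP length covers only the 8-byte header
 * (a zero-byte payload). Every header is compared against data_end before it
 * is read: those are the checks the verifier requires. No IP options assumed. */
int drop_zero_length_udp(xdp_md_t *ctx)
{
    uint8_t *end = ctx->data_end;
    struct eth_hdr *eth = (struct eth_hdr *)ctx->data;
    if ((uint8_t *)(eth + 1) > end || swap16(eth->type) != ETH_P_IP) return XDP_PASS;
    struct ipv4_hdr *ip = (struct ipv4_hdr *)(eth + 1);
    if ((uint8_t *)(ip + 1) > end || ip->proto != IPPROTO_UDP) return XDP_PASS;
    struct udp_hdr *udp = (struct udp_hdr *)(ip + 1);
    if ((uint8_t *)(udp + 1) > end) return XDP_PASS;
    return swap16(udp->len) <= UDP_HDR_LEN ? XDP_DROP : XDP_PASS;
}

/* Test harness: build a constructed Ethernet+IPv4+UDP (port 53) packet with
 * payload_len payload bytes, optionally exposing only visible_len bytes of
 * it (0 = all) to exercise the bounds checks, and return the verdict. */
int verdict_for(uint16_t payload_len, size_t visible_len)
{
    uint8_t buf[256];
    size_t n = sizeof(struct eth_hdr) + sizeof(struct ipv4_hdr) + UDP_HDR_LEN + payload_len;
    memset(buf, 0, n);
    struct eth_hdr *eth = (struct eth_hdr *)buf;
    eth->type = swap16(ETH_P_IP);
    struct ipv4_hdr *ip = (struct ipv4_hdr *)(eth + 1);
    ip->ver_ihl = 0x45; ip->proto = IPPROTO_UDP;
    struct udp_hdr *udp = (struct udp_hdr *)(ip + 1);
    udp->dport = swap16(53); udp->len = swap16((uint16_t)(UDP_HDR_LEN + payload_len));
    if (visible_len && visible_len < n) n = visible_len;
    xdp_md_t ctx = { buf, buf + n };
    return drop_zero_length_udp(&ctx);
}
```

Removing the data_end comparisons, as the demo does for lines 20 and 21 of droppacket.c, leaves an out-of-bounds packet read that the verifier rejects.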