eBPF implementation that runs on top of Windows
Dave Thaler 089b6de6a7
Update README with latest changes (#7)
Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com>
2021-04-15 11:41:16 -07:00
.config Deleted cloudvault.json - breaks customers who copy this and do not change it 2020-03-10 17:53:10 +00:00
.github/workflows Add build task to github workflows (#2) 2021-04-14 11:03:01 -07:00
.pipelines Merged PR 4249706: Pull latest ebpf verifier and fix build break 2021-03-16 19:33:56 +00:00
.version build files 2019-10-30 17:08:48 -07:00
docs Add maps discussion to tutorial 2021-04-14 11:47:16 -07:00
external Merged PR 4256572: Update ebpf to use minimally changed ubpf 2021-03-17 22:10:24 +00:00
scripts Add github files 2021-04-13 15:48:48 -07:00
src Merged PR 4256572: Update ebpf to use minimally changed ubpf 2021-03-17 22:10:24 +00:00
.clang-format Fix build by restoring header ordering dependencies and turning off sort 2021-03-09 16:25:24 -08:00
.gitattributes Add setup_build project to install git hook 2021-03-05 21:46:30 -08:00
.gitignore Add verifier-in-an-enclave demo 2021-01-21 17:06:26 -08:00
.gitmodules Merged PR 4246780: Switch to ebpf / prevail master branch 2021-03-16 01:39:35 +00:00
CONTRIBUTING.md Add more contributing guidelines (#4) 2021-04-14 11:45:32 -07:00
Directory.Build.props Merged PR 3981140: Cleanup unused demo files 2021-01-14 22:12:54 +00:00
LICENSE.txt Add prereqs to readme file 2021-02-12 16:18:45 -08:00
Nuget.config Add build task to github workflows (#2) 2021-04-14 11:03:01 -07:00
README.md Update README with latest changes (#7) 2021-04-15 11:41:16 -07:00
ebpf-demo.sln Merged PR 4236890: Add option to dump loaded programs 2021-03-15 15:34:33 +00:00
ebpf-kernel.sln Split user and kernel build sequences 2021-03-15 09:35:44 -06:00
ebpf-user.sln Remove project that depends on clang 2021-03-15 11:04:09 -06:00
global.json Merged PR 3981140: Cleanup unused demo files 2021-01-14 22:12:54 +00:00
owners.txt Merged PR 4220809: First drop of port_quota demo 2021-03-10 02:38:31 +00:00
repo.config initial user samples 2019-10-30 17:01:05 -07:00

README.md

eBPF on Windows

eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such as DoS protection and observability. This project allows existing eBPF toolchains and APIs familiar from the Linux ecosystem to be used on top of Windows. That is, this project takes existing eBPF projects (as submodules) and adds the layer in between that makes them run on top of Windows.

Prerequisites

The following must be installed in order to build this project:

  1. Git (e.g., Git for Windows 64-bit)
  2. Visual Studio 2019, including the "MSVC v142 - VS 2019 C++ x64/x86 Spectre-mitigated libs (v14.28)" which must be selected as an Individual component in the VS installer
  3. Visual Studio Build Tools 2019
  4. WDK for Windows 10, version 2004
  5. Clang/LLVM for Windows 64-bit

How to clone and build the project

  1. git clone --recurse-submodules https://github.com/microsoft/ebpf-for-windows.git
  2. cd ebpf-for-windows
  3. cmake -S external\ebpf-verifier -B external\ebpf-verifier\build
  4. msbuild /m /p:Configuration=Debug /p:Platform=x64 ebpf-demo.sln, or, to build from within Visual Studio:
    • Open ebpf-demo.sln
    • Switch to debug / x64
    • Build solution

Using eBPF for Windows

This section shows how to use eBPF for Windows in a demo that defends against a 0-byte UDP attack on a DNS server.

Prep

Set up 2 VMs, which we will refer to as the "attacker" machine and the "defender" machine.

On the defender machine, do the following:

  1. Install and set up a DNS server
  2. Make sure the kernel debugger (KD) is attached and running.
  3. Install Debug VS 2019 VC redist from TBD (or switch everything to Multi-threaded Debug (/MTd) and rebuild)
  4. Copy ebpfcore.sys to %windir%\system32\drivers
  5. Copy ebpfapi.dll and ebpfnetsh.dll to %windir%\system32
  6. Run sc create EbpfCore type=kernel start=boot binpath=%windir%\system32\drivers\ebpfcore.sys
  7. Run sc start EbpfCore
  8. Run netsh add helper %windir%\system32\ebpfnetsh.dll
  9. Install clang
  10. Copy droppacket.c and ebpf.h to a folder (such as c:\test)

On the attacker machine, do the following:

  1. Copy DnsFlood.exe to attacker machine

Demo

On the attacker machine

  1. Run for /L %i in (1,1,4) do start /min DnsFlood <ip of defender>

On the defender machine

  1. Start Performance Monitor and add the UDPv4 Datagrams/sec counter
  2. Show that 200K packets per second are being received
  3. Show and explain the code of droppacket.c
  4. Compile droppacket.c: clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o
  5. Show the eBPF byte code for droppacket.o: netsh ebpf show disassembly droppacket.o xdp
  6. Show that the verifier accepts the code: netsh ebpf show verification droppacket.o xdp
  7. Launch netsh: netsh
  8. Switch to the ebpf context: ebpf
  9. Load the eBPF program: add program droppacket.o xdp
  10. Show that UDP datagrams received drop to under 10 per second
  11. Unload the program: delete program droppacket.o xdp
  12. Show that UDP datagrams received go back up to ~200K per second
  13. Modify droppacket.c to be unsafe: comment out lines 20 and 21
  14. Compile droppacket.c: clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o
  15. Show that the verifier rejects the code: netsh ebpf show verification droppacket.o xdp
  16. Show that loading the program fails: netsh ebpf add program droppacket.o xdp
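The filtering rule the demo describes, written here as an added, host-testable C example that is not the repository's droppacket.c: it drops IPv4/UDP datagrams with an empty payload and passes everything else, and it makes explicit the length checks that must precede every packet read, which is the property the verifier steps above exist to enforce. Assumptions: the packet buffer starts at the IPv4 header, the verdict values are 1 = drop and 2 = pass, and the sample packets are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>

#define XDP_DROP 1          /* assumed verdict values, XDP style */
#define XDP_PASS 2
#define IPPROTO_UDP 17
#define IPV4_MIN_HLEN 20
#define UDP_HLEN 8

/* Decide whether one packet should be dropped. `data`/`data_end` delimit the packet
 * as an XDP hook presents it. Each field read is guarded by a length check; removing
 * those guards is what makes the program unsafe and what a verifier must reject.
 * Lengths are compared instead of raw pointers so this is well-defined host C. */
int drop_empty_udp(const uint8_t *data, const uint8_t *data_end)
{
    size_t avail = (size_t)(data_end - data);

    /* Guard 1: a full fixed IPv4 header must be present before any field is read. */
    if (avail < IPV4_MIN_HLEN)
        return XDP_PASS;
    size_t ihl = (size_t)(data[0] & 0x0f) * 4;      /* IHL is in 32-bit words */
    if (ihl < IPV4_MIN_HLEN || avail < ihl)
        return XDP_PASS;
    if (data[9] != IPPROTO_UDP)                      /* IPv4 protocol field */
        return XDP_PASS;

    /* Guard 2: the whole UDP header must be present before its length is read. */
    if (avail - ihl < UDP_HLEN)
        return XDP_PASS;
    const uint8_t *udp = data + ihl;
    uint16_t udp_len = (uint16_t)((udp[4] << 8) | udp[5]);   /* big-endian */

    /* UDP length includes the 8-byte header, so <= 8 means a 0-byte payload. */
    return udp_len <= UDP_HLEN ? XDP_DROP : XDP_PASS;
}

/* Constructed sample packets (not captured traffic): IPv4 with IHL=5, TTL 64,
 * 10.0.0.1 -> 10.0.0.2, then UDP port 53 -> 53 with the length field set as noted. */
static const uint8_t sample_empty_udp[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };             /* UDP length 8 */
static const uint8_t sample_udp_payload[30] = {
    0x45, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x00, 0x35, 0x00, 0x35, 0x00, 0x0a, 0x00, 0x00, 0xab, 0xcd }; /* UDP length 10 */

/* Verdict helpers for the samples; the truncated case hands over only the first
 * 10 bytes, so guard 1 passes the packet through without reading beyond it. */
int verdict_empty_udp(void)   { return drop_empty_udp(sample_empty_udp, sample_empty_udp + sizeof sample_empty_udp); }
int verdict_udp_payload(void) { return drop_empty_udp(sample_udp_payload, sample_udp_payload + sizeof sample_udp_payload); }
int verdict_truncated(void)   { return drop_empty_udp(sample_empty_udp, sample_empty_udp + 10); }
```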