Project bpftime has been launched by Eunomia, aiming to develop a runtime and virtual machine for executing EBPF (Extended Berkeley Packet Filter) processors in the user space. This project offers the capability to create EBPF scenarios for tracing and intervening in processes. Notable features include support for uprobe and software interception of all system calls in the user space. By eliminating unnecessary context switching, BPFTIME achieves a tenfold reduction in overhead costs compared to using the UPROBE and URETPROBE functions provided by the Linux kernel. Additionally, BPFTIME simplifies debugging, can potentially be used on systems without a Linux kernel, and does not require advanced privileges to load EBPF applications in the kernel. The project’s code is written in C/C++ and is available under the MIT license.
System call interpretation and integration of the UPROBE-Provery technique by overwriting executable code (Binary REWRITING) is implemented in BPFTIME. This technique replaces system call invocations, entry points, and local functions with transitions to debugging handlers through modification of the executed application’s machine code. This approach proves to be more effective than interception at the Linux kernel level.
BPFTIME supports replacing or modifying functions, attaching handlers (HOOK) and filters, redirecting, blocking, or replacing system call parameters, intercepting entry and exit points of functions, and substituting handles at arbitrary code offsets. Furthermore, BPFTIME can be attached to any running process in the system without requiring a restart. Substitutions within processes can be achieved using PTRACE for running processes and LD_Preload for loaded processes.
BPFTIME encompasses a runtime that enables attaching EBPF programs to system call tracing points and UPROBEs, a JIT EBPF virtual machine for executing EBPF programs in user processes (along with optional AOT-compilation), a background process for interacting with the kernel and ensuring compatibility with the UPROBE kernel subsystem, and a method for loading EBPF programs from the kernel to facilitate collaboration with EBPF programs in the kernel (e.g., for KPROBE processing or applying network filters).
The EBPF virtual machine is provided as a linked library, offering an API similar to the ubpf project. This allows developers to integrate EBPF functionality into their own projects. BP