eBPF (extended Berkeley Packet Filter) is a virtual machine that runs custom programs inside the Linux kernel. It is a powerful tool that allows low-level system operations without modifying the kernel itself: programs are loaded into the sandboxed eBPF VM, which verifies them and then runs them safely inside the kernel. eBPF does for Linux what JavaScript does for web browsers, enabling new functionality or instrumentation to be added to the kernel dynamically, without kernel modification. This book will teach you to write eBPF programs in Rust that are compiled to run directly inside the Linux kernel.
To ease the learning curve, the book is divided into two parts. The first part will cover the basics of the eBPF Virtual Machine (VM), the VM instruction set, eBPF maps, and eBPF program types. The first part will also cover the setup required to run an eBPF Rust program and the tools needed to debug eBPF programs.
The book's second part will perform a thorough code walkthrough of several eBPF programs covering topics such as adding new instrumentation and modifying kernel behavior. The sample programs included cover topics such as
- Tracepoints
- kprobes (Kernel probes)
- uprobes (User Space probes)
- Socket filters
- XDP (eXpress Data Path)
- LSM (Linux Security Module)
- Traffic Control Classifier
The above examples are open source and can be found at https://github.com/vishpat/oxidize-ebpf
The book aims to simplify the understanding of eBPF and to provide a practical overview that lets the reader start using the technology quickly.