eBPF is one of the functions provided by Linux, which allows users to add networking functions that operate within the kernel using dedicated BPF code. However, because eBPF directly interferes with kernel operations, there are restrictions on external data references to prevent kernel defects from occurring. For this reason, static analysis, which determines the presence or absence of grammatical errors and code rule violations, has been the mainstream method for eBPF safety verification without requiring internal data. Therefore, a sufficient verification environment has not been established. In order to provide flexible tracking of BPF code behavior according to the intended use, this research aims to provide a debugging function on a machine that masquerades as a BPF code in the user space. Furthermore, as a method of observing the behavior of BPF codes during data transmission and reception, we will construct a framework for invoking the masquerade machine in a bidirectional communication using two hosts. Each host can register BPF codes for debugging and send packets to the other host. When a packet is received, the operation is transferred to a virtual machine equipped with debugging functions for verification. The virtual machine is equipped with breakpoints and step execution, allowing the debugger to reference memory areas used during operation according to the application. The debugger also has a unique system of flags, which allows the debugger to manage operations not only line by line, but also instruction by instruction. In addition, the tail call function, which used to be an internal function of the kernel, is reproduced in user space, enabling verification of multiple programs that are linked together.

Top