stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4a98dfef353e6065bb8daaa43c05943205fd49
git.stella-ops.org/docs/reachability/probe-reference.md
master 644887997c test fixes and new product advisories work
2026-01-28 02:30:48 +02:00

8.4 KiB
Raw Blame History

Probe Reference

Overview

This document details each eBPF probe used for runtime evidence collection, including kernel requirements, captured data, and known limitations.

Tracepoint Probes

sys_enter_openat

Location: tracepoint/syscalls/sys_enter_openat

Purpose: Capture file access operations to prove which files were read or written.

Kernel Requirement: 2.6.16+ (openat syscall), 4.14+ for eBPF attachment

Source File: src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/Bpf/syscall_openat.bpf.c

Captured Fields:

Field Type Description
timestamp_ns u64 Nanoseconds since boot
pid u32 Process ID
tid u32 Thread ID
cgroup_id u64 Kernel cgroup ID
dfd int Directory file descriptor
flags int Open flags (O_RDONLY, O_WRONLY, etc.)
mode u16 File mode for creation
filename char[256] File path
comm char[16] Process command name

Filtering:

  • Cgroup-based: Only capture events from specified containers
  • Path-based: Allowlist/denylist patterns applied in user space

Fallback: For kernels without openat (pre-2.6.16), attaches to sys_enter_open instead.

Performance Impact: ~1-2% CPU at 10,000 opens/second

sched_process_exec

Location: tracepoint/sched/sched_process_exec

Purpose: Capture process execution to prove which binaries were invoked.

Kernel Requirement: 3.4+ for tracepoint, 4.14+ for eBPF attachment

Source File: src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/Bpf/syscall_exec.bpf.c

Captured Fields:

Field Type Description
timestamp_ns u64 Nanoseconds since boot
pid u32 Process ID (after exec)
ppid u32 Parent process ID
cgroup_id u64 Kernel cgroup ID
filename char[256] Executed binary path
comm char[16] Process command name
argv0 char[128] First argument

Argv Capture:

  • Limited to first 4 arguments for safety
  • Each argument truncated to 128 bytes
  • Uses bpf_probe_read_user_str() with bounds checking

Interpreter Detection:

  • Recognizes shebangs for Python, Node, Ruby, Shell scripts
  • Maps /usr/bin/python script.py to script path

Performance Impact: Minimal (exec rate typically low)

inet_sock_set_state

Location: tracepoint/sock/inet_sock_set_state

Purpose: Capture TCP connection lifecycle to prove network communication patterns.

Kernel Requirement: 4.16+ (tracepoint added), BTF recommended for CO-RE

Source File: src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/Bpf/syscall_network.bpf.c

Captured Fields:

Field Type Description
timestamp_ns u64 Nanoseconds since boot
pid u32 Process ID
cgroup_id u64 Kernel cgroup ID
oldstate u8 Previous TCP state
newstate u8 New TCP state
sport u16 Source port
dport u16 Destination port
family u8 AF_INET (2) or AF_INET6 (10)
saddr_v4 / saddr_v6 u32 / u8[16] Source address
daddr_v4 / daddr_v6 u32 / u8[16] Destination address
comm char[16] Process command name

State Transition Filtering:

  • Default: Only * -> ESTABLISHED and * -> CLOSE
  • Configurable: All transitions for debugging

Address Formatting:

  • IPv4: Dotted decimal (e.g., 192.168.1.1)
  • IPv6: RFC 5952 compressed (e.g., 2001:db8::1)

Performance Impact: ~1% CPU at high connection rate

Uprobe Probes

libc connect/accept

Location:

  • uprobe/libc.so.6:connect
  • uretprobe/libc.so.6:connect
  • uprobe/libc.so.6:accept
  • uprobe/libc.so.6:accept4

Purpose: Capture network operations at libc level as alternative to kernel tracepoints.

Library Support:

  • glibc: libc.so.6
  • musl: libc.musl-*.so.1

Source File: src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/Bpf/uprobe_libc.bpf.c

Captured Fields (connect):

Field Type Description
timestamp_ns u64 Nanoseconds since boot
pid u32 Process ID
cgroup_id u64 Kernel cgroup ID
fd int Socket file descriptor
family u16 Address family
addr varies Remote address
port u16 Remote port
comm char[16] Process command name
result int Return value (from uretprobe)

Library Path Resolution:

  1. Parse /etc/ld.so.cache for library locations
  2. Fall back to common paths (/lib/x86_64-linux-gnu/, etc.)
  3. Handle container-specific paths via /proc/{pid}/root

Byte Counting (optional):

  • uprobe/libc.so.6:read and uprobe/libc.so.6:write
  • Tracks bytes per file descriptor
  • Aggregated to prevent event flood

OpenSSL SSL_read/SSL_write

Location:

  • uprobe/libssl.so.3:SSL_read
  • uretprobe/libssl.so.3:SSL_read
  • uprobe/libssl.so.3:SSL_write
  • uretprobe/libssl.so.3:SSL_write

Purpose: Capture TLS traffic volumes without decryption.

Library Support:

  • OpenSSL 1.1.x: libssl.so.1.1
  • OpenSSL 3.x: libssl.so.3
  • LibreSSL: libssl.so.* (best-effort)
  • BoringSSL: Limited support

Source File: src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/Bpf/uprobe_openssl.bpf.c

Captured Fields:

Field Type Description
timestamp_ns u64 Nanoseconds since boot
pid u32 Process ID
cgroup_id u64 Kernel cgroup ID
operation u8 READ (0) or WRITE (1)
requested_bytes u32 Bytes requested
actual_bytes u32 Bytes transferred (from uretprobe)
ssl_ptr u64 SSL context pointer
comm char[16] Process command name

Session Correlation:

  • ssl_ptr can correlate with SSL_get_fd for socket mapping
  • Optional: SSL_get_peer_certificate for peer info

Byte Aggregation:

  • High-throughput connections aggregate to periodic summaries
  • Prevents event flood on bulk data transfer

Function Tracer (Generic)

Location: uprobe/{binary}:{symbol}

Purpose: Attach to arbitrary function symbols for custom evidence.

Source File: src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/Bpf/function_tracer.bpf.c

Captured Fields:

Field Type Description
timestamp_ns u64 Nanoseconds since boot
pid u32 Process ID
cgroup_id u64 Kernel cgroup ID
address u64 Runtime address
symbol_id u32 Symbol identifier (from BPF map)
comm char[16] Process command name

Symbol Resolution:

  • User-space resolves address to symbol via ELF tables
  • ASLR offset calculated from /proc/{pid}/maps
  • Cached for performance

Kernel Version Compatibility

Feature Minimum Kernel Recommended
Basic eBPF 4.14 5.x+
BTF (CO-RE) 5.2 5.8+
Ring buffer 5.8 5.8+
sys_enter_openat 4.14 5.x+
sched_process_exec 4.14 5.x+
inet_sock_set_state 4.16 5.x+
Uprobes 4.14 5.x+

Known Limitations

Tracepoints

  • sys_enter_openat: Path may be relative; resolution requires dfd lookup
  • sched_process_exec: Argv reading limited by verifier complexity
  • inet_sock_set_state: UDP not covered; use kprobe for UDP if needed

Uprobes

  • Library resolution: May fail for statically linked binaries
  • musl libc: Some symbol names differ from glibc
  • OpenSSL: Version detection required for correct symbol names
  • Stripped binaries: Uprobes require symbol tables

General

  • eBPF verifier: Complex programs may be rejected
  • Container namespaces: Paths may differ from host view
  • High event rate: Ring buffer overflow possible under extreme load

Troubleshooting

Probe Failed to Attach

Error: Failed to attach tracepoint/syscalls/sys_enter_openat
  • Check kernel version supports the tracepoint
  • Verify eBPF is enabled (CONFIG_BPF=y, CONFIG_BPF_SYSCALL=y)
  • Check permissions (CAP_BPF or root required)

Missing BTF

Error: BTF not found for kernel version
  • Install kernel BTF package (linux-image-*-dbg on Debian/Ubuntu)
  • Use BTFHub for external BTF files
  • Fall back to pre-compiled probes for specific kernel

Ring Buffer Overflow

Warning: Ring buffer full, events dropped
  • Increase buffer size: --ring-buffer-size 1M
  • Enable more aggressive filtering
  • Enable rate limiting: --max-events-per-second 10000