https://github.com/falcosecurity/pdig

ptrace-based event producer for udig
https://github.com/falcosecurity/pdig

Last synced: 3 months ago
JSON representation

ptrace-based event producer for udig

• Host: GitHub
• URL: https://github.com/falcosecurity/pdig
• Owner: falcosecurity
• License: apache-2.0
• Archived: true
• Created: 2020-05-05T13:35:30.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2022-07-20T09:30:57.000Z (over 2 years ago)
• Last Synced: 2024-05-02T18:07:53.140Z (6 months ago)
• Language: C
• Size: 66.4 KB
• Stars: 65
• Watchers: 8
• Forks: 13
• Open Issues: 4
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - falcosecurity/pdig - ptrace-based event producer for udig (C)

README

        
# pdig

A standalone executable based on ptrace and falcosecurity libraries.

## Why pdig?

In some environments, like managed Kubernetes clusters, you cannot install your own kernel modules or eBPF probes.

This means you cannot use the high-performance in-kernel tracing, but with pdig you can still instrument your applications using ptrace.

## How to build it?

#### Prerequisites:

1. An x86-64 machine, as it's the only supported architecture now

2. `cmake` and the standard C/C++ toolchain (notably `gcc` and `g++`)

#### Instructions

You can either build pdig statically or dynamically linked.

A dynamically linked pdig is more suitable for environments

where you can control the available libraries.

A statically linked pdig on the other hand is very useful if

pdig needs to be used in environments where you can't

make assumptions about the available libraries.

##### Dynamically linked

```console

git clone https://github.com/falcosecurity/pdig

git clone https://github.com/falcosecurity/libs

cd pdig

mkdir -p build

cd build

cmake ..

make

# (optionally) sudo make install

```

##### Statically linked (using musl)

You can setup a musl toolchain yourself and then compile pdig

using the `-DMUSL_OPTIMIZED_BUILD=True` CMake flag.

However, a more convenient way is to do that using an alpine container.

An alpine container can be easily updated by downloading a new one

or doing `apk update`.

If you want to go the Alpine way:

```console

mkdir source

cd source

git clone https://github.com/falcosecurity/pdig

git clone https://github.com/falcosecurity/libs

docker run -v $PWD:/source -it alpine:3.12 sh

```

Now in the container

```console

apk add g++ gcc cmake cmake make libtool elfutils-dev libelf-static linux-headers

cd /source/pdig

mkdir -p build

cd build

cmake -DMUSL_OPTIMIZED_BUILD=True ..

make

```

You can now find the pdig binary in the source directory you created under `pdig/build/pdig`.

A quick `ldd` on that one shows this:

```console

ldd build/pdig

  statically linked

```

If you don't want to go the Alpine way, you will need to grab a copy of [musl libc](https://www.musl-libc.org/),

compile it and then create a [musl gcc wrapper](https://www.musl-libc.org/how.html).

Once you have the wrapper you can compile pdig using the same instructions in this way:

```console

git clone https://github.com/falcosecurity/pdig

git clone https://github.com/falcosecurity/libs

cd pdig

mkdir -p build

cd build

cmake -DMUSL_OPTIMIZED_BUILD=True ..

make

```

## How to run it?

Run `pdig` with the path (and arguments, if any) of the process you want to trace, similar to `strace(1)`, e.g.

    pdig [-a] curl https://example.com/

The `-a` option enables the full filter, which provides a richer set of instrumented system calls. You probably don't want to use this option  with Falco for performance reasons.

You can also attach to a running process with the `-p` option:

    pdig [-a] -p 1234

To observe any effect, you will need e.g. Falco running in a separate process, with udig (userspace instrumentation) enabled. For example:

    falco -u

## How slow is this?

Better than strace at least. While we can't do much about ptrace overhead, we use [seccomp filters](http://man7.org/linux/man-pages/man2/seccomp.2.html)

to limit the kinds of system calls we instrument.

With the caveat that there are lies, damn lies and benchmarks, here are some results from OSBench, as compared to a run without instrumentation:

 | Test    | Configuration      | Relative |

 | ------- | ------------------ | -------- |

 | osbench | Create Files       | 0.245    |

 | osbench | Create Threads     | 0.495    |

 | osbench | Launch Programs    | 0.255    |

 | osbench | Create Processes   | 0.285    |

 | osbench | Memory Allocations | 1.005    |

i.e. the worst case for OSBench is roughly 1/4 the original performance for system call heavy workloads.

**Note**: When attaching to an already running process with `-p`, `pdig` will not use the seccomp filter by default.

You can force it with the `-S` option, but remember that a seccomp filter cannot be removed, so killing `pdig` will also kill the traced processes.