https://github.com/trailofbits/ebpfault
A BPF-based syscall fault injector
bpf debugging ebpf fault-injection llvm
- Host: GitHub
- URL: https://github.com/trailofbits/ebpfault
- Owner: trailofbits
- License: apache-2.0
- Created: 2019-12-20T23:37:02.000Z (about 6 years ago)
- Default Branch: main
- Last Pushed: 2023-04-12T15:08:14.000Z (almost 3 years ago)
- Last Synced: 2025-03-28T12:51:15.586Z (11 months ago)
- Topics: bpf, debugging, ebpf, fault-injection, llvm
- Language: C++
- Homepage: https://www.trailofbits.com/services/security-engineering
- Size: 48.8 KB
- Stars: 101
- Watchers: 35
- Forks: 10
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ebpfault
This tool is a syscall fault injector built on top of eBPF. It has no requirements on the target machine other than a kernel recent enough to support the features it relies on.
## Usage
### Sample configuration
Each `exit_code` can be written either as an integer or as an errno value name (for example `-ENOENT`).
```json
{
  "fault_injectors": [
    {
      "syscall_name": "fchmodat",
      "error_list": [
        {
          "exit_code": "-ENOENT",
          "probability": 50
        },
        {
          "exit_code": -100,
          "probability": 30
        }
      ]
    },
    {
      "syscall_name": "openat",
      "error_list": [
        {
          "exit_code": "-ENOENT",
          "probability": 50
        }
      ]
    }
  ]
}
```
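As an added example (not part of ebpfault itself), the following Python loader parses a configuration in this format, resolves errno names with the standard `errno` module, validates the per-syscall probabilities, and maps a percentage roll onto the exit code to inject. It assumes that probabilities are percentages and that the remainder for a syscall leaves the call untouched, which the README does not state explicitly.

```python
import errno
import json

# Constructed sample configuration in the README's format (not shipped with ebpfault).
SAMPLE_CONFIG = """{
  "fault_injectors": [
    {"syscall_name": "fchmodat",
     "error_list": [{"exit_code": "-ENOENT", "probability": 50},
                    {"exit_code": -100, "probability": 30}]},
    {"syscall_name": "openat",
     "error_list": [{"exit_code": "-ENOENT", "probability": 50}]}
  ]
}"""

# Reverse map of the errno module: name -> number (e.g. "ENOENT" -> 2).
ERRNO_BY_NAME = {name: num for num, name in errno.errorcode.items()}

def resolve_exit_code(value):
    """Return the integer exit code for an entry such as -100 or "-ENOENT"."""
    if isinstance(value, int):
        return value
    text = value.strip()
    negative = text.startswith("-")
    name = text.lstrip("-")
    if name not in ERRNO_BY_NAME:
        raise ValueError(f"unknown errno name: {value!r}")
    return -ERRNO_BY_NAME[name] if negative else ERRNO_BY_NAME[name]

def load_config(text):
    """Parse a config into {syscall_name: [(exit_code, probability), ...]}.
    Assumption (not stated in the README): probabilities are percentages, one
    syscall's entries may not sum above 100, and the remainder is the chance
    that the syscall runs untouched."""
    table = {}
    for injector in json.loads(text)["fault_injectors"]:
        entries = [(resolve_exit_code(e["exit_code"]), int(e["probability"]))
                   for e in injector["error_list"]]
        if any(p < 0 for _, p in entries) or sum(p for _, p in entries) > 100:
            raise ValueError(f"bad probabilities for {injector['syscall_name']}")
        table[injector["syscall_name"]] = entries
    return table

def pick_fault(entries, roll):
    """Map a roll in [0, 100) onto an entry's exit code, or None for no fault."""
    cumulative = 0
    for code, prob in entries:
        cumulative += prob
        if roll < cumulative:
            return code
    return None
```

Running `load_config` over a configuration before handing it to the tool catches typos in errno names and probability tables that would otherwise silently misbehave.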
### Against a new process
```
ebpfault --config /path/to/config.json --exec /path/to/program arg1 arg2
```
### Against one or more running processes
```
ebpfault --config /path/to/config.json --pid_list pid1,pid2,pid3,...
```
### System wide, excluding one or more running processes
```
ebpfault --config /path/to/config.json --except-pid-list --pid_list pid1,pid2,pid3,...
```
## Building
### Prerequisites
* A recent Clang/LLVM installation (9.0 or better), compiled with BPF support
* A recent libc++ or stdc++ library, supporting C++17
* CMake >= 3.21.4. A pre-built binary can be downloaded from CMake's [download page](https://cmake.org/download/).
* :warning: Linux kernel >= 5.x (tested on Ubuntu 19.10) with the `CONFIG_BPF_KPROBE_OVERRIDE` option enabled
### Building
1. Download the osquery-toolchain from the following page: https://github.com/osquery/osquery-toolchain
2. Extract the osquery-toolchain and set the `TOOLCHAIN_PATH` environment variable to its location
3. Obtain the source code: `git clone --recursive https://github.com/trailofbits/ebpfault`
4. In case the `--recursive` flag was not provided, run `git submodule update --init --recursive`
5. Configure the project: `cmake -S ebpfault -B build-ebpfault -DCMAKE_TOOLCHAIN_FILE=cmake/toolchain.cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DEBPFAULT_ENABLE_INSTALL=true`
6. Build the project: `cmake --build build-ebpfault`