Add eBPF syscall-write-trace example #534
base: master
Our non-TLS examples are more about showing someone how they would convert a client and/or server to TLS. I'm not sure of the advantage of doing a write() intercept example for non-TLS. I'd prefer to see an example that does SSL_read() and SSL_write(). I started with write() in my demo that I spent less than an hour on because I didn't want to introduce another dependency on the "hello world" basic example. Then I did SSL_write() to address adding one thing. And finally read for each if I remember correctly.

Hi @toddouska, thanks for the comments. I’ve now added the full TLS example with uprobes on both wolfSSL_write() and wolfSSL_read(), which aligns much better with the rest of the wolfSSL examples. It was a bit more involved since I had to port the BPF side to x86_64 as well, but everything is now tested and working. Going forward, we can also explore hooking other wolfSSL-related paths such as WolfGuard (kernel module) or the higher-level bindings. Do you want me to drop the TCP example?
toddouska
left a comment
How come all the files don't have a wolfSSL copyright? I thought we moved all files to GPLv3.
f47ec06 to
dd0f5df
Compare
Thank you for the review, @toddouska. I have updated all the necessary files to include the appropriate license headers.
ebpf/tls-uprobe-trace/ca-cert.pem
Outdated
| @@ -0,0 +1,93 @@ | |||
| Certificate: | |||
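Review bot: the new file ebpf/tls-uprobe-trace/ca-cert.pem (93 lines, opening with a text "Certificate:" dump) is a CA certificate checked into the example's own directory, and nothing visible in this hunk records its origin or validity period. A per-example copy is not refreshed when test certificates are regenerated, so the TLS demo can start failing verification once the copy expires; either note the source in the README or load the certificate from a shared location instead.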
Do we already have these in wolfssl-examples/certs/? If not please document where these came from so we can make sure they are updated. I'd prefer if possible to use the example keys/certs in the root certs dir. Thanks.
Hey @dgarske, thank you for the comment. These are indeed the same from /certs. Dropped the copies completely and reused the ones in /certs.
dd0f5df to
d6b1acc
Compare
This commit adds two examples:

1. Add eBPF syscall-write-trace example

   Includes TCP client/server demo, write() syscall eBPF tracer, Makefile, and full README detailing problem, solution, architecture, and usage.

2. eBPF: add trace wolfSSL_write() and wolfSSL_read() using eBPF uprobes.

   Includes:
   - TLS client and server examples
   - eBPF programs for write/read entry and read return
   - userspace loader with perf buffer handling
   - automatic symbol lookup (no hardcoded offsets)
   - x86_64 and ARM64 register handling
   - full README with usage, architecture, and explanation

   Shows how to observe TLS plaintext inside applications without modifying wolfSSL or application code.

Signed-off-by: sameeh.jubran <sameeh@wolfssl.com>
d6b1acc to
90f3a1e
Compare