Gregg: DTrace for Linux 2016

[Posted October 27, 2016 by corbet]

Brendan Gregg celebrates the capabilities of Linux kernel tracing with BPF. "With the final major capability for BPF tracing (timed sampling) merging in Linux 4.9-rc1, the Linux kernel now has raw capabilities similar to those provided by DTrace, the advanced tracer from Solaris. As a long time DTrace user and expert, this is an exciting milestone! On Linux, you can now analyze the performance of applications and the kernel using production-safe low-overhead custom tracing, with latency histograms, frequency counts, and more."

Gregg: DTrace for Linux 2016

Posted Oct 27, 2016 20:20 UTC (Thu) by SEJeff (guest, #51588) [Link]

This closing comment is great:

"""
Linux doesn't have DTrace (the language), but it now does, in a way, have the DTraceToolkit (the tools).
"""

Gregg: DTrace for Linux 2016

Posted Oct 28, 2016 9:30 UTC (Fri) by behaupt (guest, #111575) [Link] (2 responses)

Hmm, all these tools must be run as root. And they execute arbitrary BPF code inside the kernel.
What could possibly go wrong....

Gregg: DTrace for Linux 2016

Posted Oct 28, 2016 10:55 UTC (Fri) by FLHerne (guest, #105373) [Link] (1 responses)

It's only 'arbitrary' insofar as the kernel's BPF verifier allows it. No loops (finite time/resources), no access to uninitialised memory or outside the BPF stack. A BPF program doesn't have much power to influence the kernel's behaviour, except by preventing actions that would otherwise be allowed.

Gregg: DTrace for Linux 2016

Posted Oct 28, 2016 15:11 UTC (Fri) by SEJeff (guest, #51588) [Link]

His worries aren't unwarranted:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2383
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4557
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4794

Granted, BPF is a quite small attack surface, so finding these problems and fixing them is much easier.