mtardy

BPF Verifier State Pruning: Prune Points

Fri, 19 Dec 2025 00:00:00 +0000

This article is part of a series of notes that Paul Chaignon and I wrote to prepare a presentation introducing the BPF verifier state pruning for Linux Plumbers 2025 in Tokyo, see Making Sense of State Pruning. You can also find the slides and the video recording of the presentation.

The version of the kernel code for these notes is v6.17.

Why do we care about prune points?

The entry point of the state pruning logic in the BPF verifier resides in the do_check function going over each instruction. Early in that function, the state pruning logic is triggered via the is_state_visited function and guarded by is_prune_point.

Memory mapping BPF maps with BPF_F_MMAPABLE

Wed, 12 Mar 2025 00:00:00 +0000

This is quick note on using the BPF_F_MMAPABLE map flag that was added end of 2019 by Andrii Nakryiko, see kernel patch. I noticed that there weren’t a lot of tutorials on that so I thought about writing this, then I realized I should have looked at kernel selftest, because it’s obviously tested there, but anyway.

Pre-requisites

This uses clang to compile the BPF progs, bpftool to generate the skeleton and libbpf to load them, I relied on the excellent libbpf-bootstrap repo. In short, for compiling the BPF progs you’ll need clang 11+, then you’ll need bpftool to generate the BPF skeletons, and finally you’ll also need a “recent” version of libbpf, which depends on libelf and zlib. See more details and instruction in libbpf-bootstrap deps.

A Deep Dive into Golang Memory

Tue, 29 Oct 2024 00:00:00 +0000

Let’s try to understand the memory use of an application written in Golang. For memory management, Golang uses garbage collection which means that allocating and freeing memory is mostly transparent to the user. While it makes the manipulation of memory easy at first glance, troubleshooting memory issues requires you to understand how the garbage collector works.

The quote part of this article are cut-outs from Golang Documentation: A Guide to the Go Garbage Collector. Note that it might be outdated, the article was written as of v1.22. Here are some other important resources: Go: The Optimization guide and Go: Diagnostics. There are so many resources out there (and I’m adding another one!), but I found this Google groups message to have good links as well. You will find more links through the article.

gRPC-Go: Built-in Client Retry Mechanism

Wed, 24 Jul 2024 00:00:00 +0000

A little guide to use gRPC-Go built-in client retry mechanism.

Memory Management on Kubernetes with Golang and eBPF: Deep Dive

Wed, 03 Jul 2024 00:00:00 +0000

A digest article on workload memory use, the memory control group, the OOM killer, and their relation with applications running on Kubernetes using Go and eBPF.

Introduction to Tetragon: real-time observability and security based on eBPF

Wed, 01 Nov 2023 00:00:00 +0000

The article is available on MISC magazine website. Note that this article is available behind a paywall, and in French.

This article is an introduction to Tetragon, the project I’m working on at Isovalent.

First contact: try Tetragon on Linux

Thu, 27 Apr 2023 00:00:00 +0000

Discover and experiment with Tetragon on your local Linux host!

Crashing Microsoft OMI with fuzzing

Fri, 31 Mar 2023 00:00:00 +0000

The article is available on Quarkslab’s blog.

It explains the discovery of Microsoft OMI and how I fuzzed it to discover some crashes. It then details the finding and how they work.

Introducing Falco audit results

Wed, 22 Mar 2023 00:00:00 +0000

The article is available on Quarkslab’s blog. The corresponding article on Falco blog is also available.

It presents the findings of our audit of Falco. You can find the complete audit report here.

New security features in Kubernetes

Sat, 01 Oct 2022 00:00:00 +0000

The article is available on MISC magazine website. Note that this article is available behind a paywall, and in French.

In this article, we focus on what’s new in Kubernetes security enhancements on versions still being maintained at the time of writing: 1.22, 1.23 and 1.24 released in August 2021, December 2021 and May 2022 respectively.

PodSecurityPolicy: The Historical Context

Tue, 23 Aug 2022 00:00:00 +0000

The article was originally published on kubernetes.io blog.

The PodSecurityPolicy (PSP) admission controller has been removed, as of Kubernetes v1.25. Its deprecation was announced and detailed in the blog post PodSecurityPolicy Deprecation: Past, Present, and Future, published for the Kubernetes v1.21 release.

This article aims to provide historical context on the birth and evolution of PSP, explain why the feature never made it to stable, and show why it was removed and replaced by Pod Security admission control.

Black Hat, KubeCon and Kernel Recipes

Mon, 04 Jul 2022 00:00:00 +0000

Having joined the IT world in covid times, these events were my first in-person international conferences!

Kubernetes and HostPath, a Love-Hate Relationship

Thu, 03 Mar 2022 00:00:00 +0000

The article is available on Quarkslab’s blog.

It traces the history of three Kubernetes-related vulnerabilities. Explaining what they are, how they were patched, and how they are related. The exploitation of these vulnerabilities allowed access to the underlying host filesystem for users that were not properly authorized.

kdigger: a Context Discovery Tool for Kubernetes

Thu, 07 Oct 2021 00:00:00 +0000

The article is available on Quarkslab’s blog.

It’s an introduction to Kubernetes security through the release of a new context discovery tool, kdigger, and its mini CTF companion, minik8s-ctf.

Arbitrary code injection in Super Mario Bros 3

Sun, 14 Mar 2021 00:00:00 +0000

This write-up is the extended abstract of my final year long-project. It was an exploration about arbitrary code injection in video games.

Summer Internship: Reflexive Programming Language Framework

Mon, 30 Nov 2020 00:00:00 +0000

This write-up is the extended abstract of my 2020 summer internship. It was a reflexivity-based programming language project written in C.