Posts

This article is part of a series of notes that Paul Chaignon and I wrote to prepare a presentation introducing the BPF verifier state pruning for Linux Plumbers 2025 in Tokyo, see Making Sense of State Pruning. You can also find the slides and the video recording of the presentation. The version of the kernel code for these notes is v6.17. Why do we care about prune points? The entry point of the state pruning logic in the BPF verifier resides in the do_check function going over each instruction. Early in that function, the state pruning logic is triggered via the is_state_visited function and guarded by is_prune_point. ...

This is quick note on using the BPF_F_MMAPABLE map flag that was added end of 2019 by Andrii Nakryiko, see kernel patch. I noticed that there weren’t a lot of tutorials on that so I thought about writing this, then I realized I should have looked at kernel selftest, because it’s obviously tested there, but anyway. Pre-requisites This uses clang to compile the BPF progs, bpftool to generate the skeleton and libbpf to load them, I relied on the excellent libbpf-bootstrap repo. In short, for compiling the BPF progs you’ll need clang 11+, then you’ll need bpftool to generate the BPF skeletons, and finally you’ll also need a “recent” version of libbpf, which depends on libelf and zlib. See more details and instruction in libbpf-bootstrap deps. ...

Let’s try to understand the memory use of an application written in Golang. For memory management, Golang uses garbage collection which means that allocating and freeing memory is mostly transparent to the user. While it makes the manipulation of memory easy at first glance, troubleshooting memory issues requires you to understand how the garbage collector works. The quote part of this article are cut-outs from Golang Documentation: A Guide to the Go Garbage Collector. Note that it might be outdated, the article was written as of v1.22. Here are some other important resources: Go: The Optimization guide and Go: Diagnostics. There are so many resources out there (and I’m adding another one!), but I found this Google groups message to have good links as well. You will find more links through the article. ...

gRPC recently deprecated its grpc.Dial in favor of the new grpc.NewClient. The latter performs no I/O and lazily connects when you are eventually doing a RPC call. It changed the way we perform retry in tetra, the CLI of Tetragon because we previously used the connect that happened at the client creation (with grpc.Dial and WithBlock) to make sure the connection was possible, and retry in this case. This wasn’t extremely resilient but had the good taste of being in a single place for all subcommands that will make an RPC call: during client creation. ...

tl;dr: please jump directly to the conclusion if you think you already have some knowledge about memory and just want the recap. The conclusion links back to the other sections for more details. Disclaimer This (long) article is a Frankenstein 🧟 compilation of personal digest notes on various topics. Some sections are direct digests or extracts of very good resources I found on the topic and could not write something better: ...

The article is available on MISC magazine website. Note that this article is available behind a paywall, and in French. This article is an introduction to Tetragon, the project I’m working on at Isovalent.

This guide was originally published in the Tetragon documentation. It was first part of the getting started guides, but was later replaced and move to the tutorials section, that was later removed. Since we don’t want to maintain this guide anymore, it would have a good end of life on a blog if it can be useful to some people. Note that this guide is not a tutorial on how to deploy Tetragon standalone (i.e. without Kubernetes), you can see the container deployment and package deployment guides for that. This is just a walkthrough to try and experiment Tetragon for the first time. ...

The article is available on Quarkslab’s blog. It explains the discovery of Microsoft OMI and how I fuzzed it to discover some crashes. It then details the finding and how they work.

The article is available on Quarkslab’s blog. The corresponding article on Falco blog is also available. It presents the findings of our audit of Falco. You can find the complete audit report here.

The article is available on MISC magazine website. Note that this article is available behind a paywall, and in French. In this article, we focus on what’s new in Kubernetes security enhancements on versions still being maintained at the time of writing: 1.22, 1.23 and 1.24 released in August 2021, December 2021 and May 2022 respectively.

The article was originally published on kubernetes.io blog. The PodSecurityPolicy (PSP) admission controller has been removed, as of Kubernetes v1.25. Its deprecation was announced and detailed in the blog post PodSecurityPolicy Deprecation: Past, Present, and Future, published for the Kubernetes v1.21 release. This article aims to provide historical context on the birth and evolution of PSP, explain why the feature never made it to stable, and show why it was removed and replaced by Pod Security admission control. ...

During the last three months, I had the opportunity to go to multiple events. First, a proposal I submitted to Black Hat Asia Arsenal was accepted to present kdigger, a Kubernetes security tool. Then I had the chance to go to the KubeCon Europe to meet the people with whom I interacted in the project. And finally, I got the last few tickets for a kernel developer conference in Paris, Kernel Recipes. ...

The article is available on Quarkslab’s blog. It traces the history of three Kubernetes-related vulnerabilities. Explaining what they are, how they were patched, and how they are related. The exploitation of these vulnerabilities allowed access to the underlying host filesystem for users that were not properly authorized.

The article is available on Quarkslab’s blog. It’s an introduction to Kubernetes security through the release of a new context discovery tool, kdigger, and its mini CTF companion, minik8s-ctf.

This project was done for between the end of my last TLS-SEC semester and the beginning of my final year internship. We were in pairs and had to choose our subject. We chose to work on code injection in video game via the game commands themselves. The full report, unfortunately only available in French (but could be machine translated) and written with a very playful, student-like tone, can be downloaded here. ...

This internship was a collaboration between INP-ENSEEIHT, Toulouse, France and Kyoto University of Advanced Science, Kyoto, Japan. It took place during the summer of 2020, when the Covid-19 pandemic prevented me from going to Japan, so it was unfortunately a remote internship. You can find all the sources of the project in the github repository. Abstract During this summer internship, Pr. Ian Piumarta and myself implemented a prototype-based programming language, simple and reflexive by design. Programs written in this language can inspect themselves because the produced abstract syntax tree is stored in a common data structure. They can also extend the language functionalities and modify the primitive structures using the language syntax. ...