Network monitoring of processes in Linux, using Linux dynamic kernel instrumentation (KProbes)

Monitoring the network interactions of one process accessing the network is not always simple and it has some performance issues. A Linux kernel module was developed which uses dynamic instrumentation, monitors the target user process for its network interactions and registers the information in a repository. When packets pass through the network interface the repository is queried to decide whether the packet should be captured for further analysis. To control this monitoring mechanism an interface was developed which can be modified through files in the virtual filesystem DebugFS. To use this monitoring mechanism it is necessary to have the Linux kernel module loaded and a user process running that performs the network monitoring (such as tcpdump). This monitoring process can use the mechanism without changing its own source code.
Energia Open Source
27.02.2012 Network Monitoring by Process id 2
Monitoring
Understand a program's actual behaviour when running
Analyse resource usage
Create a usage profile, to evaluate performance and correctness
Can be done actively (polling the monitor) or passively
Through dynamic or static instrumentation
Analysis of the data can be done online (during capture) or offline (post mortem)
Network Monitoring
Network monitoring is done passively by capturing packets
Generally it is done using the PCap (Packet Capture) library with LSF (Linux Socket Filtering)
Analysis of communication protocols
Analysis of the interactions between distributed entities
Error detection, performance rating, troubleshooting, etc.
The reduction of the obtained data is done through filters
This way the overhead is reduced (because much less data has to be copied)
Only the packets relevant for the analysis are captured
Actual Network Monitoring
(diagram: NIC/hardware, kernel and user layers; in the kernel the TCP/IP stack and the PACKET stack, in user space TCPDump over libpcap beside the user apps; packets are copied to the PACKET stack before sending or receiving)
Actual Monitoring Mechanism
A filter is a set of rules
These rules can be based on ports, addresses, protocols, etc., or on a specific set of bytes
Rules are combined with logical operands
Changing the filter with libpcap: necessary to drain the socket, possible to lose packets
When filters are more complex they can't be applied in kernel space: all packets are captured and the filter is applied in user space
Without specifying a filter the monitor will capture all packets
Challenges of network monitoring by process id
Monitoring the network activity of a process in user space is limited to some cases and can overload the system
Changing the filter by using libpcap has non-negligible latency
(timeline figure: latency when attaching a new filter, from time 0: compile and optimise the pcap filter, then drain and attach the new filter)
Network Monitoring by Process ID
New approach towards the reduction of data for analysis: more specific analysis
Performance and overhead issues when we only want a subset of the packets flowing on the network card
Can simplify the use of bpf filters
Why we need this
Analysis of closed protocols: no access to source code; not easy to understand / follow some network protocols
Debugging protocols when creating new ones
Determining if a program is leaking information
In production machines: cannot stop servers for debugging; troubleshooting specific threads
Kernel Space Changes
Two main parts
Main kernel code: created a hook to be attached by the filter function; changed the filter function at its end to call the hook
Module (MRoP – "Monitorização de Rede orientada ao Processo" [Pt], Process-oriented Network Monitoring): KProbes handler functions, repository (an RB-tree), filter function, user space interface (through DebugFS)
Kernel Components
The kernel module developed has 4 components:
Syscall hooked handlers
Repository (of socket information): ports and addresses
Filter function
DebugFS interface: communication to/from user land, statistics and control
New Filter Mechanism (by process id)
(diagram: in user space the monitor app (tcpdump, run as root) and the monitored user app; in the kernel the packet stack and the kernel filter module; the monitor writes PID, reads stats, etc. through DebugFS, and the module is consulted when packets are sent or received)
(architecture diagram: TCPDump over the Pcap library as the monitor, with a control API; in the kernel, KProbes instrumenting the syscall handlers, which feed the repository; the packet filter function hooked into AF_PACKET and consulting the repository; a generic process, the NIC driver and the NIC exchanging packets)
KProbes
Dynamic instrumentation mechanism in kernel space
Different types of instrumentation based on what is to be achieved: Kprobe, Jprobe, KretProbe
Uses the int 3 instruction (trap)
Does not need debug information; uses kallsyms to locate symbols
Overhead of 0.6 microseconds per probe hit
It's a mechanism, not a tool
Syscall hooked handlers
Hooked functions: connect, accept, bind, recvfrom, sendto and sock_close
KProbes is a kernel mechanism for instrumentation
KRetProbes are probes that get the return value of the functions
KRetProbes use a trampoline to catch the return value
Inside the handlers the computation must be very quick
Syscall hooked handlers (II)
Inside the handlers we need to get the socket information
The socket's information is in the parameters of the syscall or in the socket descriptor; the registers hold the value of the socket descriptor
The socket information is written to the repository
There are two handlers, one on the entry of the function and the other on the return
This way, on the return handler, the return value tells us whether the call was successful; if not, the information in the repository regarding that socket is removed
Filter Function
Packets that are accepted by the bpf program filter are then evaluated by the module filter function
The filter function only evaluates TCP and UDP packets
It searches the repository for the packet's port
If it finds the port it verifies the protocol and the address
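The filter function described on this slide and the entry/return handler pair from the "Syscall hooked handlers (II)" slide, as an added user-space C simulation that is not the MRoP module's own code: a sorted array stands in for the RB-tree repository, the packet struct carries only the fields the filter looks at, and all ports and addresses are constructed.

```c
#include <stdint.h>
#include <string.h>

#define PROTO_TCP 6      /* IP protocol numbers: the module only evaluates these two */
#define PROTO_UDP 17
#define REPO_MAX  64

struct sock_entry { uint16_t port; uint8_t proto; uint32_t addr; };  /* addr 0 = any */
struct pkt { uint8_t proto; uint32_t saddr, daddr; uint16_t sport, dport; };

static struct sock_entry repo[REPO_MAX];  /* kept sorted by port; stands in for the RB-tree */
static int repo_len;

/* Binary search by port: index when found, otherwise -(insertion point)-1. */
static int repo_search(uint16_t port) {
    int lo = 0, hi = repo_len - 1;
    while (lo <= hi) {
        int mid = (lo + hi) / 2;
        if (repo[mid].port == port) return mid;
        if (repo[mid].port < port) lo = mid + 1; else hi = mid - 1;
    }
    return -lo - 1;
}

/* Entry handler: record the socket (local port, protocol, address) when the syscall is entered. */
void repo_add(uint16_t port, uint8_t proto, uint32_t addr) {
    int i = repo_search(port);
    if (i < 0) {
        i = -i - 1;
        if (repo_len == REPO_MAX) return;   /* repository full: keep the fast path simple */
        memmove(&repo[i + 1], &repo[i], (repo_len - i) * sizeof repo[0]);
        repo_len++;
        repo[i].port = port;
    }
    repo[i].proto = proto;
    repo[i].addr = addr;
}

/* Return handler: a negative return value means the syscall failed, so the entry is removed. */
void repo_on_return(uint16_t port, long ret) {
    int i = repo_search(port);
    if (ret < 0 && i >= 0) {
        memmove(&repo[i], &repo[i + 1], (repo_len - i - 1) * sizeof repo[0]);
        repo_len--;
    }
}

int repo_count(void) { return repo_len; }

/* Filter function, run on packets the bpf program already accepted: 1 = keep, 0 = drop. */
int mrop_filter(const struct pkt *p) {
    if (p->proto != PROTO_TCP && p->proto != PROTO_UDP) return 0;
    int i = repo_search(p->dport);           /* incoming: our port is the destination */
    uint32_t addr = p->daddr;
    if (i < 0) { i = repo_search(p->sport); addr = p->saddr; }   /* outgoing */
    if (i < 0) return 0;
    return repo[i].proto == p->proto && (repo[i].addr == 0 || repo[i].addr == addr);
}
```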
Repository
This repository holds socket information so that the filter can know whether a specific packet belongs to the target process
Implemented using a red-black tree, mainly for performance (it must be searched once per packet)
Repository II
(figure only on this slide)
DebugFS interface to user land
Created a directory in DebugFS
Files for controlling the filtering mechanism: search the process structure and add information to the repository; clear the repository; identify which process to monitor
Files for statistics/logging purposes: how many packets passed/dropped by the filter; how many times the handler functions were called; how many elements the repository has
Evaluation
Functional evaluation: created small and specific programs to verify socket information on both sides (user space and kernel space)
Transferred data using the http and ftp protocols and the iperf tool
Data transferred with http and ftp was monitored and saved to a file
It was visualized in Wireshark; the application layer data was compared with the data sent using md5 and sha1 checksums
Evaluation II: Performance Evaluation
Evaluated the overhead using a 1GB transfer; while transferring, the data was monitored and saved to a file
Overhead introduced: dynamic instrumentation; managing the repository
Performance Evaluation
Two machines connected directly on a 100 Mbit/s link
Transferring 1GB of data through that link using the ftp and http protocols and the iperf tool
Capturing only one flow of data
Capturing two flows of data (one being the relevant one)
Capturing only one flow using MRoP vs capturing two flows
Measured times: without monitoring (transfer only); using standard monitoring; using MRoP (tcpdump + developed kernel module)
Performance Evaluation II
(results chart only on this slide)
Performance Evaluation III
(results chart; the only value legible in the extracted text is 3.5%)
Network Monitoring by Process ID
Created a new kernel module to extend the network monitoring of a process
Only captures the packets relevant for analysis
Low overhead
Maintains compatibility with old bpf filters
Shows better results when the analysis is focused on a subset of the network packets
More Integrated (Work in Progress)
This approach has some integration issues: it is necessary to use debugfs to introduce process ids; it is not integrated with libpcap; filters still don't have a pid mnemonic
The core functionality will be kept
(architecture diagram repeated for the integration work, with the Control API marked "as debug": TCPDump over the Pcap library as the monitor; KProbes, instrumented syscall handlers, repository and packet filter function hooked into AF_PACKET in the kernel; generic process, NIC driver and NIC exchanging packets)
Final Considerations
These changes benefit the new monitoring system based on process id
The mechanism for applying a new filter function may also benefit other kernel developers
Wireshark developers want a mechanism to filter packets based on application id (it is on their wish list)
Maybe it can be used to detect malware (since the instrumentation is done below user space)