BPF - Convert binary pattern matching to classic BPF programs

Your Libraries & OS Mentoring Libraries
,
1

I just pushed a library called BPF that converts binary pattern matching expressions into (classic) BPF (Berkeley Packet Filter) programs that you can use with SO_ATTACHFILTER or libpcap. There’s also an interpreter that allows you to test your programs against binaries.

BPF programs are essentially predicates on packets that run in the kernel and are usually used to filter traffic efficiently for programs like tcpdump etc, They are described using a Turing-incomplete instruction set.

I intend to add some integration tests using Tundra shortly.

Features

  • Elixir syntax - Write filters using binary pattern matching and guards
  • Multi-clause support - Multiple patterns with fallthrough semantics
  • Guard expressions - Comparisons, logical operators, bitwise operations, arithmetic
  • Packet length filtering - Use byte_size(packet) to filter by packet size
  • SSA-based compiler - Optimized code generation with register allocation

Package
Docs

11 Likes
2

Very cool! Do you have any example setup for how to call libpcap with it?

3

Not currently.

If you specifically want libpcap integration (i.e. take a dependency on libpcap.so/dylib at runtime). You could write a NIF that takes the interface and the assembled bytes and does something like:

// validation / error handling elided
ErlNifBinary prog;
enif_inspect_binary(env, argv[1], &prog)

struct bpf_program fp;
fp.bf_len = prog.size >> 3; // instructions, not bytes, so divide by 8
fp.bf_insns = (struct bpf_insn *)prog.data
pcap_setfilter(handle, &fp);

If i was doing this, i’d use pcap_get_selectable_fd and then integrate it with enif_select_read to avoid any blocking issues and play nicely with the scheduler (or stick the pcap loop on a thread, and mark it as a dirty nif, but i prefer to not manage threads in my NIFs)

If you’re (only) on Linux you can skip most of this and set it all up through the erlang :socket module directly using raw sockets at the link or ip layer depending on your use case. Unfortunately, you still need a (tiny) NIF to handle setting the SO_ATTACH_FILTER options as the C struct it takes is not describable in Erlang (it contains pointers)

On the elixir side:

{:ok, filter} = BPF.assemble(prog)
{:ok, fd} = :socket.get_opt(sock, {:otp, :fd})
:ok = Nif.attach_filter(fd, filter)

On the C side:

int fd;
enif_get_int(env, argv[0], &fd);
ErlNifBinary prog;
enif_inspect_binary(env, argv[1], &prog)

struct sock_sock_fprog bpf = {
    .len = prog.size >>> 3;
    .filter = (struct sock_filter*)prog.data;
};
setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));

You can then read the sock on the elixir side.

(None of the above code is tested, I’m winging it)

4

Gotcha, so it generates a struct sock_filter, I see, thanks. I will try to play with it then. Again, looks very interesting

5

I just did it anyway. I haven’t published a package for it yet, but I probably will.

6

I published it. I’ve tested it on macos and linux, but i haven’t stressed it.

1 Like
7

D:

That’s very nice. I can finally play with covert channels in Elixir. I think this library deserves a separate topic!