harpoon

command module

v0.4.1 Latest Latest Go to latest Published: Apr 22, 2024 License: Apache-2.0 Imports: 1 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/alegrey91/harpoon

Links

Open Source Insights

README ¶

Harpoon

gopher

Harpoon aims to capture the syscalls (as if they were fishes) from the execution flow (the river) of a single user-defined function.

N.B. This is currently a PoC made for fun in my free time. Definitely, not a production grade project.

Introduction

This tool is designed to provide fine-grained visibility into the syscalls made by specific functions within a program. Unlike traditional system call tracing tools like strace, which capture all syscalls made during the entire program's execution, this project leverages the power of eBPF to pinpoint and monitor system calls exclusively within targeted functions.

Getting Started

First of all, let's identify the symbol of the function you want to trace from the binary. Suppose you want to trace the function doSomething() present in the example program ./binary. In order to get the symbol from the binary itself, you need to use the following command:

objdump --syms ./binary | grep doSomething
0000000000480720 g     F .text  0000000000000067 main.doSomething

So, main.doSomething is the symbol of the function we want to trace using harpoon.

Then, let's run harpoon to extract the syscalls from the function main.doSomething:

harpoon capture -f main.doSomething ./binary
read
sigaltstack
gettid
close
mmap
fcntl
write
futex
openat
clone
getrlimit

These are the syscalls that have been executed by the traced function!

Installation

To install harpoon you currently have 2 options:

Download

You can easily download the latest release using the installation script:

curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | sudo sh

Build

Or you can build harpoon manually by using the following command:

make build

After the build is completed, you can find the executable under the bin/ directory.

Debugging

In case you want to run the application locally, I've provided the .vscode/launch.json file to easily debug the application with root privileges in vscode. Just replace the parameters marked with <>.

Talks

I had the pleasure of presenting harpoon at the following conferences:

FOSDEM

References

I would like to point out that without the references mentioned below this project would never have come to life. As a result, the code draws significant inspiration from the references listed here:

https://www.grant.pizza/blog/tracing-go-functions-with-ebpf-part-1/
https://itnext.io/seccomp-in-kubernetes-part-2-crafting-custom-seccomp-profiles-for-your-applications-c28c658f676e
https://github.com/containers/oci-seccomp-bpf-hook
https://sysdig.com/blog/ebpf-offensive-capabilities/
Liz Rice. Learning eBPF, 173-176. O'Reilly, 2023

Documentation ¶

Overview ¶

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd
internal
archiver
elfreader
embeddable
executor
privileged
syscallswriter

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL