Add eBPF syscall-write-trace example #534
Conversation
Includes TCP client/server demo, write() syscall eBPF tracer, Makefile, and full README detailing problem, solution, architecture, and usage. Signed-off-by: sameeh.jubran <[email protected]>
|
Our non TLS examples are more about showing someone how they would convert a client and / or server to TLS. I'm not sure the advantage of doing write() intercept example for non TLS. I'd prefer to see an example that does SSL_read() and SSL_write(). I started with write() in my demo that I spent less than hour on because I didn't want to introduce another dependency on the "hello world" basic example. Then I did SSL_write() to address adding one thing. And finally read for each if I remember correctly. |
Includes: - TLS client and server examples - eBPF programs for write/read entry and read return - userspace loader with perf buffer handling - automatic symbol lookup (no hardcoded offsets) - x86_64 and ARM64 register handling - full README with usage, architecture, and explanation Shows how to observe TLS plaintext inside applications without modifying wolfSSL or application code. Signed-off-by: sameeh.jubran <[email protected]>
|
Hi @toddouska, thanks for the comments. I’ve now added the full TLS example with uprobes on both wolfSSL_write() and wolfSSL_read(), which aligns much better with the rest of the wolfSSL examples. It was a bit more involved since I had to port the BPF side to x86_64 as well, but everything is now tested and working. Going forward, we can also explore hooking other wolfSSL-related paths such as WolfGuard (kernel module) or the higher-level bindings. Do you want me to drop the TCP example? |
5 participants
Includes TCP client/server demo, write() syscall eBPF tracer, Makefile, and full README detailing problem, solution, architecture, and usage.