Presented by: Rhys Rustad-Elliott, from Elastic
I'm a software engineer at Elastic on their security team, working on Elastic's endpoint protection solution for Linux. I spend most of my day writing C & C++, staring at BPF bytecode, and poking around near the boundary between kernelspace and userspace. I'm broadly interested in computer-systems-related subjects, particularly as they pertain to security. Online I usually go by the (admittedly rather silly) handle GunshipPenguin.

You may have heard of BPF (or eBPF, as it's officially but somewhat less commonly known). BPF is a virtual machine, implemented in the Linux kernel, that allows users to safely and performantly run custom event-driven code in kernelspace with wide-ranging access to kernel data structures (among other superpowers).

While originally intended for the single purpose of packet filtering, in recent years BPF has been extended to a number of other use cases, including performance monitoring, security auditing, and even a Linux security module that can be driven by custom BPF programs. The BPF subsystem and its associated ecosystem are still relatively immature and continue to produce new and interesting use cases. In 2021, it's an exciting technology to be involved in!

This talk will go over the motivation for and the usage of BPF, covering a variety of domains in which it's useful. There will be a strong focus on concrete examples to back up the concepts covered, because nobody likes just being fed theory. Come dip your toes into kernelspace in the most accessible way possible!

2022 April 23 - 15:00
45 min
Code Lab
LinuxFest Northwest 22
Open Source
