►
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Tracing SSL/TLS Encrypted Microservices with eBPF - Dom Del Nano , Twitter
SSL/TLS adoption in the Cloud Native environments is growing rapidly. While great for security, the encryption in such environments pose a unique challenge for observability tools. Many traffic sniffing tools can only collect the encrypted data, which is of limited value to the application developer. Important attributes like the operation, the endpoint and the payload are undecipherable. To truly help in the troubleshooting process, application developers need to be able to see these messages and their contents. In this talk, we present how eBPF can be used to tracing SSL/TLS connections. The method we present is used by tools like BCC’s sslsniff and Pixie’s protocol tracer. Specifically, we cover how eBPF uprobes can be attached to popular SSL/TLS libraries, including OpenSSL, BoringSSL and goTLS. We show how eBPF enables us to collect clear text data directly from the TLS library, while discussing the challenges of tracing dynamically vs statically linked TLS libraries. Finally, we also present how this feature could help with improving application observability at some of the largest engineering organizations without disrupting their production environment.
A
A
Let's
go
over
our
agenda
for
today,
we'll
start
off
with
a
background
and
motivation
for
why
Twitter
was
interested
in
this
work
from
there
we'll
do
an
overview
of
protocol
tracing
techniques,
then
we'll
do
a
deep
dive
into
the
Twitter
TLS
tracing
work.
We
implemented
we'll
see
a
live
demo
that
and
then
we
will
generalize
the
criteria
for
how
to
support
new
TLS
use
cases.
A
A
Another
thing
is
that
our
collection
and
ingestion
for
our
observability
data
has
largely
remained
the
same.
We
saw
that
ebpf
had
promise
with
auto
instrumentation
and
we
saw
the
Hubble
and
pixie
projects
doing
exciting
things,
and
so
we
wanted
to
explore
this
further
and
see
if
the
protocol
tracing
could
help
aid.
This
real-time
debugging
use
case.
A
A
A
So
you
can
see
in
the
send
to
syscall
five
is
the
file
descriptor,
and
the
second
argument
is
the
raw
protocol
data.
So
from
here
what
a
tool
like
pixiq
does
is
it
sets
these
probes
on
those
syscalls?
It
pulls
out
the
socket
file
descriptor
and
the
raw
protocol
data.
It
sends
it
to
the
pem,
which
is
their
user
space
Daemon
for
doing
more
processing
and
from
there
it
stitches
together
the
requests
and
response
Pairs
and
adds
more
metadata
so
that
you
get
rich
information
about
your
traffic.
A
A
It's
worth
mentioning
that,
while
openssl
is
popular,
the
there
are
many
other
TLS
libraries
and
so,
for
instance,
golang
has
its
own
crypto
implementation.
So,
while
it
it
has
a
similar
layer,
these
SSL
write
and
SL
read
functions.
Aren't
necessarily
it
don't
necessarily
exist.
In
that
case,
it's
worth
mentioning
that
the
popular
BCC
tools
project
has
a
tool
that
implements
tracing
in
this
way
called
SSL
sniff.
A
A
A
A
A
A
Now
that
we've
understood
the
background
and
some
tactics
for
doing
this
protocol
tracing,
let's
move
on
to
Twitter's
use
case,
so
we
built
out
our
TLS
tracing
on
top
of
the
pixie
project.
The
reason
why
we
were
interested
in
Pixi
is
because
it
provides
granular
observability
data
and
it's
at
the
edge
model
scales
for
real-time
debugging.
A
A
A
Another
note
about
Neti
is
that
it's
pretty
widely
used
across
many
Java
projects.
So
when
we
were
embarking
on
this,
we
were
hoping
that
if
we
could
solve
this
TLS
tracing
problem,
this
wouldn't
only
solve
it
for
Twitter's
use
case,
but
it
would
implement
it
for
Cassandra
for
elasticsearch
Java
grpc.
There's
a
large
variety
of
use
cases
that
all
use
this
library
and
so
I
felt
that
there
was
a
lot
of
potential
here.
A
The
most
obvious
difference
here
is
that
one
of
them
is
statically
linked
and
the
other
is
typically
dynamically
linked
and
we
weren't
really
sure
exactly
what
needed
to
be
done
here,
but
we
were
pretty
confident
that
there
would
be
something
to
work
out
starting
from
the
first
one.
Let's
talk
about
how
we
determined
the
finagle
TLS
version,
so
as
I
mentioned,
that
openssl
Version
num
function
is
in
the
elf
file,
so
one
way
to
solve
this
is
that
we
can
actually
calculate
its
raw
address
and
call
the
function
with
a
raw
function
pointer.
A
A
A
A
Nettie
has
a
concept
called
a
channel
which
is
a
one-to-one
mapping
between
a
connection,
and
it
also
provides
some
hooks
into
connection
life
cycles,
and
so
we
there
is
a
thing
called
Channel
active,
which
is
called
when
a
connection
is
created,
and
so
all
we
needed
to
do
was
call
the
function
there
and
pass
the
channel
in
so
that
it
was
passed
into
the
native
code
problem.
Two
was
then
solved
and
then
the
final
piece.
A
So
if
we
take
an
example
like
Envoy,
you
would
actually
put
the
BPF
Probe
on
the
envoy
binary
itself
rather
than
binary
or
envoys
TLS
shared
Library
finagle's
case
is
a
little
different,
because
Java
is
not
native
code,
it
has
a
runtime,
so
it
is
still
put
on
the
shared
Library,
but
the
shared
Library
doesn't
have
Dynamic.
Linking
second
thing
is
boring.
A
Ssl
is
Source
compatible
with
openssl,
but
that
doesn't
guarantee
that
the
offsets
that
we
use
to
find
the
socket
file
descriptor
are
the
same,
and
what
we
found
out
after
investigating
this
is
that
they
are
actually
different
and
that
boring
SSL
is
written
in
C
plus,
and
so
the
layout
in
memory
is
very
different
from
the
opensslc
implementation,
and
so
the
way
we
solve
that
is.
We
have
different
version,
offsets
for
boring,
SSL
and
different
ones
for
openssl
for
each
version.
That's
supported.
A
A
B
B
B
B
C
B
A
C
is
able
to
understand
who
metadata
and
so
that
this
localhost
case
is
actually
our
encrypted
demo.
So
we
can
see
that
it
doesn't
have
that
rich
data
to
attach
to
it
since
I'm
running
this
cluster
itself.
But
we
can,
we
can
see
that
both
of
them
are
generating
traffic
constantly.
So
we
can
see
that
the
plain.
B
A
Foreign
there
we
go
all
right,
so
in
conclusion,
I
wanted
to
give
an
overview
of
the
different
dimensions
of
things
you
need
to
be
aware
of
in
order
to
support
a
TLS
Library.
So,
to
begin
with,
we'll
be
just
describing
the
differences
between
nginx
and
node.js,
and
so
for
the
SSL
Library.
They
both
use
openssl.
A
They
are
dynamically
linked.
The
SSL
right
and
SSL
read:
symbols
are
accessible
and
in
the
dynsim,
which
means
that
we
can
set
a
u-probe
with
the
symbol
for
the
version
detection
so
that
we
know
which
offsets
to
apply.
We
can
use
the
we
can
use
DL
Sim
to
call
that
openssl
Version
num
function
in
nginx
case
the
socket
file
descriptor
is
populated,
which
results
in
pixie
supporting
that
use
case
for
node.js.
The
socket
file
descriptor
is
not
populated
and
pixie
has
additional
u-probes
to
capture
that
data,
which
results
in
node.js
being
supported.
A
Moving
on
to
Neti
so
for
finagle
we
know
the
library
is
boring.
Ssl
the
linking
is
static.
We
are
the
SSL
right
and
so
read.
Symbols
were
able
to
attach
it
with
the
symbol
itself.
In
for
the
version
detection,
we
are
using
the
raw
function,
pointers
and
the
socket
file.
Descriptor
is
populated
if
you're
using
a
TC
native
version
greater
than
or
equal
to
2.0.5.3.
A
On
the
other
use
cases
of
Neti,
all
of
the
other
details
are
the
same.
We
believe
that
it
should
be
supported,
but
it's
yet
to
be
tested
and,
as
I
mentioned
before,
this
is
something
that
I
think
will
be
really
powerful
to
for
this.
One
use
case
to
support
many
popular
projects
and
finally,
thinking
about
Envoy
Envoy
is
another
use
case
that
uses
boring
SSL
and
one
of
the
ones
that
the
pixie
team
was
actively
working
on
its
linking
is
obviously
static.
A
The
version
detection
since
the
last
time
I
checked
in
on
this
I
believe
it
was
to
be
determined
and
Envoy
actually
has
apis
that
hide
the
socket
file
descriptor.
So
that's
not
used,
and
so,
as
indicated
here,
it's
a
work
in
progress
and
and
just
to
note,
this
is
for
istio
istio
also
uses
Envoy
internally.
A
A
The
building
blocks
introduced
to
support,
boring
SSL
will
be
shared
by
Future
Integrations.
So
I
mentioned
that
istio
use
case.
It's
piggybacking
off
of
those
changes
and
then
looking
to
the
future,
I
mentioned
that
Neti
TLS
tracing
has
the
potential
to
support
many
other
projects.
This
could
include
Java,
grpc,
elasticsearch,
Cassandra
and
I
think
it
would
be
extremely
powerful
to
have
fully
end-to-end
tracing
all
the
way
through
to
your
data
store
and
so
I'm
excited
to
eventually
pursue
what
that
would
look
like.
F
G
A
A
Pixies
method
is,
you
know,
plucking
that
socket
file
descriptor
out,
so
we
were
kind
of
just
continuing
down
to
see
what
all
would
need
to
be
done
to
unify
that,
because
we
wanted
the
solution
to
work,
ideally
in
the
same
manner,
to
minimize
like
one-off
use
cases
I
think
now
that
we've
like
explored
it
fully
like
there
could
potentially
be
other
things.
You
know
like
thinking
about
ways
to
get
that
data
with
other
methods
and.
H
A
E
Hey
thanks
for
the
talk.
This
is
a
little
lower
than
I,
usually
know,
but
I
feel,
like
I
learned
a
lot,
so
it
seems
like
you're
kind
of
at
the
mercy,
I
guess
of
like
the
the
server,
the
the
networking
framework
that
you
use
right
to
be
able
to
expose
the
things
that
you
need
to
do
the
tracing.
So
I
guess.
Is
there
almost
like
a
wider
Call
to
Arms
for
different
Frameworks
to
open
up
this
access
up
so
that
we
can
have
this
kind
of
tracing
throughout?
E
A
Exactly
what
Ori
was
talking
about
in
his
talk
earlier
today
about
you
know,
this
is
using
you
probes
and
fortunately,
for
this
use
case.
Ssl,
write
and
SSL
read
are
more
of
a
defined
contract,
because
boring
SSL
provides
Source
compatible
support
for
it,
so
it's
less
unstable
in
that
sense,
but
I
do
think
that
doubling
down
on
like
implementing
ustts
in
popular
libraries,
is
the
right
way
to
go
to
get
stable
interfaces
for
getting
the
data
out
of
this.
E
F
D
F
Hi
for
Java
based
applications
with
the
jit
compiler.
Sometimes
the
code
that
is
generated
is
native
code.
For
example,
a
you
call
a
function,
one
time
or
ends
and
many
times
so
it
generates
a
native
code.
So
when
you
do
the
u-probes
or
even
on
the
SSL
or
some
other
like
and
Java
as
its
own
SSL
version.
So
how
do
you
cope
with
the
digit
compiler?
F
A
I
mentioned
before
Oh
I,
don't
have
my
slides
in
the
Nettie
has
kind
of
a
sub
project
inside
of
it.
That's
the
Neti
TC
native
part,
that's
all
Native
code,
so
the
jit
does
not
have
any
control
over
that
I
wouldn't
consider
myself
a
Java,
runtime
expert
but
I
believe
it's
it's
separate
in
that
sense,.
D
F
A
For
other
type
of
instrumentation,
yeah,
so
I
believe
there
is
a
project
to
add.
You
can
do
usdts
in
Java
code
I
when
I
initially
worked
on
this
I
thought
we
were
going
to
have
to
explore
that.
But
then
I
was
relieved
that
there
was
native
code
that
I
could
attach
to.
So
that's
something.
I
would
like
to
explore
more,
but
I
barely
scratched
the
surface.
A
We
are
not
using
it
today,
we're
currently
understanding
where
our
first
investment
will
be.
We
aren't
running
a
very
small
number
of
our
use
cases
or
on
kubernetes,
so
because
pixie
is
a
kubernetes
observability
tool,
we're
understanding
how
we
can
run
it
outside
of
kubernetes
and
extract
the
data
from
it,
and
we
are
anticipating
that
we
want
it
on
all
the
time.
A
There
is,
there
should
be
a
slight
performance
impact,
because
the
u-probe
will
cause
a
contact
switch
when
that
function
is
called
from
the
issues
that
I've
seen
at
Twitter
of
us
not
having
good
capabilities
for
slicing
and
dicing
or
investigating
real-time
issues.
I
think
that
that's
going
to
be
worth
it,
but
it's
not
been
measured
yet.