Protocol for correlating user space data with kernel space data
| Title: | Protocol for correlating user space data with kernel space data |
|---|---|
| Patent Number: | 11,709,720 |
| Issue Date: | July 25, 2023 |
| Appl. No: | 17/652624 |
| Application Filed: | February 25, 2022 |
| Abstract: | Methods and systems are configured for monitoring operations of a computing device by associating threads executing in a user space with kernel events in a kernel space. The systems and methods are configured for detecting a kernel event in the kernel space of the computing device; in response to detecting the kernel event, accessing, from a mapping table that maps a computing thread in the user space to a span that is active on the computing thread, a base address of a memory in the user space of the computing device, the memory storing a span identifier for each span in the user space, the span comprising one or more operations of a computing thread that is active in the user space; accessing, based on the base address, a span identifier in the memory; and associating the span identifier with the kernel event. |
| Inventors: | Datadog, Inc. (New York, NY, US) |
| Assignees: | Datadog, Inc. (New York, NY, US) |
| Claim: | 1. A method for monitoring operations of a computing device, the method comprising: detecting a kernel event in a kernel space of the computing device; in response to detecting the kernel event, accessing, from a mapping table that maps a computing thread in a user space to a span that is active on the computing thread, a base address of a memory in the user space of the computing device, the memory storing a span identifier for each span in the user space, the span comprising one or more operations of a computing thread that is active in the user space; accessing, based on the base address, a span identifier in the memory; and associating the span identifier with the kernel event. |
| Claim: | 2. The method of claim 1, further comprising: configuring the mapping table by performing, in the user space, a remote procedure call to the kernel space of the computing device, the remote procedure call storing the base address of the mapping table. |
| Claim: | 3. The method of claim 2, wherein the remote procedure call stores a value of a maximum number of threads for monitoring, wherein the mapping table stores the value of a maximum number of threads for monitoring, and wherein accessing the span identifier in the memory is based on the value of a maximum number of threads for monitoring. |
| Claim: | 4. The method of claim 3, wherein configuring the memory comprises: determining an allocated size of the memory; determining a length in memory of the span identifier and a trace identifier of a trace associated with the span; and determining the value of the maximum number of threads for monitoring based on a ratio of the allocated size and the length. |
| Claim: | 5. The method of claim 1, wherein the memory has a predefined virtual address in the user space. |
| Claim: | 6. The method of claim 1, wherein the kernel space comprises a virtual machine configured to execute at least one program in an operating system of the computing device. |
| Claim: | 7. The method of claim 6, wherein the virtual machine is based on an Extended Berkeley Packet Filter (eBPF) specification. |
| Claim: | 8. The method of claim 1, wherein the kernel event comprises a security event. |
| Claim: | 9. The method of claim 1, wherein accessing the mapping table comprises executing a kernel helper function. |
| Claim: | 10. A method for monitoring operations of a computing device, the method comprising: detecting a kernel event in kernel space of the computing device; obtaining a process identifier or thread identifier for a process or thread that triggered the kernel event; accessing, from a first mapping table that maps the process identifier to coroutine context data, coroutine context data that specifies scheduler data for the process or thread that triggered the kernel event; accessing a second mapping table that maps coroutine identifiers to the process identifier to obtain a coroutine identifier of a coroutine associated with the process or the thread; combining, into a key value based on the scheduler data, the coroutine identifier with the process identifier or thread identifier; accessing, using the key value, a third mapping table mapping the process or the thread to at least one of a span identifier and a trace identifier to obtain at least one of the span identifier and the trace identifier associated with the process or the thread; and associating the kernel event with at least one of the span identifier and the trace identifier. |
| Claim: | 11. The method of claim 10, further comprising: obtaining a security token, from the second mapping table, associated with the process or the thread; and validating the security token by matching the security token to a second token stored in the kernel space. |
| Claim: | 12. The method of claim 10, further comprising: performing a function call path signatures check of a stack trace associated with the process or the thread; and validating the span identifier or trace identifier based on the function call path signatures check. |
| Claim: | 13. The method of claim 10, wherein the kernel space comprises a virtual machine configured to execute at least one program in an operating system of the computing device. |
| Claim: | 14. The method of claim 13, wherein the virtual machine is based on an Extended Berkeley Packet Filter (eBPF) specification. |
| Claim: | 15. The method of claim 10, wherein the kernel event comprises a security event. |
| Claim: | 16. The method of claim 10, wherein accessing the first, second, or third mapping tables comprises executing a kernel helper function. |
| Claim: | 17. A system for monitoring operations of a computing device, the system comprising: at least one processor; and a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to perform operations comprising: detecting a kernel event in a kernel space of the computing device; in response to detecting the kernel event, accessing, from a mapping table that maps a computing thread in a user space to a span that is active on the computing thread, a base address of a memory in the user space of the computing device, the memory storing a span identifier for each span in the user space, the span comprising one or more operations of a computing thread that is active in the user space; accessing, based on the base address, a span identifier in the memory; and associating the span identifier with the kernel event. |
| Claim: | 18. The system of claim 17, the operations further comprising: configuring the mapping table by performing, in the user space, a remote procedure call to the kernel space of the computing device, the remote procedure call storing the base address of the mapping table, wherein the remote procedure call stores a value of a maximum number of threads for monitoring, wherein the mapping table stores the value of a maximum number of threads for monitoring, and wherein accessing the span identifier in the memory is based on the value of a maximum number of threads for monitoring. |
| Claim: | 19. One or more non-transitory computer readable media storing instructions for monitoring operations of a computing device, the instructions, when executed by at least one processor, configured to cause the at least one processor to perform operations comprising: detecting a kernel event in the kernel space of the computing device; in response to detecting the kernel event, accessing, from a mapping table that maps a computing thread in the user space to a span that is active on the computing thread, a base address of a memory in the user space of the computing device, the memory storing a span identifier for each span in the user space, the span comprising one or more operations of a computing thread that is active in the user space; accessing, based on the base address, a span identifier in the memory; and associating the span identifier with the kernel event. |
| Claim: | 20. The one or more non-transitory computer readable media of claim 19, the operations further comprising: configuring the mapping table by performing, in the user space, a remote procedure call to the kernel space of the computing device, the remote procedure call storing the base address of the mapping table, wherein the remote procedure call stores a value of a maximum number of threads for monitoring, wherein the mapping table stores the value of a maximum number of threads for monitoring, and wherein accessing the span identifier in the memory is based on the value of a maximum number of threads for monitoring. |
| Patent References Cited: | 10761965, September 2020, Radu; 11507672, November 2022, Pagnozzi; 20220083644, March 2022, Kulshreshtha |
| Other References: | Notes.volution.ro [online], “Exfiltrating Go current goroutine ID,” Aug. 4, 2019, retrieved on Aug. 29, 2022, retrieved from URL<https://notes.volution.ro/v1/2019/08/notes/23e3644e/>, 9 pages. cited by applicant |
| Primary Examiner: | Ho, Andy |
| Attorney, Agent or Firm: | Fish & Richardson P.C. |
| Accession Number: | edspgr.11709720 |
| Database: | USPTO Patent Grants |