RPRavidu Priyankarainravindu-priyankara.hashnode.dev·Jun 20 · 9 min readSqueezing Bytes: How I Optimised an eBPF Driver in Falco1. How I Found This Opportunity I wanted to make my first open source contribution, so I decided to fork a few eBPF projects — one of them being falcosecurity/libs. After compiling and running Falco, 00
RPRavidu Priyankarainravindu-priyankara.hashnode.dev·Jun 8 · 18 min readThe Case of the Disappearing eBPF Instruction: Inside Map FD Relocation and BPF_LD_IMM64While reading the disassembly of a compiled eBPF program I was working on, I noticed something strange — the 6th instruction was missing. Reading through the full disassembly again, I realized it wasn00
RPRavidu Priyankarainravindu-priyankara.hashnode.dev·May 18 · 7 min readeBPF Macros Are Just Costumes for ELF MetadataIn the previous part, we explored how our eBPF maps changed during preprocessing time. At first, those transformations looked strange. But after digging deeper, it became clear that most of the “speci00
RPRavidu Priyankarainravindu-priyankara.hashnode.dev·May 11 · 10 min readeBPF Map Definitions Are Fake — And That’s the PointI originally just wanted to observe what really happens after an eBPF hash map gets populated at runtime. To explore that, I built a very small tracing program and started digging into how maps actual00
RPRavidu Priyankarainravindu-priyankara.hashnode.dev·May 5 · 12 min readWhen Killing a Process Doesn't Kill the Risk: How PID Reuse and Stale eBPF State Caused Cascading False Positives in KernelEyeDuring kernelEye detection rule adjustments, I encountered an interesting bug worth sharing. The issue can be reproduced and understood within a few minutes through the write-up or the debugging video00