Stealth Production Debugging (No Alerts, No Restarts)
Stealth • Production • Debugging

Elite engineers debug production systems without triggering alerts, downtime, or data leaks.

Real-World Techniques: eBPF for invisible inspection — attach dynamic tracing to live systems without modifying binaries.
LD_PRELOAD/LD_AUDIT interception — override specific library calls for targeted instrumentation without recompiling.
Shadow traffic mirroring — test new services against a live production stream by duplicating packets/requests off the critical path.

1) eBPF tracing, profiling & data paths (no binary changes)

Quick start patterns

  • Hot function latency (kernel or user): pick fentry/uprobes; emit to ringbuf → userspace aggregator; keep sampling rates modest to avoid noisy neighbors. See ringbuf and Nakryiko.
  • Cross-service “slow request” hunt: enable Parca Agent with tracing correlation; slice by trace-ID to see cumulative CPU across hops (how-to).

2) Dynamic linker interception — beyond LD_PRELOAD

  • Understand the linker’s lifecycle: symbol resolution, PLT/GOT, lazy binding — LWN: dynamic linking, MaskRay on PLT, primer PLT/GOT explainer.
  • Use LD_AUDIT (rtld auditing) for stealthier hooks: loads before LD_PRELOAD, separate namespace, fine-grained callbacks. See rtld-audit(7), ld.so(8), Oracle docs (1, 2, 3), Arch man page notes.
  • Security posture & trade-offs: SentinelOne’s deep dive on using LD_AUDIT to beat traditional preloading — blog; additional research case study.
Minimal auditor skeleton (conceptual)

Export la_version() and la_symbind* to observe/redirect selected symbol bindings (e.g., connect, sendmsg) and emit metrics — not payloads — to avoid data-handling risk. Exact signatures: rtld-audit(7).

3) Shadow traffic (a.k.a. request mirroring) without touching users

Safe patterns

  • Mirror requests only or scrub bodies for PII; tag mirrored traffic via headers to avoid poisoning analytics. Envoy/Istio docs above show header-based mirroring.

Field recipes (tight, copyable starting points)

  • A. eBPF CO-RE trace of a user function (uprobes) → ringbuf
    Build with libbpf; attach uprobes to the symbol you care about; emit a struct with timestamp/args (mind ABI!) to bpf_ringbuf_output; consume in a tiny userspace reader. References: libbpf overview, ringbuf, deep dive, examples.
  • B. Zero-rebuild TLS/HTTP observability
    In K8s, deploy Pixie (or Parca + tracing) to capture HTTP metadata/TLS statistics without sidecars or code changes; constrain namespaces to reduce blast radius. See Pixie eBPF, Parca correlation.
  • C. LD_AUDIT request-metadata tap
    Provide an auditor that logs only (dst IP, port, bytes, errno) for connect/sendmsg bindings; ship via Unix domain socket to a local collector; avoid payload capture. API signatures: rtld-audit(7), loader behavior ld.so(8).
  • D. Envoy header-driven shadowing (on/off per call)
    Add request_mirror_policies with a cluster_header (e.g., x-mirror-cluster) so ops mirror only a subset by injecting that header. See sandbox & API.
  • E. NGINX multi-target mirroring
location /api/ {
  mirror /_shadow_a;
  mirror /_shadow_b;
  proxy_pass http://prod_upstream;
}
location = /_shadow_a { internal; proxy_pass http://shadow_a$request_uri; }
location = /_shadow_b { internal; proxy_pass http://shadow_b$request_uri; }
Docs: ngx_http_mirror_module

Engineering guardrails (to stay invisible)

  • Keep overhead tiny: prefer fentry/tracepoints over kprobes when possible; use ringbuf; sample, don’t stream (see ringbuf, LWN).
  • Portable by design: CO-RE + external BTF if needed; don’t bake kernel offsets (libbpf overview, CO-RE).
  • Don’t grab payloads: mirror headers/latencies and compute diffs server-side; Envoy/NGINX mirror ignores mirrored responses (Envoy, NGINX).
  • Prefer USDT / well-known probes before deep uprobes — less churn, safer upgrades (USDT, bpftrace).
  • Know your linker: LD_AUDIT is earlier/stronger than LD_PRELOAD; understand detection trade-offs (rtld-audit, SentinelOne).

Further deep sources (hand-picked)

Narrow Mender Labz© 2025 Stealth Debugging Notes • Single-file HTML with inline, minified CSS.

Comments

Post a Comment

Popular posts from this blog

Dolby Vision Metadata RPU Editing Guide Dolby Vision Metadata RPU Editing Guide Professional Instructional Document Introduction Workflow Processing Dolby Vision Profile 7 FEL Encoding Profile 5 to HDR10 Hybrid Release Resources Introduction In almost all cases, the source Dolby Vision metadata RPU (Reference Processing Unit) needs to be edited for use in an encode or another video. This guide will walk you through the process using dovi_tool and, for most examples, ffmpeg . Suggested RPU Editing Workflow Extract the RPU with mode 0 ffmpeg -i source.mkv -c:v copy -vbsf hevc_mp4toannexb -f hevc - | dovi_tool -m 0 extract-rpu - It's possible this step can fail with invalid files (e.g., from Apple). Remove mode 0 if you know what you're doing. Sync and Compare Video Files ...
Read more
AviSynthPlus Comprehensive Guide AviSynthPlus Comprehensive Guide Professional Instructional Document Introduction Prerequisites Setup Environment Plugins Pack Updating AviSynth+ Advanced Tools Scripts Changelog Resources Appendix Introduction This guide provides a detailed overview and step-by-step instructions for setting up and using AviSynthPlus, along with various plugins and scripts. It is designed for advanced users and developers who are looking to optimize their video processing workflows using AviSynthPlus. The document covers everything from installation and setup to advanced usage, updating, and troubleshooting. It is meant to serve as a comprehensive resource, ensuring users have all the necessary information to work effectively with AviSynthPlus. Prerequisites ...
Read more
Comprehensive Deew Guide for Dolby Encoding Comprehensive Deew Guide for Dolby Encoding In-Depth Reference and How-To for Using Deew with Dolby Encoding Engine Introduction Installation Usage Advanced Configuration Troubleshooting Conclusion Introduction Welcome to the comprehensive guide on using Deew , a powerful command-line tool that simplifies the process of working with the Dolby Encoding Engine (DEE) across various platforms including Linux, Windows, and macOS. This guide will take you through installation, usage, real-world examples, and advanced configurations, providing you with the knowledge to effectively encode audio with Dolby technologies. Whether you're dealing with Dolby Digital (DD), Dolby Digital Plus (DDP), AC-4, or TrueHD formats, Deew streamlines the encoding process, making it an essential tool for professionals...
Read more