Ethan-ZYF

HyperLogLog: Counting Billions of Distinct Items in Kilobytes

Sun, 31 May 2026 01:10:00 -0700

HyperLogLog (HLL) is a probabilistic cardinality estimation algorithm: using a tiny, fixed amount of memory (typically ~12 KB), it estimates the number of distinct elements in a huge set, with a standard error of about 0.81%.

Cuckoo Filter: Approximate Membership That Supports Deletion

Sun, 31 May 2026 00:45:00 -0700

A Cuckoo Filter is a probabilistic data structure for approximate set membership. Like a Bloom filter it answers “is this element possibly in the set?” with a tunable false-positive rate and zero false negatives — but unlike a standard Bloom filter it also supports deleting elements, is more space-efficient at low false-positive rates, and is more cache-friendly on lookups.

Week2 Day 4: K8s security — AppArmor

Thu, 21 May 2026 00:00:00 -0700

AppArmor as the path-based complement to seccomp’s syscall-based filtering — and a hands-on lesson in why that complement is harder to deploy. This post covers how K8s wraps AppArmor (securityContext.appArmorProfile, symmetric with seccomp’s three types), why an AppArmor profile is heavier than a seccomp one (it must be pre-loaded into the node’s kernel via apparmor_parser, not just dropped as a file), why deny /data/** w blocks every syscall that writes there (closing the hole where touch bypassed yesterday’s mkdir block), and the day’s most valuable lesson: the experiment couldn’t run at all because a Mac/Docker-Desktop kind node has no AppArmor LSM in its kernel — a firsthand encounter with the fail-open trap and the portability problem of AppArmor-based mitigations.

Week2 Day 3: K8s security — seccomp

Wed, 20 May 2026 00:00:00 -0700

Where Week 1 and Week 2 meet: K8s seccomp is the same kernel seccomp from Week 1, except runc installs the BPF filter for you instead of your application. This post traces the full kubelet → containerd → runc chain (and what runc actually does — namespaces, cgroups, NNP, caps, seccomp, AppArmor, then exec), the three profile types (Unconfined / RuntimeDefault / Localhost), why the profile JSON is just the declarative form of the cBPF you’d hand-write, why SCMP_ACT_ERRNO lets the process survive while mkdir returns EPERM, and the crucial limitation: seccomp blocks syscalls, not intent — block mkdir and touch (which uses openat) still creates files. Plus /proc/<pid>/status as the ground-truth proof a filter is loaded.

Week2 Day 2: K8s security — NetworkPolicy + Secrets

Tue, 19 May 2026 00:00:00 -0700

Hands-on with the network and secret-data layers of Kubernetes security: why the default flat network is a lateral-movement risk, the deeply counterintuitive “selective activation” model of NetworkPolicy (one allow rule silently flips a pod to default-deny), why Ingress and Egress are independent dimensions (and why locking egress breaks DNS), the YAML trap where a single - flips AND into OR, why NetworkPolicy needs a CNI that actually enforces it (kindnet doesn’t — another fail-open), and the truth about Secrets: they’re base64, not encrypted — RBAC is what protects them — plus the atomic-symlink-swap trick that powers volume-mounted secret rotation.

Week2 Day 1: K8s security — Pod Security Standards + RBAC

Mon, 18 May 2026 00:00:00 -0700

A first hands-on pass at Kubernetes-native security: how Pod Security Admission (PSA) actually attaches to namespaces via labels (and silently fails-open when the label is misspelled), why runAsNonRoot: true is necessary but not sufficient (the image’s USER still has to be non-root), the four-field minimum a pod needs to clear the restricted profile, and the full RBAC mental model — Role/ClusterRole × RoleBinding/ClusterRoleBinding as two independent dimensions that produce four combinations (one of which K8s rejects outright), why RBAC evaluation is union, not override, and the asymmetry that makes RBAC fail-closed while PSA fails open.

Day 5: AppArmor + layered sandbox design

Sat, 16 May 2026 00:00:00 -0700

How AppArmor actually attaches to a process (via the bprm_check_security LSM hook at execve time, keyed on binary path), why bash script.sh silently runs unconfined while ./script.sh does not, the six exec modifiers (ix/Px/Cx/Ux and their setuid-preserving uppercase forms), the hardlink and bind-mount tricks that bypass path-based MAC, and why a production sandbox layers namespace + capability + seccomp + AppArmor + cgroup — with the argument that, if you can only afford two, seccomp + AppArmor is the highest-ROI pair.

Day 4: seccomp BPF Filter (filter mode deep dive)

Thu, 14 May 2026 00:00:00 -0700

A deep dive into seccomp filter mode: the BPF data layout, why pointer args can’t be dereferenced (TOCTOU and atomic context), the cBPF instruction skeleton, the multi-ABI bypasses every filter must defend against, and the eight SECCOMP_RET_* actions that power modern container security — including the USER_NOTIF + fd-injection pattern that runc/crun use.

Day 3: seccomp Basics + Strict Mode

Wed, 13 May 2026 00:00:00 -0700

How seccomp intercepts syscalls at the kernel entry, what SECCOMP_MODE_STRICT actually allows (and the _exit() trap that fools nearly everyone), plus the design philosophy that filter mode inherits: monotonic, irrevocable security state.

Day 2: strace + Common Syscalls in Practice

Tue, 12 May 2026 00:00:00 -0700

A practical guide to strace: flag cheat sheet, how to read program startup as three distinct layers (ld.so → libc init → main), annotated syscalls, and the gotchas you actually hit (fd reuse races, EINTR, short writes, locale noise).

Day 1: Linux Syscall Internals

Mon, 11 May 2026 00:30:00 -0700

A deep dive into how Linux system calls actually work on x86_64: the ABI, the syscall instruction’s hardware side effects, the full user→kernel path, and a categorized cheat sheet of the syscalls worth knowing.

About

Fri, 08 May 2026 00:00:00 +0000

I’m Yifan (Ethan) Zhao, a software engineer interested in distributed systems, databases, and infrastructure. I’m currently pursuing my Master of Science in Software Engineering at Carnegie Mellon University, based in Mountain View, CA. This summer (May–August 2026) I’ll be joining Stripe in South San Francisco as a Software Engineering Intern on the Security team.

Education Link to heading

I earned my B.S. in Computer Science (Specialist) with a Minor in Mathematics from the University of Toronto (2020–2025), graduating with a 3.93/4.0 GPA and four years on the Dean’s List. I represented the school at ICPC, taking 12th place at the 2024 regional contest. I’m now at Carnegie Mellon University for my M.S. in Software Engineering (2025–2026).

Resume

Fri, 08 May 2026 00:00:00 +0000

Download PDF · Email · LinkedIn · GitHub · Sunnyvale, CA

Education Link to heading

Carnegie Mellon University — M.S. in Software Engineering August 2025 – December 2026, Mountain View, CA

University of Toronto — B.S. in Computer Science (Specialist), Minor in Mathematics September 2020 – June 2025, Toronto, ON

GPA: 3.93 / 4.0, Dean’s List (4 years)
2024 ICPC Regional Bronze Medalist (12th place)
Core coursework: Data Structures & Algorithms (99%), Operating Systems, Computer Networks, Database Systems

Skills Link to heading

Languages — C, C++, Go, Python, Java, JavaScript, TypeScript, PL/SQL, Shell, HTML/CSS
Frameworks & Libraries — React, Django, STL, Eigen, Pandas, PyTorch, MLX, libcurl, gRPC, REST API, RAG
Databases & Storage — PostgreSQL, MySQL, Hive, Redis, LevelDB, RocksDB, MongoDB, BadgerDB
Tools & Platforms — Docker, Git, CI/CD, GDB, GoogleTest, TPC-C, Kubernetes, Linux, AWS, Azure

Professional Experience Link to heading

Stripe — Software Engineering Intern, Security Link to heading

May 2026 – August 2026, South San Francisco, CA

Projects

Thu, 07 May 2026 00:00:00 +0000

A selection of things I’ve built. Full content coming soon.

Project Name Link to heading

Short description of the project, the problem it solves, and the tech stack.

Stack: Go, Rust, Python
Links: GitHub

Bigtable

Sun, 02 Nov 2025 22:00:12 -0800

Bigtable: A distributed storage system for structured data