https://ethanzyf.com/tags/systems/Recent content in Systems on Ethan-ZYFHugoen-usSun, 31 May 2026 01:10:00 -0700https://ethanzyf.com/blog/hyperloglog/Sun, 31 May 2026 01:10:00 -0700https://ethanzyf.com/blog/hyperloglog/<p>HyperLogLog (HLL) is a probabilistic <strong>cardinality estimation</strong> algorithm: using a tiny, fixed amount of memory (typically ~12 KB), it estimates the number of <em>distinct</em> elements in a huge set, with a standard error of about 0.81%.</p>https://ethanzyf.com/blog/cuckoo-filter/Sun, 31 May 2026 00:45:00 -0700https://ethanzyf.com/blog/cuckoo-filter/<p>A Cuckoo Filter is a probabilistic data structure for approximate set membership. Like a Bloom filter it answers &ldquo;is this element <em>possibly</em> in the set?&rdquo; with a tunable false-positive rate and zero false negatives — but unlike a standard Bloom filter it also supports <strong>deleting</strong> elements, is more space-efficient at low false-positive rates, and is more cache-friendly on lookups.</p>https://ethanzyf.com/blog/day5-apparmor/Sat, 16 May 2026 00:00:00 -0700https://ethanzyf.com/blog/day5-apparmor/<p>How AppArmor actually attaches to a process (via the <code>bprm_check_security</code> LSM hook at <code>execve</code> time, keyed on binary path), why <code>bash script.sh</code> silently runs <em>unconfined</em> while <code>./script.sh</code> does not, the six exec modifiers (<code>ix</code>/<code>Px</code>/<code>Cx</code>/<code>Ux</code> and their setuid-preserving uppercase forms), the hardlink and bind-mount tricks that bypass path-based MAC, and why a production sandbox layers <strong>namespace + capability + seccomp + AppArmor + cgroup</strong> — with the argument that, if you can only afford two, <strong>seccomp + AppArmor</strong> is the highest-ROI pair.</p>https://ethanzyf.com/blog/day4-seccomp-filter/Thu, 14 May 2026 00:00:00 -0700https://ethanzyf.com/blog/day4-seccomp-filter/<p>A deep dive into seccomp filter mode: the BPF data layout, why pointer args can&rsquo;t be dereferenced (TOCTOU <em>and</em> atomic context), the cBPF instruction skeleton, the multi-ABI bypasses every filter must defend against, and the eight <code>SECCOMP_RET_*</code> actions that power modern container security — including the <code>USER_NOTIF</code> + fd-injection pattern that runc/crun use.</p>https://ethanzyf.com/blog/day3-seccomp-strict/Wed, 13 May 2026 00:00:00 -0700https://ethanzyf.com/blog/day3-seccomp-strict/<p>How <code>seccomp</code> intercepts syscalls at the kernel entry, what <code>SECCOMP_MODE_STRICT</code> actually allows (and the <code>_exit()</code> trap that fools nearly everyone), plus the design philosophy that filter mode inherits: monotonic, irrevocable security state.</p>https://ethanzyf.com/blog/day2-strace/Tue, 12 May 2026 00:00:00 -0700https://ethanzyf.com/blog/day2-strace/<p>A practical guide to <code>strace</code>: flag cheat sheet, how to read program startup as three distinct layers (ld.so → libc init → main), annotated syscalls, and the gotchas you actually hit (fd reuse races, EINTR, short writes, locale noise).</p>https://ethanzyf.com/blog/day1-syscalls/Mon, 11 May 2026 00:30:00 -0700https://ethanzyf.com/blog/day1-syscalls/<p>A deep dive into how Linux system calls actually work on x86_64: the ABI, the <code>syscall</code> instruction&rsquo;s hardware side effects, the full user→kernel path, and a categorized cheat sheet of the syscalls worth knowing.</p>