eBPF

eBPF (often aliased BPF) is a technology that can run sandboxed programs in a privileged context such as the operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel at runtime without requiring changes to kernel source code or the loading of kernel modules. Safety is provided through an in-kernel verifier which performs static code analysis and rejects programs which crash, hang or otherwise interfere with the kernel negatively. Loaded programs which passed the verifier are either interpreted or in-kernel JIT compiled for native execution performance. The execution model is event-driven and, with few exceptions, run-to-completion, meaning that programs can be attached to various hook points in the operating system kernel and are run when an event is triggered. eBPF use cases include (but are not limited to) networking such as XDP, tracing and security subsystems. Because eBPF's efficiency and flexibility opened up new possibilities to solve production issues, Brendan Gregg famously called eBPF "superpowers for Linux". Linus Torvalds expressed that "BPF has actually been really useful, and the real power of it is how it allows people to do specialized code that isn't enabled until asked for". Due to its success in Linux, the eBPF runtime has been ported to other operating systems such as Windows.


History


Evolution from classic BPF

eBPF was built on top of the Berkeley Packet Filter (cBPF). At the lowest level, it introduced the use of ten 64-bit registers (instead of two 32-bit long registers for cBPF), different jump semantics, a call instruction and corresponding register passing convention, new instructions, and a different encoding for these instructions. A number of additional features were subsequently added. The evolution of eBPF took many years and a large community of contributors, and is still ongoing. The table below summarizes some of the most significant milestones of this evolution:
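
An added illustration (not part of the original article, and not kernel code) of the 8-byte eBPF instruction encoding and of the kind of static rejection the verifier performs: it decodes raw instructions and applies a deliberately simplified check. The names `decode`, `toy_check` and the sample programs are constructed for this example; the two layouts follow the kernel's `struct sock_filter` and `struct bpf_insn`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF (struct sock_filter): 16-bit opcode, two branch targets, 32-bit operand. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* eBPF (struct bpf_insn) after decoding: register operands, one signed jump offset. */
struct ebpf_insn { uint8_t code, dst, src; int16_t off; int32_t imm; };

enum { CLS_JMP = 0x05, OP_CALL = 0x80, OP_EXIT = 0x90, NUM_REGS = 11 /* R0-R9 + frame pointer R10 */ };
enum verdict { OK, ERR_TRUNCATED, ERR_BAD_REG, ERR_BACK_EDGE, ERR_JUMP_RANGE, ERR_NO_EXIT };

/* Decode one instruction from its 8-byte little-endian wire form. */
static struct ebpf_insn decode(const uint8_t *b)
{
    struct ebpf_insn i;
    i.code = b[0];
    i.dst  = b[1] & 0x0f;                 /* low nibble: destination register */
    i.src  = b[1] >> 4;                   /* high nibble: source register */
    i.off  = (int16_t)(uint16_t)(b[2] | b[3] << 8);
    i.imm  = (int32_t)((uint32_t)b[4] | (uint32_t)b[5] << 8 |
                       (uint32_t)b[6] << 16 | (uint32_t)b[7] << 24);
    return i;
}

/* Toy static check (assumption of this example: forward jumps only, BPF_JMP class only).
 * The kernel verifier does far more, e.g. tracking register and memory state. */
enum verdict toy_check(const uint8_t *prog, size_t len)
{
    size_t n = len / 8;
    if (len == 0 || len % 8) return ERR_TRUNCATED;
    for (size_t pc = 0; pc < n; pc++) {
        struct ebpf_insn in = decode(prog + pc * 8);
        if (in.dst >= NUM_REGS || in.src >= NUM_REGS) return ERR_BAD_REG;
        if ((in.code & 0x07) != CLS_JMP) continue;
        if ((in.code & 0xf0) == OP_CALL || (in.code & 0xf0) == OP_EXIT) continue;
        if (in.off < 0) return ERR_BACK_EDGE;              /* could hang */
        if (pc + 1 + (size_t)in.off >= n) return ERR_JUMP_RANGE;
    }
    struct ebpf_insn last = decode(prog + (n - 1) * 8);
    if ((last.code & 0x07) != CLS_JMP || (last.code & 0xf0) != OP_EXIT)
        return ERR_NO_EXIT;                                /* would run off the end */
    return OK;
}

/* Constructed sample programs (not taken from the article). */
static const uint8_t prog_ok[]   = { 0xb7,0,0,0,0,0,0,0, 0x95,0,0,0,0,0,0,0 };       /* r0 = 0; exit */
static const uint8_t prog_loop[] = { 0x05,0,0xff,0xff,0,0,0,0, 0x95,0,0,0,0,0,0,0 }; /* ja -1 (to itself); exit */
static const uint8_t prog_reg[]  = { 0xb7,0x0c,0,0,0,0,0,0, 0x95,0,0,0,0,0,0,0 };    /* r12 = 0: no such register */
static const uint8_t prog_fall[] = { 0xb7,0,0,0,1,0,0,0 };                           /* r0 = 1, no exit */

int main(void)
{
    printf("ok=%d loop=%d reg=%d fall=%d\n",
           (int)toy_check(prog_ok, sizeof prog_ok), (int)toy_check(prog_loop, sizeof prog_loop),
           (int)toy_check(prog_reg, sizeof prog_reg), (int)toy_check(prog_fall, sizeof prog_fall));
    return 0;
}
```
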


Adoption

eBPF has been adopted by a number of large-scale production users, for example:
* Meta uses eBPF through their Katran layer 4 load-balancer for all traffic going to facebook.com
* Google uses eBPF in GKE, developed and uses BPF LSM to replace audit, and uses eBPF for networking
* Cloudflare uses eBPF for load-balancing, DDoS protection and security enforcement
* Netflix uses eBPF for fleet-wide network observability and performance diagnosis
* Dropbox uses eBPF through Katran for layer 4 load-balancing
* Android uses eBPF for NAT46 and traffic monitoring
* Alibaba uses eBPF for Kubernetes Pod load-balancing
* Datadog uses eBPF for Kubernetes Pod networking and security enforcement
* Trip.com uses eBPF for Kubernetes Pod networking
* Microsoft ported eBPF and XDP to Windows
* Seznam uses eBPF through Cilium for layer 4 load-balancing
* CapitalOne uses eBPF for Kubernetes Pod networking
* Apple uses eBPF for Kubernetes Pod security
* Sky uses eBPF for Kubernetes Pod networking
* Walmart uses eBPF for layer 4 load-balancing
* Huawei uses eBPF through their DIGLIM secure boot system
* Ikea uses eBPF for Kubernetes Pod networking


Logo

The bee is the official logo for eBPF. At the first eBPF Summit a vote was taken and the bee mascot was named "eBee". The logo was originally created by Vadim Shchekoldin. Earlier unofficial eBPF mascots existed, but did not see widespread adoption.


Naming

There has been controversy around the naming of eBPF. The alias eBPF is often used interchangeably with BPF, for example by the Linux kernel community. eBPF and BPF are referred to as technology names, like LLVM. eBPF evolved from the Berkeley Packet Filter as an extended version, but its use case outgrew networking, and today eBPF as a pseudo-acronym is preferred.


eBPF Foundation

The eBPF Foundation was created in August 2021 with the goal to expand the contributions being made to extend the powerful capabilities of eBPF and grow beyond Linux. Founding members include Meta, Google, Isovalent, Microsoft and Netflix. The purpose is to raise, budget and spend funds in support of various open source, open data and/or open standards projects relating to eBPF technologies to further drive the growth and adoption of the eBPF ecosystem. Since inception, Red Hat, Huawei, Crowdstrike, Tigera, DaoCloud, Datoms and FutureWei have also joined.


Steering committee

With the creation of the eBPF Foundation, an eBPF steering committee (BSC) was established in order to take care of the technical direction and vision of eBPF. Tasks include the collaboration among projects, defining the minimal requirements of eBPF runtimes, overseeing community events, maintaining eBPF technical project lifecycle procedures, and communicating on behalf of the eBPF community. Active members include:
* Alexei Starovoitov, Meta
* Andrii Nakryiko, Meta
* Brendan Gregg, Intel
* Daniel Borkmann, Isovalent
* Dave Thaler, Microsoft
* Joe Stringer, Isovalent
* KP Singh, Google
* Lorenz Bauer, formerly Cloudflare

There are currently no emeritus members.


eBPF standardization

Although eBPF is supported, to various degrees, on multiple platforms, there is no standard specification (as of January 2023) to formally define its components. However, there is currently some work in progress to define and publish a standard for the instruction set, under the auspices of the eBPF Foundation.


Security concerns

Due to the ease of programmability, eBPF has been used as a tool for implementing microarchitectural timing side-channel attacks such as Spectre against vulnerable microprocessors. While unprivileged eBPF implemented mitigations against transient execution attacks, unprivileged use has ultimately been disabled by default by the kernel community to protect against its use with future hardware vulnerabilities.


Conferences

The eBPF community organises a number of technical workshops and conferences to discuss ongoing research, development efforts, and use cases around eBPF. They can broadly be categorised into user-focused conferences and more developer-focused conferences.

User-focused conferences:
* eBPF Summit, a user conference around eBPF production users and projects building upon eBPF
* Cloud Native eBPF Day, a CNCF event co-located with KubeCon for the cloud native community

Developer-focused conferences:
* LSF/MM/BPF workshop, an annual technical workshop for the BPF Linux kernel community
* BPF track at Linux Plumbers conference, a technical track for the BPF Linux kernel community and surrounding user space libraries and tooling


See also

* Express Data Path


Further reading

* Liz Rice (April 2022). What Is eBPF? ISBN 978-1492097259.


External links


eBPF.io - Introduction, tutorials & eBPF community resources

eBPF.foundation - Linux Foundation's eBPF Foundation site