eBPF (often aliased BPF) is a technology that can run

sandboxed In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software Vulnerability (computing), vulnerabilities from spreading. The isolation metaphor is taken ...

programs in a privileged context such as the

operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...

kernel. It is used to safely and efficiently extend the capabilities of the kernel at runtime without requiring to change kernel

source code In computing, source code, or simply code, is any collection of code, with or without comments, written using a human-readable programming language, usually as plain text. The source code of a program is specially designed to facilitate the wo ...

or load kernel modules. Safety is provided through an in-kernel verifier which performs

static code analysis In computer science, static program analysis (or static analysis) is the analysis of computer programs performed without executing them, in contrast with dynamic program analysis, which is performed on programs during their execution. The term i ...

and rejects programs which crash, hang or otherwise interfere with the kernel negatively. Loaded programs which passed the verifier are either interpreted or in-kernel JIT compiled for native execution performance. The execution model is

event-driven Event driven may refer to: The term event-driven refers to a methodology that focuses on events and event dependencies. Examples include * Event-driven finite-state machine, finite-state machine where the transition from one state to another ...

and with few exceptions

run-to-completion Run-to-completion scheduling or nonpreemptive scheduling is a scheduling model in which each task runs until it either finishes, or explicitly yields control back to the scheduler. Run to completion systems typically have an event queue which is s ...

, meaning, programs can be attached to various hook points in the

kernel and are run upon triggering of an event. eBPF use cases include (but are not limited to) networking such as XDP,

tracing Tracing may refer to: Computer graphics * Image tracing, digital image processing to convert raster graphics into vector graphics * Path tracing, a method of rendering images of three-dimensional scenes such that the global illumination is faithf ...

and

security Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...

subsystems. Given eBPF's efficiency and flexibility opened up new possibilities to solve production issues, Brendan Gregg famously coined eBPF as "superpowers for Linux".

Linus Torvalds Linus Benedict Torvalds ( , ; born 28 December 1969) is a Finnish software engineer who is the creator and, historically, the lead developer of the Linux kernel, used by Linux distributions and other operating systems such as Android. He also c ...

expressed that "BPF has actually been really useful, and the real power of it is how it allows people to do specialized code that isn't enabled until asked for". Due to its success in Linux, the eBPF runtime has been ported to other operating systems such as

Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...

History

Evolution from classic BPF

eBPF was built on top of the

Berkeley Packet Filter The Berkeley Packet Filter (BPF) is a technology used in certain computer operating systems for programs that need to, among other things, analyze network traffic. It provides a raw interface to data link layers, permitting raw link-layer packets ...

(cBPF). At the lowest level, it introduced the use of ten 64-bit registers (instead of two 32-bit long registers for cBPF), different jump semantics, a call instruction and corresponding register passing convention, new instructions, and a different encoding for these instructions. A number of additional features were subsequently added. The evolution of eBPF took many years and a large community of contributors, and is still ongoing. The table below summarizes some of the most significant milestones of this evolution:

Adoption

eBPF has been adopted by a number of large-scale production users, for example: *

Meta Meta (from the Greek μετά, '' meta'', meaning "after" or "beyond") is a prefix meaning "more comprehensive" or "transcending". In modern nomenclature, ''meta''- can also serve as a prefix meaning self-referential, as a field of study or ende ...

uses eBPF through their Katran layer 4 load-balancer for all traffic going to facebook.com *

Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...

uses eBPF in GKE, developed and uses BPF LSM to replace audit and it uses eBPF for networking *

Cloudflare Cloudflare, Inc. is an American content delivery network and DDoS mitigation company, founded in 2009. It primarily acts as a reverse proxy between a website's visitor and the Cloudflare customer's hosting provider. Its headquarters are in San ...

uses eBPF for load-balancing and DDoS protection and security enforcement *

Netflix Netflix, Inc. is an American subscription video on-demand over-the-top streaming service and production company based in Los Gatos, California. Founded in 1997 by Reed Hastings and Marc Randolph in Scotts Valley, California, it offers a fil ...

uses eBPF for fleet-wide network observability and performance diagnosis *

Dropbox Dropbox is a file hosting service operated by the American company Dropbox, Inc., headquartered in San Francisco, California, U.S. that offers cloud storage, file synchronization, personal cloud, and Client (computing), client software. Dropb ...

uses eBPF through Katran for layer 4 load-balancing * Android uses eBPF for NAT46 and traffic monitoring *

Alibaba Ali Baba (character), Ali Baba is a character from the folk tale ''Ali Baba and the Forty Thieves''. Ali Baba or Alibaba may also refer to: Films * Ali Baba and the Forty Thieves (1902 film), ''Ali Baba and the Forty Thieves'' (1902 film), a F ...

uses eBPF for

Kubernetes Kubernetes (, commonly stylized as K8s) is an open-source container orchestration system for automating software deployment, scaling, and management. Google originally designed Kubernetes, but the Cloud Native Computing Foundation now maintains ...

Pod load-balancing * Datadog uses eBPF for

Pod networking and security enforcement *

Trip.com Trip.com is an international online travel agency. The website is owned by Trip.com Group (formerly Ctrip.com International, Ltd. in China), one of the world's largest online travel agencies with over 400 million users worldwide, and also the par ...

uses eBPF for

Pod networking *

Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...

ported eBPF and XDP to Windows * Seznam uses eBPF through Cilium for layer 4 load-balancing * CapitalOne uses eBPF for

Pod networking *

Apple An apple is an edible fruit produced by an apple tree (''Malus domestica''). Apple fruit tree, trees are agriculture, cultivated worldwide and are the most widely grown species in the genus ''Malus''. The tree originated in Central Asia, wh ...

uses eBPF for

Pod security *

Sky The sky is an unobstructed view upward from the surface of the Earth. It includes the atmosphere and outer space. It may also be considered a place between the ground and outer space, thus distinct from outer space. In the field of astronomy, ...

uses eBPF for

Pod networking *

Walmart Walmart Inc. (; formerly Wal-Mart Stores, Inc.) is an American multinational retail corporation that operates a chain of hypermarkets (also called supercenters), discount department stores, and grocery stores from the United States, headquarter ...

uses eBPF for layer 4 load-balancing *

Huawei Huawei Technologies Co., Ltd. ( ; ) is a Chinese multinational technology corporation headquartered in Shenzhen, Guangdong, China. It designs, develops, produces and sells telecommunications equipment, consumer electronics and various smar ...

uses eBPF through their DIGLIM secure boot system *

Ikea IKEA (; ) is a Dutch multinational conglomerate based in the Netherlands that designs and sells , kitchen appliances, decoration, home accessories, and various other goods and home services. Started in 1943 by Ingvar Kamprad, IKEA has been t ...

uses eBPF for

Pod networking

Logo

The bee is the official logo for eBPF. At the first eBPF Summit there was a vote taken and the bee

mascot A mascot is any human, animal, or object thought to bring luck, or anything used to represent a group with a common public identity, such as a school, professional sports team, society, military unit, or brand name. Mascots are also used as fi ...

was named "eBee". The logo has originally been created by Vadim Shchekoldin. Earlier unofficial eBPF mascots have existed in the past, but haven't seen widespread adoption.

Naming

There has been controversy around the naming of eBPF. The alias eBPF is often interchangeably used with BPF, for example by the Linux kernel community. eBPF and BPF is referred to as a technology name like

LLVM LLVM is a set of compiler and toolchain technologies that can be used to develop a front end for any programming language and a back end for any instruction set architecture. LLVM is designed around a language-independent intermediate represen ...

. eBPF evolved from the

as an extended version, but its use case outgrew networking, and today eBPF as a pseudo-acronym is preferred.

eBPF Foundation

The eBPF Foundation was created in August 2021 with the goal to expand the contributions being made to extend the powerful capabilities of eBPF and grow beyond Linux. Founding members include

, Isovalent,

and

. The purpose is to raise, budget and spend funds in support of various open source, open data and/or open standards projects relating to eBPF technologies to further drive the growth and adoption of the eBPF ecosystem. Since inception,

Red Hat Red Hat, Inc. is an American software company that provides open source software products to enterprises. Founded in 1993, Red Hat has its corporate headquarters in Raleigh, North Carolina, with other offices worldwide. Red Hat has become ass ...

Crowdstrike CrowdStrike Holdings, Inc. is an American cybersecurity technology company based in Austin, Texas. It provides cloud workload and endpoint security, threat intelligence, and cyberattack response services. The company has been involved in inves ...

, Tigera, DaoCloud, Datoms, FutureWei also joined.

Steering committee

With the creation of the eBPF Foundation, an eBPF

steering committee A committee or commission is a body of one or more persons subordinate to a deliberative assembly. A committee is not itself considered to be a form of assembly. Usually, the assembly sends matters into a committee as a way to explore them more ...

(BSC) was established in order to take care of the technical direction and vision of eBPF. Tasks include the collaboration among projects, defining the minimal requirements of eBPF runtimes, overseeing community events, maintaining eBPF technical

project lifecycle In systems engineering, information systems and software engineering, the systems development life cycle (SDLC), also referred to as the application development life cycle, is a process for planning, creating, testing, and deploying an informa ...

procedures, and communicating on behalf of the eBPF community. Active members include: * Alexei Starovoitov,

* Andrii Nakryiko,

* Brendan Gregg,

Intel Intel Corporation is an American multinational corporation and technology company headquartered in Santa Clara, California. It is the world's largest semiconductor chip manufacturer by revenue, and is one of the developers of the x86 seri ...

* Daniel Borkmann, Isovalent * Dave Thaler,

* Joe Stringer, Isovalent * KP Singh,

* Lorenz Bauer, formerly

There are currently no emeritus members.

eBPF standardization

Although eBPF is supported, to various degrees, on multiple platforms, there is no standard specification (as of January 2023) to formally define its components. However, there is currently some work in progress to define and publish a standard for the instruction set, under the auspices of the eBPF Foundation.

Security concerns

Due to the ease of programmability, eBPF has been used as a tool for implementing microarchitectural timing

side-channel attacks In computer security, a side-channel attack is any attack based on extra information that can be gathered because of the fundamental way a computer protocol or algorithm is Implementation#Computer science, implemented, rather than flaws in the d ...

such as

Spectre Spectre, specter or the spectre may refer to: Religion and spirituality * Vision (spirituality) * Apparitional experience * Ghost Arts and entertainment Film and television * ''Spectre'' (1977 film), a made-for-television film produced and writ ...

against vulnerable

microprocessors A microprocessor is a computer processor where the data processing logic and control is included on a single integrated circuit, or a small number of integrated circuits. The microprocessor contains the arithmetic, logic, and control circu ...

. While unprivileged eBPF implemented mitigations against transient execution attacks, unprivileged use has ultimately been disabled by the kernel community by default to protect from use against future hardware vulnerabilities.

Conferences

The eBPF community organises a number of technical workshops and conferences to discuss ongoing research, development efforts, and use cases around eBPF. They can broadly be categorised into user-focused conferences and more developer-focused conferences. User-focused conferences: * eBPF Summit, a user conference around eBPF production users and projects building upon eBPF * Cloud Native eBPF Day, a CNCF event co-located with KubeCon for the cloud native community Developer-focused conferences: * LSF/MM/BPF workshop, an annual technical workshop for the BPF Linux kernel community * BPF track at Linux Plumbers conference, a technical track for the BPF Linux kernel community and surrounding user space libraries and tooling

References

External links

eBPF.io - Introduction, tutorials & eBPF community resources

eBPF.foundation - Linux Foundation's eBPF Foundation site
Software

History

Evolution from classic BPF

Adoption

Logo

Naming

eBPF Foundation

Steering committee

eBPF standardization

Security concerns

Conferences

See also

References

Further reading

External links