eBPF

What is eBPF?

eBPF is a technology with origins in the Linux kernel that can run sandboxed programs in a privileged context such as the operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without changing kernel source code or loading kernel modules: user space submits a program as bytecode, the kernel checks it before accepting it, and the kernel then runs it at the hook the program is attached to.

The Evolution of eBPF

eBPF grew out of the classic Berkeley Packet Filter that tcpdump and seccomp use; the extended instruction set and the bpf(2) system call arrived in Linux 3.18, and since then its application has broadened to encompass a wide array of system functions, including advanced networking features, observability tools, and security mechanisms. It operates by letting user-space applications load programs that the kernel runs in response to events, with the kernel ensuring safety through a verification step before the program is accepted and performance through Just-In-Time (JIT) compilation of the accepted bytecode.

Architecture and Execution Model

eBPF adds an execution environment inside the Linux kernel that runs user-defined programs delivered as bytecode. Programs are attached to events and kernel hook points and execute whenever those fire, so they can change what the running system does without a kernel rebuild or a reboot.

Figure: eBPF architecture overview (ebpf-arch-overview.png)

eBPF Programs

Definition:
eBPF programs are small pieces of code, usually written in a restricted subset of C and compiled with clang/LLVM into eBPF bytecode, that the kernel runs in response to specific events. The bytecode is submitted through the bpf(2) system call, must pass the verifier, and is then executed at whatever hook it is attached to.
Types:
Programs attach to hooks such as kernel and user-space function entry and return (kprobes and uprobes), static tracepoints (including the system call entry and exit tracepoints), networking events (XDP - eXpress Data Path, which runs on the driver's receive path, and tc - traffic control, which runs on ingress and egress of the network stack), socket operations, and security checks (LSM - Linux Security Module hooks), among others. The program type decides which context structure the program receives, which helper functions it may call, and what its return value means to the kernel.
Use Cases:
Custom packet filtering, system call monitoring, network packet manipulation, and application behavior tracking.

eBPF Maps

Definition:
Key-value stores that live in kernel memory and are reached from user space through a file descriptor. They let eBPF programs keep state across invocations, share it with other eBPF programs, and exchange it with user space: programs use helpers such as bpf_map_lookup_elem(), while user space reads and writes the same map through bpf(2) (BPF_MAP_LOOKUP_ELEM, BPF_MAP_UPDATE_ELEM and related commands). A map can be pinned to the BPF filesystem (normally /sys/fs/bpf) so that it outlives the process that created it. Maps are the critical component for stateful processing in eBPF applications.
Types:
Arrays, hash maps, per-CPU arrays and hashes (which avoid lock contention on hot paths), LRU maps, ring buffers and perf event arrays for streaming events to user space, and more, each serving different data storage and access patterns.
Use Cases:
Storing configuration data for eBPF programs, aggregating metrics from network traffic or system events, and implementing complex data structures for runtime decision-making.
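The two sections above (programs and maps) are easiest to see together. The following is an added example, not code from this page or from any eBPF project: a socket-filter program, hand-assembled as eBPF bytecode with small instruction-builder macros, that increments slot 0 of a BPF_MAP_TYPE_ARRAY every time the kernel runs it, plus the user-space side that creates the map, loads and attaches the program to the receiving end of a datagram socketpair, sends three constructed messages and reads the counter back. It uses only the raw bpf(2) system call and the kernel's own <linux/bpf.h>, so it builds wherever the kernel headers are installed; the function names, the macro names and the sample payload are this example's own choices. Loading needs CAP_BPF (or CAP_SYS_ADMIN, or kernel.unprivileged_bpf_disabled=0), and every function returns -errno when that is missing rather than crashing.

```c
/* Added example: a packet-counting socket filter and the user-space code that
 * drives it, using only the raw bpf(2) syscall (no libbpf). Needs CAP_BPF. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

#ifndef SO_ATTACH_BPF
#define SO_ATTACH_BPF 50 /* asm-generic value; some libc headers do not export it */
#endif

/* Instruction builders (same encoding as libbpf's bpf_insn.h; names are ours). */
#define INSN(c, d, s, o, i) \
    ((struct bpf_insn){ .code = (c), .dst_reg = (d), .src_reg = (s), .off = (o), .imm = (i) })
#define MOV64_IMM(d, i)    INSN(BPF_ALU64 | BPF_MOV | BPF_K, d, 0, 0, i)
#define MOV64_REG(d, s)    INSN(BPF_ALU64 | BPF_MOV | BPF_X, d, s, 0, 0)
#define ADD64_IMM(d, i)    INSN(BPF_ALU64 | BPF_ADD | BPF_K, d, 0, 0, i)
#define ST_MEM32(d, o, i)  INSN(BPF_ST | BPF_MEM | BPF_W, d, 0, o, i)
#define LDX_MEM64(d, s, o) INSN(BPF_LDX | BPF_MEM | BPF_DW, d, s, o, 0)
#define STX_MEM64(d, s, o) INSN(BPF_STX | BPF_MEM | BPF_DW, d, s, o, 0)
#define JEQ_IMM(d, i, o)   INSN(BPF_JMP | BPF_JEQ | BPF_K, d, 0, o, i)
#define CALL(fn)           INSN(BPF_JMP | BPF_CALL, 0, 0, 0, fn)
#define EXIT()             INSN(BPF_JMP | BPF_EXIT, 0, 0, 0, 0)
/* 16-byte ld_imm64; src_reg = BPF_PSEUDO_MAP_FD tells the verifier to replace the fd with a map pointer. */
#define LD_MAP_FD(d, fd)   INSN(BPF_LD | BPF_IMM | BPF_DW, d, BPF_PSEUDO_MAP_FD, 0, fd), INSN(0, 0, 0, 0, 0)

static long sys_bpf(int cmd, union bpf_attr *attr) {
    long r = syscall(__NR_bpf, cmd, attr, sizeof(*attr));
    return r < 0 ? -errno : r;
}

/* Array map: 4-byte index keys, one 8-byte counter. Returns fd or -errno. */
long counter_map_create(void) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);          /* the kernel rejects non-zero unused bytes */
    attr.map_type = BPF_MAP_TYPE_ARRAY;
    attr.key_size = 4;
    attr.value_size = 8;
    attr.max_entries = 1;
    return sys_bpf(BPF_MAP_CREATE, &attr);
}

/* User-space read of slot 0: the same key-value store the program updates. */
long counter_map_read(int map_fd, uint64_t *value) {
    uint32_t key = 0;
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_fd = (uint32_t)map_fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)value;
    return sys_bpf(BPF_MAP_LOOKUP_ELEM, &attr);
}

/* The program: map[0]++ on every packet, then keep the packet. Verifier log lands in `log`. */
long counter_prog_load(int map_fd, char *log, size_t logsz) {
    struct bpf_insn insns[] = {
        ST_MEM32(BPF_REG_10, -4, 0),        /* u32 key = 0 on the BPF stack          */
        LD_MAP_FD(BPF_REG_1, map_fd),       /* r1 = &counter_map                      */
        MOV64_REG(BPF_REG_2, BPF_REG_10),
        ADD64_IMM(BPF_REG_2, -4),           /* r2 = &key                              */
        CALL(BPF_FUNC_map_lookup_elem),     /* r0 = bpf_map_lookup_elem(r1, r2)       */
        JEQ_IMM(BPF_REG_0, 0, 3),           /* NULL check the verifier insists on     */
        LDX_MEM64(BPF_REG_1, BPF_REG_0, 0), /* (*r0)++                                */
        ADD64_IMM(BPF_REG_1, 1),
        STX_MEM64(BPF_REG_0, BPF_REG_1, 0),
        MOV64_IMM(BPF_REG_0, 0x7fffffff),   /* socket filter verdict: keep the packet */
        EXIT(),
    };
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insns = (uint64_t)(uintptr_t)insns;
    attr.insn_cnt = sizeof insns / sizeof insns[0];
    attr.license = (uint64_t)(uintptr_t)"GPL";
    attr.log_buf = (uint64_t)(uintptr_t)log;
    attr.log_size = (uint32_t)logsz;
    attr.log_level = 1;
    log[0] = '\0';
    return sys_bpf(BPF_PROG_LOAD, &attr);
}

/* End to end: attach the filter, send n datagrams, return the counter (or -errno). */
long count_packets(int n) {
    char log[8192];
    int sv[2], pfd;
    long map_fd, prog_fd, rc;
    uint64_t count = 0;

    map_fd = counter_map_create();
    if (map_fd < 0)
        return map_fd;                      /* -EPERM here means no CAP_BPF */
    prog_fd = counter_prog_load((int)map_fd, log, sizeof log);
    if (prog_fd < 0) {
        fprintf(stderr, "verifier log:\n%s", log);
        close((int)map_fd);
        return prog_fd;
    }
    pfd = (int)prog_fd;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) {
        rc = -errno;
        goto out_prog;
    }
    /* The kernel now runs the program for every datagram delivered to sv[1]. */
    if (setsockopt(sv[1], SOL_SOCKET, SO_ATTACH_BPF, &pfd, sizeof pfd) < 0) {
        rc = -errno;
        goto out_sock;
    }
    for (int i = 0; i < n; i++) {
        char msg[16] = "constructed msg"; /* constructed sample payload */
        if (send(sv[0], msg, sizeof msg, 0) < 0 ||
            recv(sv[1], msg, sizeof msg, MSG_DONTWAIT) < 0) {
            rc = -errno;
            goto out_sock;
        }
    }
    rc = counter_map_read((int)map_fd, &count);
    if (rc == 0)
        rc = (long)count;
out_sock:
    close(sv[0]);
    close(sv[1]);
out_prog:
    close(pfd);
    close((int)map_fd);
    return rc;
}

int main(void) {
    long rc = count_packets(3);
    if (rc < 0) {
        fprintf(stderr, "count_packets: %s\n", strerror((int)-rc));
        return 1;
    }
    printf("filter ran %ld times\n", rc);
    return 0;
}
```

Run as root (or with CAP_BPF) and the program reports that the filter ran three times; the counter was written by kernel-side code and read by user space through the same map fd. Without the capability, count_packets() returns -EPERM from the very first bpf(2) call, which is the privilege check described under the verifier below. The JEQ instruction is not optional: dropping it makes the verifier refuse the program because a map lookup result may be NULL.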

eBPF Verifier

Definition:
A static analysis pass that every eBPF program must pass before the kernel accepts it. The verifier walks all paths through the bytecode and rejects programs that could loop forever (loops are accepted since Linux 5.3 only when the verifier can prove they terminate), read uninitialized registers or stack slots, access memory through an unchecked pointer (a map lookup result must be compared against NULL before it is dereferenced), go out of bounds of the packet or context, or call helper functions not permitted for that program type. A rejected program is never executed: bpf(2) returns an error together with a log naming the instruction that failed and why.
Use Cases:
Preventing malicious or erroneous eBPF programs from compromising the kernel's integrity, ensuring only valid and safe eBPF bytecode is executed. The scope of that guarantee matters: the verifier protects the kernel from bugs in a program it was asked to load, but who may load programs at all is decided by privilege. Loading requires CAP_BPF (Linux 5.8 and later, usually together with CAP_PERFMON for tracing programs or CAP_NET_ADMIN for networking ones; CAP_SYS_ADMIN on older kernels) unless the administrator has set kernel.unprivileged_bpf_disabled to 0, which most distributions no longer do by default.
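To make the verifier's decisions concrete, here is an added example (not code from this page or from the kernel tree) that hand-assembles three tiny programs and submits each through the raw bpf(2) system call: one that is accepted, one that dereferences a plain scalar as a pointer, and one that jumps to itself forever. The instruction-builder macros, the function names and the choice of BPF_PROG_TYPE_SOCKET_FILTER are this example's own; only <linux/bpf.h> from the kernel headers is needed. As with any program load, CAP_BPF (or CAP_SYS_ADMIN, or kernel.unprivileged_bpf_disabled=0) is required, and the functions return -errno so the privilege failure is distinguishable from a verifier rejection.

```c
/* Added example: watch the verifier accept one program and reject two others.
 * Raw bpf(2) only; needs CAP_BPF to get as far as the verifier. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Instruction builders (same encoding as libbpf's bpf_insn.h; names are ours). */
#define INSN(c, d, s, o, i) \
    ((struct bpf_insn){ .code = (c), .dst_reg = (d), .src_reg = (s), .off = (o), .imm = (i) })
#define MOV64_IMM(d, i)    INSN(BPF_ALU64 | BPF_MOV | BPF_K, d, 0, 0, i)
#define LDX_MEM64(d, s, o) INSN(BPF_LDX | BPF_MEM | BPF_DW, d, s, o, 0)
#define JA(o)              INSN(BPF_JMP | BPF_JA, 0, 0, o, 0)
#define EXIT()             INSN(BPF_JMP | BPF_EXIT, 0, 0, 0, 0)

static long sys_bpf(int cmd, union bpf_attr *attr) {
    long r = syscall(__NR_bpf, cmd, attr, sizeof(*attr));
    return r < 0 ? -errno : r;
}

/* Submit n instructions as a socket filter. Returns the program fd or -errno;
 * the verifier's reasoning is copied into `log` either way. */
static long verify_and_load(const struct bpf_insn *insns, size_t n, char *log, size_t logsz) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insns = (uint64_t)(uintptr_t)insns;
    attr.insn_cnt = (uint32_t)n;
    attr.license = (uint64_t)(uintptr_t)"GPL";
    attr.log_buf = (uint64_t)(uintptr_t)log;
    attr.log_size = (uint32_t)logsz;
    attr.log_level = 1;
    log[0] = '\0';
    return sys_bpf(BPF_PROG_LOAD, &attr);
}

/* Accepted: r0 = 0; exit. */
long load_safe(char *log, size_t logsz) {
    struct bpf_insn p[] = { MOV64_IMM(BPF_REG_0, 0), EXIT() };
    return verify_and_load(p, 2, log, logsz);
}

/* Rejected with -EACCES: r2 = 0; r0 = *(u64 *)(r2 + 0). r2 holds a scalar, not a
 * pointer the verifier knows about, so the load is refused ("invalid mem access"). */
long load_null_deref(char *log, size_t logsz) {
    struct bpf_insn p[] = { MOV64_IMM(BPF_REG_2, 0), LDX_MEM64(BPF_REG_0, BPF_REG_2, 0), EXIT() };
    return verify_and_load(p, 3, log, logsz);
}

/* Rejected: r0 = 0; goto self. No path ever reaches an exit. */
long load_infinite_loop(char *log, size_t logsz) {
    struct bpf_insn p[] = { MOV64_IMM(BPF_REG_0, 0), JA(-1) };
    return verify_and_load(p, 2, log, logsz);
}

/* True when the failure is about this process's privileges, not about the program. */
int bpf_unavailable(long rc) {
    return rc == -EPERM || rc == -ENOSYS;
}

int main(void) {
    char log[4096];
    long fd = load_safe(log, sizeof log);
    if (bpf_unavailable(fd)) {
        fprintf(stderr, "bpf(2) unavailable: %s (missing CAP_BPF?)\n", strerror((int)-fd));
        return 1;
    }
    printf("safe program: accepted, fd %ld\n", fd);
    close((int)fd);
    fd = load_null_deref(log, sizeof log);
    printf("scalar dereference: %s\n%s\n", strerror((int)-fd), log);
    fd = load_infinite_loop(log, sizeof log);
    printf("infinite loop: %s\n%s\n", strerror((int)-fd), log);
    return 0;
}
```

The log the kernel returns is the practitioner's main debugging tool: it prints the register state at the offending instruction, so a rejection like "R2 invalid mem access" points straight at the missing bounds or NULL check. Note that the verifier never sees the scalar dereference or the loop run; both are refused at load time, before any packet could reach them.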

JIT (Just-In-Time) Compiler

Definition:
Converts verified eBPF bytecode into native machine instructions for the host CPU, so the program runs directly instead of being interpreted. The JIT is controlled by the net.core.bpf_jit_enable sysctl; many distributions build with CONFIG_BPF_JIT_ALWAYS_ON, in which case the interpreter is not compiled in and the JIT cannot be turned off. A related hardening knob, net.core.bpf_jit_harden (1 for unprivileged programs, 2 for all programs), blinds the constants embedded in the generated code so that an attacker cannot smuggle chosen instruction bytes into executable kernel memory through a loaded program, at a small performance cost.
Use Cases:
Enhancing the performance of eBPF programs to achieve near-native execution speed, crucial for high-frequency events like packet processing or system call monitoring.

Try it out

Pick the lab that matches your experience and work through the eBPF hands-on labs at your own pace.

Getting Started with eBPF
As a first approach to eBPF, this lab builds on examples from the What is eBPF? book by Liz Rice.
Learning eBPF Tutorial
This lab is a companion to the Learning eBPF book by Liz Rice. It will take you through a step by step discovery of the features of eBPF.

eBPF in Action

Networking
Enhanced networking speed and efficiency.
Observability
Performance monitoring and troubleshooting.
Security
Prevent threats and enforce policies in real-time.

Use Cases

Networking

Packet Processing
eBPF enables the efficient handling of high-throughput network packets directly within the kernel, supporting use cases from dynamic routing and firewalling to network address translation (NAT) without the need for traditional, less flexible kernel modules.
Load Balancing
Implementing sophisticated load-balancing algorithms with eBPF allows for distributing incoming network traffic across multiple backend services or servers based on load, improving resource utilization and response times.
Network Monitoring
eBPF can be used to collect detailed network performance metrics in real-time, facilitating the analysis of traffic patterns, bandwidth usage, and pinpointing network bottlenecks.

Observability

Application Performance Monitoring (APM)
Leveraging eBPF for tracing function calls and measuring execution times provides insights into application behavior and performance, enabling developers to optimize code and improve application efficiency.
System-Level Profiling
With eBPF, aggregate system-wide metrics such as CPU usage, disk I/O, and memory access patterns, helping in identifying system-level performance issues and optimizing resource allocation.
Event Logging and Tracing
eBPF's ability to intercept and log a wide range of system events, from syscall invocations to network socket operations, offers a granular view into the system's operational state, crucial for debugging and security auditing.

Security

Observe Every Process
Observe privileged processes and container executions, kubectl exec audit trails, namespace and privilege escalations, system call activity, network observability with DNS/TLS/HTTP protocol support, file integrity monitoring, and much more.
Runtime Enforcement
eBPF allows security policies to be enforced at the kernel level, for example from programs attached to LSM hooks: access controls, process sandboxing, and network segmentation can be applied, updated, and removed at runtime, without rebooting the host or restarting the protected workloads.
File Integrity Monitoring
eBPF programs can monitor access to and modification of critical system files and directories, alerting administrators to unauthorized changes that could indicate a breach or a configuration drift.