What Is eBPF and What Are Its Use Cases?

Originally published by Tigera.

Written by Reza Ramezanpour, Tigera.

With the recent advancements in service delivery through containers, Linux has gained a lot of popularity in cloud computing by enabling digital businesses to expand easily regardless of their size or budget. These advancements have also brought a new wave of attack, which is challenging to address with the same tools we have been using for non-cloud-native environments. eBPF offers a new way to interact with the Linux kernel, allowing us to reexamine the possibilities that once were difficult to achieve.

In this post, I will go through a brief history of the steps that eBPF had to take to become the Swiss army knife inside the Linux kernel, and point out how it can be used to achieve security in a cloud-native environment. I will also share my understanding of what happens inside the kernel that prevents BPF programs from wreaking havoc on your operating system.

BPF history

In the early days of computing, Unix was a popular solution for capturing network traffic, and using CMU/Stanford packet filter (CSPF) to capture packets using 64KB PDP-11 was gaining popularity by the second. Without a doubt, this was a pioneering work and a leap forward for its time but like most solutions, it also created problems.

Massive demand for information and the old architecture of CSPF started to cause poor performance in newer machines, like the 16 MB Sun SPARCstation, leaving the world to search for a better option.

In 1922, Steven McCanne and Van Jacobson wrote a paper with eye-catching claims. They claimed that, by implementing BPF, capturing packets could be 10 to 100 times faster than CSPF. This could happen by applying kernel agents with the ability to discard unwanted packets as early as possible.

In 2014, Alexei Starovoitov extended BPF capabilities and started the eBPF movement. Today, eBPF extensions allow a developer to reach corners of the kernel that were previously impossible. eBPF offers capabilities beyond just capturing or filtering packets; it is better to refer to it as a virtual machine inside the kernel that can verify instructions and run them without changing the kernel source code or recompilation.

BPF security and use cases

It would be challenging to explain BPF without mentioning the Linux kernel. Linux is an interface that provides a solid and robust foundation for interacting with the underlying hardware. Usually, applications like web browsers run inside of the userspace, where they can issue system calls via a framework or a high-level programming language to communicate with the kernel.

BPF can be used in conjunction with the internal kernel events to probe, peek, or manipulate the operating system's behavior. Although experimenting with the kernel might sound like a recipe for disaster, BPF verifier ensures the safety of all BPF applications before running them inside the kernel.

The first verification step begins by mapping all the areas that an application needs to access and then determines the end of the BPF program because BPF programs are not permitted to run indefinitely as it can slow down the system performance.

Next, a dry-run execution takes place to validate the overall life cycle of the BPF program and saves a detailed history of each instruction used by the program, and returns it to the verifier.

These two procedures ensure your system never gets blocked by an endless loop, and a BPF program can not use an unpacking or any other method to compromise the system. Keep in mind that explaining the verifier in detail is out of the scope of this blog post, and these two steps are just a simple summarization of what it does.

If an application is deemed safe by the verifier, it will be passed to the kernel for execution.

Summary

The number of eBPF use cases is growing by the second, and a cloud-native environment is one of the most prominent candidates to reap the benefits.

I've shared what is interesting to me about eBPF, but in this vast landscape, there is much more to be discovered. If you’d like to learn more about eBPF technology and its use cases, I highly recommend that you check out this free eBPF course.

Read eBPF: When (and when not) to use it to learn more about what eBPF does well, and how it stacks up against standard Linux iptables.