EBPF

{{Short description|Runtime system for operating systems}}

{{Lowercase title}}

{{Infobox software

| name = eBPF

| logo = EBPF_logo.png

| screenshot =

| caption = Safe dynamic programs and tools

| author = Alexei Starovoitov,
Daniel Borkmann{{cite web|url=https://www.linuxfoundation.org/press-release/facebook-google-isovalent-microsoft-and-netflix-launch-ebpf-foundation-as-part-of-the-linux-foundation/|title=Meta, Google, Isovalent, Microsoft and Netflix Launch eBPF Foundation as Part of the Linux Foundation|date=12 August 2021|website=Linux Foundation|access-date=1 July 2022}}{{cite web|url=https://www.usenix.org/conference/lisa21/presentation/gregg-bpf|title=BPF Internals|date=1 June 2021|website=USENIX LISA 2021 conference|access-date=1 July 2022}}

| developer = Open source community, Meta, Google, Isovalent, Microsoft, Netflix

| released = {{Start date and age|2014}}{{cite web|url=https://kccnceu20.sched.com/event/ZemQ/ebpf-and-kubernetes-little-helper-minions-for-scaling-microservices-daniel-borkmann-cilium|title=eBPF and Kubernetes: Little Helper Minions for Scaling Microservices|date=19 August 2020|website=CNCF KubeCon + CloudNativeCon Europe 2020|access-date=1 July 2022}}

| repo = Linux: {{URL|https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/}}
Windows: {{URL|https://github.com/Microsoft/ebpf-for-windows/}}

| programming language = C

| operating_system = Linux, Windows{{cite web|url=https://cloudblogs.microsoft.com/opensource/2021/05/10/making-ebpf-work-on-windows/|title=Making eBPF work on Windows|date=10 May 2021|website=Microsoft Open Source Blog|access-date=1 July 2022}}

| genre = Runtime system

| license = Linux: GPL
Windows: MIT License

| website = {{URL|https://www.ebpf.io/|ebpf.io}}

}}

eBPF is a technology that can run programs in a privileged context such as the operating system kernel.{{cite web|url=https://ebpf.io/what-is-ebpf|title=eBPF Documentation: What is eBPF?|website=eBPF.io|access-date=1 July 2022}} It is the successor to the Berkeley Packet Filter (BPF, with the "e" originally meaning "extended") filtering mechanism in Linux, and is also used in non-networking parts of the Linux kernel.

It is used to safely and efficiently extend the capabilities of the kernel at runtime without requiring changes to kernel source code or loading kernel modules.{{cite web|url=https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/|title=eBPF - Rethinking the Linux Kernel|website=QCon 2020|access-date=1 July 2022}} Safety is provided through an in-kernel verifier which performs static code analysis and rejects programs that would crash, hang or otherwise negatively interfere with the kernel.{{cite web|url=https://www.youtube.com/watch?v=AV8xY318rtc|title=Safe Programs The Foundation of BPF.|date=8 November 2020|website=eBPF Summit 2021|access-date=1 July 2022}}{{cite web|url=https://popl22.sigplan.org/details/prisc-2022-papers/11/BPF-and-Spectre-Mitigating-transient-execution-attacks|title=BPF and Spectre: Mitigating transient execution attacks|date=22 January 2022|website=POPL 2022 conference|access-date=1 July 2022}}

This validation model differs from sandboxed environments, where the execution environment is restricted and the runtime has no insight into the program.{{cite web|url=https://conferences.sigcomm.org/sigcomm/2023/files/workshop-ebpf/1-CloudNative.pdf#page=20|title=eBPF - The Silent Platform Revolution from Cloud Native|date=10 September 2023|website=SIGCOMM 2023, 1st Workshop on eBPF and Kernel Extensions|access-date=5 October 2023}} Examples of programs that are automatically rejected are programs without strong exit guarantees (for example, for/while loops without exit conditions) and programs dereferencing pointers without safety checks.{{Cite web |last=Hedam |first=Niclas |date=26 May 2023 |title=eBPF - From a Programmer's Perspective |url=https://hed.am/papers/2021-EBPF.pdf |language=en |doi=10.13140/RG.2.2.33688.11529/4}}

Design

Loaded programs which passed the verifier are either interpreted or just-in-time compiled (JIT compiled) in the kernel for native execution performance. The execution model is event-driven and, with few exceptions, run-to-completion: programs are attached to hook points in the operating system kernel and run when the corresponding event is triggered. eBPF use cases include (but are not limited to) networking such as XDP, tracing and security subsystems. Because eBPF's efficiency and flexibility opened up new possibilities for solving production issues, Brendan Gregg famously dubbed eBPF "superpowers for Linux".{{cite web|url=https://www.brendangregg.com/blog/2016-03-05/linux-bpf-superpowers.html|title=Linux BPF Superpowers|date=5 March 2016|website=Brendan Gregg's Blog|access-date=1 July 2022}} Linus Torvalds said, "BPF has actually been really useful, and the real power of it is how it allows people to do specialized code that isn't enabled until asked for".{{cite web|url=https://www.zdnet.com/article/linus-torvalds-talks-about-coming-back-to-work-on-linux/|title=Linus Torvalds talks about coming back to work on Linux|date=23 October 2018|website=zdnet Interview with Linus Torvalds|access-date=1 July 2022}} Due to its success in Linux, the eBPF runtime has been ported to other operating systems such as Windows.

History

eBPF evolved from the classic Berkeley Packet Filter (cBPF, a retroactively applied name). At the most basic level, it introduced the use of ten 64-bit registers (instead of two 32-bit registers for cBPF), different jump semantics, a call instruction and a corresponding register passing convention, new instructions, and a different encoding for these instructions.{{cite web|url=https://www.kernel.org/doc/html/v6.1/bpf/classic_vs_extended.html|title=Classic BPF vs eBPF|date=March 2014|website=LWN|access-date=6 January 2023}}

{| class="wikitable"
|+ Most significant milestones in the evolution of eBPF
! Date !! Event
|-
| April 2011 || The first in-kernel Linux just-in-time compiler (JIT compiler) for the classic Berkeley Packet Filter was merged.{{cite web|url=https://lwn.net/Articles/437884/|title=net: filter: Just In Time compiler|date=April 2011|access-date=1 July 2022}}
|-
| January 2012 || The first non-networking use case of the classic Berkeley Packet Filter, seccomp-bpf,{{cite web|url=https://lwn.net/Articles/475043/|title=Yet another new approach to seccomp|date=1 January 2012|website=LWN|access-date=1 July 2022}} appeared; it allows filtering of system calls using a configurable policy implemented through BPF instructions.
|-
| March 2014 || David S. Miller, primary maintainer of the Linux networking stack, accepted the rework of the old in-kernel BPF interpreter. It was replaced by an eBPF interpreter, and the Linux kernel internally translates classic BPF (cBPF) into eBPF instructions.{{cite web|url=https://www.spinics.net/lists/netdev/msg277779.html|title=[PATCH net-next v4 0/9] BPF updates|date=March 2014|access-date=1 July 2022}} It was released in version 3.18 of the Linux kernel.{{cite web |date=December 7, 2014 |title=Linux kernel 3.18, Section 1.3. bpf() syscall for eBFP{{sic|nolink=y}} virtual machine programs |url=https://kernelnewbies.org/Linux_3.18#bpf.28.29_syscall_for_eBFP_virtual_machine_programs |access-date=September 6, 2019 |website=kernelnewbies.org}}
|-
| September 2014 || The bpf system call was introduced into the Linux kernel, exposing the eBPF instruction set to user space.{{cite web|url=https://www.spinics.net/lists/bpf/msg46722.html|title=Happy birthday BPF!|date=September 2021|access-date=1 July 2022}}
|-
| March 2015 || The ability to attach eBPF to kprobes, the first tracing use case, was merged.{{cite web|url=https://www.spinics.net/lists/netdev/msg318256.html|title=[PATCH v5 tip 3/7] tracing: allow BPF programs to call bpf_ktime_get_ns()|date=March 2015|access-date=1 July 2022}} In the same month, initial infrastructure work was accepted that allows eBPF to be attached to the networking traffic control (tc) layer, first on the core ingress path and later also on the egress path of the network stack; this was later heavily used by projects such as Cilium.{{cite web|url=https://www.spinics.net/lists/netdev/msg316049.html|title=[RFC PATCH net-next 0/7] eBPF support for cls_bpf|date=March 2015|access-date=1 July 2022}}{{cite web|url=https://lwn.net/Articles/671458/|title=[PATCH net-next v2] net, sched: add clsact qdisc|date=January 2016|access-date=1 July 2022}}{{cite web|url=https://cilium.io/|title=eBPF-based Networking, Observability, Security|date=January 2016|website=cilium.io|access-date=1 July 2022}}
|-
| August 2015 || The eBPF compiler backend was merged into the LLVM 3.7.0 release.{{cite web|url=https://releases.llvm.org/3.7.0/docs/ReleaseNotes.html#non-comprehensive-list-of-changes-in-this-release|title=LLVM 3.7 Release Notes|date=August 2015|website=releases.llvm.org|access-date=1 July 2022}}
|-
| September 2015 || Brendan Gregg announced a collection of new eBPF-based tracing tools as the bcc project, providing a front end for eBPF that makes it easier to write programs.{{cite web|url=https://www.brendangregg.com/blog/2015-09-22/bcc-linux-4.3-tracing.html|title=bcc: Taming Linux 4.3+ Tracing Superpowers|date=September 2015|website=brendangregg.com|access-date=1 July 2022}}
|-
| July 2016 || eBPF gained the ability to be attached to a network driver's core receive path. This layer is known today as eXpress Data Path (XDP) and was added as a response to DPDK, to create a fast data path that works in combination with the Linux kernel rather than bypassing it.{{cite web|url=https://ns1.openwall.net/netdev/2016/07/19/156|title=[PATCH v10 00/12] Add driver bpf hook for early packet drop and forwarding|date=July 2016|access-date=1 July 2022}}{{cite web|url=https://www.youtube.com/watch?v=OIyPm6K4ooY|title=eCHO episode 9: XDP and Load Balancing|date=June 2021|website=youtube.com|access-date=1 July 2022}}{{cite conference|date=December 2018|pages=54–66 |doi=10.1145/3281411.3281443 |isbn=9781450360807 |s2cid=53779310 |title=The eXpress data path: Fast programmable packet processing in the operating system kernel |book-title=Proceedings of the 14th International Conference on emerging Networking EXperiments and Technologies |last1=Høiland-Jørgensen |first1=Toke |last2=Brouer |first2=Jesper Dangaard |last3=Borkmann |first3=Daniel |last4=Fastabend |first4=John |last5=Herbert |first5=Tom |last6=Ahern |first6=David |last7=Miller |first7=David |doi-access=free }}
|-
| August 2016 || Cilium was initially announced during LinuxCon as a project providing fast IPv6 container networking with eBPF and XDP. Today, Cilium has been adopted by major cloud providers' Kubernetes offerings and is one of the most widely used CNIs.{{cite web|url=https://www.slideshare.net/ThomasGraf5/cilium-fast-ipv6-container-networking-with-bpf-and-xdp|title=Cilium - Fast IPv6 Container Networking with BPF and XDP|date=August 2016|website=slideshare.net|access-date=1 July 2022}}
|-
| November 2016 || Netronome added offload of eBPF programs for the XDP and tc BPF layers to their NICs.{{cite web|url=https://lists.openwall.net/netdev/2016/11/03/143|title=[PATCH net-next resend 00/13] ring reconfiguration and XDP support|date=November 2016|access-date=1 July 2022}}
|-
| May 2017 || Meta's layer 4 load balancer, Katran, went live. Every packet towards facebook.com since then has been processed by eBPF and XDP.
|-
| November 2017 || eBPF became its own kernel subsystem to ease the continuously growing kernel patch management. The first pull request by the eBPF maintainers was submitted.{{cite web|url=https://git.sceen.net/linux/linux-stable.git/commit/kernel?id=e4be7baba81a816bdf778804508b43fa92c6446d|title=pull-request: bpf 2017-11-23|date=November 2017|access-date=1 July 2022}}
|-
| September 2017 || Bpftool was added to the Linux kernel as a user space utility to introspect the eBPF subsystem.{{cite web|url=https://www.spinics.net/lists/netdev/msg456849.html|title=[PATCH net-next 0/2] tools: add bpftool|date=September 2017|access-date=1 July 2022}}
|-
| January 2018 || A new socket family called AF_XDP was published, allowing high-performance packet processing with zero-copy semantics at the XDP layer.{{cite web|url=https://www.spinics.net/lists/netdev/msg481699.html|title=[RFC PATCH 00/24] Introducing AF_XDP support|date=January 2018|access-date=1 July 2022}} Today, DPDK has official AF_XDP poll-mode driver support.{{cite web|url=https://doc.dpdk.org/guides/nics/af_xdp.html|title=AF_XDP Poll Mode Driver|date=August 2022|website=doc.dpdk.org|access-date=16 August 2022}}
|-
| February 2018 || The bpfilter prototype was published, allowing translation of a subset of iptables rulesets into eBPF via a newly developed user mode driver. The work caused controversy due to the ongoing nftables development effort and has not been merged into mainline.{{cite web|url=https://lwn.net/Articles/747551/|title=BPF comes to firewalls|date=February 2018|website=lwn.net|access-date=1 July 2022}}{{cite web|url=https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/|title=Why is the kernel community replacing iptables with BPF?|date=April 2018|website=cilium.io|access-date=1 July 2022}}
|-
| October 2018 || The new bpftrace tool was announced by Brendan Gregg as DTrace 2.0 for Linux.{{cite web|url=https://www.brendangregg.com/blog/2018-10-08/dtrace-for-linux-2018.html|title=bpftrace (DTrace 2.0) for Linux 2018|date=October 2018|website=brendangregg.com|access-date=16 August 2022}}
|-
| November 2018 || eBPF introspection was added for kTLS in order to support in-kernel TLS policy enforcement.{{cite web|url=http://vger.kernel.org/lpc_net2018_talks/ktls_bpf.pdf|title=Combining kTLS and BPF for Introspection and Policy Enforcement|date=November 2018|website=vger.kernel.org|access-date=1 July 2022}}
|-
| November 2018 || BTF (BPF Type Format) was added to the Linux kernel as an efficient metadata format which is approximately 100x smaller than DWARF.{{cite web|url=https://nakryiko.com/posts/btf-dedup/|title=BTF deduplication and Linux kernel BTF|date=November 2018|website=nakryiko.com|access-date=1 July 2022}}
|-
| December 2019 || The first book on BPF, 880 pages long and written by Brendan Gregg, was released.{{cite web|url=https://www.brendangregg.com/bpf-performance-tools-book.html|title=BPF Performance Tools (book)|date=December 2019|website=brendangregg.com|access-date=16 August 2022}}
|-
| March 2020 || Google upstreamed BPF LSM support into the Linux kernel, enabling programmable Linux Security Modules (LSMs) through eBPF.{{cite web|url=https://www.spinics.net/lists/bpf/msg16602.html|title=[PATCH bpf-next v9 0/8] MAC and Audit policy using eBPF (KRSI)|date=March 2020|access-date=16 August 2022}}
|-
| September 2020 || The eBPF compiler backend for the GNU Compiler Collection (GCC) was merged.{{cite web|url=https://lwn.net/Articles/831402/|title=BPF in GCC|date=September 2020|website=lwn.net|access-date=16 August 2022}}
|-
| July 2022 || Microsoft released eBPF for Windows, which runs code in the NT kernel.
|-
| October 2024 || The eBPF instruction set architecture (ISA) was published as {{IETF RFC|9669|link=no}}.
|}

Architecture and concepts

= eBPF maps =

eBPF maps are efficient key/value stores that reside in kernel space and can be used to share data among multiple eBPF programs or to communicate between a user space application and eBPF code running in the kernel. eBPF programs can leverage eBPF maps to store and retrieve data in a wide set of data structures. Map implementations are provided by the core kernel. There are various types,{{Cite web |title=bpf.h - include/uapi/linux/bpf.h - Linux source code v5.15.86 - Bootlin |url=https://elixir.bootlin.com/linux/v5.15.86/source/include/uapi/linux/bpf.h#L878 |access-date=2024-08-01 |website=elixir.bootlin.com}} including hash maps, arrays, and ring buffers.

In practice, eBPF maps are typically used for scenarios such as a user space program writing configuration information to be retrieved by an eBPF program, an eBPF program storing state for later retrieval by another eBPF program (or a future run of the same program), or an eBPF program writing results or metrics into a map for retrieval by a user space program that will present results.{{Cite book |last=Rice |first=Liz |url=https://www.worldcat.org/title/on1353981026 |title=Learning eBPF: programming the Linux Kernel for enhanced observability, networking, and security |date=2023 |publisher=O'Reilly Media |isbn=978-1-0981-3512-6 |edition=First |location=Sebastopol, CA |oclc=on1353981026}}
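The user-space half of the map workflow described above, as an added example that is not code from the page, from the kernel or from libbpf: it calls the bpf(2) system call directly to create a one-element BPF_MAP_TYPE_ARRAY, write a value into it and read it back, which is the sequence a loader performs when passing configuration to a kernel program (the kernel-side lookup through the bpf_map_lookup_elem helper is not shown). The field names used on union bpf_attr are those of uapi/linux/bpf.h. Creating maps requires CAP_BPF (CAP_SYS_ADMIN on older kernels); without it, or where the syscall is filtered, the function returns -EPERM rather than a value, which is why the program reports the errno instead of treating it as a bug.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Thin wrapper over the raw bpf(2) system call (what libbpf's bpf_map_* functions call). */
static long bpf(int cmd, union bpf_attr *attr, unsigned int size) {
    return syscall(__NR_bpf, cmd, attr, size);
}

/* Create a one-slot BPF_MAP_TYPE_ARRAY with u32 keys and u64 values, store `value`
 * under key 0 from user space and read it back. Returns the value read back, or
 * -errno; without CAP_BPF the very first call already fails with -EPERM. */
long map_roundtrip(uint64_t value) {
    union bpf_attr attr;
    uint32_t key = 0;
    uint64_t out = 0;
    int fd, err;

    memset(&attr, 0, sizeof attr);            /* unused attr fields must be zero */
    attr.map_type = BPF_MAP_TYPE_ARRAY;
    attr.key_size = sizeof key;
    attr.value_size = sizeof out;
    attr.max_entries = 1;
    fd = (int)bpf(BPF_MAP_CREATE, &attr, sizeof attr);
    if (fd < 0) return -errno;

    /* Element commands take user-space pointers to the key and value, passed as u64. */
    memset(&attr, 0, sizeof attr);
    attr.map_fd = fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)&value;
    attr.flags = BPF_ANY;                     /* create or update the element */
    if (bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof attr) < 0) { err = errno; close(fd); return -err; }

    memset(&attr, 0, sizeof attr);
    attr.map_fd = fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)&out;
    if (bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof attr) < 0) { err = errno; close(fd); return -err; }

    close(fd);   /* the map is released once its last file descriptor is gone */
    return (long)out;
}

int main(void) {
    long r = map_roundtrip(42);
    if (r < 0) printf("bpf() failed: %s\n", strerror((int)-r));
    else printf("read back %ld from the map\n", r);
    return 0;
}
```

A map created this way lives only as long as a file descriptor (or a pin under /sys/fs/bpf) refers to it; a loader that wants a kernel program to see the value hands the same descriptor to the program at load time, which libbpf does automatically from the map definitions in the ELF object.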

= eBPF virtual machine =

The eBPF virtual machine runs within the kernel and takes in a program in the form of eBPF bytecode instructions which are converted to native machine instructions that run on the CPU. Early implementations of eBPF saw eBPF bytecode interpreted, but this has now been replaced with a Just-in-Time (JIT) compilation process for performance and security-related reasons.

The eBPF virtual machine consists of eleven 64-bit registers with 32-bit subregisters, a program counter and a 512-byte BPF stack. These general-purpose registers keep track of state while eBPF programs execute.{{Cite web |title=BPF Architecture — Cilium 1.16.0 documentation |url=https://docs.cilium.io/en/stable/bpf/architecture/ |access-date=2024-08-01 |website=docs.cilium.io}}
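As an added illustration of the register model and instruction format described above (this is example code, not code from the page or from the Linux kernel), the following user-space C program models the eBPF virtual machine: the 64-bit instruction encoding from uapi/linux/bpf.h, eleven 64-bit registers with r10 as the frame pointer, a 512-byte stack, and an interpreter loop that runs a constructed sample program to completion. The opcode values are the kernel's; the instruction step limit and the stack bounds check are this model's own substitutes for guarantees that the in-kernel verifier establishes before a program is ever allowed to run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit eBPF instruction encoding from uapi/linux/bpf.h: opcode, two 4-bit
 * register fields, a 16-bit signed offset and a 32-bit signed immediate. */
struct ebpf_insn {
    uint8_t code;
    uint8_t dst_reg : 4;
    uint8_t src_reg : 4;
    int16_t off;
    int32_t imm;
};
#define INSN(c, d, s, o, i) { (c), (d), (s), (o), (i) }

/* Opcode values as defined by the kernel (class | size or source | operation). */
enum {
    OP_MOV64_IMM = 0xb7, OP_MOV64_REG = 0xbf, OP_ADD64_IMM = 0x07, OP_ADD64_REG = 0x0f,
    OP_SUB64_IMM = 0x17, OP_LDXDW = 0x79, OP_STXDW = 0x7b,
    OP_JA = 0x05, OP_JGT_IMM = 0x25, OP_EXIT = 0x95
};

#define EBPF_NREGS 11       /* r0..r10; r10 is the read-only frame pointer */
#define EBPF_STACK 512      /* bytes of stack per program */
#define MAX_STEPS  1000000  /* this model's stand-in for the verifier's termination guarantee */

/* Map a guest address to a host pointer if [addr, addr + width) lies inside the stack. */
static uint8_t *stack_ptr(uint8_t *stack, uint64_t addr, size_t width) {
    uint64_t base = (uint64_t)(uintptr_t)stack, off = addr - base;
    if (addr < base || off > EBPF_STACK - width) return NULL;
    return stack + off;
}

/* Interpret prog to completion and return r0, or -1 on an illegal instruction,
 * an out-of-stack memory access or a program that exceeds MAX_STEPS. */
int64_t ebpf_run(const struct ebpf_insn *prog, size_t len) {
    uint64_t r[EBPF_NREGS] = {0}, steps = 0;
    uint8_t stack[EBPF_STACK] = {0};
    int64_t pc = 0;

    r[10] = (uint64_t)(uintptr_t)(stack + EBPF_STACK);   /* frame pointer at the stack top */
    while (pc >= 0 && pc < (int64_t)len) {
        const struct ebpf_insn *in = &prog[pc++];
        uint64_t imm = (uint64_t)(int64_t)in->imm;          /* immediates are sign-extended */
        uint64_t *dst, src;
        uint8_t *p;

        if (++steps > MAX_STEPS) return -1;
        if (in->dst_reg >= EBPF_NREGS || in->src_reg >= EBPF_NREGS) return -1;
        dst = &r[in->dst_reg];
        src = r[in->src_reg];
        switch (in->code) {
        case OP_MOV64_IMM: *dst = imm; break;
        case OP_MOV64_REG: *dst = src; break;
        case OP_ADD64_IMM: *dst += imm; break;
        case OP_ADD64_REG: *dst += src; break;
        case OP_SUB64_IMM: *dst -= imm; break;
        case OP_STXDW:                                      /* *(u64 *)(dst + off) = src */
            if (!(p = stack_ptr(stack, *dst + in->off, 8))) return -1;
            memcpy(p, &src, 8); break;
        case OP_LDXDW:                                      /* dst = *(u64 *)(src + off) */
            if (!(p = stack_ptr(stack, src + in->off, 8))) return -1;
            memcpy(dst, p, 8); break;
        case OP_JA: pc += in->off; break;                   /* offsets are relative to the next insn */
        case OP_JGT_IMM: if (*dst > imm) pc += in->off; break;
        case OP_EXIT: return (int64_t)r[0];
        default: return -1;
        }
    }
    return -1;  /* ran off the end without BPF_EXIT */
}

/* Constructed sample: sum 10 + 9 + ... + 1, keeping the running total in the stack slot at r10 - 8. */
const struct ebpf_insn sum_prog[] = {
    INSN(OP_MOV64_IMM, 1, 0, 0, 10),   /* r1 = 10 (counter)             */
    INSN(OP_MOV64_IMM, 0, 0, 0, 0),    /* r0 = 0  (accumulator)         */
    INSN(OP_STXDW, 10, 0, -8, 0),      /* *(u64 *)(r10 - 8) = r0        */
    INSN(OP_LDXDW, 0, 10, -8, 0),      /* loop: r0 = *(u64 *)(r10 - 8)  */
    INSN(OP_ADD64_REG, 0, 1, 0, 0),    /* r0 += r1                      */
    INSN(OP_STXDW, 10, 0, -8, 0),      /* *(u64 *)(r10 - 8) = r0        */
    INSN(OP_SUB64_IMM, 1, 0, 0, 1),    /* r1 -= 1                       */
    INSN(OP_JGT_IMM, 1, 0, -5, 0),     /* if r1 > 0 goto loop           */
    INSN(OP_EXIT, 0, 0, 0, 0)          /* return r0                     */
};
/* Constructed samples of programs the in-kernel verifier would refuse to load. */
const struct ebpf_insn oob_prog[]  = { INSN(OP_STXDW, 10, 0, 8, 0), INSN(OP_EXIT, 0, 0, 0, 0) }; /* store above r10 */
const struct ebpf_insn loop_prog[] = { INSN(OP_JA, 0, 0, -1, 0) };                               /* jumps to itself */
const size_t sum_prog_len = sizeof(sum_prog) / sizeof(sum_prog[0]);
const size_t oob_prog_len = sizeof(oob_prog) / sizeof(oob_prog[0]);
const size_t loop_prog_len = sizeof(loop_prog) / sizeof(loop_prog[0]);

int main(void) {
    printf("sum 1..10      -> %lld\n", (long long)ebpf_run(sum_prog, sum_prog_len));
    printf("out-of-stack   -> %lld\n", (long long)ebpf_run(oob_prog, oob_prog_len));
    printf("infinite loop  -> %lld\n", (long long)ebpf_run(loop_prog, loop_prog_len));
    return 0;
}
```

The two rejected samples show why the kernel does not rely on the runtime to catch such programs: the interpreter only notices the out-of-stack store at the moment it happens, and can only stop the self-loop by counting steps, whereas the verifier proves both properties statically so that the JIT-compiled native code needs neither check.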

= Tail calls =

Tail calls call and execute another eBPF program, replacing the execution context, similar to how the execve() system call operates for regular processes. This allows an eBPF program to call another eBPF program. Tail calls are implemented as a long jump, reusing the same stack frame, which is particularly useful in eBPF, where the stack is limited to 512 bytes. At runtime, functionality can be added or replaced atomically, thus altering the BPF program's execution behavior. A popular use case for tail calls is to spread the complexity of eBPF programs over several programs. Another is to replace or extend logic by replacing the contents of the program array while it is in use, for example to update a program version without downtime or to enable or disable logic.{{Cite web |title=Tail calls - eBPF Docs |url=https://ebpf-docs.dylanreimerink.nl/linux/concepts/tail-calls/ |access-date=2024-08-04 |website=ebpf-docs.dylanreimerink.nl}}

= BPF to BPF calls =

It is generally considered good practice in software development to group common code into a function that encapsulates logic for reuse. Prior to Linux kernel 4.16 and LLVM 6.0, a typical eBPF C program had to explicitly direct the compiler to inline such functions, resulting in a BPF object file with duplicated code. This restriction was lifted, and mainstream eBPF compilers now support writing functions naturally in eBPF programs. This reduces the generated eBPF code size, making it friendlier to the CPU instruction cache.

= eBPF verifier =

The verifier is a core component of eBPF; its main responsibility is to ensure that an eBPF program is safe to execute. It performs a static analysis of the eBPF bytecode to guarantee its safety, stepping through the instructions in order and assessing all possible execution paths. The verification process is a depth-first search through all possible paths of the program: the verifier simulates the execution of each instruction using abstract interpretation,{{cite conference |last1=Shachnai |first1=Matan |first2=Harishankar |last2=Vishwanathan |first3=Srinivas |last3=Narayana |first4=Santosh |last4=Nagarakatte |title=Fixing Latent Unsound Abstract Operators in the eBPF Verifier of the Linux Kernel |publisher=Springer Nature Switzerland |isbn=978-3-031-74776-2 |book-title=Static Analysis |pages=386-406 |doi=10.1007/978-3-031-74776-2_15 |url=https://people.cs.rutgers.edu/~sn349/papers/sas24-preprint.pdf |access-date=2 February 2025}} tracking the state of the registers and the stack, and if any instruction could lead to an unsafe state, verification fails. This process continues until all paths have been analyzed or a violation is found. Depending on the type of program, the verifier checks for violations of specific rules, which include:

  • an eBPF program must always terminate within a reasonable amount of time (no infinite loops or infinite recursion);
  • an eBPF program is not allowed to read arbitrary memory, because being able to read arbitrary memory could allow a program to leak sensitive information;
  • network programs are not allowed to access memory outside of packet bounds, because adjacent memory could contain sensitive information;
  • programs are not allowed to deadlock, so any held spinlock must be released and only one lock can be held at a time, to avoid deadlocks across multiple programs;
  • programs are not allowed to read uninitialized memory.

This is not an exhaustive list of the checks the verifier does, and there are exceptions to these rules. An example is that tracing programs have access to helpers that allow them to read memory in a controlled way, but these program types require root privileges and thus do not pose a security risk.

Over time the eBPF verifier has evolved to include newer features and optimizations, such as support for bounded loops, dead-code elimination, function-by-function verification, and callbacks.
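To make the abstract-interpretation step concrete, here is an added example of a toy verifier in C over the kernel's instruction encoding; it is not the kernel's verifier (which is vastly larger and tracks value ranges, not just types) and not code from the page. It keeps one abstract type per register (uninitialized, scalar, context pointer, frame pointer, packet pointer, packet-end pointer), explores both sides of every conditional jump depth-first, and rejects the classes of program the section lists: reads of uninitialized registers, packet loads not preceded by a bounds check against data_end, and backward jumps, which is how the verifier treated loops before bounded loops were supported. The context layout (data pointer at offset 0, data_end at offset 8, modelled on the XDP context) and the sample programs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Instruction layout and opcode values as in uapi/linux/bpf.h. */
struct ebpf_insn { uint8_t code; uint8_t dst_reg : 4; uint8_t src_reg : 4; int16_t off; int32_t imm; };
#define INSN(c, d, s, o, i) { (c), (d), (s), (o), (i) }
enum { OP_MOV64_IMM = 0xb7, OP_MOV64_REG = 0xbf, OP_ADD64_IMM = 0x07, OP_LDXDW = 0x79,
       OP_LDXB = 0x71, OP_JGT_REG = 0x2d, OP_JA = 0x05, OP_EXIT = 0x95 };

/* Abstract register types tracked per path (a small subset of what the kernel tracks). */
enum rtype { T_UNINIT, T_SCALAR, T_CTX, T_FP, T_PKT, T_PKT_END };
/* pkt_off: constant offset of a T_PKT register from the packet start;
 * pkt_safe: bytes from the packet start proven to lie before data_end on this path. */
struct state { enum rtype type[11]; int32_t pkt_off[11]; int32_t pkt_safe; };

static const char *need_init(const struct state *s, int reg) {
    return s->type[reg] == T_UNINIT ? "read of uninitialized register" : NULL;
}

/* Depth-first abstract interpretation from pc; NULL means every path from here is safe. */
static const char *verify_from(const struct ebpf_insn *prog, size_t len, size_t pc, struct state s, int depth) {
    if (depth > 64) return "too many nested branches";
    while (pc < len) {
        const struct ebpf_insn *in = &prog[pc++];
        int d = in->dst_reg, sr = in->src_reg, width = in->code == OP_LDXDW ? 8 : 1;
        const char *err;
        if (d >= 11 || sr >= 11) return "invalid register";
        if (d == 10 && in->code != OP_JGT_REG && in->code != OP_JA && in->code != OP_EXIT) return "write to read-only r10";
        switch (in->code) {
        case OP_MOV64_IMM: s.type[d] = T_SCALAR; break;
        case OP_MOV64_REG:
            if ((err = need_init(&s, sr))) return err;
            s.type[d] = s.type[sr]; s.pkt_off[d] = s.pkt_off[sr]; break;
        case OP_ADD64_IMM:
            if ((err = need_init(&s, d))) return err;
            if (s.type[d] == T_PKT) s.pkt_off[d] += in->imm;        /* pointer arithmetic keeps the type */
            else if (s.type[d] != T_SCALAR) return "arithmetic on unsupported pointer";
            break;
        case OP_LDXDW: case OP_LDXB:
            if ((err = need_init(&s, sr))) return err;
            if (s.type[sr] == T_CTX) {   /* toy context: data at +0, data_end at +8 (modelled on xdp_md) */
                if (width != 8 || (in->off != 0 && in->off != 8)) return "invalid context access";
                s.type[d] = in->off == 0 ? T_PKT : T_PKT_END; s.pkt_off[d] = 0;
            } else if (s.type[sr] == T_PKT) {
                int32_t start = s.pkt_off[sr] + in->off;
                if (start < 0 || start + width > s.pkt_safe) return "packet access beyond proven bounds";
                s.type[d] = T_SCALAR;
            } else return "load through non-pointer or unsupported pointer";
            break;
        case OP_JA:
            if (in->off < 0) return "back-edge (unbounded loop)";
            pc += in->off; break;
        case OP_JGT_REG: {
            struct state taken;
            if ((err = need_init(&s, d)) || (err = need_init(&s, sr))) return err;
            if (in->off < 0) return "back-edge (unbounded loop)";
            taken = s;   /* the taken branch (dst > src) proves nothing about packet bounds */
            if (s.type[d] == T_PKT && s.type[sr] == T_PKT_END) {
                if (s.pkt_off[d] > s.pkt_safe) s.pkt_safe = s.pkt_off[d];   /* fall-through: pkt + off <= data_end */
            } else if (s.type[d] != T_SCALAR || s.type[sr] != T_SCALAR)
                return "comparison of mismatched pointer types";
            if ((err = verify_from(prog, len, pc + in->off, taken, depth + 1))) return err;
            break;   /* continue along the fall-through path with the refined state */
        }
        case OP_EXIT: return need_init(&s, 0) ? "r0 uninitialized at exit" : NULL;
        default: return "unknown opcode";
        }
    }
    return "falls off the end without exit";
}

/* Entry state: r1 holds the context pointer, r10 the frame pointer, everything else is uninitialized. */
const char *ebpf_verify(const struct ebpf_insn *prog, size_t len) {
    struct state s;
    memset(&s, 0, sizeof s);   /* T_UNINIT == 0 */
    s.type[1] = T_CTX;
    s.type[10] = T_FP;
    return verify_from(prog, len, 0, s, 0);
}

/* Constructed samples (r1 = context with data at +0 and data_end at +8). */
const struct ebpf_insn ok_prog[] = {
    INSN(OP_LDXDW, 2, 1, 0, 0),      /* r2 = data                             */
    INSN(OP_LDXDW, 3, 1, 8, 0),      /* r3 = data_end                         */
    INSN(OP_MOV64_REG, 4, 2, 0, 0),  /* r4 = r2                               */
    INSN(OP_ADD64_IMM, 4, 0, 0, 14), /* r4 += 14 (one Ethernet header)        */
    INSN(OP_JGT_REG, 4, 3, 2, 0),    /* if r4 > r3 goto drop                  */
    INSN(OP_LDXB, 0, 2, 12, 0),      /* r0 = data[12], inside the proven 14 B */
    INSN(OP_EXIT, 0, 0, 0, 0),
    INSN(OP_MOV64_IMM, 0, 0, 0, 1),  /* drop: r0 = 1                          */
    INSN(OP_EXIT, 0, 0, 0, 0)
};
const struct ebpf_insn no_check_prog[] = { INSN(OP_LDXDW, 2, 1, 0, 0), INSN(OP_LDXB, 0, 2, 12, 0), INSN(OP_EXIT, 0, 0, 0, 0) };
const struct ebpf_insn uninit_prog[]   = { INSN(OP_MOV64_REG, 0, 5, 0, 0), INSN(OP_EXIT, 0, 0, 0, 0) };
const struct ebpf_insn loop_prog[]     = { INSN(OP_JA, 0, 0, -1, 0) };
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void) {   /* prints the verdict for each constructed sample */
    printf("ok: %s\nno_check: %s\nuninit: %s\nloop: %s\n", ebpf_verify(ok_prog, LEN(ok_prog)) ? "rejected" : "accepted",
           ebpf_verify(no_check_prog, LEN(no_check_prog)), ebpf_verify(uninit_prog, LEN(uninit_prog)), ebpf_verify(loop_prog, LEN(loop_prog)));
    return 0;
}
```

The point to notice is in the handling of the conditional jump: the state is copied before the branch, the copy for the taken path keeps the old bounds, and only the fall-through path gains the knowledge that 14 bytes are readable. Removing the compare-and-jump from ok_prog turns it into no_check_prog, and the very same load is then rejected, because safety is a property of the path leading to the instruction, not of the instruction itself.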

= eBPF CO-RE (Compile Once - Run Everywhere) =

eBPF programs use the memory and data structures of the kernel. Some structures can be modified between different kernel versions, altering the memory layout. Since the Linux kernel is continuously developed, there is no guarantee that the internal data structures will remain the same across different versions. CO-RE is a fundamental concept in modern eBPF development that allows eBPF programs to be portable across different kernel versions and configurations. It addresses the challenge of kernel structure variations between different Linux distributions and versions. CO-RE comprises BTF (BPF Type Format), a metadata format that describes the types used in the kernel and in eBPF programs and provides detailed information about struct layouts, field offsets, and data types. It enables runtime accessibility of kernel types, which is crucial for BPF program development and verification. BTF is included in the kernel image of BTF-enabled kernels. Special relocations are emitted by the compiler (e.g., LLVM). These relocations capture high-level descriptions of what information the eBPF program intends to access. The [https://github.com/libbpf/libbpf libbpf] library adapts eBPF programs to work with the data structure layout on the target kernel where they run, even if this layout is different from the kernel where the code was compiled. To do this, libbpf needs the BPF CO-RE relocation information generated by Clang as part of the compilation process. The compiled eBPF program is stored in an ELF (Executable and Linkable Format) object file. This file contains the BTF type information and the Clang-generated relocations. The ELF format allows the eBPF loader (e.g., libbpf) to process and adjust the BPF program dynamically for the target kernel.{{Cite web |title=BPF CO-RE - eBPF Docs |url=https://ebpf-docs.dylanreimerink.nl/concepts/core/ |access-date=2024-08-07 |website=ebpf-docs.dylanreimerink.nl}}

Branding

The alias eBPF is often used interchangeably with BPF,{{cite book|author = Brendan Gregg|date = December 2019|title = BPF Performance Tools| publisher=Addison-Wesley |isbn = 978-0136554820}} for example by the Linux kernel community. eBPF and BPF are referred to as a technology name, like LLVM. eBPF evolved as an extended version of the machine language of the filtering virtual machine in the Berkeley Packet Filter, but as its use cases outgrew networking, today "eBPF" is preferentially interpreted as a pseudo-acronym.

The bee is the official logo for eBPF. At the first eBPF Summit a vote was taken and the bee mascot was named "eBee".{{cite web|url=https://cilium.io/blog/2020/10/29/ebpf-summit-day-2|title=eBPF Summit Day Two|date=October 2020|website=cilium.io|access-date=1 July 2022}}{{cite web|url=https://ebpf.io/what-is-ebpf#what-is-the-bee-named|title=What is the bee named?|website=ebpf.io|access-date=1 July 2022}} The logo was originally created by Vadim Shchekoldin. Earlier unofficial eBPF mascots existed,{{cite web|url=https://www.brendangregg.com/blog/2015-05-15/ebpf-one-small-step.html|title=eBPF: One Small Step|website=Brendan Gregg's Blog|date=May 2015|access-date=1 July 2022}} but did not see widespread adoption.

Governance

The eBPF Foundation was created in August 2021 with the goal of expanding the contributions being made to extend the capabilities of eBPF and of growing beyond Linux. Founding members include Meta, Google, Isovalent, Microsoft and Netflix. Its purpose is to raise, budget, and spend funds in support of various open source, open data and/or open standards projects relating to eBPF technologies,{{cite web|url=https://ebpf.foundation/charter/|title=eBPF Foundation Charter|date=June 2021|website=ebpf.foundation|access-date=16 August 2022}} to further drive the growth and adoption of the eBPF ecosystem. Since its inception, Red Hat, Huawei, Crowdstrike, Tigera, DaoCloud, Datoms and FutureWei have also joined.{{cite web|url=https://ebpf.foundation/governance/|title=eBPF Foundation Governance|date=August 2022|website=ebpf.foundation|access-date=16 August 2022}}

Adoption

eBPF has been adopted by a number of large-scale production users, for example:

  • Meta uses eBPF through their Katran layer 4 load-balancer for all traffic going to facebook.com{{cite web|url=https://engineering.fb.com/2018/05/22/open-source/open-sourcing-katran-a-scalable-network-load-balancer/|title=Open-sourcing Katran, a scalable network load balancer|date=May 2018|website=fb.com|access-date=16 August 2022}}{{cite web|url=https://www.youtube.com/watch?v=ZYBXZFKPS28|title=BPF at Facebook|date=December 2019|website=youtube.com|access-date=16 August 2022}}{{cite web|url=https://lpc.events/event/11/contributions/950/|title=From XDP to socket|date=September 2021|website=lpc.events|access-date=16 August 2022}}{{cite web|url=https://lpc.events/event/2/contributions/109/|title=XDP 1.5 Years In Production. Evolution and Lessons Learned.|date=November 2018|website=lpc.events|access-date=16 August 2022}}
  • Google uses eBPF in GKE, developed BPF LSM and uses it to replace audit, and uses eBPF for networking{{cite web|url=https://cloud.google.com/blog/products/containers-kubernetes/bringing-ebpf-and-cilium-to-google-kubernetes-engine|title=New GKE Dataplane V2 increases security and visibility for containers|date=May 2021|website=cloud.google.com|access-date=16 August 2022}}{{cite web|url=https://www.youtube.com/watch?v=OBFYMBHrstI|title=eCHO episode 29: BPF LSM with KP Singh|date=November 2021|website=youtube.com|access-date=16 August 2022}}{{cite web|url=https://www.youtube.com/watch?v=URm_q9ylxBk|title=BPF security auditing at Google - Brendan Jackman/KP Singh|date=November 2021|website=youtube.com|access-date=16 August 2022}}{{cite web|url=https://legacy.netdevconf.info/0x14/session.html?talk-replacing-HTB-with-EDT-and-BPF|title=Replacing HTB with EDT and BPF|date=July 2020|website=netdevconf.info|access-date=16 August 2022}}
  • Cloudflare uses eBPF for load balancing, DDoS protection and security enforcement{{cite web|url=https://blog.cloudflare.com/cloudflare-architecture-and-how-bpf-eats-the-world/|title=Cloudflare architecture and how BPF eats the world|date=May 2019|website=blog.cloudflare.com|access-date=16 August 2022}}{{cite web|url=https://blog.cloudflare.com/its-crowded-in-here/|title=It's crowded in here!|date=October 2019|website=blog.cloudflare.com|access-date=16 August 2022}}{{cite web|url=https://blog.cloudflare.com/tubular-fixing-the-socket-api-with-ebpf/|title=Production ready eBPF, or how we fixed the BSD socket API|date=February 2022|website=blog.cloudflare.com|access-date=16 August 2022}}{{cite web|url=https://blog.cloudflare.com/live-patch-security-vulnerabilities-with-ebpf-lsm/|title=Live-patching security vulnerabilities inside the Linux kernel with eBPF Linux Security Module|date=June 2022|website=blog.cloudflare.com|access-date=16 August 2022}}{{cite web|url=https://blog.cloudflare.com/unimog-cloudflares-edge-load-balancer/|title=Unimog - Cloudflare's edge load balancer|date=September 2020|website=blog.cloudflare.com|access-date=16 August 2022}}
  • Netflix uses eBPF for fleet-wide network observability and performance diagnosis{{cite web|url=https://netflixtechblog.com/how-netflix-uses-ebpf-flow-logs-at-scale-for-network-insight-e3ea997dca96|title=How Netflix uses eBPF flow logs at scale for network insight|date=June 2021|website=netflixtechblog.com|access-date=16 August 2022}}{{cite web|url=https://netflixtechblog.com/extending-vector-with-ebpf-to-inspect-host-and-container-performance-5da3af4c584b|title=Extending Vector with eBPF to inspect host and container performance|date=February 2019|website=netflixtechblog.com|access-date=16 August 2022}}
  • Dropbox uses eBPF through Katran for layer 4 load-balancing{{cite web|url=https://dropbox.tech/infrastructure/dropbox-traffic-infrastructure-edge-network|title=Dropbox traffic infrastructure: Edge network|date=October 2018|website=dropbox.tech|access-date=16 August 2022}}
  • Android uses eBPF for NAT46 and traffic monitoring{{cite web|url=https://source.android.com/docs/core/datausage/ebpf-traffic-monitor|title=eBPF Traffic Monitoring|date=August 2022|website=source.android.com|access-date=16 August 2022}}{{cite web|url=https://source.android.com/docs/core/architecture/kernel/bpf|title=Extending the Kernel with eBPF|date=August 2022|website=source.android.com|access-date=16 August 2022}}{{cite web|url=https://www.spinics.net/lists/bpf/msg58444.html|title=[PATCH v5 1/3] selftests: bpf: add test for bpf_skb_change_proto|date=April 2022|access-date=16 August 2022}}
  • Samsung Galaxy uses eBPF for networking solutions{{cite web|url=https://www.youtube.com/watch?v=unnVlwyevmU|title=BPF for Android: How we leverage BPF for our networking solutions - Madhan Raj Kanagarathinam|date=February 2024|website=www.youtube.com|access-date=19 February 2022}}
  • Yahoo! Inc uses eBPF through Cilium for layer 4 load balancing{{Citation |title=Software L4 Load Balancing for Kubernetes Services at Yahoo! – Karthikeyan Thangaraj, Verizon Media | date=19 August 2021 |url=https://www.youtube.com/watch?v=-C86fBMcp5Q |access-date=2024-02-03 |language=en}}
  • LinkedIn uses eBPF for infrastructure observability{{Cite web |title=Skyfall: eBPF agent for infrastructure observability |url=https://www.linkedin.com/blog/engineering/infrastructure/skyfall-ebpf-agent-for-infrastructure-observability |access-date=2024-02-03 |website=www.linkedin.com |language=en}}
  • Alibaba uses eBPF for Kubernetes Pod load-balancing{{cite web|url=https://www.alibabacloud.com/blog/how-does-alibaba-cloud-build-high-performance-cloud-native-pod-networks-in-production-environments_596590|title=How Does Alibaba Cloud Build High-Performance Cloud-Native Pod Networks in Production Environments?|date=September 2020|website=alibabacloud.com|access-date=16 August 2022}}
  • Datadog uses eBPF for Kubernetes Pod networking and security enforcement{{cite web|url=https://datadogon.datadoghq.com/episodes/datadog-on-ebpf/|title=Datadog on eBPF|date=February 2021|website=datadogon.datadoghq.com|access-date=16 August 2022}}{{cite web|url=https://www.sstic.org/media/SSTIC2021/SSTIC-actes/runtime_security_with_ebpf/SSTIC2021-Article-runtime_security_with_ebpf-fournier_afchain_baubeau.pdf|title=Runtime Security Monitoring with eBPF|date=February 2021|website=sstic.org|access-date=16 August 2022}}{{cite web|url=https://www.youtube.com/watch?v=6mTVuZUHLBg|title=Our eBPF Journey at Datadog - Laurent Bernaille & Tabitha Sable, Datadog|date=November 2020|website=youtube.com|access-date=16 August 2022}}
  • Trip.com uses eBPF for Kubernetes Pod networking{{cite web|url=https://cilium.io/blog/2020/02/05/how-trip-com-uses-cilium/|title=User Story - How Trip.com uses Cilium|date=February 2020|website=cilium.io|access-date=16 August 2022}}{{cite web|url=https://arthurchiao.art/blog/trip-stepping-into-cloud-native-networking-era/|title=Trip.com: Stepping into Cloud Native Networking Era with Cilium+BGP|date=November 2020|website=arthurchiao.art|access-date=16 August 2022}}
  • Shopify uses eBPF for intrusion detection through Falco{{Citation |title=Keynote: Open Source Intrusion Detection for Containers at Shopify - Shane Lawrence & Kris Nóva | date=4 September 2020 |url=https://www.youtube.com/watch?v=6pVci31Mb6Q |access-date=2024-02-09 |language=en}}
  • DoorDash uses eBPF through BPFAgent for kernel level monitoring{{Cite news |last=Rogers |first=Patrick |date=2023-08-15 |title=BPFAgent: eBPF for Monitoring at DoorDash - DoorDash Engineering Blog |url=https://doordash.engineering/2023/08/15/bpfagent-ebpf-for-monitoring-at-doordash/ |access-date=2024-02-09 |work=DoorDash Engineering Blog |language=en-US}}
  • Microsoft ported eBPF and XDP to Windows{{cite web|url=https://cloudblogs.microsoft.com/opensource/2021/05/10/making-ebpf-work-on-windows/|title=Making eBPF work on Windows|date=May 2021|website=cloudblogs.microsoft.com|access-date=16 August 2022}}{{cite web|url=https://cloudblogs.microsoft.com/opensource/2022/02/22/getting-linux-based-ebpf-programs-to-run-with-ebpf-for-windows/|title=Getting Linux based eBPF programs to run with eBPF for Windows|date=February 2022|website=cloudblogs.microsoft.com|access-date=16 August 2022}}{{cite web|url=https://cloudblogs.microsoft.com/opensource/2021/11/29/progress-on-making-ebpf-work-on-windows/|title=Progress on making eBPF work on Windows|date=November 2019|website=cloudblogs.microsoft.com|access-date=16 August 2022}}
  • Seznam uses eBPF through Cilium for layer 4 load-balancing{{cite web|url=https://cilium.io/blog/2022/04/12/cilium-standalone-L4LB-XDP/|title=Cilium Standalone Layer 4 Load Balancer XDP|date=July 2022|website=cilium.io|access-date=16 August 2022}}
  • DigitalOcean uses eBPF and XDP to rate limit access to internal services in their virtual network{{Citation |title=Rate limiting access to internal services in a virtual network – Nick Bouliane, DigitalOcean | date=19 August 2021 |url=https://www.youtube.com/watch?v=gcHxfhDT-I4 |access-date=2024-02-04 |language=en}}
  • CapitalOne uses eBPF for Kubernetes Pod networking{{cite web|url=https://www.youtube.com/watch?v=hwOpCKBaJ-w|title=Building a Secure and Maintainable PaaS - Bradley Whitfield, Capital One|date=November 2020|website=youtube.com|access-date=16 August 2022}}
  • Bell Canada uses eBPF to modernize telco networking with SRv6{{Citation |title=Why eBPF is changing the telco networking space – Daniel Bernier, Bell Canada | date=31 August 2021 |url=https://www.youtube.com/watch?v=fNtG0iHYne4 |access-date=2024-02-09 |language=en}}
  • Elastic NV uses eBPF for code profiling as part of their observability offering{{Citation |title=Elastic Universal Profiling |url=https://www.elastic.co/observability/universal-profiling |access-date=2024-02-26 |language=en}}
  • Apple uses eBPF for Kubernetes Pod security{{cite web|url=https://www.youtube.com/watch?v=ZBlJSr6XkN8|title=Think eBPF for Kernel Security Monitoring - Falco at Apple- Eric Sage & Melissa Kilby, Apple|date=October 2021|website=youtube.com|access-date=16 August 2022}}
  • Sky uses eBPF for Kubernetes Pod networking{{cite web|url=https://www.youtube.com/watch?v=u-4naOMfs_w|title=eBPF & Cilium at Sky – Sebastian Duff, Anthony Comtois, Jospeh [sic] Samuel, Sky|date=August 2021|website=youtube.com|access-date=16 August 2022}}
  • Walmart uses eBPF for layer 4 load-balancing{{cite web|url=https://www.youtube.com/watch?v=Fu4L8ewcO70|title=Running and orchestrating multiple XDP and TC programs – Brian Merrell, Walmart|date=August 2021|website=youtube.com|access-date=16 August 2022}}{{cite web|url=https://www.youtube.com/watch?v=thmAcyix8FM|title=High Performance Load Balancing @Walmart – Kanthi Pavuluri & Karan Dalal, Walmart|date=August 2021|website=youtube.com|access-date=16 August 2022}}
  • Huawei uses eBPF through their DIGLIM secure boot system{{cite web|url=https://www.youtube.com/watch?v=iA7T4MAqKUc|title=DIGLIM eBPF: secure boot at application level with minimal changes to distros - Roberto Sassu|date=August 2022|website=youtube.com|access-date=16 August 2022}}
  • Ikea uses eBPF for Kubernetes Pod networking{{cite web|url=https://www.youtube.com/watch?v=sg-F_R-ZVNc|title=IKEA Private Cloud, eBPF Based Networking, Load Balancing, and Observability with... Karsten Nielsen|date=May 2022|website=youtube.com|access-date=16 August 2022}}
  • The New York Times uses eBPF for networking{{Citation |title=Panel Discussion: Is There Actually a Byte Behind All the Buzz? eBPF in Production! | date=28 October 2022 |url=https://www.youtube.com/watch?v=qmrHONqsV2M |access-date=2024-02-09 |language=en}}
  • Red Hat uses eBPF at scale for load balancing and tracing in their private cloud
  • Palantir Technologies uses eBPF to debug networking problems in large scale Kubernetes clusters{{Citation |title=Using user-space tracing to solve DNS problems – Andrius Grabauskas, Palantir | date=19 August 2021 |url=https://www.youtube.com/watch?v=0RDp1IPxbg0 |access-date=2024-02-09 |language=en}}

Security

Due to the ease of programmability, eBPF has been used as a tool for implementing microarchitectural timing side-channel attacks such as Spectre against vulnerable microprocessors.{{cite web|url=https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html|title=Reading privileged memory with a side-channel|website=googleprojectzero.blogspot.com|date=3 January 2018 |access-date=16 August 2022}} While unprivileged eBPF implements mitigations against Spectre v1, v2, and v4 for x86-64,{{cite web|url=https://popl22.sigplan.org/details/prisc-2022-papers/11/BPF-and-Spectre-Mitigating-transient-execution-attacks|title=BPF and Spectre: Mitigating transient execution attacks|website=popl22.sigplan.org|access-date=16 August 2022}}{{cite conference |url=https://arxiv.org/pdf/2405.00078 |access-date=2 February 2025 |doi=10.1145/3678890.3678907 |doi-access=free |first1=Luis |last1=Gerhorst |first2=Henriette |last2=Herzog |first3=Peter |last3=Wägemann |first4=Maximilian |last4=Ott |first5=Rüdiger |last5=Kapitza |first6=Timo |last6=Hönig |title=VeriFence: Lightweight and Precise Spectre Defenses for Untrusted Linux Kernel Extensions |book-title=Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses (RAID '24) |publisher=Association for Computing Machinery |pages=644–659 |chapter=2.2 Spectre Defenses of Linux BPF|arxiv=2405.00078 }} unprivileged use has ultimately been disabled by the kernel community by default to protect users of unsupported architectures and limit the impact of future hardware vulnerabilities.{{cite web|url=https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8a03e56b253e9691c90bc52ca199323d71b96204|title=bpf: Disallow unprivileged bpf by default|website=kernel.org|access-date=16 August 2022}} On x86-64, Spectre v1 is mitigated through a combination of branchless bounds-enforcement (e.g., masking instructions) and the verification of speculative execution paths.
Spectre v4 is mitigated exclusively through speculation barriers (i.e., lfence), and Spectre v2 is mitigated through retpoline when available{{cite web|url=https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/net/bpf_jit_comp.c?h=v6.13&id=ffd294d346d185b70e28b1a28abe367bbfe53c04#n652 |title=emit_indirect_jump() in arch/x86/net/bpf_jit_comp.c of Linux v6.13 |website=kernel.org |access-date=2 February 2025}} or otherwise through speculation barriers. These mitigations prevent sensitive information owned by the kernel (e.g., kernel addresses) from being leaked by malicious eBPF programs, but they are not designed to prevent innocuous eBPF programs from accidentally leaking sensitive information they own or process (e.g., cryptographic keys stored as numbers).
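The following is an added illustration, not code from the article or from the Linux kernel, of the "branchless bounds-enforcement" the paragraph above mentions. It places a plain bounds check (where the load sits behind a conditional branch that a mispredicting CPU can transiently skip) beside a masked lookup in which the index reaching the load is clamped by a mask computed without any branch, in the spirit of the generic array_index_mask_nospec() expression in the kernel's include/linux/nospec.h, and beside the power-of-two index mask a fixed-size table can use. It also reads the kernel.unprivileged_bpf_disabled sysctl that records the default described above. The table contents, the slot count and the function names are constructed for the example; the sysctl reader returns -1 on hosts where the file is absent.

```c
/* Added example: user-space sketch of branchless index masking against
 * Spectre v1, plus a check of whether unprivileged BPF is disabled.
 * Not taken from the article or from the Linux kernel sources. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_SLOTS 8u  /* constructed: number of entries in the sample table */

/* Constructed sample table standing in for a map's value area. */
static const uint32_t sample_table[NR_SLOTS] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Plain bounds check. Architecturally correct, but the load depends on a
 * conditional branch, so a mispredicted branch can execute it transiently
 * with an out-of-range index. This is the shape of a Spectre v1 gadget. */
uint32_t lookup_branch_only(const uint32_t *tbl, size_t n, size_t idx)
{
    if (idx < n)
        return tbl[idx];
    return 0;
}

/* Branchless mask: all ones when idx < n, zero otherwise.
 * For 0 <= idx < n both idx and (n - 1 - idx) are non-negative, so the top
 * bit of their OR is clear; for idx >= n the subtraction wraps and the top
 * bit is set. Written in unsigned arithmetic so the shift is well defined. */
size_t index_mask_nospec(size_t idx, size_t n)
{
    size_t top = (idx | (n - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - (1 - top);  /* top == 0 -> SIZE_MAX, top == 1 -> 0 */
}

/* Hardened lookup: the branch still provides the architectural result, but
 * the index that reaches the load is also clamped by the mask, so even a
 * transiently executed load cannot leave the table. */
uint32_t lookup_masked(const uint32_t *tbl, size_t n, size_t idx)
{
    if (idx < n) {
        idx &= index_mask_nospec(idx, n);
        return tbl[idx];
    }
    return 0;
}

/* Power-of-two variant: when the allocation is rounded up to a power of two,
 * a constant AND mask keeps any index inside the allocated range. */
uint32_t lookup_pow2_masked(const uint32_t *tbl, size_t n_pow2, size_t idx)
{
    if (idx < n_pow2)
        return tbl[idx & (n_pow2 - 1)];
    return 0;
}

/* Reads kernel.unprivileged_bpf_disabled: 0 = unprivileged BPF allowed,
 * 1 = disabled until reboot, 2 = disabled but can be re-enabled.
 * Returns -1 when the sysctl cannot be read (e.g. non-Linux host). */
int unprivileged_bpf_disabled(void)
{
    FILE *f = fopen("/proc/sys/kernel/unprivileged_bpf_disabled", "r");
    int v = -1;
    if (f) {
        if (fscanf(f, "%d", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

int main(void)
{
    printf("branch-only lookup(3)  = %u\n", lookup_branch_only(sample_table, NR_SLOTS, 3));
    printf("masked lookup(3)       = %u\n", lookup_masked(sample_table, NR_SLOTS, 3));
    printf("mask for idx 3 of %u   = %#zx\n", NR_SLOTS, index_mask_nospec(3, NR_SLOTS));
    printf("mask for idx 9 of %u   = %#zx\n", NR_SLOTS, index_mask_nospec(9, NR_SLOTS));
    printf("unprivileged_bpf_disabled = %d\n", unprivileged_bpf_disabled());
    return 0;
}
```

The mask only removes the speculative out-of-bounds load; the architectural check stays, so behaviour for valid indices is unchanged. The sysctl value is the first thing to confirm on a host where eBPF programs from unprivileged users are a concern, since the kernel's Spectre mitigations for eBPF apply to that path and, as the paragraph notes, are disabled by default.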

See also

References

{{Reflist|30em}}

Further reading

  • {{cite book |author=Gregg |first=Brendan |date=December 2019 |title=BPF Performance Tools |publisher=Addison-Wesley |isbn=978-0136554820 |author-link=Brendan Gregg}}
  • {{cite book |author=David Calavera, Lorenzo Fontana |date=December 2019 |title=Linux Observability With BPF |publisher=O'Reilly Media, Incorporated |isbn=978-1492050209}}

  • {{cite book |author=Gregg |first=Brendan |date=December 2020 |title=Systems Performance, Second edition |publisher=Addison-Wesley |isbn=978-0136820154 |author-link=Brendan Gregg}}
  • {{cite book |author=Rice |first=Liz |date=April 2022 |title=What Is eBPF? |isbn=978-1492097259 |author-link=OpenUK}}
  • {{cite book |author=Rice |first=Liz |date=April 2023 |title=Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security |publisher=O'Reilly Media |isbn=978-1098135126 |author-link=OpenUK}}
  • {{Cite IETF |title=BPF Instruction Set Architecture (ISA) |rfc=9669 |editor-last= Thaler |editor-first=Dave |date=October 2024 |publisher=IETF |access-date=2024-01-05 |doi=10.17487/RFC9669}}