What is the whole buzz around eBPF?
I’m going to give you the best perspective for understanding what exactly this technology is about and why it’s one of the best implementations out there.🤭
Okay, okay, before you search for eBPF on Google, I’ll save you the stress of what you’re going to find 😂
Of course this isn’t what I’m here to talk about, we ain’t playing no championships here😂. Alright, enough playing around.
Upon hearing about eBPF, the very first question that popped into my mind was
What is eBPF?
I think even before I tell you what eBPF really is, I want you to understand why there was a need to build it in the first place: what exactly was the problem being solved?
Why eBPF?
Looking at this architecture, which I’m sure most of y’all already know is the architecture of Linux (of course, it’s right there on the image 😂).
The purpose of the kernel is to act as a bridge between the hardware and the software. It is mainly responsible for managing resources such as CPU, memory and I/O devices, ensuring efficient allocation by providing a consistent API (system calls) through which programs request them.
Hold on, it even gets interesting from here… 🤭
For the kernel to perform its resource management duties efficiently, it is built from layers and several subsystems that carry out most of the configuration needed to get the job done, and each subsystem allows some level of configuration to suit various needs and various users.
BUT there are certain behaviours that cannot be configured and would require a change to the kernel itself.🤯 (How will I make changes to such a robust system without destroying something 😥? This is a regular DevOps engineer’s nightmare btw 😂)
Historically there were only 2 ways those changes could happen.
- Native Support: This would mean making changes to the kernel source code and somehow convincing the whole Linux kernel community that your change is required and the next best thing after milkshake.🤣
You’d also have to wait several years for the change to show up in a released kernel version.
- Kernel Module: In this case you’d have to write a kernel module and keep fixing and patching it so it doesn’t break with every new kernel release, and on top of that you run the risk of corrupting your Linux kernel, because there is no safety boundary around a module.
So now we understand why there was a need to build eBPF.
What is eBPF?
eBPF is an efficient and secure virtual machine inside the kernel that runs eBPF bytecode and makes the operating system programmable.
eBPF allows for reprogramming the behavior of the Linux kernel without requiring changes to kernel source code or loading a kernel module.
This technology has great power, as it interacts with and runs at the heart of many critical software infrastructure components (imagine an artificial extension to your heart 😬).
Like the saying goes
“With more power, comes even greater responsibility.”
so there is a great need to ensure the safety of the programs that run, and there are several layers at which this is done.
Required Privileges — Layer 1
Before an eBPF program is allowed to run in the kernel, the kernel checks that the process loading it has the required privileges.
If unprivileged eBPF is enabled, unprivileged processes can load certain eBPF programs, subject to a reduced set of functionality and with limited access to the kernel.
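To make Layer 1 concrete, here is a small model of that check as an added example (my own illustration, not code from the article or the kernel). It takes the two inputs a defender can actually collect on a host: the `kernel.unprivileged_bpf_disabled` sysctl value and the effective capability mask (`CapEff`) from `/proc/<pid>/status`. The capability bit numbers are the real Linux values; the policy notes and the meaning of the sysctl values are written from the kernel’s documented behaviour, and the sample values at the bottom are constructed, not captured from a real machine.

```python
# Added illustration (not from the article): a model of the "Layer 1"
# privilege check. Capability bit numbers are the Linux values from
# <linux/capability.h>; CAP_BPF exists on kernels >= 5.8.
CAP_NET_ADMIN = 12
CAP_SYS_ADMIN = 21
CAP_PERFMON = 38
CAP_BPF = 39


def has_cap(cap_eff_hex: str, cap: int) -> bool:
    """Test one capability bit in a CapEff value as printed by /proc/<pid>/status."""
    return (int(cap_eff_hex, 16) >> cap) & 1 == 1


def bpf_load_policy(unprivileged_bpf_disabled: int, cap_eff_hex: str) -> dict:
    """Return how the kernel would treat a bpf() program-load from this process.

    unprivileged_bpf_disabled is the sysctl value:
      0 = unprivileged loading allowed (reduced program set, limited kernel access)
      1 = disabled until reboot
      2 = disabled, but root may set it back to 0
    """
    privileged = has_cap(cap_eff_hex, CAP_SYS_ADMIN) or has_cap(cap_eff_hex, CAP_BPF)
    if privileged:
        return {"allowed": True, "mode": "privileged",
                "note": "full program set; verifier still runs; "
                        "hardening depends on net.core.bpf_jit_harden"}
    if unprivileged_bpf_disabled == 0:
        return {"allowed": True, "mode": "unprivileged",
                "note": "reduced program set (e.g. socket filters); hardening always on"}
    reason = ("disabled until reboot" if unprivileged_bpf_disabled == 1
              else "disabled, re-enabling requires root")
    return {"allowed": False, "mode": "unprivileged", "note": reason}


def read_live_state(status_path="/proc/self/status",
                    sysctl_path="/proc/sys/kernel/unprivileged_bpf_disabled"):
    """Read the real values on a Linux host; returns None if either file is missing."""
    try:
        with open(sysctl_path) as f:
            sysctl = int(f.read().strip())
        with open(status_path) as f:
            cap_eff = next(line.split()[1] for line in f if line.startswith("CapEff:"))
    except (OSError, ValueError, StopIteration):
        return None
    return bpf_load_policy(sysctl, cap_eff)


if __name__ == "__main__":
    # Constructed sample values, not captured from a real host:
    print(bpf_load_policy(2, "0000000000000000"))   # plain user, sysctl hardened
    print(bpf_load_policy(0, "0000000000000000"))   # plain user, unprivileged eBPF on
    print(bpf_load_policy(2, "0000008000000000"))   # CAP_BPF only (bit 39)
    print(read_live_state())                        # whatever this host says
```

The useful defender takeaway is that `unprivileged_bpf_disabled=2` (the default on most recent distributions) plus a tight grant of `CAP_BPF`/`CAP_SYS_ADMIN` is what keeps Layer 1 meaningful; the verifier and hardening layers below only ever see programs that got past this gate.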
eBPF Verifier — Layer 2
If a process is allowed to load an eBPF program, all programs still pass through the eBPF verifier. The eBPF verifier ensures the safety of the program itself. This means, for example:
- Programs are validated to ensure they always run to completion, e.g. an eBPF program may never block or sit in a loop forever. eBPF programs may contain so-called bounded loops, but the program is only accepted if the verifier can ensure that the loop contains an exit condition which is guaranteed to become true.
- Programs may not use any uninitialized variables or access memory out of bounds.
- Programs must fit within the size requirements of the system. It is not possible to load arbitrarily large eBPF programs.
- Programs must have finite complexity. The verifier evaluates all possible execution paths and must be able to complete the analysis within the configured upper complexity limit.
The safety of the eBPF program is determined in two steps.
- The first step does a DAG check to disallow loops, plus other CFG validation. In particular it detects programs that have unreachable instructions (though the classic BPF checker allows them).
- The second step starts from the first instruction and descends all possible paths. It simulates the execution of every instruction and observes the state changes of registers and stack.
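To show what those two steps actually do, here is a toy verifier as an added example (my own illustration, not the article’s code and not the kernel’s verifier). It runs over a made-up, simplified bytecode of seven instruction forms; real eBPF instructions, register types and the real verifier are far richer, and the real verifier also accepts bounded loops, which this toy rejects to match the two-step description above. The stack size of 512 bytes is the real eBPF value; the complexity limit, the instruction encoding and the sample programs are constructed for the demo.

```python
# Added illustration (not from the article or the kernel): a toy version of
# the verifier's two-step safety check over a simplified, made-up bytecode.
STACK_SIZE = 512          # bytes; eBPF programs get a 512-byte stack
COMPLEXITY_LIMIT = 1000   # constructed cap on simulated instructions over all paths
WORD = 8

# Instruction forms (immediates are ints, registers are "r0".."r10"):
#   ("mov", dst, imm)          ("add", dst, src)
#   ("store", off, src)        ("load", dst, off)      stack access at fp+off
#   ("jeq", reg, imm, target)  ("jmp", target)         ("exit",)


def successors(prog, i):
    """Control-flow successors of instruction i."""
    ins = prog[i]
    if ins[0] == "exit":
        return []
    if ins[0] == "jmp":
        return [ins[1]]
    if ins[0] == "jeq":
        return [i + 1, ins[3]]
    return [i + 1]


def check_cfg(prog):
    """Step 1: reject out-of-range jumps, back-edges (loops) and unreachable code."""
    n = len(prog)
    color = ["white"] * n      # white = unvisited, grey = on DFS stack, black = done

    def dfs(i):
        color[i] = "grey"
        for s in successors(prog, i):
            if not 0 <= s < n:
                return f"jump target {s} out of range at insn {i}"
            if color[s] == "grey":
                return f"back-edge {i}->{s}: loop detected"
            if color[s] == "white":
                err = dfs(s)
                if err:
                    return err
        color[i] = "black"
        return None

    err = dfs(0)
    if err:
        return err
    unreachable = [i for i, c in enumerate(color) if c == "white"]
    return f"unreachable instructions: {unreachable}" if unreachable else None


def simulate(prog):
    """Step 2: walk every path, tracking initialized registers and stack slots."""
    steps = 0
    # worklist of (pc, initialized registers, initialized stack offsets);
    # r1 holds the context pointer and r10 the frame pointer on entry
    work = [(0, frozenset({"r1", "r10"}), frozenset())]
    while work:
        pc, regs, stack = work.pop()
        steps += 1
        if steps > COMPLEXITY_LIMIT:
            return "complexity limit exceeded"
        ins = prog[pc]
        op = ins[0]
        if op == "mov":
            regs = regs | {ins[1]}
        elif op == "add":
            if ins[1] not in regs or ins[2] not in regs:
                return f"insn {pc}: add uses uninitialized register"
        elif op in ("store", "load"):
            off = ins[1] if op == "store" else ins[2]
            if not (-STACK_SIZE <= off and off + WORD <= 0):
                return f"insn {pc}: stack access at fp{off:+d} out of bounds"
            if op == "store":
                if ins[2] not in regs:
                    return f"insn {pc}: storing uninitialized register"
                stack = stack | {off}
            else:
                if off not in stack:
                    return f"insn {pc}: reading uninitialized stack slot"
                regs = regs | {ins[1]}
        elif op == "jeq":
            if ins[1] not in regs:
                return f"insn {pc}: branch on uninitialized register"
        elif op == "exit":
            if "r0" not in regs:
                return f"insn {pc}: exit with r0 (return value) uninitialized"
            continue
        for s in successors(prog, pc):
            work.append((s, regs, stack))
    return None


def verify(prog):
    """Return None if the program is accepted, else the rejection reason."""
    return check_cfg(prog) or simulate(prog)


# Constructed sample programs:
GOOD = [("mov", "r0", 0), ("jeq", "r1", 0, 3), ("mov", "r0", 1), ("exit",)]
LOOP = [("mov", "r0", 0), ("jmp", 0), ("exit",)]
UNINIT = [("add", "r0", "r2"), ("exit",)]
OOB = [("mov", "r0", 0), ("store", -520, "r0"), ("exit",)]
```

Running `verify()` on the samples gives `None` for `GOOD`, a loop rejection for `LOOP`, an uninitialized-register rejection for `UNINIT` and an out-of-bounds rejection for `OOB`; a chain of a dozen conditional branches is enough to blow the constructed complexity limit, which is the toy version of the "finite complexity" rule listed above.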
Hardening — Layer 3
After verification, and depending on which privilege level was used to load it (privileged or unprivileged mode), the eBPF program goes through a hardening process:
- Program execution protection: The kernel memory holding an eBPF program is protected and made read-only. Any attempt to modify it, for whatever reason, crashes the kernel!!! 😱
- Constant blinding: To prevent JIT spraying attacks, all constants are blinded. This stops attackers from injecting executable code disguised as constants.
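Constant blinding is easier to trust once you see the rewrite, so here it is as an added example (my own illustration, not code from the article or the kernel). It uses a made-up three-field instruction model with a scratch register named `ax`, standing in for the kernel’s reserved AX register that the real `bpf_jit_blind_insn()` uses; every instruction carrying an immediate becomes `mov ax, imm ^ key ; xor ax, key ; op dst, ax`, so the value the program author chose is never emitted as-is, while the tiny interpreter confirms the program still computes the same result. The sample program and the fixed demo key are constructed.

```python
# Added illustration (not from the article or the kernel): the constant-blinding
# rewrite over a simplified instruction model, with an interpreter to confirm
# that blinding changes the emitted immediates but not the program's meaning.
import random

MASK32 = 0xFFFFFFFF

# Instruction forms: ("mov_k", dst, imm) / ("add_k", dst, imm) / ("xor_k", dst, imm)
# carry an immediate; ("mov_x", dst, src) / ("add_x", dst, src) / ("xor_x", dst, src)
# take a register. "ax" is the scratch register (stands in for the kernel's AX).


def blind(prog, key_fn=lambda: random.getrandbits(32)):
    """Rewrite each immediate-carrying instruction as:
         mov ax, imm ^ key ; xor ax, key ; op dst, ax
    A fresh 32-bit key per instruction mirrors the kernel's get_random_u32().
    (A key equal to imm would leak it; probability 2**-32 per instruction.)"""
    out = []
    for ins in prog:
        op, dst, arg = ins
        if op.endswith("_k"):
            key = key_fn() & MASK32
            out.append(("mov_k", "ax", (arg ^ key) & MASK32))
            out.append(("xor_k", "ax", key))
            out.append((op[:-2] + "_x", dst, "ax"))
        else:
            out.append(ins)
    return out


def run(prog, regs=None):
    """Tiny interpreter over 32-bit registers; returns the final register file."""
    regs = dict(regs or {})
    for op, dst, arg in prog:
        val = regs[arg] if op.endswith("_x") else arg
        if op.startswith("mov"):
            regs[dst] = val & MASK32
        elif op.startswith("add"):
            regs[dst] = (regs.get(dst, 0) + val) & MASK32
        elif op.startswith("xor"):
            regs[dst] = (regs.get(dst, 0) ^ val) & MASK32
        else:
            raise ValueError(f"unknown op {op}")
    return regs


def immediates(prog):
    """Every immediate a JIT would have to emit for this instruction stream."""
    return [arg for op, _, arg in prog if op.endswith("_k")]


def blinding_preserves_semantics(prog, key_fn=lambda: random.getrandbits(32)):
    """True if the blinded program leaves every original register with the same value."""
    before = run(prog)
    after = run(blind(prog, key_fn))
    return all(after.get(r) == v for r, v in before.items())


# Constructed sample: a two-instruction program carrying author-chosen constants.
SAMPLE = [("mov_k", "r0", 0x11223344), ("add_k", "r0", 0x12345678)]

if __name__ == "__main__":
    blinded = blind(SAMPLE, key_fn=lambda: 0x0F0F0F0F)   # fixed demo key
    print([hex(i) for i in immediates(SAMPLE)])           # the constants as written
    print([hex(i) for i in immediates(blinded)])          # what actually gets emitted
    print(hex(run(SAMPLE)["r0"]), hex(run(blinded)["r0"]))
```

The point to take from the output is that the emitted immediates are `imm ^ key` and `key`, neither of which is the constant the program author wrote, while `r0` ends up identical in both runs. In the kernel this is applied to unprivileged programs unconditionally and to privileged ones according to the `net.core.bpf_jit_harden` sysctl.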
Further Reading
If you would like to learn more about eBPF, continue reading using the following additional materials:
Thank you for making it this far, I’m pretty sure you have learned quite a lot.😉
Now, remember, this article is not only for experts in the software space; even newbies can hop in and learn a lot, and that is why I try to make everything clear in both layman’s and professional terms. So if you have any questions, shoot, or you can also reach out to me on Twitter or find me on GitHub.
Thanks for reading ❤️, do well to leave a clap if you learned something👏
Please leave a comment if you have any thoughts about the topic — I am open to learning and knowledge explorations.
Hire me👀
Looking for an engineer to build and automate cutting-edge orchestration for your next application infrastructure/architecture, working remotely? Get in touch: addeybob@gmail.com