Sunday, June 18, 2023

eBPF: Redefining the Boundaries of Security, Networking, and Observability

eBPF (extended Berkeley Packet Filter) is a mechanism for running custom code inside the kernel. It is commonly used for monitoring and security tooling, but as I looked more into it, the capabilities go well beyond that. Let's see why.

Everything goes through the kernel!
All apps, whether a Docker container, a host program or an AWS Lambda, need to run through the kernel. Anything to do with the network, files, processes and memory is handled by the kernel. So it provides a single point at which to add a global capability, rather than adding it in each application or in one specific implementation, e.g. a k8s service mesh.

How does it run?
Runs in user space; eBPF has helper functions to integrate with the kernel. A kprobe (kernel probe) allows the custom functionality to be attached to system calls.
How does a program interface?
Helper functions, facilitated by the kernel probe, help read data back. Data structures such as BPF maps and hash table maps are also used to store data, which can then be shared with other BPF programs.
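To make the "BPF maps" part concrete, here is an added example (my code, not from the original post) that talks to a BPF map from user space through the raw bpf(2) system call, which is what libbpf's bpf_map_create()/bpf_map_update_elem() wrap. It creates a hash map, stores one key/value pair and reads it back. Map creation needs CAP_BPF (or CAP_SYS_ADMIN), so without those privileges the kernel answers EPERM; the code reports that instead of crashing. Map sizes and the demo key/value are constructed for the example.

```c
/* Added example (not from the original post): user-space access to a BPF
 * hash map via the raw bpf(2) syscall. Needs CAP_BPF or CAP_SYS_ADMIN;
 * otherwise BPF_MAP_CREATE fails with EPERM. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Thin wrapper around the syscall; libbpf and bcc do the same underneath. */
static long sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
{
    return syscall(__NR_bpf, cmd, attr, size);
}

/* Create a BPF_MAP_TYPE_HASH with u32 keys and u64 values.
 * Returns the map fd, or -errno on failure (-EPERM = missing CAP_BPF). */
int create_hash_map(uint32_t max_entries)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_type    = BPF_MAP_TYPE_HASH;
    attr.key_size    = sizeof(uint32_t);
    attr.value_size  = sizeof(uint64_t);
    attr.max_entries = max_entries;
    long fd = sys_bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
    return fd < 0 ? -errno : (int)fd;
}

/* Insert or overwrite key -> value. Returns 0 or -errno. */
int map_update(int map_fd, uint32_t key, uint64_t value)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = (uint32_t)map_fd;
    attr.key    = (uint64_t)(unsigned long)&key;   /* kernel reads through these pointers */
    attr.value  = (uint64_t)(unsigned long)&value;
    attr.flags  = BPF_ANY;                         /* create or update */
    return sys_bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr)) < 0 ? -errno : 0;
}

/* Look up key; on success writes the value and returns 0, else -errno
 * (-ENOENT when the key is absent). */
int map_lookup(int map_fd, uint32_t key, uint64_t *value_out)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = (uint32_t)map_fd;
    attr.key    = (uint64_t)(unsigned long)&key;
    attr.value  = (uint64_t)(unsigned long)value_out;
    return sys_bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr)) < 0 ? -errno : 0;
}

int main(void)
{
    int fd = create_hash_map(16);                  /* constructed size */
    if (fd < 0) {
        printf("BPF_MAP_CREATE failed: %s (missing CAP_BPF/CAP_SYS_ADMIN?)\n", strerror(-fd));
        return 1;
    }
    uint64_t v = 0;
    map_update(fd, 1234, 42);                      /* constructed demo key/value */
    map_lookup(fd, 1234, &v);
    printf("key 1234 -> %llu\n", (unsigned long long)v);
    close(fd);
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_BPF to see both outcomes; the EPERM path is exactly the privilege boundary the "Root user?" section below is about.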

How is it powerful?
No need to restart or redeploy the apps; you get the benefits immediately.

Where else is it used?
Katran uses it for a high-performance load balancer, used by FB since 2017 (https://engineering.fb.com/2018/05/22/open-source/open-sourcing-katran-a-scalable-network-load-balancer/). On a side note, the service mesh model used by containers may not be performant, as it needs to access the network layer often.

K8s using sidecars may not cover all the applications in an organization. eBPF can solve the problem since everything needs to go through the
Where else can it be used?
Used for monitoring, security tooling and high-performance networking. It can be much more effective in reducing the number of calls when compared to the sidecars used in container security.

Root user?
You need sudo access to set up and run eBPF modules. New permissions were introduced in kernel 5.3 for specific permissions with respect to running eBPF:
  • CAP_BPF 
  • CAP_PERFMON 
  • CAP_NET_ADMIN 
 Perfmon and BPF are required for tracing; NetAdmin and BPF privileges are required for networking.
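A practical check for the capability rules above: decode the CapEff bitmask that /proc/<pid>/status exposes and test for the three capabilities the post names. This is an added example, not code from the original post. The capability numbers are the kernel's (CAP_NET_ADMIN=12, CAP_SYS_ADMIN=21, CAP_PERFMON=38, CAP_BPF=39; CAP_BPF and CAP_PERFMON first appeared in kernel 5.8), and the two "can I" helpers mirror the kernel's bpf_capable()/perfmon_capable() logic, where CAP_SYS_ADMIN implies the newer capabilities for backward compatibility. The sample status text in the test is constructed.

```c
/* Added example (not from the original post): which eBPF-relevant
 * capabilities does a process hold? Decodes the CapEff hex mask from
 * /proc/<pid>/status. Capability numbers are the kernel's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef CAP_NET_ADMIN
#define CAP_NET_ADMIN 12
#endif
#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21
#endif
#ifndef CAP_PERFMON
#define CAP_PERFMON 38   /* kernel 5.8+ */
#endif
#ifndef CAP_BPF
#define CAP_BPF 39       /* kernel 5.8+ */
#endif

/* Find "<field>:\t<hex>" in /proc/<pid>/status text and parse the mask.
 * Returns 0 on success, -1 if the field is absent. */
int parse_cap_field(const char *status_text, const char *field, uint64_t *mask_out)
{
    size_t flen = strlen(field);
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            *mask_out = strtoull(line + flen + 1, NULL, 16); /* skips the tab */
            return 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

int has_cap(uint64_t mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL) != 0;
}

/* Mirrors the kernel's bpf_capable()/perfmon_capable(): CAP_SYS_ADMIN
 * still implies CAP_BPF and CAP_PERFMON for backward compatibility. */
static int bpf_capable(uint64_t m)     { return has_cap(m, CAP_BPF)     || has_cap(m, CAP_SYS_ADMIN); }
static int perfmon_capable(uint64_t m) { return has_cap(m, CAP_PERFMON) || has_cap(m, CAP_SYS_ADMIN); }
static int netadmin_capable(uint64_t m){ return has_cap(m, CAP_NET_ADMIN) || has_cap(m, CAP_SYS_ADMIN); }

/* Tracing programs (kprobes, tracepoints): BPF + PERFMON. */
int can_trace(uint64_t mask)         { return bpf_capable(mask) && perfmon_capable(mask); }
/* Networking programs (XDP, tc): BPF + NET_ADMIN. */
int can_do_networking(uint64_t mask) { return bpf_capable(mask) && netadmin_capable(mask); }

/* Read this process's effective capabilities. Returns 0 or -1. */
int read_self_cap_eff(uint64_t *mask_out)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_field(buf, "CapEff", mask_out);
}

int main(void)
{
    uint64_t m = 0;
    if (read_self_cap_eff(&m) != 0) { perror("/proc/self/status"); return 1; }
    printf("CapEff=%016llx  BPF=%d PERFMON=%d NET_ADMIN=%d SYS_ADMIN=%d\n",
           (unsigned long long)m, has_cap(m, CAP_BPF), has_cap(m, CAP_PERFMON),
           has_cap(m, CAP_NET_ADMIN), has_cap(m, CAP_SYS_ADMIN));
    printf("can load tracing programs: %d, networking programs: %d\n",
           can_trace(m), can_do_networking(m));
    return 0;
}
```

Running it inside a container typically shows CAP_NET_ADMIN only, which is why eBPF agents are usually deployed as privileged DaemonSets or with CAP_BPF and CAP_PERFMON added explicitly.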

What about kernel upgrades?
Kernel upgrades are usually backward compatible and don't happen that often. Also, the latest versions add more capabilities to eBPF.

Seccomp
Secure computing is a module used to run the kernel in a strict and restrictive mode. It is a utility powered by eBPF that limits the set of instructions that can be performed by the kernel. This allows the user to run untrusted code.

Systracking
Falco is set up in all kernels and has configs that are used to enable and configure the eBPF programs. Users can leverage the capabilities without writing eBPF code. LSM hooks can also be used to track system calls. As Linux upgrades are backward compatible and not much has been altered over the years, it is relatively safe to use the hooks for security tooling.


More reading on eBPF
A Beginner's Guide to eBPF Programming with Go

eBPF and Kubernetes: Little Helper Minions for Scaling Microservices https://www.youtube.com/watch?v=99jUcLt3rSk
