eBPF for Security: Evolution or Revolution?

More and more organizations and technologies are using eBPF for security. eBPF (extended Berkeley Packet Filter) is the new standard to program Linux kernel capabilities in a safe and efficient manner without requiring to change kernel source code or loading kernel modules. It has enabled a new generation of high performance tooling to be developed covering networking, security, and observability use cases. eBPF is a core and increasingly ubiquitous technology for networking, observability, and security. eBPF has been evolving in Linux kernels for a decade, it has matured as *the* way to secure workloads running on both Linux and also Windows– and it’s the increasing use cases and scope that is revolutionizing security across the cloud and the internet. When security and development pros use eBPF for security, they are doing so to answer these questions:

1. What happens after a project or product has been delivered?
2. How do we create an secure environment of continual improvement?
3. How do we make sure that our secure deployment or application stays secure?
4. How to we identify vulnerabilities and spot potential anomalies?

In this article we’ll explore how eBPF has grown in popularity among observability and security circles in recent years, and what the future looks like. 

• A brief history of eBPF
  • Where did eBPF come from?
  • How has eBPF evolved?
• How is eBPF used in security?
• The future of eBPF
• Learn more about eBPF

A brief history of eBPF 

eBPF was originally developed as a way to filter network packets in the Linux kernel.  eBPF has matured into a powerful tool for tracing and analysing system activity — but it is not just a packet filter anymore. eBPF is a technology that allows running sandboxed programs in the kernel, extending its capabilities without changing its source code or loading kernel modules. Brendan Gregg, a computer scientist at Intel, said:

eBPF is superpowers for Linux

Where did eBPF come from?

eBPF evolved from the classic Berkeley Packet Filter (BPF), which was introduced in 1993 as a way of filtering network packets in the kernel. In the beginning, the original BPF had a limited instruction set and only two 32-bit registers.  But since 2014, Alexei Starovoitov and Daniel Borkmann proposed an extended version of BPF (eBPF), which added ten 64-bit registers, new instructions, a call instruction, and a register passing convention, and a different encoding for the instructions. They also added an in-kernel verifier that checks the safety and validity of the programs before loading them into the kernel. The verifier ensures that the programs do not crash, hang, or interfere with the kernel negatively. The programs can also be either interpreted or JIT compiled for native execution performance.   

How has eBPF evolved?

in the past decade, eBPF has been enhanced with many additional features:

• maps
• tail calls
• helper functions
• program types
• hook points
• user space libraries.

eBPF has also attracted a large community of contributors and users from various domains and industries.  Linus Torvalds, the Linux OG, said of BPF (exchangeable with eBPF):

BPF has actually been really useful, and the real power of it is how it allows people to do specialized code that isn’t enabled until asked for. Things like tracing and statistics (and obviously network filters) are prime examples of things where people want to do

eBPF is now used extensively not just in technology but to drive a wide variety of use cases in areas such as Managed Security Operations:

• High-performance networking and load-balancing in modern data centres and cloud native environments.
• Extracting fine-grained security observability data at low overhead.
• Helping application developers trace applications.
• Providing insights for network performance monitoring and troubleshooting.
• Preventive application and container runtime security enforcement in cloud vulnerability management.

The possibilities are endless, and the innovation that eBPF is unlocking has only just begun. The image below is a high-level architectural overview of the current state of eBPF:     

How is eBPF used in security?

As alluded to in the previous paragraph, eBPF can be used for a wide range of tasks, from profiling system performance to detecting security threats. eBPF’s ability to trace system activity in real-time has made it particularly useful in the field of security where it can be used to identify unusual behaviour and potential attacks. There are two major technology areas where eBPF is used for security: applications and infrastructure. Check out the official eBPF website at https://ebpf.io/infrastructure/ and https://ebpf.io/applcations discover how eBPF is being applied to infrastructure and applications. 

The future of eBPF

While eBPF has evolved over the past decade, it is revolutionizing security. eBPF will be deployed in more security use cases, applications and infrastructure in the coming years. It will be considered as an essential skill for any security technologist. As threats become more sophisticated and attacks become more frequent, tools like eBPF will be essential for detecting and mitigating potential risks. Overall, eBPF represents an exciting development in the field of security, and one that is likely to have a significant impact in the years to come. 

Conclusion 

Once workloads are deployed they must be continuously secured. This is where eBPF shines. Originally developed as a way to filter network packets in the Linux kernel, eBPF has evolved into a powerful tool for tracing and analysing system activity. Its lightweight and highly customizable protocol makes it an attractive option for developers and security professionals alike.   As threats become more sophisticated, tools like eBPF will be essential for detecting and mitigating potential risks. The future of eBPF is promising, as new threats emerge presenting new use cases, as well as improvements in performance and functionality. Overall, eBPF represents an exciting development in the field of security, and one that is likely to have a significant impact in the years to come. Its ability to trace system activity in real-time has made it particularly useful in the field of security, where it can be used to identify unusual behaviour and potential attacks. 

Learn more about eBPF

• Getting started with eBPF lab.