| 1 | +--- |
| 2 | +title: eBPF |
| 3 | +status: Completed |
| 4 | +category: architecture |
| 5 | +--- |
| 6 | + |
| 7 | +## What it is |
| 8 | + |
| 9 | +eBPF, or extended Berkeley Packet Filter, is a technology that allows small, sandboxed programs or scripts to run in the kernel space of a Linux system without having to change the kernel's source code or load Linux kernel modules. |
| 10 | + |
| 11 | +A Linux system has two spaces: the kernel and the user space. |
| 12 | +The kernel represents the operating system's core and is the only part |
| 13 | +with unlimited access to the hardware. |
| 14 | + |
| 15 | +Applications reside in the user space, and when they need higher permissions, |
| 16 | +they send a request to the kernel. |
| 17 | +For applications that require more flexibility, such as direct hardware |
| 18 | +access, the kernel can be extended via what is known as the "Linux |
| 19 | +kernel modules" approach. This approach extends the kernel's default functionality, |
| 20 | + allowing applications deeper access to the underlying components. |
| 21 | + However, this approach also introduces security risks, making eBPF an attractive alternative. |
| 22 | + |
| 23 | +## Problem it addresses |
| 24 | +Typically, applications run in the user space, and if the application requires some privileges from the kernel (e.g., to access some hardware), |
| 25 | +it requests it from the kernel via a so-called "system call." |
| 26 | +In most cases, this approach works just fine. However, there are instances where developers require more flexibility for low-level system access. |
| 27 | +Observability, security, and networking features are good examples. |
| 28 | +To achieve that, we can use Linux kernel modules, extending the kernel base without modifying the kernel source code. |
| 29 | +While there are benefits to using Linux kernel modules, it also introduces security risks. |
| 30 | +Because they operate within the kernel space, Linux kernel modules can crash the kernel, and when the kernel crashes, so does the entire machine. |
| 31 | +Additionally, kernel modules have elevated privileges and direct access to system resources. And if not properly secured, attackers can exploit these. |
| 32 | + |
| 33 | +## How it helps |
| 34 | +eBPF provides a more controlled and contained environment for executing user-defined programs than Linux Kernel modules. |
| 35 | +It runs in a sandboxed environment within the kernel, providing isolation and mitigating risk. |
| 36 | +If a vulnerability or flaw is exploited in an eBPF program, its impact is generally limited to the sandboxed environment. |
| 37 | +Moreover, before an eBPF program can start running in the kernel, it has to pass some verifications. |
| 38 | +The verifier component checks the eBPF program for potential safety violations, |
| 39 | +such as out-of-bounds memory access, infinite loops, and unauthorized kernel functions. |
| 40 | +This way, it ensures the program won't enter an infinite loop and cause a kernel crash. |
| 41 | +These safety controls make eBPF a more secure option to run applications in the Linux kernel than the Linux kernel modules. |
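Review bot: The safety claims in lines 36-41 are stronger than eBPF supports and should be qualified. Line 36 says that an exploited flaw in an eBPF program has an impact "generally limited to the sandboxed environment", but eBPF programs execute in kernel context; the "sandbox" is the verifier's static check at load time, not a runtime isolation boundary, so a bug in the verifier itself can give a loaded program arbitrary kernel memory access. That is why loading programs is a privileged operation (CAP_BPF or CAP_SYS_ADMIN on current kernels, with the `kernel.unprivileged_bpf_disabled` sysctl governing the unprivileged path), and the text should say so instead of presenting eBPF as a safe way "to run applications in the Linux kernel" (line 41). Lines 38-40 would also be more accurate as: the verifier rejects programs whose loops it cannot prove terminate (bounded loops are accepted on recent kernels) and restricts calls to the helper functions permitted for the program type. Finally, line 9 should drop "or scripts": what is loaded is verified eBPF bytecode, typically compiled from C, not a script. Suggested replacement for line 36: "A verified eBPF program cannot read or write arbitrary kernel memory or call arbitrary kernel functions, but a flaw in the verifier itself can still be exploited for kernel-level access, so loading eBPF programs remains a privileged operation."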