Originating in the Linux kernel, eBPF technology has generated a lot of buzz recently. The pun is intended, as eBee is the official eBPF* mascot.
In the case of eBPF, the excitement may be justified. eBPF lets developers run sandboxed programs inside the operating system kernel without changing the kernel itself or loading a kernel module: the kernel's verifier checks every program for safety (bounded loops, valid memory access, no unbounded run time) before it is attached, which makes eBPF a safer path to custom kernel-level functionality than a module. There is tremendous potential for use cases in security, observability, and networking.
In my quest to better understand the promise and potential of eBPF technology and its many applications, I spent some time virtually attending the recent 2022 eBPF summit, which was livestreamed on YouTube with a supporting Slack community for real-time conversations. This clever hybrid approach is something I’d recommend to other open source communities looking to host a live virtual event on a budget, as it bypasses the need for an expensive virtual event platform and allows for more asynchronous participation.
I was drawn to the group of lightning talks devoted to eBPF for security that streamed on Day 2 of the conference. This series of short presentations provides a quick, bird’s-eye view of interesting projects and implementations using eBPF for different security solutions.
Three Highlights from the Summit
Securing the IoT with eBPF and Rust* - Giovanni Alberto Falcione
The growing number of connected Internet of Things (IoT) devices opens a wider threat landscape, and the opportunity for rapid spread of discovered vulnerabilities from your fridge to your heart monitor. eBPF suits IoT security observability because it is more portable and safer than a kernel module, and its per-process visibility can provide robust data on exactly what a device is doing in real time. Falcione, Chief Product Officer at Exein, offers a snapshot of Pulsar, a security observability framework written in Rust that aims to harness these capabilities.
Applied eBPF for Cross-Platform Security Research - Dinesh Venkatesan
Venkatesan, who works at Microsoft, outlines a use case for security researchers who want to record raw syscall data and derive insights from it after a specific incident. The demo shows eBPF's potential for analysis of malware and ransomware.
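The "sandboxed program in the kernel" idea from the introduction and the raw syscall recording Venkatesan describes come together in a short bpftrace script. The script below is an added example written for this post; it is not code from the summit talks, from Venkatesan's demo, or from any project mentioned here. It records every execve(2) attempt (pid, parent pid, uid, caller's command name, full argv) and every outbound IPv4 TCP connect system-wide, and prints a per-caller exec count on exit. The file name and the column layout are my own choices; it assumes Linux, root, bpftrace, and a kernel built with BTF so the kernel structs resolve without headers.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * exec_and_connect.bt  (added example; not code from the summit talks or this post)
 *
 * Records two syscall-level events system-wide as a raw evidence stream a
 * responder can keep for later analysis:
 *   - every execve(2) attempt, with pid, parent pid, uid, caller comm and argv
 *   - every outbound IPv4 TCP connect, with the destination address and port
 * A per-caller exec count is printed when the script exits (Ctrl-C).
 *
 * Assumptions: Linux with bpftrace installed, run as root, and a kernel built
 * with CONFIG_DEBUG_INFO_BTF so struct task_struct and struct sock resolve
 * without kernel headers.
 * Run:  sudo bpftrace exec_and_connect.bt > syscall_record.log
 */

BEGIN
{
    printf("%-9s %-7s %-7s %-6s %-16s %s\n",
           "TIME", "PID", "PPID", "UID", "COMM", "EVENT");
}

/* Fires on entry to execve(2), before the kernel loads the new image, so comm
 * is still the *calling* process and argv is exactly what the caller passed
 * (the exec may still fail, e.g. with ENOENT). */
tracepoint:syscalls:sys_enter_execve
{
    $task = (struct task_struct *)curtask;
    @execs[comm] = count();                  /* summary map, printed in END */
    printf("%-9s %-7d %-7d %-6d %-16s exec ",
           strftime("%H:%M:%S", nsecs), pid, $task->real_parent->tgid, uid, comm);
    join(args->argv);                        /* argv joined by spaces, then newline */
}

/* Fires when the kernel begins an active TCP open; arg0 is the struct sock.
 * Only IPv4 (AF_INET == 2) is decoded here. */
kprobe:tcp_connect
{
    $sk = (struct sock *)arg0;
    if ($sk->__sk_common.skc_family == 2) {
        $dport = $sk->__sk_common.skc_dport;             /* network byte order */
        $dport = ($dport >> 8) | (($dport << 8) & 0xff00); /* to host order */
        printf("%-9s %-7d %-7d %-6d %-16s connect %s:%d\n",
               strftime("%H:%M:%S", nsecs), pid,
               ((struct task_struct *)curtask)->real_parent->tgid, uid, comm,
               ntop($sk->__sk_common.skc_daddr), $dport);
    }
}

END
{
    printf("\nexecve calls by calling process:\n");
    print(@execs);
    clear(@execs);
}
```

When bpftrace loads this, each probe is compiled to BPF bytecode and handed to the kernel verifier; a program that could loop forever or read outside the maps and helpers it is allowed to touch is rejected before it ever runs, which is the safety property the introduction refers to. Two caveats a practitioner will want: the execve entry tracepoint does not see execveat(2), so a sample that uses execveat is missed unless you also attach to `tracepoint:syscalls:sys_enter_execveat` (or use `tracepoint:sched:sched_process_exec`, which fires once for every successful exec regardless of entry point); and a record of syscall entry shows intent, not outcome, so failed execs and connects appear alongside successful ones.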
eBPF: Innovations in Cloud Native - Daniel Borkmann
This in-depth presentation explores a long list of innovations and use cases for eBPF in cloud native environments, including faster development and feedback cycles. Borkmann, who works on the open source Cilium project, looks forward to future potential but doesn't shy away from the challenges in meeting future goals, including some around attestation and signing of eBPF programs, which relate to software supply chain security.
A Throwback to Last Year
While the next presentation I’d like to point out was from the 2021 eBPF Summit, it’s worth mentioning here because it’s a great intro for eBPF newbies looking to try out eBPF tools. In the past I’ve had to play the role of systems administrator out of necessity, so diving into an intro to performance observation using eBPF felt like an accessible place to start. This video from Intel’s own Brendan Gregg is the beginner-friendly video you’ve been searching for.
Performance Wins with BPF: Getting Started - Brendan Gregg, keynote.
More to Come
eBPF technology appears to be gaining traction among technologists in many areas, and in particular in security and observability. The community site at ebpf.io is a good next step in your exploration. There you will find links to tutorials, books, articles, and talks to start your own eBPF quest.
About the author
Katherine Druckman, an Intel Open Source Evangelist, is a co-host of podcasts Reality 2.0 and FLOSS Weekly. A long-time Drupal enthusiast and former digital director of Linux Journal, she's a 15-year veteran of the marvelous world of open source software.
Photo by Donny Jiang on Unsplash