No More Blue Fridays - eBPF

In the future, computers will not crash due to bad software updates, even those updates that involve kernel code. In the future, these updates will push eBPF code.

For Linux systems, the company behind this outage was already in the process of adopting eBPF, which is immune to such crashes. Once Microsoft's eBPF support for Windows becomes production-ready, Windows security software can be ported to eBPF as well. These security agents will then be safe and unable to cause a Windows kernel crash.
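The safety claim above rests on the kernel's verifier refusing to load any program it cannot prove safe. As an added example that is not part of the original post, here is a small Python model of that idea (a simplified, assumed instruction format, not the real verifier or real bytecode): it walks every path of a program with the register state at that point and rejects reads through non-pointers, out-of-bounds stack accesses, backward jumps and an unset return value before the code would ever run.

```python
STACK = 512  # eBPF stack size in bytes (a real kernel limit, reused as the bound here)

def verify(prog):
    """Return (accepted, reason) for a tiny eBPF-like program (assumed format):
      ("mov", dst, imm)        dst = imm                 -> dst becomes a scalar
      ("ld", dst, src, off)    dst = *(u64 *)(src + off) -> src must be the frame pointer
      ("jlt", a, b, delta)     if a < b: skip delta insns (forward only)
      ("exit",)                return r0
    Every path is explored with its own register state; one bad path rejects all."""
    def walk(pc, types):
        while True:
            if pc >= len(prog):
                return f"insn {pc}: fell off the end of the program"
            op, *args = prog[pc]
            if op == "mov":
                if args[0] == "r10":
                    return f"insn {pc}: r10 (frame pointer) is read-only"
                types = {**types, args[0]: "scalar"}
            elif op == "ld":
                dst, src, off = args
                if types.get(src) != "fp":
                    return f"insn {pc}: memory read through non-pointer {src}"
                if not -STACK <= off <= -8 or off % 8:
                    return f"insn {pc}: stack read out of bounds (off={off})"
                types = {**types, dst: "scalar"}
            elif op == "jlt":
                a, b, delta = args
                if delta < 0:
                    return f"insn {pc}: backward jump (possible infinite loop)"
                if any(types.get(r) != "scalar" for r in (a, b)):
                    return f"insn {pc}: compare on uninitialized register"
                err = walk(pc + 1 + delta, types)  # explore the taken branch too
                if err:
                    return err
            elif op == "exit":
                return None if types.get("r0") == "scalar" else f"insn {pc}: r0 unset at exit"
            else:
                return f"insn {pc}: unknown opcode {op}"
            pc += 1  # fall-through path
    err = walk(0, {"r10": "fp"})  # only the frame pointer is valid on entry
    return (err is None), err or "ok"

# Constructed sample programs (an assumption for this example, not real bytecode).
PROGRAMS = {
    "safe":      [("mov", "r1", 3), ("mov", "r2", 5), ("jlt", "r1", "r2", 1),
                  ("mov", "r0", 0), ("mov", "r0", 1), ("exit",)],
    "null_read": [("mov", "r1", 0), ("ld", "r0", "r1", 0), ("exit",)],   # read through r1 == 0
    "oob_stack": [("ld", "r0", "r10", -520), ("exit",)],                  # below the 512-byte stack
    "loop":      [("mov", "r0", 0), ("jlt", "r0", "r0", -2), ("exit",)],  # backward jump
    "half_init": [("mov", "r1", 1), ("mov", "r2", 2), ("jlt", "r1", "r2", 1),
                  ("mov", "r0", 0), ("exit",)],                           # r0 unset on one path
}
```

A real loader would fail the BPF_PROG_LOAD call with a verifier log for the four rejected cases, which is exactly what keeps a bad update from running in the kernel.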

Comments

When I read up on it a bit, Falcon on Linux has kernel and user mode integration (so apparently it will only come later, or it exists, but they are moving toward eBPF?).

https://chat.openai.com/?model=gpt-4o

please explain to me what "eBPF" is for linux and windows machines

### What is eBPF?

**eBPF (extended Berkeley Packet Filter)** is a powerful technology in the Linux kernel that allows users to run sandboxed programs in the kernel space without changing kernel source code or loading kernel modules. Initially designed for network packet filtering, eBPF has evolved into a general-purpose infrastructure for running custom programs inside the kernel, enabling high-performance monitoring, tracing, and even in-kernel application logic.

### Key Features of eBPF:

1. **Safe Execution:** eBPF programs run in a sandboxed environment, ensuring they do not compromise the stability or security of the kernel.
2. **Flexibility:** eBPF programs can be dynamically loaded and unloaded at runtime.
3. **Performance:** eBPF can execute custom logic at the kernel level with minimal overhead.
4. **Extensibility:** It allows extending kernel functionality without the need for writing kernel modules or modifying the kernel.

### Use Cases of eBPF:

1. **Networking:** Packet filtering, load balancing, traffic control.
2. **Security:** Intrusion detection, monitoring, and enforcement of security policies.
3. **Performance Monitoring:** System observability, performance profiling, and debugging.
4. **Tracing:** Dynamic tracing of kernel and application events.

### eBPF on Linux

eBPF is natively supported in the Linux kernel starting from version 3.18, with significant enhancements in subsequent versions. On Linux, eBPF programs can be loaded into the kernel using tools like `tc` for networking, `bpftrace` for tracing, and `xdp` for high-performance packet processing. The `libbpf` library and tools like `bpftool` are used to manage eBPF programs.

### eBPF on Windows

Microsoft has introduced eBPF for Windows to bring similar capabilities to the Windows ecosystem. The goal is to leverage eBPF's flexibility and performance benefits in Windows environments. eBPF for Windows is still in the early stages of development, but it aims to enable users to write eBPF programs that can run on Windows systems for networking, security, and observability purposes.

### Comparison Between Linux and Windows Implementations:

- **Linux:**
  - Native support in the kernel.
  - Mature ecosystem with tools like `bpftrace`, `bcc`, and `bpftool`.
  - Widely used for networking, security, and performance monitoring.

- **Windows:**
  - Emerging support, inspired by the success on Linux.
  - Focuses initially on networking and security use cases.
  - Integration with Windows networking stack and potential future expansion.

### Conclusion

eBPF is a transformative technology that enhances the capabilities of the operating system kernel in both Linux and Windows environments. By allowing safe, high-performance, and flexible execution of custom programs in the kernel, eBPF opens up new possibilities for system observability, security, and networking. While it is more mature on Linux, its development on Windows indicates a broadening adoption of this powerful technology across different platforms.