The ebpf-for-windows project aims to enable developers to use familiar eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows. Building on the work of others, this project takes several existing open source eBPF projects and adds the “glue” to make them work on Windows.
eBPF is a set of tools to support networking, security, application profiling / tracing, and performance troubleshooting. eBPF was born to make it easier to implement these kinds of solutions on the Linux kernel in a way that does not require rebuilding the kernel or loading kernel modules. The key for eBPF to make this possible is to use a special sandbox environment to run statically verified bytecode.
According to Microsoft, the benefits of eBPF in Linux have sparked growing interest in its use on other operating systems as well and to extend its use beyond the kernel to services and user space daemons.
eBPF programs are written in various source languages and compiled into eBPF bytecode. On Windows, the eBPF bytecode can be loaded through a library implementing the libbpf API, which is also integrated into the netsh command-line tool.
First, the library will try to verify the correctness of the generated bytecode.
If the bytecode passes all of the verifier's safety checks, it can either be loaded into the uBPF interpreter running in a Windows kernel-mode execution context, or compiled by the uBPF just-in-time (JIT) compiler, with the resulting native code loaded into the kernel-mode execution context.
eBPF programs are executed when the kernel or an application passes a certain hook, which includes system calls, function entry and exit, kernel tracepoints, network events, etc. eBPF programs cannot call arbitrary kernel code, as that would make them strictly dependent on the kernel version. Instead, they use what are called helper functions, a set of functions that give access to specific kernel functionality.
In Microsoft's view, it should be possible to ensure source code compatibility for eBPF programs that use the same hooks and helper functions on Linux and Windows. Of course, a number of hooks and helper functions are strictly Linux-specific, so they won't be applicable to Windows.
eBPF for Windows is still in early development and only two hooks are available at the moment: eXpress Data Path (XDP) and socket binding. Microsoft plans to create more hooks and helper functions over time and calls for input from the eBPF community.
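As an added illustration (not code from the ebpf-for-windows project or its samples), the stand-alone C below mirrors the shape of a program written for the XDP hook mentioned above: it drops IPv4/UDP packets with an empty payload and bounds-checks every header read against data_end, which is the property the static verifier enforces before bytecode is accepted. The xdp_md struct, the XDP_DROP/XDP_PASS values and the frame-building helper are assumptions defined locally so the logic runs in user mode rather than as eBPF bytecode.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-ins for the XDP hook context and verdicts, defined here so
 * the program logic runs in user mode; a real program takes them from the
 * eBPF headers shipped with the toolchain. */
#define XDP_DROP 1
#define XDP_PASS 2
struct xdp_md { void *data; void *data_end; };

struct ethhdr { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct iphdr  { uint8_t ihl_ver, tos; uint16_t tot_len, id, frag; uint8_t ttl, proto;
                uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));
struct udphdr { uint16_t sport, dport, len, csum; } __attribute__((packed));

/* Program body: drop IPv4/UDP packets whose UDP length field says the payload
 * is empty, pass everything else. Each header is checked against data_end
 * before it is read; the verifier rejects programs that skip such a check. */
int drop_empty_udp(struct xdp_md *ctx)
{
    void *end = ctx->data_end;
    struct ethhdr *eth = ctx->data;
    if ((void *)(eth + 1) > end || eth->proto != htons(0x0800)) return XDP_PASS;
    struct iphdr *ip = (struct iphdr *)(eth + 1);
    if ((void *)(ip + 1) > end || ip->proto != 17) return XDP_PASS;
    unsigned ihl = (ip->ihl_ver & 0x0f) * 4;        /* IPv4 options may be present */
    if (ihl < sizeof *ip) return XDP_PASS;
    struct udphdr *udp = (struct udphdr *)((uint8_t *)ip + ihl);
    if ((void *)(udp + 1) > end) return XDP_PASS;
    return ntohs(udp->len) <= sizeof *udp ? XDP_DROP : XDP_PASS;
}

/* Build a constructed Ethernet/IPv4/UDP frame carrying `payload` bytes of
 * data (all other fields zero); returns the frame length. */
size_t build_udp_frame(uint8_t *buf, size_t payload)
{
    size_t len = sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + payload;
    memset(buf, 0, len);
    struct ethhdr *eth = (struct ethhdr *)buf;
    eth->proto = htons(0x0800);
    struct iphdr *ip = (struct iphdr *)(eth + 1);
    ip->ihl_ver = 0x45;
    ip->proto = 17;
    ip->tot_len = htons((uint16_t)(len - sizeof(struct ethhdr)));
    struct udphdr *udp = (struct udphdr *)(ip + 1);
    udp->len = htons((uint16_t)(sizeof(struct udphdr) + payload));
    return len;
}

/* Invoke the program as the hook would, exposing only `len` bytes of the frame. */
int run_xdp(uint8_t *frame, size_t len)
{
    struct xdp_md ctx = { frame, frame + len };
    return drop_empty_udp(&ctx);
}
```

Passing a truncated frame to run_xdp shows why the bounds checks matter: the program must return XDP_PASS without ever reading past data_end.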