Microsoft embraces Linux kernel's eBPF super-tool, extends it for Windows

This early-stage project is not a fork, Redmond insists


Microsoft on Monday launched an open source project to make a Linux kernel tool known as eBPF, short for Extended Berkeley Packet Filter, work on Windows.

Inspired by the network packet filtering and capture software dubbed Berkeley Packet Filter, eBPF is a register-based virtual machine that executes programs written for a custom 64-bit RISC-like instruction set, via just-in-time compilation, inside the Linux kernel. As such, eBPF programs are particularly well suited to debugging and system analysis, such as tracing file system and registry calls.

eBPF's relationship with the Linux kernel has been likened to JavaScript's relationship with web pages – it allows Linux kernel behavior to be modified by loading and executing an eBPF program, without changing the actual kernel source code or loading a kernel module.

Microsoft, having force-fed Windows with Linux supplements in recent years, has moved on to embracing and extending Linux tooling. eBPF programs have proven useful on Linux for denial-of-service defense and system observability. And since there's been interest in adapting the technology to other operating systems, Microsoft has decided to give the software a shot at Windows.

"The ebpf-for-windows project aims to allow developers to use familiar eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows," said Dave Thaler, partner software engineer at Microsoft, and Poorna Gaddehosur, principal software engineer lead at Microsoft, in a blog post. "Building on the work of others, this project takes several existing eBPF open source projects and adds the 'glue' to make them run on Windows."

Thaler and Gaddehosur say they're announcing the project while it's still in early stage development in order to promote collaboration with the eBPF community and to ensure compatibility on Windows.

They stress that they're not forking eBPF. Rather, eBPF for Windows will rely on existing open source projects like the IOVisor uBPF project and the PREVAIL verifier to run eBPF programs on Windows using a Windows-specific hosting environment.

Windows devs will be able to use tools like clang to generate eBPF bytecode from source code that can be plugged into any application or used with the Windows netsh command line via a shared library that exposes the libbpf APIs. The library passes the eBPF bytecode through the PREVAIL static verifier within a Windows security environment that lets a kernel component trust a user-mode daemon signed with a trusted key. Only bytecode approved by the verifier can then be run.

The Microsoft engineers say the project aims to offer eBPF code compatibility using hooks and helpers that exist on both Linux and Windows.

"Linux provides many hooks and helpers, some of which are very Linux specific (using Linux internal data structs, for example) that would not be applicable to other platforms," they said. "Other hooks and helpers are generically applicable, and the intent is to support them for eBPF programs."

So far, two hooks – XDP and socket bind – have been added to handle events and communicate with helper APIs made available through the eBPF shim that wraps public Windows kernel APIs. There will be more in time, insist Thaler and Gaddehosur. ®
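To make the pipeline the article describes concrete (bytecode goes in, a static verifier decides, and only approved programs run, with an XDP hook reading its verdict from r0), here is an added toy model written for this piece. It is not code from ebpf-for-windows, uBPF or PREVAIL. The 8-byte instruction layout (opcode, dst/src register nibbles, 16-bit offset, 32-bit immediate) and the opcode values are the real eBPF encoding; the verifier checks, the interpreter and the sample "drop when r1 == 1" program are simplifications constructed for the example, and the real verifiers do far more (register type tracking, bounds analysis, helper call signatures).

```python
"""Toy eBPF load path: decode -> verify -> run.

Added illustration, not ebpf-for-windows/uBPF/PREVAIL code. Only the four
opcodes used by the sample program are modelled.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

MASK64 = (1 << 64) - 1

# XDP verdicts returned in r0 (same values as Linux's enum xdp_action).
XDP_DROP = 1
XDP_PASS = 2

# Real eBPF opcode bytes (instruction class | operation | source encoding).
OP_MOV64_IMM = 0xB7  # BPF_ALU64 | BPF_MOV | BPF_K : dst = imm (sign-extended)
OP_JEQ_IMM = 0x15    # BPF_JMP   | BPF_JEQ | BPF_K : if dst == imm goto pc+1+off
OP_JA = 0x05         # BPF_JMP   | BPF_JA          : goto pc+1+off
OP_EXIT = 0x95       # BPF_JMP   | BPF_EXIT        : return r0
SUPPORTED = {OP_MOV64_IMM, OP_JEQ_IMM, OP_JA, OP_EXIT}


@dataclass(frozen=True)
class Insn:
    opcode: int
    dst: int
    src: int
    off: int
    imm: int


def encode(opcode: int, dst: int = 0, src: int = 0, off: int = 0, imm: int = 0) -> bytes:
    """Pack one instruction in the real little-endian eBPF layout."""
    return struct.pack("<BBhi", opcode, (src << 4) | dst, off, imm)


def decode(bytecode: bytes) -> list[Insn]:
    """Split raw bytecode into 8-byte instructions."""
    if len(bytecode) % 8 != 0:
        raise ValueError("eBPF bytecode length must be a multiple of 8")
    return [Insn(op, regs & 0x0F, regs >> 4, off, imm)
            for op, regs, off, imm in struct.iter_unpack("<BBhi", bytecode)]


def verify(insns: list[Insn]) -> list[str]:
    """Static checks in the spirit of an eBPF verifier.

    Returns the list of problems found; an empty list means 'accepted'.
    """
    if not insns:
        return ["empty program"]
    problems = []
    for pc, insn in enumerate(insns):
        if insn.opcode not in SUPPORTED:
            problems.append(f"pc {pc}: unsupported opcode 0x{insn.opcode:02x}")
        if insn.dst > 10 or insn.src > 10:
            problems.append(f"pc {pc}: register number out of range")
        if insn.opcode == OP_MOV64_IMM and insn.dst == 10:
            problems.append(f"pc {pc}: r10 (frame pointer) is read-only")
        if insn.opcode in (OP_JEQ_IMM, OP_JA):
            target = pc + 1 + insn.off
            if not 0 <= target < len(insns):
                problems.append(f"pc {pc}: jump target {target} out of bounds")
            if insn.off < 0:
                problems.append(f"pc {pc}: backward jump rejected (unbounded loop)")
    # With only forward jumps, every path either hits an exit or reaches the
    # tail, so the tail itself must be an exit for the program to terminate.
    if insns[-1].opcode != OP_EXIT:
        problems.append("program does not end with exit")
    return problems


def run(insns: list[Insn], r1: int = 0) -> int:
    """Execute accepted bytecode in a tiny register machine.

    r1 stands in for the context an XDP hook hands to the program; the
    verdict is whatever is in r0 at exit.
    """
    regs = [0] * 11
    regs[1] = r1 & MASK64
    pc = 0
    while pc < len(insns):
        insn = insns[pc]
        if insn.opcode == OP_MOV64_IMM:
            regs[insn.dst] = insn.imm & MASK64
        elif insn.opcode == OP_JEQ_IMM and regs[insn.dst] == (insn.imm & MASK64):
            pc += insn.off
        elif insn.opcode == OP_JA:
            pc += insn.off
        elif insn.opcode == OP_EXIT:
            return regs[0]
        pc += 1
    raise RuntimeError("fell off the end of the program")


def load_and_run(bytecode: bytes, r1: int = 0) -> int:
    """Full path: refuse to execute anything the verifier rejects."""
    insns = decode(bytecode)
    problems = verify(insns)
    if problems:
        raise PermissionError("verifier rejected program: " + "; ".join(problems))
    return run(insns, r1)


# Constructed sample: an XDP program that drops when r1 == 1, else passes.
#   0: jeq r1, 1, +2      -> goto 3 if r1 == 1
#   1: mov r0, XDP_PASS
#   2: exit
#   3: mov r0, XDP_DROP
#   4: exit
SAMPLE_XDP_PROGRAM = (
    encode(OP_JEQ_IMM, dst=1, off=2, imm=1)
    + encode(OP_MOV64_IMM, dst=0, imm=XDP_PASS)
    + encode(OP_EXIT)
    + encode(OP_MOV64_IMM, dst=0, imm=XDP_DROP)
    + encode(OP_EXIT)
)

# Constructed sample the verifier must refuse: writes r10, then loops on itself.
REJECTED_PROGRAM = encode(OP_MOV64_IMM, dst=10, imm=0) + encode(OP_JA, off=-1) + encode(OP_EXIT)

if __name__ == "__main__":
    print("verdict for r1=1:", load_and_run(SAMPLE_XDP_PROGRAM, r1=1))
    print("verdict for r1=7:", load_and_run(SAMPLE_XDP_PROGRAM, r1=7))
    print("rejected because:", verify(decode(REJECTED_PROGRAM)))
```

The point of the split is the same one the article makes about PREVAIL: the loader never hands bytecode to the interpreter until the static checks have accepted it, so a program with a backward jump or a write to the read-only frame pointer is stopped before a single instruction executes.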
