Title | : | eBPF: Extending a running operating system kernel with safety guarantees |
Speaker | : | NG Srinivas (IIT Madras) |
Details | : | Wed, 15 Oct, 2025 4:00 PM @ CS25 |
Abstract | : | Extended Berkeley Packet Filter (eBPF) has emerged as a powerful method to extend the capabilities of the Linux operating system kernel. eBPF allows users to write code in high-level languages (like C or Rust) and attach it for event-triggered execution at specific execution hooks in the kernel. Among many others, examples of prominent hooks include the network device driver, process scheduler, and the system call dispatcher. To ensure the safe execution of a user-developed eBPF program within the kernel, Linux uses an in-kernel static code analyzer. The analyzer allows a program to execute within the kernel only if it can formally prove that the program is crash-free, always accesses memory within safe bounds, and avoids leaking sensitive kernel data for any input. eBPF has found production-grade deployment in all the hyperscalers as well as several major computing organizations, with some companies anecdotally running dozens of programs on every single server in their fleet. Typical use cases include fleet-wide observability and profiling, flexible and efficient container networking, high-speed connection load balancing, and system call security. This talk will introduce eBPF in concept, provide an overview of the eBPF static code analyzer---the cornerstone of safe kernel software extensibility, and show a short demonstration with real eBPF programs. Time permitting, I will introduce recent research from my group on foundational scientific questions surrounding this technology. |