Microsoft has prepared an implementation of eBPF for Windows

Microsoft recently announced in a blog post an implementation of the eBPF subsystem for Windows, which makes it possible to run user-supplied eBPF programs at the kernel level of the operating system.

eBPF provides a bytecode interpreter built into the kernel for creating network handlers, access-control logic and system-monitoring code that is loaded from user space. eBPF has been part of the Linux kernel since version 3.18 and allows processing of incoming and outgoing network packets, packet forwarding, bandwidth control, interception of system calls, access control and tracing.

With JIT compilation, the bytecode is translated into machine instructions on the fly and runs at the speed of natively compiled code. eBPF for Windows is open source under the MIT license.

Today we are pleased to announce a new open source project from Microsoft to make eBPF work on Windows 10 and Windows Server 2016 and later. The ebpf-for-windows project aims to enable developers to use familiar eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows. Based on the work of others, this project takes several existing open source eBPF projects and adds the "glue" to make them run on Windows.

eBPF for Windows can be used with existing eBPF tools and provides a generic API that is used for eBPF applications on Linux.

In particular, the project makes it possible to compile C code into eBPF bytecode using the standard Clang-based eBPF compiler and to run eBPF programs already built for Linux on top of the Windows kernel, which is given a dedicated compatibility layer; the standard libbpf API is supported for compatibility with applications that interact with eBPF programs.

This includes intermediate layers that provide Linux-like bindings for XDP (eXpress Data Path) and socket bindings, which abstract access to the Windows network stack and network drivers. The plan is to provide full source-level compatibility for generic Linux eBPF programs.

The key difference in the Windows implementation of eBPF is its use of an alternative bytecode verifier, originally proposed by VMware employees together with researchers from Canadian and Israeli universities.

The verifier runs in a separate, isolated user-space process and is applied before a BPF program is executed, in order to detect errors and block potentially malicious behaviour.

For validation, eBPF for Windows uses abstract interpretation, a static analysis method which, compared with the Linux eBPF verifier, shows a lower false-positive rate, supports loop analysis and scales well. The method takes into account many typical patterns found by analysing existing eBPF programs.
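To make the abstract-interpretation idea concrete, here is a small added example (written for this article, not code from PREVAIL or from ebpf-for-windows): an interval-domain analyser for a constructed toy bytecode with four registers and a fixed 8-byte buffer. Every register is tracked as an interval of possible values, conditional branches refine the interval on each side, loop heads are widened so the analysis terminates even for loops, and any load whose address interval can leave the buffer is reported before the program would ever run. The instruction set, buffer size, widening threshold and sample programs are all constructed assumptions.

```python
"""Toy interval-domain abstract interpreter for a constructed eBPF-like bytecode.

Illustration only: not PREVAIL and not ebpf-for-windows code.
"""
from math import inf

BUF_LEN = 8          # programs may read buf[0] .. buf[BUF_LEN - 1] (constructed)
NUM_REGS = 4         # toy machine: registers r0 .. r3
WIDEN_AFTER = 3      # widen a loop head after this many back-edge visits
TOP = (-inf, inf)    # "any value": the state of an uninitialised register


def join(a, b):
    """Smallest interval containing both a and b (used at merge points)."""
    return (min(a[0], b[0]), max(a[1], b[1]))


def widen(old, new):
    """Push a bound to infinity if it is still moving; guarantees termination."""
    return (old[0] if new[0] >= old[0] else -inf,
            old[1] if new[1] <= old[1] else inf)


def add_iv(a, b):
    return (a[0] + b[0], a[1] + b[1])


def step(pc, ins, regs):
    """Abstract transfer for one instruction.

    Returns (successors, violation): successors is a list of
    (next_pc, next_state) pairs, violation is a message or None.
    """
    op, regs = ins[0], list(regs)
    if op == "mov":                        # mov dst, imm
        regs[ins[1]] = (ins[2], ins[2])
    elif op == "addi":                     # addi dst, imm
        regs[ins[1]] = add_iv(regs[ins[1]], (ins[2], ins[2]))
    elif op == "add":                      # add dst, src
        regs[ins[1]] = add_iv(regs[ins[1]], regs[ins[2]])
    elif op == "load":                     # load dst, base, off : dst = buf[base + off]
        addr = add_iv(regs[ins[2]], (ins[3], ins[3]))
        regs[ins[1]] = (0, 255)            # a byte read may yield any byte
        if addr[0] < 0 or addr[1] >= BUF_LEN:
            return [(pc + 1, tuple(regs))], (
                f"pc {pc}: load address {addr} may leave buf[0..{BUF_LEN - 1}]")
    elif op == "jlt":                      # jlt reg, imm, target : if reg < imm goto target
        r, k, target = ins[1:]
        succ = []
        taken = list(regs)
        taken[r] = (regs[r][0], min(regs[r][1], k - 1))   # values with reg < imm
        if taken[r][0] <= taken[r][1]:                    # branch is feasible
            succ.append((target, tuple(taken)))
        fall = list(regs)
        fall[r] = (max(regs[r][0], k), regs[r][1])        # values with reg >= imm
        if fall[r][0] <= fall[r][1]:
            succ.append((pc + 1, tuple(fall)))
        return succ, None
    elif op == "jmp":
        return [(ins[1], tuple(regs))], None
    elif op == "exit":
        return [], None
    return [(pc + 1, tuple(regs))], None


def verify(program):
    """Worklist fixpoint over the control-flow graph; returns all violations."""
    loop_heads = {ins[-1] for pc, ins in enumerate(program)
                  if ins[0] in ("jlt", "jmp") and ins[-1] <= pc}   # backward edges
    entry = {0: tuple([TOP] * NUM_REGS)}   # abstract state on entry to each pc
    visits, worklist, violations = {}, [0], []
    while worklist:
        pc = worklist.pop()
        if pc >= len(program):
            violations.append(f"pc {pc}: control falls off the end of the program")
            continue
        succs, viol = step(pc, program[pc], entry[pc])
        if viol and viol not in violations:
            violations.append(viol)
        for npc, state in succs:
            if npc in entry:
                merged = tuple(join(a, b) for a, b in zip(entry[npc], state))
                if npc in loop_heads:
                    visits[npc] = visits.get(npc, 0) + 1
                    if visits[npc] >= WIDEN_AFTER:
                        merged = tuple(widen(a, b) for a, b in zip(entry[npc], merged))
                if merged == entry[npc]:
                    continue               # nothing new at this pc, do not re-analyse
                entry[npc] = merged
            else:
                entry[npc] = state
            worklist.append(npc)
    return violations


# Constructed sample programs: sum the first 8 bytes of the buffer.
SAFE_LOOP = [
    ("mov", 0, 0),          # r0 = i = 0
    ("mov", 1, 0),          # r1 = sum = 0
    ("jlt", 0, 8, 4),       # while i < 8 ...
    ("exit",),
    ("load", 2, 0, 0),      # r2 = buf[i]
    ("add", 1, 2),          # sum += r2
    ("addi", 0, 1),         # i += 1
    ("jmp", 2),
]
OFF_BY_ONE = list(SAFE_LOOP)
OFF_BY_ONE[2] = ("jlt", 0, 9, 4)             # bound is 9, so buf[8] is reachable
UNCHECKED = [("load", 0, 3, 0), ("exit",)]   # r3 is never bounded before use

if __name__ == "__main__":
    for name, prog in [("SAFE_LOOP", SAFE_LOOP), ("OFF_BY_ONE", OFF_BY_ONE),
                       ("UNCHECKED", UNCHECKED)]:
        print(name, verify(prog) or "accepted")
```

The loop in SAFE_LOOP is accepted because after widening the counter at the loop head becomes [0, inf], the `jlt` refines it to [0, 7] on the taken side, and every load then stays inside the buffer. OFF_BY_ONE differs in a single constant and is rejected because the refined interval becomes [0, 8]; UNCHECKED is rejected because the base register is still TOP when it is dereferenced. A real verifier tracks pointer types, stack slots and far richer domains, but the accept/reject decision is reached the same way: over sets of possible values rather than by running the code.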

eBPF is a well-known but revolutionary technology that provides programmability, extensibility, and agility. eBPF has been applied to use cases such as denial of service protection and observability.

Over time, a significant ecosystem of tools, products, and expertise has been built around eBPF. Although support for eBPF was first implemented in the Linux kernel, there has been a growing interest in allowing eBPF to be used in other operating systems and also to extend daemons and user-mode services in addition to the kernel.

After verification, the bytecode is handed to the kernel-level interpreter or passed through the JIT compiler, and the resulting machine code then runs with kernel privileges. To isolate eBPF programs at the kernel level, the HVCI (Hypervisor-protected Code Integrity) mechanism is used, which relies on virtualization to protect kernel code and ensures that only digitally signed code whose integrity has been verified can execute.

One limitation of HVCI is that it can only be used with interpreted eBPF programs, not together with the JIT compiler (so you have to choose between extra performance and extra protection).

Finally, if you are interested in learning more about it, you can consult the following link.
