eBPF

Creator
Seonglae Cho
Created
2021 Dec 5 11:36
Edited
2024 May 10 4:37

Extended Berkeley Packet Filter

Programs that run in an in-kernel virtual machine (related: Provable security). eBPF enables the dynamic insertion of security, visibility, and networking control logic into the Linux kernel. User space communicates with an eBPF program through the bpf() system call.
It provides runtime-configurable kernel functionality such as high-performance networking, multi-cluster and multi-cloud capabilities, advanced load balancing, transparent encryption, extensive network security capabilities, and transparent observability.
  • A process can install multiple BPF filters; once installed, a filter cannot be removed, only more can be added (all of them run on every syscall).
  • If the process forks, the child inherits all filters, and if it calls execve, all filters are preserved.
  • The input to the BPF program is the syscall number, the syscall arguments, and the architecture.
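As an added example (not code from the original page or any project it links), the following C builds a seccomp-BPF filter of the kind described in the bullets above, whose input is the architecture, syscall number and arguments in struct seccomp_data, and evaluates it in a small interpreter on constructed input so the allow/deny logic can be checked without installing it. The allowed-syscall list is an illustrative assumption.

```c
// Added example (not from the original page): a seccomp-BPF filter that reads
// struct seccomp_data (arch, nr, args) plus a tiny interpreter to check it offline.
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Allow only read, write and exit_group on x86-64; any other syscall fails
 * with EPERM, and a foreign architecture (e.g. 32-bit ABI) kills the process. */
static const struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | 1),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Interpret the filter on one seccomp_data record and return its SECCOMP_RET_*
 * verdict. Only the three opcodes used above are handled; jump offsets are
 * relative to the next instruction, as in the kernel. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *data)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:  /* acc = 32-bit word at offset k */
            memcpy(&acc, (const char *)data + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: /* skip jt (true) or jf (false) insns */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:                        /* unsupported opcode: fail closed */
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;   /* fell off the end: fail closed */
}
```

Installing it for real takes prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) with a struct sock_fprog wrapping the array, after which the filter is inherited across fork and execve and cannot be removed, only joined by further filters.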
eBPF Notion
eBPF Usages
eBPF - Introduction, Tutorials & Community Resources
Building on the foundation of seeing and understanding all system calls, and combining that with a packet- and socket-level view of all networking operations, allows for revolutionary new approaches to securing systems. While aspects of system call filtering, network-level filtering, and process context tracing have typically been handled by completely independent systems, eBPF allows the visibility and control of all of these aspects to be combined, creating security systems that operate on more context with a better level of control.
[Linux] What is eBPF (Extended Berkeley Packet Filter)?
Summary: user space can communicate with an eBPF program through the bpf() system call. What is eBPF? On Android: Android includes an eBPF loader and library that load eBPF programs at boot time to extend kernel functionality. The eBPF loader can be used to collect statistics from the kernel, for monitoring or debugging. About eBPF: eBPF is an in-kernel virtual machine that runs user-supplied eBPF programs.