Microsoft at Work to Bring eBPF to Windows


Microsoft has announced it is working on bringing eBPF to Windows 10 and Windows Server 2016 and later to support use cases such as denial-of-service protection and observability.

The ebpf-for-windows project aims to allow developers to use familiar eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows. Building on the work of others, this project takes several existing eBPF open source projects and adds the "glue" to make them run on Windows.

eBPF is a collection of tools that aim to support networking, security, application profiling/tracing, and performance troubleshooting. eBPF was created to make it easier to implement such solutions on top of the Linux kernel without rebuilding the kernel or loading kernel modules. What makes this possible is a sandboxed execution environment that runs only statically verified bytecode.

According to Microsoft, the benefits shown by eBPF on Linux have created an increasing interest in using it on other operating systems as well and in extending its use beyond the kernel to user-space services and daemons.

eBPF programs are written in various source languages and compiled to eBPF bytecode. On Windows, eBPF bytecode can be consumed using a library implementing the Libbpf APIs, which is also integrated in the netsh command-line tool.

As a first step, the library will attempt to verify the correctness of the generated bytecode.

If the bytecode passes all the verifier’s safety checks, the bytecode can be either loaded into the uBPF interpreter running in a Windows kernel-mode execution context or compiled by the uBPF just-in-time (JIT) compiler and have native code loaded into the kernel-mode execution context.

eBPF programs are executed when the kernel or an application reaches a certain hook, which can be a system call, function entry/exit, a kernel tracepoint, a network event, and so on. eBPF programs cannot call arbitrary kernel code, since this would make them strictly dependent on the kernel version. Instead, they use so-called helper functions, a collection of functions providing access to specific kernel features.
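To make the load path in the preceding paragraphs concrete, here is a toy model of it, added as an example and not code from ebpf-for-windows, uBPF or Microsoft: bytecode is statically verified once at load time, then run by an interpreter attached to a hook, and the only way the program can reach the host is through a fixed helper table. The opcodes, the eight-byte context layout, the `helper_trace` helper and both sample programs are constructed for the illustration; only the r0/r1..r5 calling convention and the XDP_DROP/XDP_PASS return codes follow the real eBPF ABI.

```python
"""Toy model of the eBPF load path: verify bytecode, then run it from a hook with
helpers as the only way into the host.  Added example; opcodes, context layout,
helpers and programs are constructed, not taken from ebpf-for-windows or uBPF."""
from dataclasses import dataclass
import struct

NUM_REGS = 11               # r0..r10 as in eBPF: r0 = result, r1..r5 = helper args
CTX_SIZE = 8                # constructed context: 8 bytes of "packet header"
XDP_DROP, XDP_PASS = 1, 2   # return codes the XDP hook acts on (Linux values)

@dataclass(frozen=True)
class Insn:
    op: str        # MOVI dst,imm | MOV dst,src | LDX dst,imm (u16 at ctx offset imm)
    dst: int = 0   # JGT dst,src,+imm (forward jump) | CALL imm (helper id) | EXIT
    src: int = 0
    imm: int = 0

def helper_trace(state, arg):
    """Helper 1: records its argument, standing in for a bpf_trace_printk-style helper."""
    state["trace"].append(arg)
    return 0

HELPERS = {1: helper_trace}   # constructed helper table: the program can reach nothing else

class VerifyError(Exception):
    pass

# Registers each opcode reads; CALL reads its single argument in r1, EXIT returns r0.
READS = {"MOVI": [], "MOV": ["src"], "LDX": [], "JGT": ["dst", "src"], "CALL": [1], "EXIT": [0]}

def verify(prog):
    """Static checks done once at load time: registers are written before they are read on
    every path, context loads stay in bounds, only known helpers are called, and jumps are
    forward-only so the program is guaranteed to terminate."""
    n = len(prog)
    if n == 0 or prog[-1].op != "EXIT":
        raise VerifyError("program must end with EXIT")
    init = [None] * n            # set of initialised registers on entry to each insn
    init[0] = frozenset({1})     # r1 holds the context on entry
    def merge(idx, regs):        # control-flow join: keep only what every path initialised
        init[idx] = regs if init[idx] is None else init[idx] & regs
    for i, ins in enumerate(prog):
        regs = init[i]
        if regs is None:
            raise VerifyError(f"insn {i}: unreachable")
        if ins.op not in READS:
            raise VerifyError(f"insn {i}: unknown opcode {ins.op}")
        if not (0 <= ins.dst < NUM_REGS and 0 <= ins.src < NUM_REGS):
            raise VerifyError(f"insn {i}: bad register")
        for name in READS[ins.op]:
            r = getattr(ins, name) if isinstance(name, str) else name
            if r not in regs:
                raise VerifyError(f"insn {i}: r{r} read before write")
        if ins.op == "LDX" and not (0 <= ins.imm <= CTX_SIZE - 2 and ins.imm % 2 == 0):
            raise VerifyError(f"insn {i}: context load out of bounds or unaligned")
        if ins.op == "CALL" and ins.imm not in HELPERS:
            raise VerifyError(f"insn {i}: unknown helper {ins.imm}")
        if ins.op == "EXIT":
            continue
        out = regs | {ins.dst} if ins.op in ("MOVI", "MOV", "LDX") else regs
        if ins.op == "CALL":     # helpers clobber r1..r5 and return in r0, as in eBPF
            out = (regs - {1, 2, 3, 4, 5}) | {0}
        if ins.op == "JGT":
            if ins.imm <= 0 or i + 1 + ins.imm >= n:
                raise VerifyError(f"insn {i}: jump must be forward and in range")
            merge(i + 1 + ins.imm, out)
        merge(i + 1, out)
    return True

def run(prog, ctx):
    """Interpreter for verified bytecode (the uBPF role); a JIT would keep the same semantics."""
    regs, state, pc = [0] * NUM_REGS, {"trace": []}, 0
    while True:
        ins = prog[pc]
        if ins.op == "MOVI":
            regs[ins.dst] = ins.imm
        elif ins.op == "MOV":
            regs[ins.dst] = regs[ins.src]
        elif ins.op == "LDX":
            regs[ins.dst] = struct.unpack_from("<H", ctx, ins.imm)[0]
        elif ins.op == "JGT" and regs[ins.dst] > regs[ins.src]:
            pc += ins.imm
        elif ins.op == "CALL":
            regs[0] = HELPERS[ins.imm](state, regs[1])
        elif ins.op == "EXIT":
            return regs[0], state["trace"]
        pc += 1

def attach_xdp(prog):
    """Model of attaching to the XDP hook: verify once, then return the per-packet callback."""
    verify(prog)
    def on_packet(packet):
        code, trace = run(prog, packet)
        return ("drop" if code == XDP_DROP else "pass"), trace
    return on_packet

def load_error(prog):
    """Return the verifier's rejection message, or None if the program is accepted."""
    try:
        verify(prog)
    except VerifyError as e:
        return str(e)
    return None

# Constructed program: trace the u16 at context offset 2 (a "port"), drop if above 1023.
# The value is kept in r6 because r1..r5 are clobbered by the helper call.
DROP_HIGH_PORTS = [
    Insn("LDX", dst=6, imm=2),          # r6 = ctx[2:4]
    Insn("MOV", dst=1, src=6),          # r1 = r6 (helper argument)
    Insn("CALL", imm=1),                # r0 = helper_trace(r1)
    Insn("MOVI", dst=7, imm=1023),      # r7 = 1023
    Insn("MOVI", dst=0, imm=XDP_PASS),  # default verdict
    Insn("JGT", dst=6, src=7, imm=1),   # if r6 > r7: skip the next insn
    Insn("EXIT"),                       # pass
    Insn("MOVI", dst=0, imm=XDP_DROP),
    Insn("EXIT"),                       # drop
]
OUT_OF_BOUNDS = [Insn("LDX", dst=0, imm=8), Insn("EXIT")]   # constructed: rejected at load

def packet(port):
    """Constructed 8-byte header with the port at offset 2 (little-endian, toy layout)."""
    return struct.pack("<HHI", 0x1234, port, 0)

if __name__ == "__main__":
    on_packet = attach_xdp(DROP_HIGH_PORTS)
    print(on_packet(packet(80)), on_packet(packet(8080)), load_error(OUT_OF_BOUNDS))
```

The verifier walks the program once in order, which is enough because jumps are only allowed forward, so every predecessor of an instruction has been analysed before it is reached; a register must be initialised on all incoming paths (intersection at joins) before it may be read, which is the same reason a real eBPF program must keep values across a helper call in r6..r9 rather than r1..r5.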

In Microsoft's view, it should be possible to ensure source code compatibility for eBPF programs that use the same hooks and helper functions across Linux and Windows. Of course, a number of hooks and helper functions are strictly related to Linux, so they will not be applicable to Windows.

eBPF for Windows is still in early development and only two hooks are available at the moment, for eXpress Data Path (XDP) and socket binding. Microsoft plans to add more hooks and helper functions over time and is calling for contributions from the eBPF community.
