eBPF Linux Kernel Technology

ebpf.io

About this website

eBPF (extended Berkeley Packet Filter) is a revolutionary technology in the Linux kernel that allows running sandboxed programs directly in the kernel space without requiring kernel modules or kernel recompilation. Originally introduced as the Berkeley Packet Filter (BPF) in 1992 by Steven McCanne and Van Jacobson at Lawrence Berkeley Laboratory for efficient packet capture in tools like tcpdump, eBPF was significantly extended by Alexei Starovoitov at Facebook (Meta) in 2014 (kernel 3.15+), adding maps, helpers, a new VM instruction set, and the ability to attach to many kernel hook points beyond just networking.

Key features:

Safe kernel execution: eBPF programs undergo static analysis by the in-kernel verifier, which ensures type safety, bounds checking, bounded execution time (no loops in classic mode), and safe memory access, guaranteeing that eBPF programs cannot crash or hang the kernel.

Just-In-Time (JIT) compilation: eBPF bytecode is JIT-compiled to native machine code for near-zero overhead execution.

Hook points: eBPF programs can attach to numerous kernel points including system calls (tracepoints), kernel functions (kprobes), user-space functions (uprobes), network interfaces (XDP, TC), socket operations, cgroups, perf events, and Linux Security Module (LSM) hooks.

Maps: shared data structures between eBPF programs and user space, supporting hash maps, arrays, per-CPU maps, ring buffers, and LRU caches.

Use cases: observability (tracing system calls, CPU profiling, disk I/O latency via tools like bpftrace and BCC), networking (high-performance packet processing via XDP, load balancing via Katran, firewalling via Cilium), security (runtime threat detection via Falco and Tetragon, system call auditing).

Toolchain: clang/LLVM, the libbpf C library, bpftrace, BCC, and CO-RE (Compile Once - Run Everywhere).

The eBPF Foundation governs the specification. Used by Cilium, Cloudflare, Meta, Netflix, and Google.
