Security, Academic Research, and Upstream Development Key Highlights

The eBPF Foundation has spent 2024 securing, promoting, and advancing the eBPF ecosystem in many key areas. This blog highlights and celebrates all of the work we have achieved together this year. The Foundation has published more original content for the benefit of the community than ever before, sponsored its first round of academic research, sponsored critical upstream development work, and increased its participation in industry events. Find out everything you may have missed in this year-end summary.

Securing the eBPF Ecosystem

Last month at Cilium + eBPF Day at KubeCon North America, the eBPF Foundation released two important publications examining the security of eBPF: an eBPF Security Threat Model, as well as an eBPF Verifier Code Audit.

Conducted by ControlPlane under sponsorship of the eBPF Foundation, the Security Threat Model examined security guidance for deploying eBPF, and how to mitigate potential threats and vulnerabilities. Generally, the research found that eBPF is a highly secure technology thanks to built-in security features, including a verifier that ensures the safety of eBPF programs.

The eBPF Foundation also engaged NCC Group to conduct a security source code review of the eBPF Verifier. Overall, the code review found that the eBPF community has been highly effective in identifying bugs, and efficient in fixing them. The assessment also uncovered several code flaws. The most notable finding was a vulnerability (find_equal_scalars) enabling a privileged attacker to read and write arbitrary kernel memory, which has already been addressed by the community. The report also made additional recommendations for improving the security of the Verifier, such as refactoring complex functions and adding details about what the Verifier enforces to the documentation.

Promoting eBPF with Original Content Publications

Besides the Threat Model, the eBPF Foundation also published the first ever “State of eBPF” report, created in collaboration with Linux Foundation Research. The report explores the history of eBPF, and the impact it is having on infrastructure and application development. This is a qualitative research report which covers the evolution of eBPF, the revolution it created, what’s being built with it today, challenges in the ecosystem, and where it is heading next. The report provides valuable insight into how to make the most of what eBPF offers currently, plans for the future, and how stakeholders can get involved with the project to help it continue to improve. More than a dozen key maintainers and contributors to eBPF were interviewed for the report, and publicly available repositories of eBPF-related projects were analyzed.

Funding Academic Research

In August, the eBPF Foundation announced that it awarded five universities each a $50,000 unrestricted grant to perform research to benefit the eBPF community. Twenty-five proposals were submitted by 20 universities for technical projects to develop new features and improvements for eBPF. The five winners were selected after a detailed review of all proposals by the eBPF Steering Committee, which consists of lead maintainers in the eBPF ecosystem.

Summaries of the selected proposals and recipients (in alphabetical order by university) are:

Summary reports of the results achieved across all five projects will be published in 2025, along with an RFP for the next year of funding to continue strengthening academic interest, research, and collaboration around eBPF.

Sponsoring Upstream Development

The eBPF Foundation sponsored upstream development by Bootlin to improve BPF test coverage and consolidate test cases into the BPF selftest core framework. This extends the coverage of the BPF upstream kernel CI, which is run for every incoming BPF kernel patch, so that potential regressions are caught before a patch is applied. This work involves migrating standalone BPF test cases not yet run by the CI into the expected formats and frameworks, ensuring they can be integrated seamlessly into CI workflows. Additionally, legacy kernel BPF samples are rewritten into CI test cases, preserving their utility while aligning them with modern testing practices.

Beyond BPF CI, another priority of Bootlin’s sponsored involvement is addressing the feature gap between x86-64 and ARM64 architectures to achieve full feature parity from a BPF JIT perspective. Although this work has not yet started, it represents a critical step for improving core infrastructure as the ecosystem at large is seeing an uptick of users on ARM64. By investing in these areas, the Foundation not only reinforced the reliability of eBPF but also laid the groundwork for faster integration cycles and greater confidence among developers and IT leaders who are deploying eBPF at scale.

Global Events

In March, the eBPF Foundation and Centre for Networked Intelligence organized the first eBPF Day India at the Indian Institute of Science in Bangalore, with support from Cisco CSR. The free event gathered both experienced practitioners and those new to eBPF to spread awareness about eBPF technology, discuss novel use cases, and spur discussions around how the research and developer community can leverage eBPF for current as well as future use cases.

The eBPF Foundation also supported the eBPF community by sponsoring and organizing important events in 2024 like Linux Storage, Filesystem, Memory Management & BPF Summit and Linux Plumbers Conference, as well as sponsoring Kernel Recipes.

Looking Ahead to 2025

The Foundation has significant plans ahead for 2025, from additional technical and security-focused publications to sponsoring even more academic research projects, as well as continuing to support upstream development in critical areas. If you aren’t already involved in the community directly, we encourage you to learn about ways to participate and get involved today. Become a member today to have a say in the future direction of the Foundation and help support the success of eBPF and the ecosystem around it.