Microsoft wants to extend eBPF from the Linux kernel to Windows

After the Windows Subsystem for Linux (WSL), which has been well received by users of the operating system, Microsoft has decided to borrow another important technology from the Linux community, eBPF (extended Berkeley Packet Filter), and bring it to Windows.

The company said it would not be a fork of eBPF. Instead, it will use existing projects, including the IOVisor uBPF project and the PREVAIL verifier, to run eBPF APIs and programs on its own operating systems, including Windows 10 and Windows Server 2016 (or higher).

Over the past five years, Microsoft, which at the beginning of this millennium still saw Linux as the cancer of the computer industry, has become one of the biggest contributors to kernel development.

With WSL, it paved the way for multiple applications on Windows, allowing system administrators and programmers to use Linux tools and services directly from Windows without having to virtualize anything else or build complex infrastructures.

Now Microsoft has chosen to add eBPF to Windows, as this is a technology well known for its programmability and agility, especially for extending the kernel of an operating system, in use cases such as protection against DoS attacks and observability.

It is a register-based virtual machine with a custom 64-bit RISC instruction set, designed to run via JIT compilation in the Linux kernel. As such, eBPF programs are particularly well suited for system debugging and analysis, such as file system monitoring and log calls.

The relationship of eBPF to the Linux kernel has been compared to the relationship of JavaScript to web pages: it allows the behavior of the Linux kernel to be modified by loading an eBPF program at runtime, without modifying the kernel source code or loading a kernel module.

eBPF represents one of the biggest Linux kernel innovations of the last decade. And because there was some interest in adapting the technology to other operating systems, Microsoft decided to try bringing it to Windows. The project, called ebpf-for-windows, is open source and available on GitHub.

"The ebpf-for-windows project aims to enable developers to use the familiar eBPF toolchains and application programming interfaces (APIs) in existing versions of Windows," explained Dave Thaler, Microsoft Associate Software Engineer, and Poorna Gaddehosur, Microsoft Senior Software Engineer, in a Monday blog post.

"Based on the work of others, this project takes several existing open source eBPF projects and adds the middle layer to run on top of Windows."

The company doesn't call it an eBPF fork. Windows developers will be able to use tools like clang to generate eBPF bytecode from source code, which can be inserted into any application or used with the Windows netsh command line. According to the company, this is done through a shared library that uses the Libbpf APIs.

The library passes the eBPF bytecode through the PREVAIL verifier in a Windows security environment that allows a kernel component to trust a user-mode daemon signed with a trusted key.
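To make the verification step concrete, the following added example (not code from ebpf-for-windows or PREVAIL) decodes the standard 8-byte eBPF instruction format and applies a few structural checks that bytecode has to pass before a kernel can safely run it. The function names and the two sample programs are constructed for illustration, and the checks are a small subset of what a real verifier such as PREVAIL analyzes.

```python
import struct

INSN = struct.Struct("<BBhi")   # opcode, regs (dst low nibble, src high), off, imm
BPF_JMP, BPF_JMP32 = 0x05, 0x06 # instruction classes (low 3 bits of opcode)
OP_JA, OP_CALL, OP_EXIT, OP_LDDW = 0x05, 0x85, 0x95, 0x18

def decode(bytecode):
    """Split raw bytecode into (opcode, dst, src, off, imm) tuples."""
    if not bytecode or len(bytecode) % INSN.size:
        raise ValueError("length must be a non-zero multiple of 8 bytes")
    out = []
    for op, regs, off, imm in INSN.iter_unpack(bytecode):
        out.append((op, regs & 0x0F, regs >> 4, off, imm))
    return out

def structural_errors(bytecode):
    """Return a list of problems; an empty list means the checks passed."""
    try:
        insns = decode(bytecode)
    except ValueError as exc:
        return [str(exc)]
    errors, n, pc = [], len(insns), 0
    while pc < n:
        op, dst, src, off, _ = insns[pc]
        if dst > 10 or src > 10:              # only r0..r10 exist
            errors.append(f"insn {pc}: invalid register")
        is_jump = (op & 0x07) in (BPF_JMP, BPF_JMP32) and op not in (OP_CALL, OP_EXIT)
        if is_jump and not 0 <= pc + 1 + off < n:
            errors.append(f"insn {pc}: jump target out of bounds")
        if op == OP_LDDW:                     # 64-bit immediate uses two slots
            pc += 1
            if pc >= n:
                errors.append(f"insn {pc - 1}: truncated lddw")
        pc += 1
    if insns[-1][0] not in (OP_EXIT, OP_JA):
        errors.append("execution can fall off the end of the program")
    return errors

# Constructed samples: "mov64 r0, 2; exit" and a variant whose jump leaves the program.
GOOD = bytes.fromhex("b700000002000000" "9500000000000000")
BAD = bytes.fromhex("0500050000000000" "9500000000000000")

if __name__ == "__main__":
    for name, prog in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, structural_errors(prog) or "ok")
```
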

Microsoft engineers say the project aims to provide support for eBPF code using hooks and helpers that exist on both Linux and Windows.

"Linux provides many links and helpers, some of which are very Linux-specific (using internal Linux data structures, for example) that would not be applicable to other platforms," they said.

Finally, if you are interested in knowing more about it, you can check the details at the following link. Those who want to take a look at the eBPF repository on GitHub can do so from the following link.
