Skip to main content

eBPF vs Kernel Extensions

In summary, eBPF offers several advantages over traditional kernel extensions, including improved safety, competitive performance, flexibility, dynamic loading capabilities, easier maintenance, and enhanced security controls.

The Operating System Kernel

The main purpose of the OS kernel is to abstract hardware or virtual hardware and provide a consistent API (system call), allowing applications to run and share resources. In order to achieve this, a wide set of subsystems and layers are maintained to distribute responsibilities. Each subsystem typically allows for some level of configuration to account for different needs of users. If a desired behavior cannot be configured, a kernel change is required, requiring one of the following:

  • Native Support
    • Change the kernel source code and convince the Linux kernel community that the change is required.
    • Wait several years for the new kernel version to become a commodity.
  • Kernel Module
    • Write a kernel module
    • Fix the module regularly, since every kernel release could break it
    • Risk corrupting your Linux kernel due to a lack of security boundaries

However, with eBPF there is a new option available, that allows you to reprogram the behavior of the Linux kernel without changing the kernel source code or loading a kernel module. In many ways, this is very similar to how JavaScript and other scripting languages unlocked the evolution of web applications which had become difficult or expensive to change.

Kernel Extensions - Traditional Approach to Runtime Monitoring

A Loadable Kernel Module or Kernel Extension is a piece of software that is loaded into an operating system's central component. Kernel extensions are used to provide functionality or hardware support that otherwise would not be a part of the kernel, and are often able to perform tasks or access parts of the operating system that normal software cannot.

In most operating systems, access to networking, file systems and system calls are restricted in order to maintain a stable and secure system. Kernel extensions are able to access these functions and systems because they run as part of the kernel and can be added to or removed from the base kernel.

Kernel extensions also have more authority than other programs, which can cause unique problems. For example, a poorly coded agent running as a kernel extension could cause the entire system to crash. For this reason, software developers often are encouraged to use kernel extensions as a last resort.

eBPF - Advantages

Here's a summary of the advantages of eBPF (extended Berkeley Packet Filter) over traditional kernel extensions (Loadable Kernel Modules or LKMs):

AdvantageseBPFKernel Extensions
SafetyeBPF programs run in a sandbox, preventing kernel / OS crashes and instability due to errors.Kernel extensions can crash the kernel if poorly written or unoptimized.
PerformanceeBPF programs are JIT-compiled, providing competitive performance.Kernel extensions can be fast if well-optimized but risk instability.
FlexibilityeBPF is flexible and versatile, suitable for various use cases, including networking and security.Kernel extensions are limited to specific kernel interfaces and require deep kernel knowledge.
Dynamic LoadingeBPF allows dynamic loading and unloading of programs without kernel restarts.Kernel extensions typically require a kernel restart to update or remove.
Maintenance and DebuggingeBPF is easier to maintain and debug due to user-mode development and modern tooling.Kernel extensions involve complex kernel-level development and debugging.
SecurityeBPF provides more fine-grained control over program behavior, enhancing security.Kernel extensions can potentially introduce security vulnerabilities.
ContainerseBPF provides the ability to extract all containers' network traffic from the host level at low overheadPotential inaccurate correlation of network traffic of running containers with actual sources and destinations