The ebpf-for-windows project aims to allow developers to use familiar eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows. Building on the work of others, this project takes several existing eBPF open source projects and adds the “glue” to make them run on Windows.
eBPF is a collection of tools that aim to support networking, security, application profiling/tracing, and performance troubleshooting. eBPF was born to make it easier to implement such solutions on top of the Linux kernel in a way that does not require rebuilding the kernel or loading kernel modules. The key to making this possible is that eBPF runs statically verified bytecode inside a special sandboxed environment.
According to Microsoft, the benefits shown by eBPF on Linux have created an increasing interest in using it on other operating systems as well and in extending its use beyond the kernel to user-space services and daemons.
eBPF programs are written in various source languages and compiled to eBPF bytecode. On Windows, eBPF bytecode can be consumed using a library implementing the libbpf APIs, which is also integrated in the netsh command-line tool.
As a first step, the library will attempt to verify the correctness of the generated bytecode.
If the bytecode passes all the verifier’s safety checks, it can either be loaded into the uBPF interpreter running in a Windows kernel-mode execution context, or compiled by the uBPF just-in-time (JIT) compiler, with the resulting native code loaded into the kernel-mode execution context.
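The verification step described above, as an added illustration that is not part of ebpf-for-windows (whose verifier is far more thorough): a toy structural checker that decodes the standard 8-byte eBPF instruction encoding and rejects programs with out-of-range registers, out-of-range or backward jumps, or no final exit. The opcode constants are the standard eBPF ones; the three sample programs are constructed for this example.

```python
import struct

# One eBPF instruction is 8 bytes, little-endian:
# opcode (u8), (src_reg << 4) | dst_reg (u8), offset (s16), immediate (s32)
INSN = struct.Struct("<BBhi")
BPF_JMP, BPF_JMP32 = 0x05, 0x06      # instruction classes (low 3 bits)
BPF_CALL, BPF_EXIT = 0x80, 0x90      # jump sub-opcodes (high 4 bits)

def insn(code, dst=0, src=0, off=0, imm=0):
    """Encode one instruction (used here to build the constructed samples)."""
    return INSN.pack(code, (src << 4) | dst, off, imm)

def decode(bytecode):
    """Split raw bytecode into (opcode, dst, src, off, imm) tuples."""
    if len(bytecode) % INSN.size:
        raise ValueError("bytecode length is not a multiple of 8 bytes")
    return [(c, r & 0x0F, r >> 4, off, imm)
            for c, r, off, imm in INSN.iter_unpack(bytecode)]

def check_program(bytecode):
    """Minimal static safety check in the spirit of an eBPF verifier.
    Checks only control-flow structure: valid registers, in-range jump targets,
    no backward jumps (so no unbounded loops) and a final exit. Real verifiers
    also track register types, memory bounds and helper-call signatures.
    Returns (True, "ok") or (False, reason)."""
    insns = decode(bytecode)
    n = len(insns)
    if n == 0:
        return False, "empty program"
    for pc, (code, dst, src, off, _imm) in enumerate(insns):
        if dst > 10 or src > 10:             # eBPF has registers r0..r10
            return False, f"insn {pc}: register out of range"
        cls, op = code & 0x07, code & 0xF0
        if cls in (BPF_JMP, BPF_JMP32) and op not in (BPF_CALL, BPF_EXIT):
            target = pc + 1 + off            # offsets are relative to the next insn
            if not 0 <= target < n:
                return False, f"insn {pc}: jump target {target} out of range"
            if target <= pc:
                return False, f"insn {pc}: backward jump (possible loop)"
    if insns[-1][0] != BPF_JMP | BPF_EXIT:
        return False, "program does not end with exit"
    return True, "ok"

# Constructed samples (not the project's code): the minimal XDP "pass" program
# (return 1), one with a forward branch, and one with a backward jump.
PASS_ALL = insn(0xB7, dst=0, imm=1) + insn(0x95)                # r0 = 1; exit
BRANCH = (insn(0xB7, dst=0, imm=1) + insn(0x15, dst=1, off=1)   # if r1 == 0 goto +1
          + insn(0xB7, dst=0, imm=2) + insn(0x95))              # r0 = 2; exit
LOOP = insn(0xB7, dst=0, imm=1) + insn(0x05, off=-2) + insn(0x95)  # goto -2 (loop)
```

Running `check_program` over the three samples accepts the first two and rejects `LOOP` at instruction 1, which is the kind of decision the loader makes before anything reaches the interpreter or JIT.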
eBPF programs are executed when the kernel or an application passes a certain hook, which can be a system call, function entry/exit, a kernel tracepoint, a network event, and others. eBPF programs cannot call arbitrary kernel code, since this would make them strictly dependent on the kernel version. Instead, they use so-called helper functions, a collection of functions providing access to specific kernel features.
In Microsoft’s view, it should be possible to ensure source-code compatibility for eBPF programs that use the same hooks and helper functions across Linux and Windows. Of course, a number of hooks and helper functions are strictly related to Linux, so they will not be applicable to Windows.
eBPF for Windows is still in early development and only two hooks are available at the moment, for eXpress Data Path (XDP) and socket binding. Microsoft plans to create more hooks and helper functions over time and calls for contributions from the eBPF community.