Dynamically program the kernel for efficient networking, observability, tracing, and security

  • Programs are verified to safely execute
  • Hook anywhere in the kernel to modify functionality
  • JIT compiler for near native execution speed
  • Add OS capabilities at runtime

Organizations in every industry use eBPF in production

  • Google

    Google uses eBPF for security auditing, packet processing, and performance monitoring.

  • Netflix

    Netflix uses eBPF at scale for network insights.

  • Android

    Android uses eBPF to monitor network usage, power, and memory profiling.

  • S&P Global

    S&P Global uses eBPF through Cilium for networking across multiple clouds and on-prem.

  • Shopify

    Shopify uses eBPF through Falco for intrusion detection.

  • Cloudflare

    Cloudflare uses eBPF for network security, performance monitoring, and network observability.

Why eBPF?

  • Performance

    eBPF drastically improves processing by being JIT compiled and running directly in the kernel.

  • Security

    eBPF programs are verified to not crash the kernel and can only be modified by privileged users.

  • Flexibility

    Modify or add functionality and use cases to the kernel without having to restart or patch it.

eBPF has resulted in a new generation of tooling that allows developers to easily diagnose problems, innovate quickly, and extend operating system functionality.
Mark Russinovich, Chief Technology Officer at Microsoft Azure, 2021

What’s possible with eBPF?

  • Networking

    Speed packet processing without leaving kernel space. Add additional protocol parsers and easily program any forwarding logic to meet changing requirements.

  • Observability

    Collect and aggregate custom metrics in the kernel, and generate visibility events and data structures from a wide range of possible sources, without having to export samples.

  • Tracing & Profiling

    Attach eBPF programs to tracepoints as well as kernel and user application probe points, giving powerful introspection abilities and unique insights to troubleshoot system performance problems.

  • Security

    Combine visibility into and understanding of all system calls with a packet-level and socket-level view of all networking to create security systems that operate on more context with a better level of control.

eBPF Community Talks

BPF and Spectre: Mitigating transient execution attacks

Daniel Borkmann, Isovalent, Aug 20, 2021

BPF Internals

Brendan Gregg, Netflix, Jun 9, 2021

Advanced BPF kernel features for the container age

Daniel Borkmann, Isovalent, Feb 9, 2021

The Future of eBPF based Networking and Security

Thomas Graf, Isovalent, Nov 8, 2020

BPF as a Fundamentally Better Dataplane

Daniel Borkmann, Isovalent, Nov 8, 2020

BPF at Facebook

Alexei Starovoitov, Facebook, Dec 19, 2019

How to Make Linux Microservice-Aware with Cilium and eBPF

Thomas Graf, Isovalent, Mar 6, 2019