Microsoft on Monday launched an open source project to make a Linux kernel tool known as eBPF, short for Extended Berkeley Packet Filter, work on Windows.
Inspired by network packet filtering and capture software dubbed Berkeley Packet Filter, eBPF is a register-based virtual machine designed to run bytecode for a custom 64-bit RISC-like instruction set, via just-in-time compilation, inside the Linux kernel. As such, eBPF programs are well suited to debugging and system analysis, such as tracing file system and registry calls.
Microsoft, having force fed Windows with Linux supplements in recent years, has moved on to embracing and extending Linux tooling. eBPF programs have proven useful on Linux for denial-of-service defense and system observability. And since there’s been interest in adapting the technology to other operating systems, Microsoft has decided to give the software a shot at Windows.
“The ebpf-for-windows project aims to allow developers to use familiar eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows,” said Dave Thaler, partner software engineer at Microsoft, and Poorna Gaddehosur, principal software engineer lead at Microsoft, in a blog post. “Building on the work of others, this project takes several existing eBPF open source projects and adds the ‘glue’ to make them run on Windows.”
Thaler and Gaddehosur say they’re announcing the project while it’s still in early stage development in order to promote collaboration with the eBPF community and to ensure compatibility on Windows.
They stress that they’re not forking eBPF. Rather, eBPF for Windows will rely on existing open source projects like the IOVisor uBPF project and the PREVAIL verifier to run eBPF programs on Windows using a Windows-specific hosting environment.
Windows devs will be able to use tools like clang to generate eBPF bytecode from source code that can be plugged into any application or used with the Windows netsh command line via a shared library that uses the Libbpf APIs. The library passes the eBPF bytecode through the PREVAIL static verifier within a Windows security environment that lets a kernel component trust a user-mode daemon signed with a trusted key. Approved bytecode can then be run.
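To make the two technical points above concrete (the register-based 64-bit VM from the second paragraph, and the verify-then-run pipeline described here), the following is an added example, not code from the article, from Microsoft's ebpf-for-windows project, or from uBPF or PREVAIL. It is a toy interpreter for a six-opcode subset of the real eBPF instruction encoding, preceded by a deliberately minimal static check that accepts or rejects a program before it is allowed to run. The opcode byte values and the 8-byte instruction layout are the real ones; the sample programs, the `check_program`/`run_program`/`load_and_run` names and the step bound are constructed for this example, and the check is nowhere near what PREVAIL or the Linux verifier actually prove (no type tracking, no memory-bounds reasoning).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One 64-bit eBPF instruction, laid out like the kernel's struct bpf_insn on a
 * little-endian host: opcode, dst:4 | src:4, signed 16-bit offset, 32-bit imm. */
struct ebpf_insn {
    uint8_t code;
    uint8_t regs;   /* low nibble = dst register, high nibble = src register */
    int16_t off;
    int32_t imm;
};
#define DST(i)  ((i).regs & 0x0f)
#define SRC(i)  ((i).regs >> 4)
#define R(d, s) ((uint8_t)(((s) << 4) | (d)))

/* Real opcode bytes from the eBPF instruction set (ALU64 and JMP classes). */
enum {
    OP_MOV64_K = 0xb7,  /* dst = imm               */
    OP_MOV64_X = 0xbf,  /* dst = src               */
    OP_ADD64_K = 0x07,  /* dst += imm              */
    OP_ADD64_X = 0x0f,  /* dst += src              */
    OP_JGT_K   = 0x25,  /* if dst > imm: pc += off */
    OP_EXIT    = 0x95   /* return r0               */
};
#define MAX_STEPS 4096   /* constructed hard bound on executed instructions */

/* Toy stand-in for the verifier step: known opcodes only, registers r0..r10,
 * r10 (frame pointer) is read-only, jumps stay inside the program, and the
 * program ends in exit. Returns 1 if accepted, 0 if rejected. */
int check_program(const struct ebpf_insn *p, size_t n)
{
    if (n == 0 || p[n - 1].code != OP_EXIT)
        return 0;
    for (size_t i = 0; i < n; i++) {
        switch (p[i].code) {
        case OP_MOV64_K: case OP_MOV64_X: case OP_ADD64_K:
        case OP_ADD64_X: case OP_JGT_K:   case OP_EXIT:
            break;
        default:
            return 0;                        /* unknown opcode */
        }
        if (DST(p[i]) > 10 || SRC(p[i]) > 10)
            return 0;                        /* no such register */
        if (p[i].code != OP_EXIT && DST(p[i]) == 10)
            return 0;                        /* r10 must not be written */
        if (p[i].code == OP_JGT_K) {
            long target = (long)i + 1 + p[i].off;
            if (target < 0 || (size_t)target >= n)
                return 0;                    /* jump leaves the program */
        }
    }
    return 1;
}

/* Interpreter for the subset above. r1 carries the argument (the context
 * pointer in a real hook); the return value is r0 at exit. Only call this on
 * a program that check_program accepted. */
uint64_t run_program(const struct ebpf_insn *p, size_t n, uint64_t r1)
{
    uint64_t r[11] = {0};
    r[1] = r1;
    size_t pc = 0;
    for (int steps = 0; pc < n && steps < MAX_STEPS; steps++) {
        struct ebpf_insn in = p[pc++];
        switch (in.code) {
        case OP_MOV64_K: r[DST(in)] = (uint64_t)(int64_t)in.imm;  break;
        case OP_MOV64_X: r[DST(in)] = r[SRC(in)];                 break;
        case OP_ADD64_K: r[DST(in)] += (uint64_t)(int64_t)in.imm; break;
        case OP_ADD64_X: r[DST(in)] += r[SRC(in)];                break;
        case OP_JGT_K:
            if (r[DST(in)] > (uint64_t)(int64_t)in.imm)
                pc = (size_t)((long)pc + in.off);
            break;
        case OP_EXIT:    return r[0];
        }
    }
    return r[0];
}

/* Constructed sample bytecode: r0 = r1 + 5; if r0 > 100 then r0 = 0; return r0. */
static const struct ebpf_insn clamp_prog[] = {
    { OP_MOV64_X, R(0, 1), 0, 0 },    /* r0 = r1                      */
    { OP_ADD64_K, R(0, 0), 0, 5 },    /* r0 += 5                      */
    { OP_JGT_K,   R(0, 0), 1, 100 },  /* if r0 > 100: skip next insn  */
    { OP_EXIT,    R(0, 0), 0, 0 },    /* return r0                    */
    { OP_MOV64_K, R(0, 0), 0, 0 },    /* r0 = 0                       */
    { OP_EXIT,    R(0, 0), 0, 0 },
};
#define CLAMP_LEN (sizeof clamp_prog / sizeof clamp_prog[0])

/* Constructed program that must be rejected: writes r10 and never exits. */
static const struct ebpf_insn bad_prog[] = {
    { OP_MOV64_K, R(10, 0), 0, 42 },
};

/* The article's load order: verify first, run only if accepted.
 * Returns (uint64_t)-1 when the program is rejected. */
uint64_t load_and_run(const struct ebpf_insn *p, size_t n, uint64_t arg)
{
    if (!check_program(p, n))
        return (uint64_t)-1;
    return run_program(p, n, arg);
}

int main(void)
{
    printf("clamp(10)  = %llu\n", (unsigned long long)load_and_run(clamp_prog, CLAMP_LEN, 10));
    printf("clamp(200) = %llu\n", (unsigned long long)load_and_run(clamp_prog, CLAMP_LEN, 200));
    printf("bad_prog accepted: %d\n", check_program(bad_prog, 1));
    return 0;
}
```

The point worth taking from the toy is the ordering: the interpreter never sees bytecode that the checker refused, which is the same trust boundary the article describes between the user-mode verifier and the kernel component that ultimately executes the program.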
The Microsoft engineers say the project aims to offer eBPF code compatibility using hooks and helpers that exist on both Linux and Windows.
“Linux provides many hooks and helpers, some of which are very Linux specific (using Linux internal data structs, for example) that would not be applicable to other platforms,” they said. “Other hooks and helpers are generically applicable, and the intent is to support them for eBPF programs.”
So far, two hooks – XDP and socket bind – have been added to handle events and communicate with helper APIs made available through the eBPF shim that wraps public Windows kernel APIs. There will be more in time, insist Thaler and Gaddehosur. ®