Microsoft Launches Open Source Project to Port eBPF to Windows
Is it possible to run Linux eBPF (extended Berkeley Packet Filter) on Windows? If you're using Windows Subsystem for Linux (WSL) 2.0, the answer is of course yes: with WSL, you're running a Linux kernel on top of Windows 10. But can eBPF run in a Windows-native way? So far, the answer has been no. That situation will soon change, however. Microsoft announced on May 10 that it has launched an open-source project to enable eBPF to run on Windows 10, Windows Server 2016, and later versions.
The project is called eBPF for Windows. With it, Windows developers will be able to use the eBPF toolchain and APIs on existing versions of Windows. This is no small task, but it should be achievable by building on work others have already done. The project aims to add "glue" to several existing eBPF-related open source projects so that they can run on Windows.
Is there a need for this? Linux developers probably know the answer, but Windows developers may not yet. Here is the background.
The story begins with a packet-filtering program called BPF (Berkeley Packet Filter), created nearly 30 years ago. Its design performs network packet capture and filtering on a virtual register machine. It was useful, but over time Linux developers realized that updating BPF into eBPF for modern processors, and allowing user-supplied programs to run inside the kernel, would be far more powerful. Alexei Starovoitov, a kernel developer and software engineer at Facebook, recognized this, and once eBPF was included in version 3.15 of the Linux kernel, programmers quickly began using it in all sorts of programs.
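To make the "filtering on a virtual register machine" design concrete, here is an added example that is not part of the article and has nothing to do with Microsoft's project: a toy interpreter for a small subset of classic BPF (load halfword/byte at an absolute offset, jump-if-equal, return), using the same instruction layout and opcode values as the classic encoding. The filter program is the familiar "accept only IPv4 TCP" filter; the Ethernet frames it runs over are constructed inline, not captured traffic. The interpreter fails closed on out-of-bounds loads and unknown opcodes, which is the run-time counterpart of what the in-kernel verifier checks before a program is ever loaded.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Instruction layout of classic BPF (same fields as struct sock_filter). */
struct cbpf_insn {
    uint16_t code;  /* opcode */
    uint8_t  jt;    /* jump offset if the comparison is true */
    uint8_t  jf;    /* jump offset if it is false */
    uint32_t k;     /* immediate: packet offset, constant, or return value */
};

/* Opcode classes and modes from the classic BPF encoding; only the subset this toy VM runs. */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_ABS  0x20
#define BPF_JEQ  0x10
#define BPF_K    0x00

/* Run a filter program over one packet. The return value is the number of bytes
 * to accept (0 means drop, 0xffffffff means the whole packet). A load past the
 * end of the packet, an unknown opcode, or running off the end of the program
 * fails closed and returns 0; a real verifier rejects such programs at load time. */
uint32_t cbpf_run(const struct cbpf_insn *prog, size_t prog_len,
                  const uint8_t *pkt, size_t pkt_len)
{
    uint32_t A = 0;   /* the accumulator register */
    size_t pc = 0;
    while (pc < prog_len) {   /* jumps are forward-only, so this always terminates */
        const struct cbpf_insn *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_H | BPF_ABS:      /* A = big-endian halfword at pkt[k] */
            if (pkt_len < 2 || in->k > pkt_len - 2) return 0;
            A = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            pc++;
            break;
        case BPF_LD | BPF_B | BPF_ABS:      /* A = byte at pkt[k] */
            if (pkt_len < 1 || in->k > pkt_len - 1) return 0;
            A = pkt[in->k];
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:     /* pc += 1 + (A == k ? jt : jf) */
            pc += 1 + (A == in->k ? in->jt : in->jf);
            break;
        case BPF_RET | BPF_K:               /* accept k bytes of the packet */
            return in->k;
        default:                            /* unsupported instruction: drop */
            return 0;
        }
    }
    return 0;
}

/* "ip and tcp": check the EtherType at offset 12, then the IPv4 protocol byte at offset 23. */
const struct cbpf_insn ip_and_tcp_filter[] = {
    { BPF_LD  | BPF_H   | BPF_ABS, 0, 0, 12     },  /* ldh [12]          EtherType   */
    { BPF_JMP | BPF_JEQ | BPF_K,   0, 3, 0x0800 },  /* jeq #0x0800, L1, DROP          */
    { BPF_LD  | BPF_B   | BPF_ABS, 0, 0, 23     },  /* L1: ldb [23]      IP protocol */
    { BPF_JMP | BPF_JEQ | BPF_K,   0, 1, 6      },  /* jeq #6 (TCP), ACCEPT, DROP     */
    { BPF_RET | BPF_K,             0, 0, 0xffffffffu }, /* ACCEPT: whole packet      */
    { BPF_RET | BPF_K,             0, 0, 0      },  /* DROP                           */
};

uint32_t run_ip_and_tcp(const uint8_t *pkt, size_t pkt_len)
{
    return cbpf_run(ip_and_tcp_filter,
                    sizeof ip_and_tcp_filter / sizeof ip_and_tcp_filter[0], pkt, pkt_len);
}

/* Constructed sample frames (not real captures): 14-byte Ethernet header followed by a
 * minimal 20-byte IPv4 header, so the protocol byte sits at offset 23. */
#define ETH_HDR(type_hi, type_lo) \
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, type_hi, type_lo
#define IPV4_HDR(proto) \
    0x45,0x00,0x00,0x14, 0x00,0x00,0x40,0x00, 0x40,proto,0x00,0x00, 10,0,0,1, 10,0,0,2

const uint8_t sample_tcp[]       = { ETH_HDR(0x08, 0x00), IPV4_HDR(6)  };
const uint8_t sample_udp[]       = { ETH_HDR(0x08, 0x00), IPV4_HDR(17) };
const uint8_t sample_arp[]       = { ETH_HDR(0x08, 0x06), 0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01 };
const uint8_t sample_truncated[] = { ETH_HDR(0x08, 0x00) };  /* IPv4 EtherType but no IP header */

int main(void)
{
    printf("tcp       -> %u\n", run_ip_and_tcp(sample_tcp, sizeof sample_tcp));
    printf("udp       -> %u\n", run_ip_and_tcp(sample_udp, sizeof sample_udp));
    printf("arp       -> %u\n", run_ip_and_tcp(sample_arp, sizeof sample_arp));
    printf("truncated -> %u\n", run_ip_and_tcp(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

Only the TCP frame returns a non-zero accept length; the truncated frame is dropped because the load at offset 23 would read past the packet, which is exactly the class of bug the kernel's verifier exists to stop before a program ever runs.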
eBPF remains very powerful today for filtering, analyzing and managing networks, but it is also used for many other tasks, such as system call filtering and process context tracing. In short, it's a Swiss Army knife for tracing, system profiling, and low-level custom metric collection and aggregation. At a higher level, eBPF is therefore the foundation for security tools such as Cilium, Falco, and Tracee, Kubernetes monitoring tools such as Hubble and Pixie, and toolchains such as Clang.
This project is not a fork of eBPF. It simply adds a Windows-specific hosting environment for eBPF.
Most importantly, it lets Windows developers use eBPF programs, bringing source-code-level compatibility between Windows and Linux, in part through the libbpf API.
Some eBPF code relies on Linux-specific internal data structures, so naturally there are cases where it cannot be used on Windows. However, many other APIs and hooks could be shared across platforms. Linux developers already have a great deal of power with eBPF; now Windows developers will have it too.
This article was originally published by Red Ventures and edited by Asahi Interactive for Japan.