Fusing Linux’s eBPF with Windows

eBPF is now operable on other operating system other than Linux - Windows


History has it that on May 10, 2021, Microsoft announced the release of a new project that brings eBPF open source projects to Windows 10, Windows Server 2016, and eventual versions.

Linux eBPF on Windows
Linux eBPF on Windows
Key Facts
  1. 1

    Microsoft Windows becomes the 2nd operating system to host eBPF, the first being Linux.

  2. 2

    The ebpf-for-windows project's long-term blueprint is to bring IOVisor uBPF project and several existing eBPF projects to Windows.

  3. 3

    At the moment, socket binding and eXpress data path (XDP) remain the only two hooks available on eBPF for Windows


The acronym eBPF may come off as strange to some people, especially if they have been paying less attention to cloud native communities, Linux operating system-related posts. It has been the buzz on many conference schedules in recent years, and now it has its own conference.

Extended Berkeley Packet Filter (eBPF), also known as “God's Own Nectar,” is a popular, unique innovation that provides networking, application profiling, security, and performance troubleshooting.

eBPF debuted on December 19, 1992, developed by Steven McCanne and Van Jacobson. eBPF is an extension and a kernel-mode BPF; this started with Linux in its version 3.18. Since then, a significant amount of software and tools have taken their roots or essence around eBPF.

eBPF logo eBPF logo

The eBPF community recognizes the Linux Kernel as the first OS to implement its projects; many other operating systems have plans laid out to bring eBPF to their platforms.

Not only does eBPF nowadays stand out in network filtering, analysis, and management, it extends far beyond these utility reach. Process context tracing and system call filtering are some of the capabilities developers and operators enjoy with eBPF. It’s evolved into a versatile player that can be suitable for system profiling, collecting, programming tracing, and aggregating low-end personalized metrics. eBPF has made a name for itself; security programs like Tracee, Falco, and Cilium; Kubernetes-native programs like Hubble and Pixie, the Clang toolchain, and other toolchains.

In a blog post hosted by Dave Thaler, Partner Software Engineer, and Poorna Gaddehosur, colleague and Principal Software Engineer Lead at Microsoft, Microsoft stated that “The ebpf-for-windows project aims to allow developers to use familiar eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows. Building on the work of others, this project takes several existing eBPF open source projects and adds the “glue” to make them run on Windows.”

The long-term blueprint starts with a new open source project that lines eBPF up for integration with Windows 10 and Windows Server 2016. Subsequently, the expansion will make other eBPF open source projects like the IOVisor uBPF project and the PREVAIL verifier compatible with Windows. eBPF programs go through refining in various languages before being compiled to eBPF bytecode.

The architecture of this project and related components. Image courtesy: https://github.com/Microsoft/ebpf-for-windows The architecture of this project and related components. Image courtesy: https://github.com/Microsoft/ebpf-for-windows

On Windows, this bytecode gets consumed utilizing a library that implements the Libbpf APIs, which is fused into a command-line tool.

There are only two hooks available in the ebpf-for-windows-project - XDP and socket bind. But with further development, more hooks, not just network hooks, will be added.

Get similar stories in your inbox weekly, for free

Is this news interesting? Share it with your followers

Latest stories

DevOps: Report on Devil's Practices by DORA

The report is drafted from a report release of the annual research and survey of …

Amazon Elasticsearch Gets a New Version With Name Deprecated

Accompanied by new advancements is Amazon OpenSearch, the same body of code as its predecessor, …

McAfee Partners With IBM Security to Deliver TD Synnex Security Solution

The MVISION platform and Security wing of IBM's partnership endgame are to extend increased protection …

Amazon MSK Connect Launched to Better Apache Kafka UX

Amazon follows up on its 2018 data streaming software, Amazon Managed Streaming for Apache Kafka, …

Cloud: Zone Redundant Storage Released on General Availability

The report is drafted from a press release of the Microsoft Azure team on the …

Security: IBM Traces Two-Thirds of Compromises to Misconfigured APIs

The report is drafted from a sweeping survey of dark web analysis and various X-Force …