The State of eBPF: Exploring eBPF Evolution, Use Cases, Challenges and Future
March 12, 2024

Thomas Graf
eBPF Foundation

eBPF is a technology that allows users to run custom programs inside the Linux kernel, which changes the behavior of the kernel and makes execution up to 10x faster and more efficient for key parts of what makes our computing lives work. That includes observability, which enables engineers to see where a system is going wrong and find fixes faster; networking, which involves everything from how fast emails move to how fast computation occurs; to security, which keeps our digital lives and infrastructure safer from cyber threats.

The eBPF Foundation has released a publication titled The State of eBPF, a qualitative research report that covers the evolution of eBPF, the revolution it created, what's being built with it today, challenges, and where the technology is heading. The report provides valuable insight into how to make the most of what eBPF offers currently, plans for the future, and how stakeholders can get involved with the project to help eBPF continue to improve. Read on for key insights from the report to learn more about eBPF and how it can impact the way you develop applications.

About eBPF

The innovation of eBPF means companies need less hardware to achieve better performance and they consume less power to perform the same functionality. That makes operations more cost efficient, energy efficient, and sustainable, which is increasingly required to meet shareholder, consumer and community expectations.

eBPF was Linux only until recently. In 2021, Microsoft created the eBPF for Windows project to allow eBPF programs to run on top of the Windows OS. This laid the groundwork for eBPF to be standardized as an industry-wide infrastructure language. With a unified underlying infrastructure, companies can innovate however they want on top without risk of becoming locked in to one OS or the other.

This lack of vendor lock-in — from the browser to the database to the cloud — has historically spurred increased innovation, competition in terms of cost and performance, and is a bedrock tenet of the open source ethos that drives both Linux and eBPF.

eBPF is like a virtual machine in the Linux kernel. With eBPF, a developer writes eBPF instructions to run small specialized programs. They go to an eBPF "verifier," which checks to make sure the program is safe to add to the kernel and won't introduce bugs or crash the kernel. The program is JIT-compiled into machine code that gets executed and attached to event targets, which means the program is activated by an event, such as a file opening.

eBPF Adoption

For more than five years, eBPF has been operating on millions of devices and servers worldwide. Most people are already impacted by what companies do with it — and they probably don't know it.

Many of the US hyperscalers — Meta, Google, Netflix — use eBPF in production. Every Android phone uses eBPF to monitor traffic. Every single packet that goes in and out of a Facebook datacenter is touched by eBPF. Companies in myriad industries, including software, cloud services, financial services, telco, media and entertainment, ecommerce, consulting, and security, are increasingly using eBPF technology to do more, faster, saving time and money and increasing performance. 

Of course hyperscalers and big companies have what most companies do not have: teams of software engineers. To spread eBPF into more enterprises, open source software projects arose to make the technology consumable out-of-the box.

Here's a breakdown of three major use cases, for eBPF in production:

eBPF Use Case 1: Observability

For many companies, observability is where eBPF first took off and has had its biggest impact. With greater observability in distributed systems that might involve tens, hundreds, or thousands of servers, companies can more easily and fully know where the system is spending its time. They can see for example, where bottlenecks are occurring, how fast CPUs are working, where they're spinning cycles, and where to find, more quickly, what piece of code may be malfunctioning. By attaching eBPF programs to events like a file opening, users get metrics that provide amazing visibility into what's happening in the system.

eBPF Use Case 2: Networking

Networking is a great example of how eBPF adds speed and performance. Many parts of the Linux networking stack were written decades ago when IPs and port ranges could be tracked on spreadsheets rather than changing with every container. eBPF enables programmers to rewrite the networking stack, only leverage the needed parts, or skip it completely to save time and processing power. By bypassing things that are not needed or rewriting functionality based on new methods of building software, networking performance dramatically improves.

eBPF Use Case 3: Security

eBPF enables enhanced observability making it easier to spot and prevent security attacks, including those within the kernel as well as throughout Kubernetes and cloud native environments. eBPF also pushes security enforcement policies into distributed environments so they get implemented in real time. If a vulnerability occurs in the kernel, for instance, fast fixes can occur via eBPF without altering the kernel code, allowing for security updates on the fly.

While eBPF is already widely deployed, it is still at the beginning of the large wave of innovation it will unlock.

No doubt, eBPF will become an essential layer in the new cloud native infrastructure stack, impacting the observability, performance, reliability, networking, and security of all applications. Platform engineers will cobble together eBPF-powered infrastructure building blocks to create platforms that developers then deploy software on. These platforms will add business logic to the mix, replacing aging Linux kernel internals that cannot keep up with today's digital and, increasingly, cloud native world. 

Thomas Graf is Governing Board Chair of the eBPF Foundation
Share this

Industry News

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.

April 10, 2024

Buildkite signed a multi-year strategic collaboration agreement (SCA) with Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud, to accelerate delivery of cloud-native applications across multiple industries, including digital native, financial services, retail or any enterprise undergoing digital transformation.

April 10, 2024

AppViewX announced new functionality in the AppViewX CERT+ certificate lifecycle management automation product that helps organizations prepare for Google’s proposed 90-day TLS certificate validity policy.

April 09, 2024

Rocket Software is addressing the growing demand for integrated security, compliance, and automation in software development with its latest release of Rocket® DevOps, formerly known as Aldon®.

April 09, 2024

Wind River announced the latest release of Wind River Studio Developer, an edge-to-cloud DevSecOps platform that accelerates development, deployment, and operation of mission-critical systems.

April 09, 2024

appCD announced its generative infrastructure from code solution now supports Azure Kubernetes Service (AKS).

April 09, 2024

Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.

April 09, 2024

DataStax announced innovative integrations with API extensions to Google Cloud’s Vertex AI Extension and Vertex AI Search, offering developers an easier time leveraging their own data.

April 08, 2024

Parasoft introduced C/C++test CT, a comprehensive solution tailored for large teams engaged in the development of safety- and security-critical C and C++ products.

April 08, 2024

Endor Labs announced a strategic partnership with GuidePoint Security.

April 08, 2024

Hasura announced the V3 of its platform, providing on-demand API composability with a new domain-centric supergraph modeling framework, a distributed supergraph execution engine and a rich and extensible ecosystem of open source connectors to address the challenges faced during integration of data and APIs.

April 04, 2024

DataStax has entered into a definitive agreement to acquire AI startup, Logspace, the creators of Langflow, an open source visual framework for building retrieval-augmented generation (RAG) applications.1