A fun detail of this work is that it uses a formal-methods-based verifier (designed outside of Microsoft) that accepts a wider range of programs than does the Linux verifier, which is itself kind of nightmare fuel.

https://vbpf.github.io/assets/prevail-paper.pdf

The verifier in this paper also has some biting limitations; for instance, you can't resize a packet in it, because they don't account for pointer invalidation. I wonder whether they've since implemented these verifier features, since they'd be problematic for compatibility otherwise.

Additionally, the PREVAIL paper explicitly doesn't verify program termination, which is kind of a dealbreaker for kernel BPF.
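The two soundness rules raised in the comment above (packet pointers must be invalidated after a resize, and the program must provably terminate) can be illustrated with a tiny abstract interpreter. This is an added example, not code from the thread, from PREVAIL or from the Linux verifier: the instruction set, the `generation` counter and the `track_invalidation` switch are constructed for the illustration. The `adjust_head` op stands in for a resizing helper such as `bpf_xdp_adjust_head`, but its semantics here are a deliberate simplification; the instruction budget is a stand-in for a real termination analysis.

```python
"""Toy verifier for an eBPF-like instruction set (constructed example).

Instructions are tuples:
  ("load_pkt", reg)      reg := pointer to packet start, derived from ctx
  ("read", reg)          dereference reg; reg must hold a currently valid packet pointer
  ("adjust_head",)       helper that may move or reallocate the packet buffer
  ("jump_back", target)  unconditional backward jump (a loop)
  ("exit",)              program returns

A verifier that tracks invalidation rejects a read through a pointer
derived before an adjust_head; one that does not tracks it accepts the
stale read. A bounded instruction budget rejects programs that never exit.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


class VerifierError(Exception):
    """Raised when the program is rejected."""


@dataclass
class RegState:
    kind: str         # "scalar" or "pkt"
    generation: int   # packet-buffer generation the pointer was derived from


def verify(program: List[Tuple], track_invalidation: bool = True,
           max_insns: int = 1000) -> bool:
    """Return True if the program is accepted; raise VerifierError otherwise."""
    regs: Dict[int, RegState] = {r: RegState("scalar", 0) for r in range(10)}
    generation = 0        # bumped every time the packet buffer may have moved
    pc = 0
    executed = 0
    while True:
        if pc >= len(program):
            raise VerifierError("fell off the end of the program")
        if executed >= max_insns:
            # Stand-in for a termination proof: a loop that never exits
            # exhausts the budget. Real verifiers reason about loop bounds instead.
            raise VerifierError("instruction budget exceeded: possible non-termination")
        executed += 1
        op, *args = program[pc]
        if op == "load_pkt":
            regs[args[0]] = RegState("pkt", generation)
        elif op == "read":
            st = regs[args[0]]
            if st.kind != "pkt":
                raise VerifierError(f"r{args[0]} is not a packet pointer")
            if track_invalidation and st.generation != generation:
                raise VerifierError(f"r{args[0]} refers to a stale packet buffer")
        elif op == "adjust_head":
            generation += 1   # every existing packet pointer is now suspect
        elif op == "jump_back":
            pc = args[0]
            continue
        elif op == "exit":
            return True
        else:
            raise VerifierError(f"unknown op {op}")
        pc += 1


def check(program: List[Tuple], **kwargs) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, reason)."""
    try:
        return verify(program, **kwargs), "ok"
    except VerifierError as e:
        return False, str(e)


# Constructed sample programs.
STALE_READ = [("load_pkt", 1), ("adjust_head",), ("read", 1), ("exit",)]
RE_DERIVED = [("load_pkt", 1), ("adjust_head",), ("load_pkt", 1), ("read", 1), ("exit",)]
INFINITE_LOOP = [("load_pkt", 1), ("jump_back", 0)]

if __name__ == "__main__":
    print("stale read, invalidation tracked:  ", check(STALE_READ))
    print("stale read, invalidation ignored:  ", check(STALE_READ, track_invalidation=False))
    print("re-derived pointer after resize:   ", check(RE_DERIVED))
    print("unbounded loop:                    ", check(INFINITE_LOOP))
```

The interesting comparison is the first two lines of output: the same program is rejected when pointer invalidation is modelled and accepted when it is not, which is exactly the gap between a verifier that knows about resizing helpers and one that does not.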
Here is a recent comment from Dropbox engineers about the state of tracing tooling on Linux compared to Windows: https://dropbox.tech/infrastructure/boosting-dropbox-upload-speed#debugging-with-microsoft

Is their assessment correct? If so, how come we got DTrace in 2019 and now eBPF ported to Windows? Are they trying to consolidate all tooling into one platform?
Wow, I'm really stoked to see this!

This could be a game-changer for the infosec community in particular - now, if you want to get into internals, such as tracing file system and registry calls, you've got to write drivers. And drivers are very tricky to write, and it's very easy to miss corner cases - which can result in the dreaded BSOD. Plus, drivers need to go through a verification and signing process by Microsoft.

Having access to that capability from user-mode, *without* having to write drivers... that would be amazing.
Great news, I'm looking forward to analyzing performance on Windows with BPF! Given that PerfView and WPA also got flame graphs, it'll start to feel like home. :-)
I admittedly have only an extremely cursory knowledge of these sorts of technologies, but how does eBPF compare to NDIS filters and WFP filters? The biggest reason I could imagine for this is easier portability of existing eBPF applications.
Pretty cool, but let's not fool ourselves. Recall history or why Microsoft is doing this. This is a long-term strategy.

https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguish
Microsoft is really being bold about adopting open tech to improve its bottom line (Azure now runs more Linux VMs than Windows ones), and now with eBPF. Truly a new and different Microsoft.