Security News > 2021 > May > Microsoft's new project ports Linux eBPF to Windows 10, Server

Microsoft has launched a new open-source project that aims to add to Windows the benefits of eBPF, a technology first implemented in Linux that allows attaching programs in both kernel and user applications.

Microsoft's effort builds on the work of the eBPF community by adding a compatibility layer that turns existing eBPF open-source projects into submodules that can work on top of Windows 10 and Windows Server 2016 and later.

An architectural view of the project shows that an eBPF program can use toolchains to generate eBPF bytecode in a variety of languages so any application can use it and even be fed into the Windows Netsh command-line tool, with the help of a shared library.

As seen in the image above, Microsoft uses the PREVAIL eBPF verifier hosted in a user-mode protected process, and IO Visor's uBPF running in kernel-mode execution context, to check the legitimacy of the resulting bytecode and to execute an eBPF program on top of Windows.

"Similarly, the eBPF for Windows project exposes Libbpf APIs to provide source code compatibility for applications that interact with eBPF programs" - Microsoft.

The ebpf-for-windows project is still at the beginning and the long-term purpose is to "Bring the power of eBPF to Windows users" and to become part of the larger eBPF community that would also guide its development.

News URL

https://www.bleepingcomputer.com/news/security/microsofts-new-project-ports-linux-ebpf-to-windows-10-server/