+4 votes
in Security by (242k points)
BPF? What is Berkeley Packet Filter?

1 Answer

+5 votes
by (1.6m points)
Best answer

How does the Berkeley Packet Filter work?
Berkeley Filter Advantages
Program filters with BPF
The eBPF Security Checker


BPF? What is Berkeley Packet Filter?

The Berkeley Packet Filter (BPF) or Berkeley Filter can be useful for all Unix-like operating systems such as Linux. The main task of this? Virtual machine for special purposes? developed in 1992 is to filter data packets from networks and integrate them into the kernel of the operating system. The BPF forms a security layer interface of the data unit or programs. These security layers have the function of guaranteeing the reliable transmission of data packets and regulating access to these packets.

If one of these data packets reaches the recipient, the BPF reads the data from the security layers of the packet and looks for errors. In this way, the recipient can resolve them. It also allows you to compare the data with the filter definitions and thus accept or reject a packet that is not considered relevant. This can save a lot of computing power..

  1. How does the Berkeley Packet Filter work?
  2. Berkeley Filter Advantages
  3. Program filters with BPF
  4. The eBPF Security Checker

How does the Berkeley Packet Filter work?

To perform its functions, the Berkeley Packet Filter was integrated as a machine code interpreter within a virtual machine. As a result, the BPF executes instructions in a predefined format . As an interpreter, Berkeley Filter reads the source files, parses them, and executes their instructions successively. Translate the instructions into machine code to allow direct execution.

Berkeley Filter uses system calls ( SysCalls) , which are calls to specific system functions, ready to be used, to make requests to the operating system kernel, also called the kernel. This is responsible for verifying the access rights before confirming or rejecting the request. Among the roughly 330 Linux SysCalls are the following:

  • read - Read permission, with which a file can be read
  • write - Write permission, to write to a file
  • open - Permission to open files or devices
  • close - Permission for files or devices
  • stat - Retrieve the status of a file

As the BPF is in constant development, today it functions as a universal and virtual machine directly at the core of the operating system, where all the processing and organization of data takes place. With many new features, the filter is known as Extended BPF or by its abbreviation eBPF. With this, you can run any intermediate code (bytecode) safely and at runtime ( just in time compilation ) directly in the operating kernel. Extended BPF works in the operating kernel within a sandbox and is therefore protected. This sandbox, also known as a sandbox , helps minimize the risk that the system will negatively affect the logic of the operating kernel..


The Berkeley Filter can operate in both kernel mode (maximum access to machine resources) and user mode (limited access to machine resources).

Berkeley Filter Advantages

EBPF lets you filter data packets to prevent irrelevant data from slowing down your PC's performance. Thus, unusable or faulty data records can be rejected or repaired from the start. In addition, Extended BPF provides increased security with system calls by allowing you to easily measure performance or track system calls..

In 2007 the implementation of BPF was extended with the Zero Copy buffer extensions . These extensions allow device drivers to save received data packets directly into the program without having to copy the data first.

Program filters with BPF

In user mode, individual filters can be defined for the Berkeley Filter interface at any time. Previously, the corresponding codes were written by hand and translated into a BPF byte code. Nowadays, thanks to the Clang LLVM Compiler, bytecodes can be compiled directly.

The operating kernel libraries also contain sample programs that simplify the definition of eBPF programs. There are also several helper functions that will make your task easier.

The eBPF Security Checker

The implementation of the system calls in the kernel is always some risks associated with safety and stability. Before an eBPF system call is loaded, it must pass a series of checks:

  1. First, the system checks if the system call has ended and does not contain loops. This could cause kernel failure. The program's control flow chart verifies that there are no unreachable instructions that are not loaded later.
  2. Before and after an instruction is executed, the status of the eBPF system call is checked . This ensures that the Extended BPF only operates within the allowed ranges and does not access data outside of the sandbox. For this, it is not necessary to check each route individually. Usually it is enough to check some of them.
  3. Finally, the SysCall type is also configured . This step is important to restrict which kernel functions can be called and what data structures can be accessed from SysCall. In this way, you can use system calls that directly access network packets.

The types of SYSCALL have these four functions about: where you can attach the program, which functions help the kernel can be accessed if direct access to the packet data network or not, and what type of object passes with priority on a system call.

Currently, the following eBPF SysCall types are supported by the kernel: