weBPF: Making eBPF Multi-Tenant Compatible

eBPF is a popular Linux kernel API that enables the extension of the kernel with custom functionality. It can be used to monitor user space applications [1], enforce custom security policies [2], and, most importantly to us, it is able to intercept, alter, and redirect network traffic [3, 4]. Because eBPF runs right in the kernel, many applications show significant performance benefits over traditional approaches.
Extending the Linux kernel with custom functionality is not new, though. In fact, the Linux kernel heavily relies on loadable kernel modules (LKMs) to implement, e.g., device drivers. However, eBPF is much simpler to use and becomes more powerful with every release.

But eBPF has one major limitation: it is not multi-tenant compatible, making it impractical to use in VMs. More specifically, if you deploy an eBPF program on the guest kernel, then you get no performance benefits. If you deploy an eBPF program to the host kernel, then you get access to other tenants’ resources.

This thesis examines the requirements for making eBPF, and its networking applications in particular, multi-tenant compatible. The ultimate goal is to design an architecture that enables safe and efficient offloading of eBPF programs from a guest to the host kernel.

Milestones

  • Get familiar with eBPF and what it is being used for in industry/academia.
  • Implement a proof-of-concept system that handles one or two such use cases.
  • Benchmark your architecture under various loads.

Requirements

  • Experience with low-level programming or network programming
  • Programming languages: C and Rust
  • Critical and independent thinking

References

  1. Falco
  2. Why is the kernel community replacing iptables with BPF?
  3. HEELS: A Host-Enabled eBPF-Based Load Balancing Scheme
  4. Electrode: Accelerating Distributed Protocols with eBPF

Supervisors