Microsoft has prepared an implementation of eBPF for Windows

Microsoft has published an implementation of the eBPF subsystem for Windows that lets user-supplied handlers run at the operating system kernel level after they have passed verification. eBPF provides a bytecode interpreter built into the kernel, through which user-space applications load handlers for network operations, access control and system monitoring. eBPF has been part of the Linux kernel since release 3.18 and is used to process incoming and outgoing network packets, forward packets, control bandwidth, intercept system calls, enforce access control and perform tracing. Thanks to JIT compilation, the bytecode is translated into machine instructions on the fly and runs with the performance of compiled code. The source code of eBPF for Windows is open under the MIT license.

eBPF for Windows can be used with existing eBPF tools and exposes the same generic API that Linux eBPF applications use. Among other things, the project allows C code to be compiled into eBPF bytecode with the usual Clang-based eBPF toolchain and lets eBPF handlers already written for Linux run on top of the Windows kernel; a dedicated compatibility layer supports the standard libbpf API, so that applications that interact with eBPF programs can be ported. This includes layers that provide Linux-like hooks for XDP (eXpress Data Path) and socket bind, abstracting access to the network stack and to Windows network drivers. Among the plans is full source-level compatibility with typical Linux eBPF handlers.
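As an added example (not code from the article or from the eBPF for Windows project), here is a small XDP program of the kind the paragraph describes: C source that Clang compiles to eBPF bytecode, written with the explicit bounds checks a verifier needs before it will accept a packet-parsing program. The helper header name `bpf_helpers.h`, the host-side `xdp_md` layout used for native testing, the choice of UDP port 53 as the blocked port, and the sample frames are all assumptions; the frames are constructed in the code, not captured traffic.

```c
// Added example, not code from the article or from the eBPF for Windows project.
// An XDP filter that drops inbound UDP datagrams to one port, written in the
// bounds-checked style the verifier requires. Under `clang -target bpf` it
// builds as an eBPF object; on a host compiler the stubs below replace the
// helper header so the packet logic can be unit-tested natively.
#include <stddef.h>
#include <stdint.h>

#ifdef __bpf__
// Assumption: the project's helper header (SEC macro, xdp_md, XDP_* codes) is on
// the include path, e.g. clang -O2 -target bpf -I<include dir> -c xdp_drop.c.
#include "bpf_helpers.h"
#else
// Host stubs. This xdp_md layout is an assumption for native testing only.
#define SEC(name)
struct xdp_md { void *data; void *data_end; uint64_t data_meta; uint32_t ingress_ifindex; };
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };
#endif

// Minimal wire-format headers, defined here so the file has no OS dependencies.
struct ethhdr { uint8_t dst[6]; uint8_t src[6]; uint16_t proto; } __attribute__((packed));
struct iphdr  { uint8_t vhl; uint8_t tos; uint16_t len; uint16_t id; uint16_t frag;
                uint8_t ttl; uint8_t proto; uint16_t csum; uint32_t saddr; uint32_t daddr; } __attribute__((packed));
struct udphdr { uint16_t sport; uint16_t dport; uint16_t len; uint16_t csum; } __attribute__((packed));

#define ETH_P_IP     0x0800
#define IPPROTO_UDP  17
#define BLOCKED_PORT 53   // example policy: drop inbound DNS

// Network byte order <-> host byte order (eBPF objects on x86 are little-endian).
static inline uint16_t be16(uint16_t v)
{
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
    return (uint16_t)((v << 8) | (v >> 8));
#else
    return v;
#endif
}

SEC("xdp")
int xdp_drop_udp_port(struct xdp_md *ctx)
{
    uint8_t *data = (uint8_t *)ctx->data;
    uint8_t *end  = (uint8_t *)ctx->data_end;

    // Every header access is preceded by a comparison against data_end;
    // without it the verifier rejects the program as a possible out-of-bounds read.
    struct ethhdr *eth = (struct ethhdr *)data;
    if ((uint8_t *)(eth + 1) > end) return XDP_PASS;
    if (be16(eth->proto) != ETH_P_IP) return XDP_PASS;

    struct iphdr *ip = (struct iphdr *)(eth + 1);
    if ((uint8_t *)(ip + 1) > end) return XDP_PASS;
    if (ip->proto != IPPROTO_UDP) return XDP_PASS;

    // IPv4 options make the header variable-length: honour IHL, then re-check bounds.
    uint32_t ihl = (uint32_t)(ip->vhl & 0x0f) * 4u;
    if (ihl < sizeof(struct iphdr)) return XDP_DROP;   // malformed header
    struct udphdr *udp = (struct udphdr *)((uint8_t *)ip + ihl);
    if ((uint8_t *)(udp + 1) > end) return XDP_PASS;

    return be16(udp->dport) == BLOCKED_PORT ? XDP_DROP : XDP_PASS;
}

#ifndef __bpf__
#include <stdio.h>
#include <string.h>

// Constructed Ethernet/IPv4/UDP frame (sample data, not real traffic); returns its length.
static size_t build_udp_frame(uint8_t *buf, uint16_t dport)
{
    struct ethhdr *eth = (struct ethhdr *)buf;
    memset(eth, 0, sizeof *eth);
    eth->proto = be16(ETH_P_IP);
    struct iphdr *ip = (struct iphdr *)(eth + 1);
    memset(ip, 0, sizeof *ip);
    ip->vhl = 0x45;                     // IPv4, 20-byte header
    ip->proto = IPPROTO_UDP;
    ip->len = be16((uint16_t)(sizeof *ip + sizeof(struct udphdr)));
    struct udphdr *udp = (struct udphdr *)(ip + 1);
    memset(udp, 0, sizeof *udp);
    udp->dport = be16(dport);
    return sizeof *eth + sizeof *ip + sizeof *udp;
}

// Runs the filter over a constructed frame to `dport`; if `truncate_to` is
// nonzero and shorter than the frame, the frame is cut to that many bytes.
int verdict_for(uint16_t dport, size_t truncate_to)
{
    uint8_t buf[64];
    size_t len = build_udp_frame(buf, dport);
    if (truncate_to && truncate_to < len) len = truncate_to;
    struct xdp_md ctx = { buf, buf + len, 0, 0 };
    return xdp_drop_udp_port(&ctx);
}

int main(void)
{
    printf("UDP/53    -> %s\n", verdict_for(53, 0)  == XDP_DROP ? "DROP" : "PASS");
    printf("UDP/443   -> %s\n", verdict_for(443, 0) == XDP_PASS ? "PASS" : "DROP");
    printf("truncated -> %s\n", verdict_for(53, 20) == XDP_PASS ? "PASS" : "DROP");
    return 0;
}
#endif
```

The same file built with `clang -O2 -target bpf` produces the eBPF object; the `#else` branch exists only so the parsing logic can be exercised natively. Note that a truncated frame is passed rather than dropped here: the filter only claims authority over datagrams it could fully parse, and the explicit `> end` checks are exactly what a verifier, Linux or Windows, uses to prove that no read reaches past the packet.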


The key difference of the Windows implementation is the use of an alternative bytecode verifier (PREVAIL), originally proposed by VMware engineers together with researchers from Canadian and Israeli universities. The verifier runs in a separate isolated user-space process and is applied to every BPF program before it is executed, to detect errors and reject programs that could behave maliciously (for example, by reading or writing memory outside the bounds they are allowed to touch).

For verification, eBPF for Windows uses static analysis based on abstract interpretation, which, compared to the Linux eBPF verifier, has a lower false-positive rate (fewer safe programs are rejected), supports analysis of loops, and scales well. The method takes into account many typical execution patterns obtained from analysing existing eBPF programs.

After verification, the bytecode is either handed to a kernel-level interpreter or passed through a JIT compiler, and the resulting machine code is executed with kernel privileges. To isolate eBPF handlers at the kernel level, the HVCI (Hypervisor-enforced Code Integrity) mechanism is used; it relies on virtualization to protect kernel code and verifies the integrity of the code being executed by digital signature. The limitation is that HVCI can only cover interpreted eBPF programs and cannot be used together with the JIT, because code generated at run time carries no signature that HVCI could check; the user therefore has to choose between performance and the additional protection.

Source: opennet.ru
