Microsoft has prepared an eBPF implementation for Windows

Microsoft has published an implementation of the eBPF subsystem for Windows, which makes it possible to run arbitrary handlers that operate at the operating system kernel level. eBPF provides a bytecode interpreter built into the kernel, which makes it possible to create handlers for network operations that are loaded from user space, to control access, and to monitor the operation of systems. eBPF has been part of the Linux kernel since release 3.18 and can be used to process incoming and outgoing network packets, forward packets, manage bandwidth, intercept system calls, control access, and perform tracing. Thanks to JIT compilation, the bytecode is translated on the fly into machine instructions and executed with the performance of compiled code. eBPF for Windows is open source under the MIT license.

eBPF for Windows can be used with existing eBPF tools and provides the generic API used by eBPF applications on Linux. Among other things, the project makes it possible to compile code written in C into eBPF bytecode using the standard Clang-based eBPF compiler and to run eBPF handlers already written for Linux on top of the Windows kernel. It does this by providing a special compatibility layer and by supporting the standard Libbpf API for compatibility with applications that interact with eBPF programs. This includes layers that provide Linux-like hooks for XDP (eXpress Data Path) and socket bind, abstracting access to the Windows network stack and network drivers. The plans include providing full source-level compatibility with standard Linux eBPF handlers.

The key difference of the eBPF for Windows implementation is its use of an alternative bytecode verifier, originally proposed by VMware employees and researchers from universities in Canada and Israel. The verifier runs in a separate, isolated user-space process and is applied before BPF programs are executed, in order to detect errors and block possible malicious activity.

For verification, eBPF for Windows uses a static analysis method based on Abstract Interpretation which, compared with the Linux eBPF verifier, shows a lower false positive rate, supports loop analysis, and scales well. The method takes into account many typical execution patterns obtained by analyzing existing eBPF programs.
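The following toy verifier illustrates the idea of abstract interpretation with loop analysis: it tracks an interval for each register, widens at loop heads so the analysis terminates, and accepts a program only if every buffer read is provably in bounds. It is an example added here, not code from eBPF for Windows or its verifier. The instruction set (`set`, `add`, `jge`, `jmp`, `load`), the register names and the sample programs are constructed for this illustration.

```python
import math
INF = math.inf  # states map register -> (lo, hi); None means "unreachable"

def join(a, b):
    if a is None or b is None:
        return b if a is None else a
    return {r: (min(a[r][0], b[r][0]), max(a[r][1], b[r][1])) for r in a}

def widen(old, new):  # push any still-growing bound to infinity so loops converge
    if old is None:
        return new
    return {r: (old[r][0] if old[r][0] <= new[r][0] else -INF,
                old[r][1] if old[r][1] >= new[r][1] else INF) for r in old}

def successors(pc, ins, st):
    op = ins[0]
    if op == "exit":
        return []
    if op == "jmp":
        return [(ins[1], st)]
    if op == "jge":  # if reg >= k goto target; each edge refines reg's interval
        _, r, k, target = ins
        lo, hi = st[r]
        taken = [(target, {**st, r: (max(lo, k), hi)})] if hi >= k else []
        fall = [(pc + 1, {**st, r: (lo, min(hi, k - 1))})] if lo < k else []
        return taken + fall
    if op == "set":
        st = {**st, ins[1]: (ins[2], ins[2])}
    elif op == "add":
        st = {**st, ins[1]: (st[ins[1]][0] + ins[2], st[ins[1]][1] + ins[2])}
    return [(pc + 1, st)]  # "load" does not change registers

def verify(prog, regs=("r0", "r1")):
    """Return [] if every load is provably in bounds, else the findings."""
    states = [None] * len(prog)
    states[0] = {r: (-INF, INF) for r in regs}  # program inputs are unknown
    work = [0]
    while work:
        pc = work.pop()
        for nxt, st in successors(pc, prog[pc], states[pc]):
            merged = join(states[nxt], st)
            if nxt <= pc:  # back edge, so nxt is a loop head
                merged = widen(states[nxt], merged)
            if merged != states[nxt]:
                states[nxt] = merged
                work.append(nxt)
    return [f"pc {pc}: {ins[1]} in {states[pc][ins[1]]} not within 0..{ins[2] - 1}"
            for pc, ins in enumerate(prog) if ins[0] == "load" and states[pc]
            and not (0 <= states[pc][ins[1]][0] and states[pc][ins[1]][1] < ins[2])]

def loop(bound):  # constructed sample: for (r1 = 0; r1 < bound; r1++) read buf[r1], 8-byte buf
    return [("set", "r1", 0), ("jge", "r1", bound, 5), ("load", "r1", 8),
            ("add", "r1", 1), ("jmp", 1), ("exit",)]
```

`verify(loop(8))` returns no findings, while `verify(loop(9))` reports the off-by-one read at instruction 2, because the loop guard only narrows the index to the interval (0, 8).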

After verification, the bytecode is either passed to an interpreter running at the kernel level or passed through a JIT compiler, after which the resulting machine code is executed with kernel privileges. To isolate eBPF handlers at the kernel level, the HVCI (HyperVisor-enforced Code Integrity) mechanism is used, which relies on virtualization facilities to protect processes in the kernel and ensures the integrity of the executing code by means of a digital signature. The limitation of HVCI is that it can only verify interpreted eBPF programs and cannot be used together with JIT (you have a choice between performance and additional protection).

Source: opennet.ru