{"id":93553,"date":"2022-10-25T09:00:00","date_gmt":"2022-10-25T16:00:00","guid":{"rendered":""},"modified":"2024-06-19T10:50:29","modified_gmt":"2024-06-19T17:50:29","slug":"towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows","status":"publish","type":"post","link":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/","title":{"rendered":"Towards debuggability and secure deployments of eBPF programs on Windows"},"content":{"rendered":"\n<p>The eBPF for Windows runtime has introduced a new mode of operation, native code generation, which exists alongside the currently supported modes of operation for eBPF programs: JIT (just-in-time compilation) and an interpreter, with the administrator able to select the mode when a program is loaded. The native code generation mode involves loading Windows drivers that contain signed eBPF programs. Due to the risks associated with having an interpreter in the kernel address space, the interpreter is only enabled in non-production signed builds. The JIT mode dynamically generates code, writes it into kernel pages, and finally changes the permissions on those pages from read\/write to read\/execute.<\/p>\n\n\n\n<p>Enter the Windows Hyper-V hypervisor, a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Hypervisor#Classification\" target=\"_blank\" rel=\"noreferrer noopener\">type 1 hypervisor<\/a>, which has the Hypervisor-protected Code Integrity (HVCI) feature. It splits the kernel memory space into virtual trust levels (VTLs), with isolation enforced at the hardware level using the virtualization extensions of the CPU. Most parts of the Windows kernel and all drivers operate in VTL0, the lowest trust level, with privileged operations being performed inside the Windows secure kernel operating in VTL1. 
During the boot process, the hypervisor verifies the integrity of the secure kernel using cryptographic signatures prior to launching it, after which the secure kernel verifies the cryptographic signature of each code page prior to enabling read\/execute permissions on the page. The signatures are validated using keys obtained from X.509 certificates that chain up to a Microsoft trusted root certificate. The net effect of this policy is that if HVCI is enabled, it is no longer possible to inject dynamically generated code pages into the kernel, which prevents the use of JIT mode.&nbsp;<\/p>\n\n\n\n<p>Similarly, Windows uses cryptographic signatures to restrict what code can be executed in the kernel. In keeping with these principles, eBPF for Windows has introduced a new mode of execution that an administrator can choose to use that maintains the integrity of the kernel and provides the safety promises of eBPF: native code generation. The process starts with the existing tool chains, whereby eBPF programs are compiled into eBPF bytecode and emitted as ELF object files. 
The examples below assume the <a href=\"https:\/\/www.nuget.org\/packages\/eBPF-for-Windows\/\" target=\"_blank\" rel=\"noreferrer noopener\">eBPF-for-Windows NuGet package<\/a> has been unpacked to c:\\ebpf and that the commands are being executed from within a <strong>Developer Command Prompt<\/strong> for VS 2019.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to use native code generation<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">hello_world.c<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\n\/\/ Copyright (c) Microsoft Corporation\n\/\/ SPDX-License-Identifier: MIT\n#include \"bpf_helpers.h\"\n\n\/\/ Attach to the bind hook; the program only emits a trace message.\nSEC(\"bind\")\nint\nHelloWorld()\n{\n    bpf_printk(\"Hello World!\");\n    return 0;\n}\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">Compile to eBPF<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\n>clang -target bpf -O2 -Werror -Ic:\/ebpf\/include -c hello_world.c -o out\/hello_world.o\n>llvm-objdump -S out\/hello_world.o\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">eBPF bytecode<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; first-line: 0; title: ; quick-code: false; notranslate\" title=\"\">\nb7 01 00 00 72 6c 64 21 r1 = 560229490\n63 1a f8 ff 00 00 00 00 *(u32 *)(r10 - 8) = r1\n18 01 00 00 48 65 6c 6c 00 00 00 00 6f 20 57 6f r1 = 8022916924116329800 ll\n7b 1a f0 ff 00 00 00 00 *(u64 *)(r10 - 16) = r1\nb7 01 00 00 00 00 00 00 r1 = 0\n73 1a fc ff 00 00 00 00 *(u8 *)(r10 - 4) = r1\nbf a1 00 00 00 00 00 00 r1 = r10\n07 01 00 00 f0 ff ff ff r1 += -16\nb7 02 00 00 0d 00 00 00 r2 = 13\n85 00 00 00 0c 00 00 00 call 12\nb7 00 00 00 00 00 00 00 r0 = 0\n95 00 00 00 00 00 00 00 exit\n<\/pre><\/div>\n\n\n<p>The next step involves a new tool introduced specifically to support this scenario: 
bpf2c. This tool parses the supplied ELF file, extracting the list of maps and stored programs before handing off the byte code to the eBPF verifier, which proves that the eBPF byte code is effectively sandboxed and constrained to terminate within a set number of instructions. The tool then performs a per-instruction translation of the eBPF byte code into the equivalent C statements and emits skeleton code used to perform relocation operations at run time. For convenience, the NuGet package also contains a PowerShell script that invokes bpf2c and then uses MSBuild to produce the final Portable Executable (PE) image (the executable image format used by Windows). As an aside, the process of generating the native image is decoupled from the process of developing the eBPF program, making it a deployment-time decision rather than a development-time one.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\nC:\\Users\\user\\hello_world\\out>powershell c:\\ebpf\\bin\\Convert-BpfToNative.ps1 hello_world.o\nMicrosoft (R) Build Engine version 16.9.0+57a23d249 for .NET Framework\nCopyright (C) Microsoft Corporation. 
All rights reserved.\n\nBuild started 5\/17\/2022 9:38:43 AM.\nProject \"C:\\Users\\user\\hello_world\\out\\hello_world.vcxproj\" on node 1 (default targets).\nDriverBuildNotifications:\n  Building 'hello_world_km' with toolset 'WindowsKernelModeDriver10.0' and the 'Desktop' target platform.\n  Using KMDF 1.15.\n<Lines removed for clarity>\nDone Building Project \"C:\\Users\\user\\hello_world\\out\\hello_world.vcxproj\" (default targets).\n\n\nBuild succeeded.\n    0 Warning(s)\n    0 Error(s)\n\nTime Elapsed 00:00:03.57\n\n> type hello_world_driver.c\n\/\/ Snip \u2013 Removed boiler plate driver code and map setup.\nstatic uint64_t\nHelloWorld(void* context)\n{\n    \/\/ Prologue\n    uint64_t stack[(UBPF_STACK_SIZE + 7) \/ 8];\n    register uint64_t r0 = 0;\n    register uint64_t r1 = 0;\n    register uint64_t r2 = 0;\n    register uint64_t r3 = 0;\n    register uint64_t r4 = 0;\n    register uint64_t r5 = 0;\n    register uint64_t r10 = 0;\n\n    r1 = (uintptr_t)context;\n    r10 = (uintptr_t)((uint8_t*)stack + sizeof(stack));\n\n    \/\/ EBPF_OP_MOV64_IMM pc=0 dst=r1 src=r0 offset=0 imm=560229490\n    r1 = IMMEDIATE(560229490);\n    \/\/ EBPF_OP_STXW pc=1 dst=r10 src=r1 offset=-8 imm=0\n    *(uint32_t*)(uintptr_t)(r10 + OFFSET(-8)) = (uint32_t)r1;\n    \/\/ EBPF_OP_LDDW pc=2 dst=r1 src=r0 offset=0 imm=1819043144\n    r1 = (uint64_t)8022916924116329800;\n    \/\/ EBPF_OP_STXDW pc=4 dst=r10 src=r1 offset=-16 imm=0\n    *(uint64_t*)(uintptr_t)(r10 + OFFSET(-16)) = (uint64_t)r1;\n    \/\/ EBPF_OP_MOV64_IMM pc=5 dst=r1 src=r0 offset=0 imm=0\n    r1 = IMMEDIATE(0);\n    \/\/ EBPF_OP_STXB pc=6 dst=r10 src=r1 offset=-4 imm=0\n    *(uint8_t*)(uintptr_t)(r10 + OFFSET(-4)) = (uint8_t)r1;\n    \/\/ EBPF_OP_MOV64_REG pc=7 dst=r1 src=r10 offset=0 imm=0\n    r1 = r10;\n    \/\/ EBPF_OP_ADD64_IMM pc=8 dst=r1 src=r0 offset=0 imm=-16\n    r1 += IMMEDIATE(-16);\n    \/\/ EBPF_OP_MOV64_IMM pc=9 dst=r2 src=r0 offset=0 imm=13\n    r2 = IMMEDIATE(13);\n    \/\/ EBPF_OP_CALL pc=10 
dst=r0 src=r0 offset=0 imm=12\n    r0 = HelloWorld_helpers[0].address(r1, r2, r3, r4, r5);\n    if ((HelloWorld_helpers[0].tail_call) && (r0 == 0))\n        return 0;\n    \/\/ EBPF_OP_MOV64_IMM pc=11 dst=r0 src=r0 offset=0 imm=0\n    r0 = IMMEDIATE(0);\n    \/\/ EBPF_OP_EXIT pc=12 dst=r0 src=r0 offset=0 imm=0\n    return r0;\n}\n<\/pre><\/div>\n\n\n<p>As illustrated here, each eBPF instruction is translated into an equivalent C statement, with the eBPF registers being emulated using local variables named r0 to r10 and the eBPF stack being a local array.<\/p>\n\n\n\n<p>Lastly, the tool adds a set of boilerplate code that handles the interactions with the I\/O Manager required to load the code into the Windows kernel, with the result being a single C file. The Convert-BpfToNative.ps1 script then invokes the normal Windows Driver Kit (WDK) tools to compile and link the eBPF program into its final PE image. Once the developer is ready to deploy their eBPF program in a production environment that has HVCI enabled, they will need to get their driver signed via the normal driver signing process. For a production workflow, one could imagine a service that consumes the ELF file (the eBPF byte code), securely verifies that it is safe, generates the native image, and signs it before publishing it for deployment. This could then be integrated into the existing developer workflows.<\/p>\n\n\n\n<p>The eBPF for Windows runtime has been enlightened to support these eBPF programs hosted in Windows drivers, resulting in a developer experience that closely mimics the behavior of eBPF programs that use JIT. 
The result is a pipeline that looks like this:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-1024x81.webp\" alt=\"Workflow showing transformation of eBPF program in C into a native Windows Driver.\" class=\"wp-image-93556 webp-format\" srcset=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-1024x81.png 1024w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-300x24.png 300w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-768x61.png 768w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-800x63.png 800w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-400x32.png 400w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-450x36.png 450w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-650x51.webp 650w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1.webp 1440w\" data-orig-src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-1024x81.png\" data-orig-srcset=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-1024x81.png 1024w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-300x24.png 300w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-768x61.png 768w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-800x63.png 800w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-400x32.png 400w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-450x36.png 450w, https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1-650x51.png 650w, 
https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture1.png 1440w\"><\/figure>\n\n\n\n<p>The net effect is to introduce a new statically sandboxed model for Windows Drivers, with the resulting driver being signed using standard Windows driver signing mechanisms. While this additional step does increase the time needed to deploy an eBPF program, some customers have determined that the tradeoff is justified by the ability to safely add eBPF programs to systems with HVCI enabled.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Diagnostics and eBPF programs<\/h2>\n\n\n\n<p>One of the key pain points of developing eBPF programs is making sure they pass verification. The process of loading programs once they have been compiled, potentially on an entirely different system, gives rise to a subpar developer experience. As part of adding support for native code generation, eBPF for Windows has integrated the verification into the build pipeline, so that developers get build-time feedback when an eBPF program fails verification.<\/p>\n\n\n\n<p>Using a slightly more complex eBPF program as an example, the developer gets a build-time error when the program fails verification:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">eBPF C code<\/h3>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture2.webp\" alt=\"Visual Studio IDE showing integration of verifier output during the build process.\" class=\"wp-image-93559 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture2.webp\"><\/figure>\n\n\n\n<p>This then points the developer to line 96 of the source code, where they can see that the start time variable could be NULL.<\/p>\n\n\n\n<p>As with all other instances of code, eBPF programs can have bugs. While the verifier can prove that code is safe, it is unable to prove code is correct. 
One approach that was pioneered by the Linux community is the use of logging built around the <strong>bpf_printk<\/strong> style macro, which permits developers to insert trace statements into their eBPF programs to aid diagnosability. To maintain compatibility with the Linux eBPF ecosystem, and because it is a useful mechanism in its own right, eBPF for Windows has adopted a similar approach. One of the key differences is how these events are implemented, with Linux using a file-based approach and Windows using Event Tracing for Windows (ETW). ETW has a long history within Windows and a rich ecosystem of tools that can be used to capture and process traces.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture3.webp\" alt=\"Command prompt showing ETW output from the bpf_printk statements in an eBPF program.\" class=\"wp-image-93562 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture3.webp\"><\/figure>\n\n\n\n<p>A second useful tool that is now available to developers using native code generation is the ability to perform source-level debugging of eBPF programs. If the eBPF program is compiled with BTF data, the <strong>bpf2c<\/strong> tool translates this alongside the instructions and emits the appropriate pragmas containing the original file name and line numbers (with plans to extend this to allow the debugger to show eBPF local variables in the future). These are then consumed by the Windows Driver Kit (WDK) tools and encoded into the final driver and symbol files, which the debugger can use to perform source-level debugging. 
In addition, these same symbol files can then be used by profiling tools to determine hot spots within eBPF programs and areas where performance could be improved.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture4.webp\" alt=\"Windows Debugger showing source level debugging of an eBPF program with breakpoint at start of program.\" class=\"wp-image-93565 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2022\/10\/Picture4.webp\"><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Learn more<\/h2>\n\n\n\n<p>The introduction of support for native image generation enhances eBPF for Windows in three areas:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A new mode of execution that permits eBPF programs to be deployed on previously unsupported systems, such as those with HVCI enabled.<\/li>\n\n\n\n<li>A mechanism for offline verification and signing of eBPF programs.<\/li>\n\n\n\n<li>The ability for developers to perform source-level debugging of their eBPF programs.<\/li>\n<\/ol>\n\n\n\n<p>While support will continue for the existing JIT mode, this change gives developers and administrators flexibility in how programs are deployed. 
Separating the process of native image generation from the development of the eBPF program places the decision on how to deploy an eBPF program in the hands of the administrator and unburdens the developer from deployment time concerns.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>eBPF for Windows native code generation is a new mode of execution that maintains the integrity of the kernel and provides the safety promises of eBPF.<\/p>\n","protected":false},"author":5562,"featured_media":95484,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msxcm_post_with_no_image":false,"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"post_tag":[227],"content-type":[340],"topic":[2244,2252],"programming-languages":[],"coauthors":[1966],"class_list":["post-93553","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-windows","content-type-tutorials-and-demos","topic-devops","topic-tools","review-flag-1593580428-734","review-flag-1593580415-931","review-flag-1593580419-521","review-flag-1-1593580432-963","review-flag-2-1593580437-411","review-flag-4-1593580448-609","review-flag-5-1593580453-725","review-flag-6-1593580457-852","review-flag-7-1593580463-151","review-flag-8-1593580468-572","review-flag-9-1593580473-997","review-flag-new-1593580248-669"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Secure deployment and debuggability with eBPF for Windows | Microsoft Open Source Blog<\/title>\n<meta name=\"description\" content=\"eBPF for Windows native code generation is a new mode of execution that maintains the integrity of the kernel and provides the safety promises of eBPF.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Secure deployment and debuggability with eBPF for Windows | Microsoft Open Source Blog\" \/>\n<meta property=\"og:description\" content=\"eBPF for Windows native code generation is a new mode of execution that maintains the integrity of the kernel and provides the safety promises of eBPF.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Open Source Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-25T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-19T17:50:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/STB13_Allen_01.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1170\" \/>\n\t<meta property=\"og:image:height\" content=\"640\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Alan Jowett\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@OpenAtMicrosoft\" \/>\n<meta name=\"twitter:site\" content=\"@OpenAtMicrosoft\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alan Jowett\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 min read\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/\"},\"author\":[{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/author\\\/alan-jowett\\\/\",\"@type\":\"Person\",\"@name\":\"Alan Jowett\"}],\"headline\":\"Towards debuggability and secure deployments of eBPF programs on Windows\",\"datePublished\":\"2022-10-25T16:00:00+00:00\",\"dateModified\":\"2024-06-19T17:50:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/\"},\"wordCount\":1330,\"publisher\":{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/06\\\/STB13_Allen_01.webp\",\"keywords\":[\"Windows\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/\",\"url\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/\",\"name\":\"Secure deployment and debuggability with eBPF for Windows | Microsoft Open Source 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/06\\\/STB13_Allen_01.webp\",\"datePublished\":\"2022-10-25T16:00:00+00:00\",\"dateModified\":\"2024-06-19T17:50:29+00:00\",\"description\":\"eBPF for Windows native code generation is a new mode of execution that maintains the integrity of the kernel and provides the safety promises of eBPF.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/#primaryimage\",\"url\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/06\\\/STB13_Allen_01.webp\",\"contentUrl\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/06\\\/STB13_Allen_01.webp\",\"width\":1170,\"height\":640},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/2022\\\/10\\\/25\\\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\\\/#breadcrumb\"
,\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Towards debuggability and secure deployments of eBPF programs on Windows\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/\",\"name\":\"Microsoft Open Source Blog\",\"description\":\"Open dialogue about openness at Microsoft \u2013 open source, standards, interoperability\",\"publisher\":{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/#organization\",\"name\":\"Microsoft Open Source Blog\",\"url\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/08\\\/Microsoft-Logo.png\",\"contentUrl\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/08\\\/Microsoft-Logo.png\",\"width\":259,\"height\":194,\"caption\":\"Microsoft Open Source Blog\"},\"image\":{\"@id\":\"https:\\\/\\\/opensource.microsoft.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/OpenAtMicrosoft\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Secure deployment and debuggability with eBPF for Windows | Microsoft Open Source Blog","description":"eBPF for Windows native code generation is a new mode of execution that maintains the integrity of the kernel and provides the safety promises of eBPF.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/","og_locale":"en_US","og_type":"article","og_title":"Secure deployment and debuggability with eBPF for Windows | Microsoft Open Source Blog","og_description":"eBPF for Windows native code generation is a new mode of execution that maintains the integrity of the kernel and provides the safety promises of eBPF.","og_url":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/","og_site_name":"Microsoft Open Source Blog","article_published_time":"2022-10-25T16:00:00+00:00","article_modified_time":"2024-06-19T17:50:29+00:00","og_image":[{"width":1170,"height":640,"url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/STB13_Allen_01.png","type":"image\/png"}],"author":"Alan Jowett","twitter_card":"summary_large_image","twitter_creator":"@OpenAtMicrosoft","twitter_site":"@OpenAtMicrosoft","twitter_misc":{"Written by":"Alan Jowett","Est. 
reading time":"7 min read"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/#article","isPartOf":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/"},"author":[{"@id":"https:\/\/opensource.microsoft.com\/blog\/author\/alan-jowett\/","@type":"Person","@name":"Alan Jowett"}],"headline":"Towards debuggability and secure deployments of eBPF programs on Windows","datePublished":"2022-10-25T16:00:00+00:00","dateModified":"2024-06-19T17:50:29+00:00","mainEntityOfPage":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/"},"wordCount":1330,"publisher":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#organization"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/#primaryimage"},"thumbnailUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/STB13_Allen_01.webp","keywords":["Windows"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/","url":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/","name":"Secure deployment and debuggability with eBPF for Windows | Microsoft Open Source 
Blog","isPartOf":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/#primaryimage"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/#primaryimage"},"thumbnailUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/STB13_Allen_01.webp","datePublished":"2022-10-25T16:00:00+00:00","dateModified":"2024-06-19T17:50:29+00:00","description":"eBPF for Windows native code generation is a new mode of execution that maintains the integrity of the kernel and provides the safety promises of eBPF.","breadcrumb":{"@id":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/#primaryimage","url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/STB13_Allen_01.webp","contentUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/STB13_Allen_01.webp","width":1170,"height":640},{"@type":"BreadcrumbList","@id":"https:\/\/opensource.microsoft.com\/blog\/2022\/10\/25\/towards-debuggability-and-secure-deployments-of-ebpf-programs-on-windows\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/opensource.microsoft.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Towards debuggability and secure deployments of eBPF programs on 
Windows"}]},{"@type":"WebSite","@id":"https:\/\/opensource.microsoft.com\/blog\/#website","url":"https:\/\/opensource.microsoft.com\/blog\/","name":"Microsoft Open Source Blog","description":"Open dialogue about openness at Microsoft \u2013 open source, standards, interoperability","publisher":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/opensource.microsoft.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/opensource.microsoft.com\/blog\/#organization","name":"Microsoft Open Source Blog","url":"https:\/\/opensource.microsoft.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","contentUrl":"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","width":259,"height":194,"caption":"Microsoft Open Source Blog"},"image":{"@id":"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/OpenAtMicrosoft"]}]}},"msxcm_animated_featured_image":null,"bloginabox_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Open Source 
Blog","distributor_original_site_url":"https:\/\/opensource.microsoft.com\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/93553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/users\/5562"}],"replies":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/comments?post=93553"}],"version-history":[{"count":1,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/93553\/revisions"}],"predecessor-version":[{"id":95740,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/93553\/revisions\/95740"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/media\/95484"}],"wp:attachment":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/media?parent=93553"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/post_tag?post=93553"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/content-type?post=93553"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/topic?post=93553"},{"taxonomy":"programming-languages","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/programming-languages?post=93553"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/coauthors?post=93553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}