By Sanjay Nagaraj, Co-Founder & CTO of Traceable AI
You might hear the term “eBPF” come up when talking to DevOps and DevSecOps teams about network, infrastructure or security management. eBPF (extended Berkeley Packet Filter) is a Linux kernel technology that makes it possible to run monitoring and other capabilities inside the operating systems that most cloud workloads run on. As developers learn to use what eBPF offers, the potential to radically advance infrastructure, application and security tooling is immense, and that is certainly the case for API security.
What is eBPF?
eBPF has shipped in the Linux kernel since 2014, the same year the first Kubernetes commit was made. Unlike most developer code, which runs in user space, eBPF programs run inside the kernel, which brings clear benefits in performance and resource usage.
Teams that work in high-performance environments use eBPF heavily. Facebook, for instance, has roughly 40 eBPF programs active on every server, with another 100 or so spawned and terminated as needed, while Netflix runs about 15 eBPF programs on each server instance.
The Value of eBPF
eBPF is crucial for businesses with demanding performance and security requirements. Think of it as a space telescope: it delivers performance benefits while giving businesses previously unattainable views into their APIs.
Three areas where eBPF brings value:
- Non-invasive observability of systems and workloads
- Efficient virtual networking
- Innovation around the core of the operating system, where there is vast untapped potential
Why is eBPF Important?
Two areas where eBPF really shines for API security are observability and monitoring:
1) Observability – eBPF was first applied to network packet filtering, to improve observability and security. Over time it has evolved into a safer, more practical and more effective way to run user-supplied code in the kernel, and its growing popularity means it is now used in a wide range of applications. Large technology and cloud companies such as Netflix, Facebook, AWS, Google and Microsoft use eBPF to build new cloud tools and capabilities. For application data, eBPF helps collect:
- Metrics
- Tracing
- Logs
- Exceptions
2) Monitoring – eBPF-based data collection can capture deep API traffic data, such as request and response headers and bodies (payloads), for both North-South and East-West traffic. Because it operates at the kernel level, this collection is out-of-band, non-intrusive, fast and extremely efficient. The overhead on instrumented applications is close to negligible (an added latency of less than 1 ms).
How Does it Work?
With eBPF, programmers can run sandboxed programs in the kernel’s privileged environment that execute when specified hooks fire, such as system calls, network events, kernel tracepoints and function entries (kprobes, or uprobes for user-space functions). In effect, eBPF lets user-space applications read and react to data from kernel activity. Every program is checked by the in-kernel verifier before it is allowed to run, which protects the kernel and the other processes running on it. The eBPF framework is already widely used, particularly in cloud-based applications; it is native to all contemporary Linux kernels and is also available on Windows.
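The two halves described above, the kernel-side hook from this section and the request/response capture from the Monitoring section, as an added example that is not code from the article or from Traceable’s product. It uses the bcc toolkit’s conventions for the kernel program (bcc, Linux and root are needed for the live path only). The hypothetical probe_ssl_write hooks libssl’s SSL_write with a uprobe rather than a socket, because for TLS traffic the kernel socket path sees only ciphertext, so the plaintext is taken at the library boundary; the copy is clamped to MAX_BUF so the verifier accepts it. The perf-buffer events, process IDs and HTTP messages are constructed sample data, and the parser and reassembler run offline on them.

```python
import re

# Kernel side (bcc C). Loaded, verified and attached by live_capture() below.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#define MAX_BUF 256
struct event_t { u32 pid; u32 orig_len; u32 len; char buf[MAX_BUF]; };
BPF_PERF_OUTPUT(events);
/* uprobe on int SSL_write(SSL *ssl, const void *buf, int num): plaintext, pre-TLS */
int probe_ssl_write(struct pt_regs *ctx, void *ssl, const void *buf, int num) {
    struct event_t ev = {};
    if (num <= 0) return 0;
    ev.pid = bpf_get_current_pid_tgid() >> 32;
    ev.orig_len = num;                 /* what the app asked to send          */
    u32 n = num;
    if (n > MAX_BUF) n = MAX_BUF;      /* bounded copy, or the verifier rejects */
    ev.len = n;                        /* what we actually copied             */
    bpf_probe_read_user(ev.buf, n, buf);
    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}
"""

START_REQ = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
START_RESP = re.compile(r"^HTTP/\d\.\d (\d{3})")
SENSITIVE = ("authorization", "cookie", "set-cookie", "x-api-key")

def parse_http(buf):
    """One complete HTTP/1.1 message from the front of buf -> (record, used) or (None, 0)."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None, 0                          # header block not complete yet
    start, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    clen = int(headers.get("content-length", "0"))
    if len(rest) < clen:
        return None, 0                          # body still arriving
    if (m := START_REQ.match(start)):
        rec = {"kind": "request", "method": m.group(1), "path": m.group(2)}
    elif (m := START_RESP.match(start)):
        rec = {"kind": "response", "status": int(m.group(1))}
    else:
        rec = {"kind": "other", "start_line": start}
    for h in SENSITIVE:                         # credentials never leave the collector
        if h in headers:
            headers[h] = "<redacted>"
    rec.update(headers=headers, body=rest[:clen])
    return rec, len(head) + 4 + clen

class Reassembler:
    """Rebuilds each process's outbound byte stream from SSL_write events."""
    def __init__(self):
        self.streams = {}

    def feed(self, pid, orig_len, chunk):
        if len(chunk) < orig_len:               # probe truncated the write: tail is lost
            self.streams.pop(pid, None)         # stream is unrecoverable, say so loudly
            return [{"kind": "truncated", "pid": pid, "lost": orig_len - len(chunk)}]
        stream = self.streams.setdefault(pid, bytearray())
        stream += chunk
        records = []
        while (parsed := parse_http(bytes(stream)))[0] is not None:
            rec, used = parsed
            rec["pid"] = pid
            records.append(rec)
            del stream[:used]
        return records

# Constructed sample of perf-buffer events: (pid, orig_len, bytes captured)
REQ_HEAD = (b"POST /api/v1/users HTTP/1.1\r\nHost: api.example.test\r\n"
            b"Authorization: Bearer s3cr3t\r\nContent-Length: 29\r\n\r\n")
REQ_BODY = b'{"name":"ada","role":"admin"}'
RESP = (b"HTTP/1.1 201 Created\r\nSet-Cookie: session=abc\r\n"
        b"Content-Length: 9\r\n\r\n" b'{"id":17}')
BIG = b"POST /api/v1/upload HTTP/1.1\r\nContent-Length: 500\r\n\r\n" + b"x" * 200
SAMPLE_EVENTS = [(4242, len(REQ_HEAD), REQ_HEAD), (4242, len(REQ_BODY), REQ_BODY),
                 (1337, len(RESP), RESP), (4242, 600, BIG)]  # last: 600 asked, 253 copied

def run_sample():
    asm, out = Reassembler(), []
    for pid, orig_len, chunk in SAMPLE_EVENTS:
        out += asm.feed(pid, orig_len, chunk)
    return out

def live_capture(libssl="ssl"):
    """Attach to SSL_write in every process mapping libssl; needs bcc and root."""
    from bcc import BPF                         # lazy import: the parser works without bcc
    b = BPF(text=BPF_PROGRAM)                   # compile, load; the kernel verifier checks it
    b.attach_uprobe(name=libssl, sym="SSL_write", fn_name="probe_ssl_write")
    asm = Reassembler()
    def on_event(cpu, data, size):
        ev = b["events"].event(data)
        for rec in asm.feed(ev.pid, ev.orig_len, bytes(ev.buf)[:ev.len]):
            print(rec)
    b["events"].open_perf_buffer(on_event)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    for rec in run_sample():
        print(rec)
```

Run the file as-is to see the constructed events turned into API records (a POST with its Authorization header redacted, a 201 response, and a flagged truncated write); call live_capture() as root on a host with bcc to watch real traffic. Two points are worth noting. First, the verifier accepts bpf_probe_read_user only because n is clamped to MAX_BUF, so large writes are cut short; shipping both orig_len and len lets user space detect that instead of silently emitting a partial body. Second, SSL_read needs an entry probe to stash the buffer pointer and a return probe to copy it once the length is known, which this example leaves out, and HTTP/2 or gRPC writes would simply accumulate in the reassembler, so a real collector dispatches on the first bytes of each stream.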
Advantages of eBPF
The biggest advantage of eBPF is its ability to pull deep data from the application environment. Combined with the right security solution, this gives a 360-degree view of all API activity and shows how each API is actually behaving. That insight into security incidents is unprecedented, and it helps with prevention by showing where issues are likely to arise. Another advantage is that controls can be built on top of eBPF itself, which makes it easier to isolate a service while it is under attack.
The list of innovations will expand and change as eBPF draws more extensive and mainstream attention and as the industry learns how to build value on top of it. Infrastructure, application and security management have a bright and exciting future thanks to eBPF, which is why we must keep leveraging it to make API security more effective and efficient.
About the Author
Sanjay Nagaraj is Co-Founder & CTO of Traceable AI, an entrepreneur and a Silicon Valley engineering leader.
Sanjay believes in building products and teams that are obsessed with customers’ success. Prior to co-founding Traceable, he was VP Engineering at AppDynamics/Cisco, where he was responsible for the product teams behind the Application Performance Management and Database Monitoring products and for scaling teams across geographic locations. The innovation he and his team built was critical in helping DevOps teams lead digital transformation at many Fortune 100 companies. The customer obsession of his team and the AppDynamics products he was responsible for generated over half a billion dollars in revenue during his tenure.
As a senior engineering leader, he has been building complex enterprise software solutions for over 20 years. Sanjay received his BS in Computer Science from the University of Mysore. Prior to AppDynamics, he worked at companies including Hyperion Solutions (Oracle) and Philips. He is an inventor credited with 10+ US patents.
https://www.traceable.ai/