The Berkeley Packet Filter (BPF) or Berkeley Filter is relevant for all Unix-like operating systems, such as Linux. The main task of the special-purpose virtual machine, developed in 1992, is to filter data packets from networks and embed them in the kernel. The BPF provides an interface with security layers for data content or programs. The security layers are responsible for ensuring the reliable transmission of data packets and regulating access to these packets.
When a recipient receives such a data packet, the BPF reads the security layer data from the packet and looks for errors, for example. This enables the recipient to resolve any errors. What’s more, it can compare the data with filter definitions and accept or discard a packet depending on whether or not it is classified as relevant. This can save a lot of computing capacity.
In order to perform its functions, the Berkeley Packet Filter was embedded as an interpreter in machine language as part of a virtual machine. As a result, the BPF executes a predefined format of instructions. In its role as interpreter, the Berkeley Filter reads the source files, analyzes them and runs instruction by instruction. In turn, it translates the instructions into machine codes, thereby enabling direct execution.
Using SysCalls – i.e. by calling up special, operational system functions – the Berkeley Filter sends requests to the kernel. This checks the access rights before confirming or denying the request. The around 330 Linux SysCalls include the following:
Thanks to ongoing development, BPF now operates as a universal, virtual machine directly in the kernel, where the entire organization of processes and data occurs. With its many new features, the filter is known as Extended BPF – or eBPF for short. It can securely run any applied intermediate language (byte code) during runtime (just-in-time compilation) directly in the kernel. The Extended BPF runs within an isolated environment in the kernel and is therefore executed under protection. This environment model – known as a sandbox – helps to reduce the risk that the system has an adverse effect on the kernel logic.
The Berkeley Filter can run both in kernel mode (maximum access to the computer’s resources) and in user mode (restricted access to computing resources).
Using the eBPF, you can filter data packets and prevent irrelevant data from slowing down your PC performance. Unusable or erroneous datasets can be rejected or repaired straight away. Moreover, the Extended BPF provides increased security with the SysCalls; you can easily measure your performance with the system calls or track processes.
The BPF implementation was expanded with “zero copy buffer extensions” in 2007. Thanks to these extensions, device drivers can save collected data packets directly in the program without first having to copy the data.
In user mode, you can define individual filters for the Berkeley Filter interface at any time. The relevant codes were previously written manually and translated into a BPF byte code. Nowadays, the LLVM Clang Compiler makes it possible to translate byte codes directly.
Example programs are also stored in the kernel libraries which simplify the process of defining eBPF programs. Various help functions make working with filters easier.
Executing system calls in the kernel is always associated with certain security and stability risks. Before an eBPF SysCall loads, it has to go through a series of checks:
The SysCall types generally handle four functions: where the program can be attached, which kernel help functions can be called, whether network packet data can be accessed directly or indirectly and which object type is transmitted as a priority in a system call.
The following eBPF SysCall types are currently supported by the kernel:
There are many claims about Linux. Is it more secure than Windows? Or is it just more complicated? Although they are widespread in the server area, open source systems haven’t really made their way to PCs. What actually lies behind the cost-effective alternative? Is using a Linux operating system right for you? We’ve got the answers to these questions and more.
If you operate or rent your own server, it is your responsibility to protect it against failures and external access. You can immediately begin to set the foundation for this when configuring the server, if you have the necessary administrative rights. The correct settings can work wonders, especially with encrypted remote connections via SSH protocol, and greatly increase security.
Under Linux, all actions that you can carry out with the mouse and window system via the graphical user interface can also be performed using program calls in the terminal – provided you know the appropriate command and how to use it according to the correct syntax. To make working in the terminal easier, we provide you with an overview of basic Linux commands with detailed descriptions and...
DevSecOps is the optimal approach for achieving faster software development, without having to make any cutbacks to security. Security packages are directly integrated into the development process. We’ll explain its pros and cons and clarify the various possibilities for using the system.
Provide powerful and reliable service to your clients with a web hosting package from IONOS.
