π€ AI Summary
This work addresses the limited optimization potential of eBPF programs due to the kernelβs single-pass JIT compilation strategy and the security risks associated with expanding the trusted computing base (TCB) through kernel modifications. The authors propose Kops, an interface that enables new eBPF operations without altering the kernel core, by coordinating a user-space compiler with a lightweight kernel module. Each operation comprises a verifier-checkable eBPF proof sequence and corresponding native instruction emission, decoupling proof validation from native code generation for the first time. This approach preserves a minimal TCB while enabling hardware-aware optimizations and optional whole-program native replacement for enhanced performance. Built upon eBPF verification, JIT infrastructure, Lean 4 formal verification, and x86-64/ARM64 instruction tuning, the implementation introduces seven EInsn native operations, achieving up to 24% speedup in microbenchmarks, 12% in real-world applications, and a 2.358Γ acceleration with full program replacement.
π Abstract
eBPF safely extends OS kernels in domains such as networking, observability, and security. The safety comes from an in-kernel compilation pipeline where a verifier checks every program, and a kernel just-in-time compiler (JIT) translates the verified bytecode to native code. The kernel keeps the JIT simple to stay trustworthy, translating one bytecode instruction at a time in a single pass. This single-pass design misses optimization opportunities, so eBPF runs up to twice as slow as natively compiled code in our characterization. Adding optimizations to the kernel JIT directly requires upstream acceptance and a long release cycle, enlarges the trusted computing base (TCB), and grows the per-architecture kernel code. To address this, we present Kops, an extension interface that lets userspace compilers and kernel modules introduce new operations without modifying the kernel core, while keeping a minimal trusted computing base (TCB). Each operation has two forms, a proof sequence of vanilla eBPF instructions that the existing verifier checks and a native emit of machine instructions that the JIT compiles. Because the verifier checks the proof sequence, the native emit is the only per-operation addition to the TCB. Hardware idioms are the lowest-hanging fruit for this interface. With Kops, we build EInsn, seven operations such as rotate and conditional select that CPUs execute as single instructions. Lean 4 proofs show that each native emit computes the same result as its proof sequence. On x86-64 and ARM64, EInsn speeds up eBPF microbenchmarks by up to 24% and production applications by up to 12%. The same interface also supports whole-program native replacement, reaching 2.358x at the cost of a larger TCB.