▲ 0 r/devops

The eBPF Re-Platforming Thesis: An Investor’s Due Diligence Guide

eBPF Foundation released their investor due diligence report and there are three key parts that align with what I'm seeing in the market.

First is the idea that kernel-level programmability is the strategic control point for infrastructure software and hardware. From the report "The companies that own that kernel layer and build upward into analytics, policy management, and workflow integration are structurally positioned to displace incumbents who cannot replicate kernel-level access through any amount of engineering effort."

The second is the company evaluation matrix on page 12 where the kernel space logic and sensor depth gives a technical moat while the user space logic creates enterprise workflows. The best companies will combine deep kernel integration with workflows that solve real operational problems.

Finally, so far, there have been three waves of acquisitions from Feature & Sensor Upgrades to Platform & Community Land Grabs to AI & Runtime Security Consolidation. Each wave has brought different outcome multiples. I think the security wave is actually just beginning in the post-Mythos world

u/xmull1gan — 7 days ago
▲ 6 r/eBPF

The eBPF Re-Platforming Thesis: An Investor’s Due Diligence Guide

eBPF is shifting billions in software and hardware infrastructure spend. eBPF Foundation just released a report that gives a framework on how to evaluate these companies.

The kernel space logic and sensor depth gives a technical moat while the user space logic creates enterprise workflows. Looking at these two together gives you a sense of how competitive the company is in the market.

It also covers the three waves of acquisitions we have seen so far from Feature & Sensor Upgrades to Platform & Community Land Grabs to AI & Runtime Security Consolidation and the exit outcomes for each.

The eBPF Re-Platforming Thesis An Investor’s Due Diligence Guide

u/xmull1gan — 7 days ago

The eBPF Re-Platforming Thesis: A Technical Due Diligence Framework for Infrastructure Software

eBPF is shifting billions in software and hardware infrastructure spend. eBPF Foundation just released a report that gives a framework on how to evaluate these companies.

The kernel space logic and sensor depth gives a technical moat while the user space logic creates enterprise workflows. Looking at these two together gives you a sense of how competitive the company is in the market.

It also covers the three waves of acquisitions we have seen so far from Feature & Sensor Upgrades to Platform & Community Land Grabs to AI & Runtime Security Consolidation and the exit outcomes for each.

The eBPF Re-Platforming Thesis An Investor’s Due Diligence Guide

reddit.com
u/xmull1gan — 7 days ago
▲ 27 r/eBPF

Cloudflare mitigates Copy-Fail in two days with eBPF

Kind of crazy to look at the graph in this blog. CVE drops on 04/29, they develop a patch on 4/30, and deploy it across all of their servers on 05/01. Obviously they have the engineers to write BPF-LSM patches, but I think it points to a future where they can (almost) keep up with vulnerability disclosures.

https://blog.cloudflare.com/copy-fail-linux-vulnerability-mitigation/

u/xmull1gan — 13 days ago
▲ 320 r/netsec+1 crossposts

Cloudflare patches Copy-Fail across all servers in two days

Kind of crazy to look at the graph in this blog. CVE drops on 04/29, they develop a patch on 4/30, and deploy it across all of their servers on 05/01. Obviously they have the engineers to write BPF-LSM patches, but I think it points to a future where they can (almost) keep up with vulnerability disclosures.

https://blog.cloudflare.com/copy-fail-linux-vulnerability-mitigation/

u/xmull1gan — 13 days ago

Wisconsin Driftless Bikepacking Weekender

Growing up in Wisconsin with the Driftless Region almost out of my backdoor, I was often told it is some of the best cycling in the world. Having been lucky enough to bikepack many places around the globe, I can now confirm those childhood rumors. But trips back to visit friends and family usually left little time to explore beyond what I could get to and return from in a day.

This year the opportunity arose to finally get a multi-day bikepacking trip through the Driftless Region and explore some of the corners I had only heard about. Jumping out of the car in Eau Claire and biking down to Winona, La Crosse, Viroqua, Richland Center, and back to Madison, I finally got to experience all of what makes the area so special. Paved roads with little traffic (thank you dairy industry), churches serving homestead townships, and people that will give you their last dollar (quite literally in one community gas station).

The Driftless Region may feel like the end of the earth to some, but it’s my end of the earth. There is always more to explore, even when it has been waiting in your backyard for your whole life.

Full route is here: https://www.komoot.com/collection/4369864/-wisconsin-driftless-bikepacking

u/xmull1gan — 24 days ago
▲ 6 r/eBPF

GitHub - mykola-lysenko/bpf-verify: BPF verifier campaign: compile Linux kernel lib/ sources to BPF bytecode and verify with veristat

A pipeline for compiling Linux kernel lib/ source files to BPF bytecode and formally verifying them with the in-kernel BPF verifier via veristat

github.com
u/xmull1gan — 1 month ago
▲ 8 r/mcp+1 crossposts

GitHub - facebook/mcpguard-dynamic: Kernel-level eBPF sandbox for securing LLM agent tool calls made through the Model Context Protocol (MCP)

MCP currently lacks context isolation. This makes it highly susceptible to threat vectors like tool shadowing (registering malicious tools with identical names), data exfiltration, and dynamic tool modification post-deployment.

Meta released a new open source project addressing a major attack surface in Agentic AI architectures, "indirect prompt injections" basically hiding malicious text in a tool description or a web page that the AI reads to trick the AI into stealing data or executing bad code.

It does:

  • Input/Output Sanitization: Real-time monitoring of prompts, memory updates, and system tool calls.
  • Three-Tier Pipeline: Combines deterministic regex-based gatekeeping (blocking primitive string manipulations and file system path traversals) with semantic neural networks and LLM-driven arbitration for edge cases.
  • Performance: Handles the first layer of defense with sub-2ms processing delays to avoid choking agent workflows.

Thought this would be of interest to anyone dealing with AppSec for LLM apps or defending autonomous agent infrastructure.

github.com
u/xmull1gan — 1 month ago
▲ 9 r/eBPF

eBPF Foundation Opens Applications for 2026 Academic Research Grant Program

eBPF Foundation is funding a third year of academic research grants. Applications open on June 15th

ebpf.foundation
u/xmull1gan — 1 month ago

Buzzing Beyond Clouds: The Illustrated Children's Guide to Cilium Out Now

Buzzing Across Space: The Illustrated Children's Guide to eBPF now has a fanfic sequel.

Quentin and I (disclosure I wrote the book and am a maintainers of the project) took the story from Buzzing Across Space and extended it to multiple new planets and characters. Read on to find out how Obee defeats Java the Hut and how Cilium can do the same for the problems in your Kubernetes clusters.

https://isovalent.com/blog/post/children-guide-cilium/

u/xmull1gan — 2 months ago
▲ 184 r/github+4 crossposts

Securing CI/CD for an open source project: lessons from Cilium

A lot of “software supply chain security” discussions stay pretty abstract, this is Cilium's take on how we secure our Github Actions in the OSS project. A few highlights:

  • SHA pinning every GitHub Action
  • Separating trusted vs untrusted code paths in pull_request_target
  • Isolating CI credentials from production release credentials
  • Cosign signing + SBOM attestations
  • Vendoring Go dependencies to make supply chain changes visible in review
  • Treating blast radius reduction as the core design principle

and a few gaps:

  • no SLSA provenance yet
  • remaining mutable u/main references
  • no dependency review at PR time
  • missing govulncheck integration
cilium.io
u/xmull1gan — 2 months ago
▲ 33 r/eBPF+1 crossposts

Netbump is a new Rust tool (no AI involved) using Aya to work with EBPF.

It is intended to be used by end-user to limit a group of targets which can be a started program or an already running program, a socket or a cgroup (v2). User can add/delete/update/list his own rules.

netbump is the client, buiding request to be sent over a Unix socket to the server. netbumpd is the server handling client request and some events from internal EBPF programs and netlink connections.

Netbump EBPF programs are used to track targets and to mark network packets. Bandwidth limitation is done by the kernel itself.

u/gonbalf — 2 months ago
▲ 13 r/eBPF

The limiting factor for a BPF program is the peak memory usage because the verifier limits us to 512 bytes of stack per BPF program or 256 bytes when combining tail calls and BPF-to-BPF functions. Dylan Reimerink has some tip to reduce stage usage:

  1. Removing variables. not always possible, but a 1 byte variable can take up a whole 8 byte stack slot.

  2. Shorten variable lifetimes. Use inlined functions or variable scopes to limit the lifetime of a variable. Attempt to order code such that variables can have smaller lifetimes. This promotes stack slot reuse, less variables alive a the same time, smaller peak usage.

  3. Utilize non-stack memory. Avoid storing variables which can be derived from the program context. Use map values instead of copying and holding onto individual field values. Use per-CPU map values or global variables to store large values (that are not used as input to branching logic).

  4. Split programs into tail calls.

  5. Reduce function call depth.

oh yea, and a tool to explore where usage comes from

u/xmull1gan — 2 months ago
▲ 13 r/eBPF+1 crossposts

Hello, I’m sharing a project I’ve been developing for the past few months

It’s a GPU manager that uses the kernel eBPF+LSM to block GPU access, it aims to be an alternative to tools such as the deprecated supergfxctl. These tools handle this by unbinding the pci device or unloading the driver, which typically requires a reboot or a logout, with Cardwire, rebooting is not necessary

How it works: it attaches an eBPF program to the kernel to intercept file operation on GPU node such as /dev/dri/renderD or /dev/dri/card, and returns -ENOENT, applications cannot see or use the GPU

This keeps the GPU in its D3cold power state, without touching the driver or the PCI sysfs

I made it for two main reasons:

  • i didn't want to restart/logout every time i wanted to disable/enable the dGPU
  • Apps such as Electron apps could wake the dGPU up on launch, which would increase the launch time as the GPU is being awakened

It's still experimental and some apps can still bypass it, feel free to open an issue on github

Here is the repo link: https://github.com/OpenGamingCollective/cardwire

u/luytan — 2 months ago

Uses eBPF for secrets injection so your app never has access to them.

Basically instead of having the application itself have access to secrets, it uses a "key" to identify which secret to use (like: "kloak:<uuid>" which then eBPF magic swaps it at the transport layer. So, applications never have access, so they cannot leak what they don't know. Happens all within the kernel.

u/xmull1gan — 2 months ago
▲ 46 r/eBPF+1 crossposts

Uses eBPF for secrets injection so your app never has access to them.

Clever idea! Note: I have not tried this yet, just looks interesting and an interesting approach!

https://github.com/spinningfactory/kloak

Edit: More info so it does not get removed: Basically instead of having the application itself have access to secrets, it uses a "key" to identify which secret to use (like: "kloak:<uuid>" which then eBPF magic swaps it at the transport layer. So, applications never have access, so they cannot leak what they don't know. Happens all within the kernel.

u/destari — 2 months ago
▲ 30 r/eBPF

- Dropped NAT setup latency by 100x
- Lowered Geneve tunnel latency from 150ms to 200μs and moved expensive tunnel creation moved off the hot path entirely
- Solved the kernel's RTNL lock to eliminate queuing

u/xmull1gan — 2 months ago