Description
The eBPF Track is going to bring together developers, maintainers, and other contributors from all around the globe to discuss improvements to the Linux kernel's eBPF subsystem and its surrounding user space ecosystem such as libraries, loaders, compiler backends, related system tooling as well as eBPF use cases.
The gathering is designed to foster collaboration and face to face discussion of ongoing development topics as well as to encourage bringing new ideas into the development community for the advancement of the eBPF subsystem.
The track will be composed of talks, 30 minutes in length (including Q&A discussion).
eBPF Track's technical committee: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko and Martin Lau.
-
Ihor Solodrai (Meta Platforms, Inc.), Jordan Rome 11/12/2025, 10:00
Writing non-trivial BPF programs presents a unique challenge because of the constraints enforced by the BPF verifier. If a program fails to load, the verifier emits a log containing a complete trace of its evaluation with various debugging information. Interpreting such a log to track down the root cause of a failure can be difficult, especially for developers new to BPF.
BPF Verifier...
-
Mahé Tardy (Isovalent), Paul Chaignon (Isovalent) 11/12/2025, 10:30
State pruning allows the BPF verifier to mitigate the path explosion problem and scale to large programs. With its underlying algorithms, precision tracking, strongly connected components computation, and liveness analysis, state pruning accounts for around 15% of the verifier. Its many heuristics have been tuned over a decade of trial and error.
While state pruning inefficiencies can lead...
-
Eduard Zingerman 11/12/2025, 11:00
The BPF verifier has troubles when verifying loops,
and we are slowly moving to address these.
In the talk I want to cover:
- historical evolution of loops handling by verifier;
- problems with current state of things (too crude widening, no bounds for induction variables);
- describe DFA based liveness analysis that landed recently;
- describe further steps adding DFA-based value...
-
Yiming Xiang (University of Texas at Austin) 11/12/2025, 12:00
eBPF enables safely extending kernel functionality for various applications,
but its static verifier is overly restrictive, preventing many useful and
valid programs in practice from running. It can also miss safety violations
in complex conditions. Recent work proposes adding runtime checks to mitigate
these limitations, but they narrowly target specific cases. Their
instrumentations...
-
Paul Chaignon (Isovalent) 11/12/2025, 12:30
Several fuzzers are able to target the BPF verifier, some achieving high coverage. They are fairly efficient at uncovering deadlocks, unnecessary warnings, and memory errors, but struggle to uncover false negatives: cases where the verifier incorrectly accepts a program. Without a test oracle for these false negatives, fuzzers remain silent.
This talk proposes a new test oracle for the...
-
Peilin Ye (Google LLC) 11/12/2025, 13:00
The growing demand for sophisticated, high-performance eBPF programs on weakly-ordered architectures like arm64 necessitates finer-grained control over memory ordering, instead of relying on the default of full memory barriers. To that end, the eBPF ISA has been expanded by two new BPF_ATOMIC instructions that provide load-acquire and store-release semantics.
This talk introduces these new...
-
KP Singh 11/12/2025, 15:00
With the initial implementation for BPF signing nearly merged, more advanced signing use-cases can be discussed. There are three key cases for signed BPF programs:
- Applications that use light skeletons and a BPF loader program and a light skeleton.
- Applications that generate eBPF programs during their runtime (e.g. Cilium)
- Debugging tools that use a scripting language or command...
-
Liam Wisehart (Meta) 11/12/2025, 15:30
At Meta, due to the proliferation of AI workloads, increased security was needed around key services. In particular, two use cases were jailing untrusted code, and preventing insider and attacker tampering with user data.
AI training and execution of prompts involves executing untrusted code. Meta's network is flat, leading to untrusted workloads operating in the same space as sensitive...
-
Carl El Khoury 11/12/2025, 16:00
Given the increasing concerns around user data and AI model theft, we prioritized developing robust mechanisms to monitor critical files throughout the file system. Leveraging eBPF, we implemented real-time detection for the creation of sensitive files and established comprehensive tracking of their lifecycle events, including renames, moves, deletions, compression, decompression, and uploads....
-
Justin Ngai (Meta) 11/12/2025, 17:00
Abstract: At Meta's scale, high-signal telemetry competes with overwhelming noise. We present a pragmatic approach that pushes policy into the kernel to eliminate noise at the source and enforce controls before user space is involved. First, we show how we compile regex patterns into deterministic finite automata (DFAs) and execute them in eBPF at Linux Security Module (LSM) and fentry attach...
-
Hemanth Malla (Microsoft) 11/12/2025, 17:30
Container networking plugins for Kubernetes like Cilium currently implement Fully Qualified Domain Name (FQDN) based DNS network policies using a user-space DNS proxy to intercept the DNS to IP mappings and plumb CIDR based policy into bpf maps.
This architecture introduces some challenges since any downtime with the userspace proxy would result in DNS resolution failure for all...
-
Raman Shukhau 11/12/2025, 18:00
This talk explores the idea of capturing and identifying DNS requests with BPF and responding to them "in-place" with BPF.
DNS is a relatively simple UDP protocol, and a typical DNS query over UDP usually involves just one packet for the query and one packet for the response. If BPF parses structure of the packet and is able to resolve address from the request, e.g. from the hash map...
-
Andrii Nakryiko (Meta) 12/12/2025, 10:00
Writing basic BPF-based profilers nowadays isn't too hard. The challenges start when one needs to go a step further beyond just capturing a bunch of stack traces. When profiler needs to capture user data reliably bypassing restrictions of NMI and/or non-sleepable context, that's when the real fun begins.
This talk will describe recent advancements in BPF tracing domain which now allow BPF...
-
Menglong Dong (ChinaTelecom) 12/12/2025, 10:30
For now, tracing-type BPF programs and BPF trampolines adopt a per-function design, requiring the creation of independent instances for each kernel function to be traced. This leads to significant inefficiencies in large-scale tracing scenarios (e.g., monitoring hundreds or thousands of kernel functions): not only do redundant instances consume substantial additional memory, but the program...
-
Jiri Olsa (Isovalent) 12/12/2025, 11:00
I'd like to discuss two uprobe related topics:
uprobe optimization - I'd like to update on what's been pushed/accepted and what are the leftovers for backward compatibility with old kernels and discuss if it makes sense to continue with further optimizations.
uprobe override - We had several requests for ebpf being able to force user space function override in a similar way the kprobe...
-
Yonghong Song 12/12/2025, 12:00
I would like to discuss my ongoing work to supply true
signatures for available functions in kallsyms. The
change will be in clang, pahole, libbpf and kernel. For clang, the goal is to add additional functions to
dwarf where these functions are not in current dwarf or
their signatures have changed. The example includes like
- original func 'void foo(int a, int b)' becomes
'void...
-
Tal Zussman (Columbia University) 12/12/2025, 12:30
The page cache is central to the performance of many applications. However, its one-size-fits-all eviction policy may perform poorly for many workloads. While the systems community has experimented with new and adaptive eviction policies in non-kernel settings (e.g., key-value stores, CDNs), it is very difficult to implement such policies in the kernel. We design a flexible eBPF-based...
-
Prankur Gupta (Meta) 12/12/2025, 13:00
Training large models requires significant resources and failure of any GPU or Host can significantly prolong training times. At Meta, we observed that 17% of our jobs fail due to RDMA-related syscall errors which arise due to bugs in the RDMA driver code. Unlike other parts of the Kernel RDMA-related syscalls are opaque and the errors create a mismatched application/kernel view of hardware...
-
Brendan Gregg (Intel), Ben Olson (Intel Corporation) 12/12/2025, 15:00
The world urgently needs better AI analysis tools to find AI datacenter cost reductions. eBPF has been used for a decade to help find compute performance wins and various companies have now been building eBPF tools for AI analysis. This session discusses one such tool: the open source AI flame graphs built by Intel (by us: the talk presenters) which uses eBPF for kernel driver instrumentation...
-
Jiri Gogela (Trend Micro) 12/12/2025, 15:30
Bridging the Observability Gap: Using eBPF for GPU Workload Identification
Modern computing workloads are increasingly offloaded to GPUs, yet our ability to observe and understand the specific tasks running on these accelerators from the host kernel remains limited. This fundamental lack of visibility hinders system administrators, security engineers, and resource schedulers. While...
-
Yusheng Zheng (eunomia-bpf), Tong Yu (eunomia-bpf) 12/12/2025, 16:00
Widely used for ML workloads, GPUs are typically SIMT accelerators with threads in warps on SMs, organized into blocks, launched as kernels, using multi-level memory hierarchies (registers, shared/LDS, L2, device memory), and with complex CPU side orchestration in kernel driver and userspace runtime. This complexity creates rich but challenging behavior patterns for observability and...
-
Pragyansh Chaturvedi, Mr Varun Mallya (Indian Institute of Technology, Roorkee) 12/12/2025, 17:00
This talk aims to introduce the audience to Python-BPF, a project that enables developers to write eBPF programs in pure Python. We allow a reduced Python grammar to be used for the eBPF-specific parts of code.
This improves the following things in the eBPF ecosystem
- Both eBPF logic and userspace code is written in Python (and can
be in...
-
Kenta Tada 12/12/2025, 17:30
eBPF has emerged as a foundational technology for building observability, networking, and security tooling across modern Linux systems. However, in long-term supported (LTS) and embedded environments, such as automotive or industrial platforms, the deployment of eBPF-based software remains fraught with challenges. These range from kernel version divergence and verifier incompatibilities to...
-
Bill Mulligan (Isovalent) 12/12/2025, 18:00
The eBPF Foundation is rethinking what an open source foundation can be by shifting from simply stewarding projects to actively building an ecosystem around a powerful enabling technology like eBPF.
This session will highlight investments like security audits, research grants, funding for directed development, face to face meeting sponsorship, and documenting the ecosystem's evolution like...
-
Amery Hung (Meta)
This talk will introduce task local data, an abstract storage type built on top of task local storage map for sharing thread-specific data between user space and BPF programs. A motivational use case is allowing user space programs to pass hints to sched_ext scheduler for better scheduling decisions.
Task local storage map supports a special field, UPTR, to allow sharing user memory...