CoursesRuntime & eBPF securityeBPF & kernel foundations

eBPF for runtime security

Sandboxed kernel programs, maps, and the verifier.

Advanced35 min · lesson 1 of 15

Runtime security lives or dies on kernel visibility, and eBPF is the technology that makes that visibility safe and portable. Before you can reason about Falco, Tetragon, or Cilium, you need a working model of what eBPF actually is and why it changed the game for detecting what a container does at execution time.

Sandboxed programs in the kernel

eBPF lets you attach small programs to defined kernel hook points — syscall entry, kernel function probes (kprobes), tracepoints, LSM decisions, and packet paths — without patching the kernel or loading an out-of-tree module. A verifier statically proves each program is safe (bounded loops, only valid memory access) before it loads, so untrusted logic can run in kernel context without crashing or hanging the machine. Programs are JIT-compiled to native code and share data with userspace through maps. Because they observe at the syscall boundary, a process cannot hide the system calls it must make to do anything meaningful.

the pieces of an eBPF security probe
# Conceptually, a runtime tool loads a program at a hook and reads a map:
#
# [ hook ] [ eBPF program ] [ map ] [ userspace agent ]
# sys_enter_execve --> record exec event --> ring buffer --> Falco/Tetragon
# security_bprm_check(LSM) allow/deny decision
#
# Inspect what's loaded on a node:
bpftool prog show # loaded eBPF programs + their attach types
bpftool map show # maps sharing state with userspace
cat /proc/kallsyms | grep bpf # kernel-side BPF symbols

Why it beats a kernel module

Older runtime tools shipped a loadable kernel module to capture syscalls — powerful but risky, requiring a compiled, signed module per kernel and capable of crashing the host. eBPF removes that: the verifier guarantees safety, and CO-RE (Compile Once, Run Everywhere) uses BTF type information so one program adapts across kernel versions. That is why modern Falco defaults to an eBPF probe and why Tetragon and Cilium are built entirely on eBPF. For security specifically, the BPF LSM lets programs attach at the same hooks SELinux and AppArmor use, making allow/deny decisions in the kernel.

eBPF for runtime security
attach points
syscall tracepoints / kprobes
exec, open, connect, mount
BPF LSM hooks
in-kernel allow/deny decisions
tc / XDP
packet-level network policy
safety + sharing
verifier
proves safety before load
maps / ring buffer
stream events to userspace
CO-RE (BTF)
portable across kernels
Observe at the kernel boundary, safely and portably. This is the foundation every runtime tool in this course is built on.
Kernel visibility is not the same as enforcement
An eBPF probe that only observes tells you what happened; stopping it requires either an in-kernel enforcement path (BPF LSM, Tetragon) or a fast userspace response. Know which mode a tool is in — detection-only tools alert after the action, and that gap matters for fast-moving attacks.