eBPF allows safe, programmable kernel instrumentation for networking, security, and observability without writing kernel modules. Understanding attachment points (kprobes, uprobes, tracepoints), BPF maps, the CO-RE portability model, and the safety verifier is essential for systems engineers working at the kernel level.
1 / 5
What makes eBPF programs safe to run in the Linux kernel, unlike kernel modules?
The kernel's BPF verifier is a static analyser that rejects any program it cannot prove is safe: no unbounded loops (historically), no null pointer dereferences, no out-of-bounds memory access, and adherence to calling conventions. Programs that pass the verifier are then JIT-compiled and run at near-native speed in kernel context.
2 / 5
What is the difference between a kprobe and a tracepoint as eBPF attachment points?
kprobes dynamically instrument any kernel function by patching the instruction at runtime. They are powerful but fragile — kernel internal function names change between versions. Tracepoints are explicitly placed hooks with stable names and type-checked argument structures, forming a supported ABI for tooling.
3 / 5
What are BPF maps, and what is their primary purpose?
BPF maps are key-value stores residing in kernel memory. eBPF programs use them to accumulate counts, store per-connection state, pass events to user space (via ring buffers), or receive configuration from user space. They are the primary communication channel between eBPF programs and controlling user-space processes.
4 / 5
What does CO-RE (Compile Once – Run Everywhere) solve in eBPF development?
CO-RE relies on BTF (BPF Type Format) embedded in the kernel and the eBPF program. At load time, libbpf reads the running kernel's BTF and adjusts field offsets in the eBPF bytecode to match, so a single compiled binary works across different kernel versions without recompilation.
5 / 5
You attach an eBPF program to a uprobe on a user-space library function. What does this allow?
uprobes dynamically instrument user-space functions by inserting a breakpoint at the target address. An attached eBPF program runs in kernel context when that address is hit, giving you visibility into function arguments, return values, and timing for any user-space binary — without source changes or restarts.