eBPF for runtime security
Sandboxed kernel programs, maps, and the verifier.
Runtime security lives or dies on kernel visibility, and eBPF is the technology that makes that visibility safe and portable. Before you can reason about Falco, Tetragon, or Cilium, you need a working model of what eBPF actually is and why it changed the game for detecting what a container does at execution time.
Sandboxed programs in the kernel
eBPF lets you attach small programs to defined kernel hook points — syscall entry, kernel function probes (kprobes), tracepoints, LSM decisions, and packet paths — without patching the kernel or loading an out-of-tree module. A verifier statically proves each program is safe (bounded loops, only valid memory access) before it loads, so untrusted logic can run in kernel context without crashing or hanging the machine. Programs are JIT-compiled to native code and share data with userspace through maps. Because they observe at the syscall boundary, a process cannot hide the system calls it must make to do anything meaningful.
# Conceptually, a runtime tool loads a program at a hook and reads a map:## [ hook ] [ eBPF program ] [ map ] [ userspace agent ]# sys_enter_execve --> record exec event --> ring buffer --> Falco/Tetragon# security_bprm_check(LSM) allow/deny decision## Inspect what's loaded on a node:bpftool prog show # loaded eBPF programs + their attach typesbpftool map show # maps sharing state with userspacecat /proc/kallsyms | grep bpf # kernel-side BPF symbols
Why it beats a kernel module
Older runtime tools shipped a loadable kernel module to capture syscalls — powerful but risky, requiring a compiled, signed module per kernel and capable of crashing the host. eBPF removes that: the verifier guarantees safety, and CO-RE (Compile Once, Run Everywhere) uses BTF type information so one program adapts across kernel versions. That is why modern Falco defaults to an eBPF probe and why Tetragon and Cilium are built entirely on eBPF. For security specifically, the BPF LSM lets programs attach at the same hooks SELinux and AppArmor use, making allow/deny decisions in the kernel.