When I started reading on BPF there weren’t many academic papers to describe how it worked, how it didn’t, or how it is used. There are many blog posts and informal articles out there, but it’s harder to find self-contained papers with references to older, sometimes unsuspected, related works. They have become more frequent though, so I wanted to draw up a list with one-sentence summaries for anyone looking for related works or otherwise interested.

I expect this list to only grow with time. If I want to keep things manageable, I need a way to select papers. Except I’d rather not be the one having to decide which papers are the “best papers”1. So I opted to follow the selection from CSRankings: I will only list papers from conference listed by CSRankins by default. CSRankins tends to put the bar fairly high, but I think there is at least consensus on the top conferences they selected.

I’ve sorted papers according to their type of contribution and the field or area they focus on. For example, papers improving either the JIT compilers or verifier of eBPF will have improving, jit, and verifier (see those papers).

If you notice any bug in the selectors, missing papers, or other opportunity for improvement, as usual, don’t hesitate to reach out via one of the contacts at the bottom of the page.


Type selector

Areas selector


Selected 49 papers.

BeeBox: Hardening BPF Against Transient Execution Attacks

Sec'24   Paper  D. Jin, A. J. Gaidis, V. P. Kemerlis
improving verifier security 
Combines the verifier's static analysis with SFI-like runtime checks and memory copies to mitigate transient execution attacks.

Toss a Fault to BpfChecker: Revealing Implementation Flaws for eBPF runtimes with Differential Fuzzing

CCS'24   Paper  C. Peng, M. Jiang, L. Wu, Y. Zhou
improving verifier jit 
Designs a fuzzer for userspace eBPF runtimes, including Windows's, using differential fuzzing, verifier logs, and an intermediate representation of the eBPF bytecode.

NetEdit: An Orchestration Platform for eBPF Network Functions at Scale

SIGCOMM'24   Paper  T. A. Benson, P. Kannan, P. Gupta, B. Madhavan, K. S. Arora, J. Meng, M. Lau, A. Dhamija, R. Krishnamurthy, S. Sundaresan, N. Spring, Y. Zhang
using networking 
Describes an orchestration system for eBPF programs designed to tune the network stack of Meta's services.

Merlin: Multi-tier Optimization of eBPF Code for Performance and Compactness

ASPLOS'24   Paper  J. Mao, H. Ding, J. Zhai, S. Ma
using misc 
Proposes new compiler optimization tailored to the eBPF bytecode.

DINT: Fast In-Kernel Distributed Transactions with eBPF

NSDI'24   Paper  Y. Zhou, X. Xiang, M. Kiley, S. Dharanipragada, M. Yu
using networking offload 
Designs a new distributed transaction system that offloads common operations to tc and XDP.

BlueSWAT: A Lightweight State-Aware Security Framework for Bluetooth Low Energy

CCS'24   Paper  X. Che, Y. He, X. Feng, K. Sun, K. Xu, Q. Li
using security misc 
Proposes to use a userspace eBPF VM to facilitate the distribution of security patches to Bluetooth Low Energy (BLE) devices, to mitigate session-based attacks.

SeaK: Rethinking the Design of a Secure Allocator for OS Kernel

Sec'24   Paper  Z. Wang, Y. Guang, Y. Chen, Z. Lin, M. Le, D. K Le, D. Williams, X. Xing, Z. Gu, H. Jamjooml
using security misc 
Builds a secure allocator for the kernel, to separate security-sensitive objects, using new BPF helpers.

Rethinking Process Management for Interactive Mobile Systems

MobiCom'24   Paper  J. Zheng, Z. Li, F. Qian, W. Liu, H. Lin, Y. Liu, T. Xu, N. Zhang, J. Wang, C. Zhang
using misc 
Leverages eBPF to measure the usage of hardware resources by Android applications and investigate slow UI responsiveness problems.

MegaTE: Extending WAN Traffic Engineering to Millions of Endpoints in Virtualized Cloud

SIGCOMM'24   Paper  C. Miao, Z. Zhong, Y. Xiao, F. Yang, S. Zhang, Y. Jiang, Z. Bai, C. Lu, J. Geng, Z. He, Y. Wang, X. Zou, C. Yang
using networking 
Relies on eBPF to identify traffic sources and enforce traffic engineering via segment routing across the WAN.

FetchBPF: Customizable Prefetching Policies in Linux with eBPF

ATC'24   Paper  X. Cao, S. Patel, S. Y. Lim, X. Han, T. Pasquier
using misc 
Extends the kernel with new BPF hooks and helpers to be able to customize memory prefetching policies.

Validating the eBPF Verifier via State Embedding

OSDI'24   Paper  H. Sun, Z. Su
improving verifier 
Devises a test oracle to fuzz the eBPF verifier.

Hive: A Hardware-assisted Isolated Execution Environment for eBPF on AArch64

Sec'24   Paper  P. Zhang, C. Wu, X. Meng, Y. Zhang, M. Peng, S. Zhang, B. Hu, M. Xie, Y. Lai, Y. Kang, Z. Wang
improving verifier security 
Proposes to replace the static analysis of the verifier with a hardware-based runtime isolation for ARM64.

End-to-End Mechanized Proof of a JIT-Accelerated eBPF Virtual Machine for IoT

CAV'24   Paper  S. Yuan, F. Besson, and J.-P. Talpin
improving jit 
Correctness proof for the eBPF JIT compiler used in the micro-controller RIOT kernel.

Fast, Flexible, and Practical Kernel Extensions

SOSP'24   Paper  K. K. Dwivedi, R. Iyer, S. Kashyap
improving verifier 
Extends the Linux verifier with limited runtime checks and in a backward compatible way, significantly improving eBPF's expressibility.

MOAT: Towards Safe BPF Kernel Extension

Sec'24   Paper  H. Lu, S. Wang, Y. Wu, W. He, F. Zhang
improving verifier security 
Hardens eBPF in Linux by leveraging Intel MPK and adding runtime checks for helpers.

Cross Container Attacks: The Bewildered eBPF on Clouds

Sec'23   Paper  Y. He, R. Guo, Y. Xing, X. Che, K. Sun, Z. Liu, K. Xu, Q. Li
analysis security 
Highlights that eBPF tracing programs can be used to escape container boundaries and the impact on cloud and online coding platforms.

λ-IO: A Unified IO Stack for Computational Storage

FAST'23   Paper  Z. Yang, Y. Lu, X. Liao, Y. Chen, J. Li, S. He, J. Shu
using storage 
Modifies eBPF to implement a unified IO stack spanning the kernel and storage devices, in the context of in-storage computing.

eHDL: Turning eBPF/XDP Programs into Hardware Designs for the NIC

ASPLOS'23   Paper  A. Rivitti, R. Bifulco, A. Tulumello, M. Bonola, S. Pontarelli
using networking 
Introduces a synthesis tool that generates FPGA pipelines for NICs from unmodified XDP programs.

Fuzz on the Beach: Fuzzing Solana Smart Contracts

CCS'23   Paper  S. Smolka, J.-R. Giesen, P. Winkler, O. Draissi, L. Davi, G. Karame, K. Pohl
improving security misc 
Fuzzes Solana smart contracts, including those compiled to eBPF bytecode, by extending Solana's userspace eBPF VM with six bug oracles and coverage feedback.

Taking 5G RAN Analytics and Control to a New Level

MobiCom'23   Paper  X. Foukas, B. Radunovic, M. Balkwill, Z. Lai
using networking 
Proposes to extend virtualized Radio Access Network (vRAN) functions using a userspace BPF implementation and the PREVAIL verifier, with a new runtime check to bound the execution time.

Network-Centric Distributed Tracing with DeepFlow: Troubleshooting Your Microservices in Zero Code

SIGCOMM'23   Paper  J. Shen H. Zhang, Y. Xiang, X. Shi, X. Li, Y. Shen, Z. Zhang, Y. Wu, X. Yin, J. Wang, M. Xu, Y. Li, J. Yin, J. Song, Z. Li, R. Nie
using tracing 
Presents a distributed tracing framework for troubleshooting microservices that leverages eBPF for data collection.

Tigger: A Database Proxy That Bounces with User-Bypass

VLDB'23   Paper  M. Butrovich, K. Ramanathan, J. Rollinson, W. S. Lim, W. Zhang, J. Sherry, A. Pavlo
using networking offload 
Offloads PostgreSQL connection pooling and mirroring to the kernel using sockmap BPF programs.

Electrode: Accelerating Distributed Protocols with eBPF

NSDI'23   Paper  Y. Zhou, Z. Wang, S. Dharanipragada, M. Yu
using networking offload 
Offloads common Paxos networking operations to tc and XDP to improve performance.

Verifying the Verifier: eBPF Range Analysis Verification

CAV'23   Paper  H. Vishwanathan, M. Shachnai, S. Narayana, S. Nagarakatte
improving verifier 
Automatically and formally proves the ranges analysis of the Linux verifier.

EPF: Evil Packet Filter

ATC'23   Paper  D. Jin, V. Atlidakis, V. P. Kemerlis
analysis security 
Presents an approach to bypass various kernel isolation techniques by abusing the cBPF infrastructure.

Domain Specific Run Time Optimization for Software Data Planes

ASPLOS'22   Paper  S. Miano, A. Sanaee, F. Risso, G. Rétvári, G. Antichi
using networking 
Optimizes datapath binaries, including eBPF bytecodes, based on traffic patterns.

End-to-end Mechanized Proof of an eBPF Virtual Machine for Micro-controllers

CAV'22   Paper  S. Yuan, F. Besson, J.-P. Talpin, S. Hym, K. Zandberg, E. Baccelli
improving verifier 
Correctness proof for the eBPF interpreter and verifier used in the micro-controller RIOT kernel.

Application-Informed Kernel Synchronization Primitives

OSDI'22   Paper  S. Park, D. Zhou, Y. Qian, I. Calciu, T. Kim, S. Kashyap
using misc 
Allows Linux users to customize kernel lock policies using eBPF and according to the applications' needs and hardware characteristics.

RapidPatch: Firmware Hotpatching for Real-Time Embedded Devices

Sec'22   Paper  Y. He, Z. Zou, K. Sun, Z. Liu, K. Xu, Q. Wang, C. Shen, Z. Wang, Q. Li
using misc 
Implements a hotpatching mechanism for real-time OSes using eBPF, a modified verifier, and additional runtime checks.

SPRIGHT: Extracting the Server from Serverless Computing! High-Performance eBPF-Based Event-Driven, Shared-Memory Processing

SIGCOMM'22   Paper  S. Qi, L. Monis, Z. Zeng, I.-C. Wang, K. K. Ramakrishnan
using networking 
Leverages various eBPF hooks to improve the performance of Knative, a container-based serverless platform.

Faster Software Packet Processing on FPGA NICs with eBPF Program Warping

ATC'22   Paper  M. Bonola, G. Belocchi, A. Tulumello, M. Spaziani Brunella, G. Siracusano, G. Bianchi, R. Bifulco
using networking 
Improves the performance of hXDP, an eBPF processor for FPGA NICs, via peephole optimization, thereby replacing series of instructions with optimized hardware implementations.

XRP: In-Kernel Storage Functions with eBPF

OSDI'22   Paper  Y. Zhong, H. Li, Y. J. Wu, I. Zarkadas, J. Tao, E. Mesterhazy, M. Makris, J. Yang, A. Tai, R. Stutsman, A. Cidon
using storage offload 
Offloads processing to the NVMe drivers using BPF, to reduce kernel overhead in storage applications

Sound, Precise, and Fast Abstract Interpretation with Tristate Numbers

CGO'22   Paper  H. Vishwanathan, M. Shachnai, S. Narayana, S. Nagarakatte
improving verifier 
Formally proves and improves the Linux verifier operations on tristate numbers for the range analysis.

Synthesizing Safe and Efficient Kernel Extensions for Packet Processing

SIGCOMM'21   Paper  Qiongwen Xu, M. D. Wong, T. Wagle, S. Narayana, A. Sivaraman
using networking 
Proposes a synthesis-based compiler that optimizes eBPF programs while ensuring they still pass the Linux verifier.

BMC: Accelerating Memcached using Safe In-Kernel Caching and Pre-Stack Processing

NSDI'21   Paper   Summary  Y. Ghigoff, J. Sopena, K. Lazri, A. Blin, G. Muller
using networking offload 
Speeds up Memcached with an XDP-based, transparent, first-level cache.

An Analysis of Speculative Type Confusion Vulnerabilities in the Wild

Sec'21   Paper  O. Kirzner, A. Morrison
analysis security 
Describes how eBPF can be leveraged to create speculative type confusion gadgets in the kernel.

Syrup: User-Defined Scheduling Across the Stack

SOSP'21   Paper  K. Kaffes, J. Humphries, D. Mazières, C. Kozyrakis
using networking 
Proposes an eBPF-based framework to enable users to write application-specific scheduling policies for threads, network packets, and network connections.

Revisiting the Open vSwitch Dataplane Ten Years Later

SIGCOMM'21   Paper  W. Tu, Y.-H. Wei, G. Antichi, B. Pfaff
using networking 
Describes how production experience with Open vSwitch over a decade led to the development of its new AF_XDP-based datapath.

Synthesizing JIT Compilers for In-Kernel DSLs

CAV'20   Paper  J. Van Geffen, L. Nelson, I. Dillig, X. Wang, E. Torlak
improving jit 
Synthesizes eBPF and cBPF JIT compilers, which are proven to be formally correct, from DSL interpreters.

hXDP: Efficient Software Packet Processing on FPGA NICs

OSDI'20   Paper   Summary  M. Spaziani Brunella, G. Belocchi, M. Bonola, S. Pontarelli, G. Siracusano, G. Bianchi, A. Cammarano, A. Palumbo, L. Petrucci, R. Bifulco
using networking 
Investigates the execution of XDP programs on FPGA NICs by implementing an interpreter.

Specification and Verification in the Field: Applying Formal Methods to BPF Just-in-Time Compilers in the Linux Kernel

OSDI'20   Paper  L. Nelson, J. Van Geffen, E. Torlak, X. Wang
improving jit 
Applies formal verification techniques to the eBPF JIT compilers and implements a new formally-verified JIT compiler for 32-bit RISC-V.

Scaling Symbolic Evaluation for Automated Verification of Systems Code with Serval

SOSP'19   Paper  L. Nelson, J. Bornholt, R. Gu, A. Baumann, E. Torlak, X. Wang
improving verifier 
Proposes a framework to developing verifiers for system software, including eBPF, by lifting existing interpreters under symbolic execution.

Extension Framework for File Systems in User Space

ATC'19   Paper  A. Bijlani, U. Ramachandran
using storage offload 
Enables eBPF support in the FUSE interface to improve the performance of user-space file systems by offloading operations to the kernel.

Pluginizing QUIC

SIGCOMM'19   Paper  Q. De Coninck, F. Michel, M. Piraux, F. Rochet, T. Given-Wilson, A. Legay, O. Pereira, O. Bonaventure
using networking 
Designs an extension mechanism for QUIC using a userspace implementation of eBPF with SFI-like runtime checks.

Simple and Precise Static Analysis of Untrusted Linux Kernel Extensions

PLDI'19   Paper   Summary  E. Gershuni, N. Amit, A. Gurfinkel, N. Narodytska, J. A. Navas, N. Rinetzky, L. Ryzhyk, M. Sagiv
improving verifier 
Introduces PREVAIL, an alternative to the Linux eBPF verifier based on abstract interpretation and now used in Windows.

The Design and Implementation of Hyperupcalls

ATC'18   Paper  N. Amit, M. Wei
using misc 
Leverages eBPF to bridge the semantic gap of virtualization, by letting hypervisors execute verified code from the guests.

Jitk: A Trustworthy In-Kernel Interpreter Infrastructure

OSDI'14   Paper  X. Wang, D. Lazar, N. Zeldovich, A. Chlipala, Z. Tatlock
improving jit 
Proposes a formally-verified infrastructure to compile high-level rules into cBPF bytecode and machine code.

Safe Kernel Extensions Without Run-Time Checking

OSDI'96   Paper  G. C. Necula, P. Lee
improving verifier 
Proposes kernel extensions in the form of proof-carrying code and compares it to cBPF.

The BSD Packet Filter: A New Architecture for User-level Packet Capture

USENIX Winter'93   Paper  S. McCanne, V. Jacobson
foundation networking 
The original cBPF paper, describing a register-based packet filter for BSD.



Thanks to Kahina for her reviews and for reporting multiple bugs with the early version of the selectors.


  1. Of course, I can’t really escape chosing a method to select papers, so it’s not as if this is completely objective either.