When I started reading on BPF there weren’t many academic papers to describe how it worked, how it didn’t, or how it is used. There are many blog posts and informal articles out there, but it’s harder to find self-contained papers with references to older, sometimes unsuspected, related works. They have become more frequent though, so I wanted to draw up a list with one-sentence summaries for anyone looking for related works or otherwise interested.

I expect this list to only grow with time. If I want to keep things manageable, I need a way to select papers. Except I’d rather not be the one having to decide which papers are the “best papers”1. So I opted to follow the selection from CSRankings: I will only list papers from conference listed by CSRankins by default. CSRankins tends to put the bar fairly high, but I think there is at least consensus on the top conferences they selected.

I’ve sorted papers according to their type of contribution and the field or area they focus on. For example, papers improving either the JIT compilers or verifier of eBPF will have improving, jit, and verifier (see those papers).

If you notice any bug in the selectors, missing papers, or other opportunity for improvement, as usual, don’t hesitate to reach out via one of the contacts at the bottom of the page.


Type selector

Areas selector


Selected 49 papers.

BeeBox: Hardening BPF Against Transient Execution Attacks

Sec'24   Paper   Talk  D. Jin, A. J. Gaidis, V. P. Kemerlis
improving verifier security 
Combines the verifier's static analysis with SFI-like runtime checks and memory copies to mitigate transient execution attacks.

NetEdit: An Orchestration Platform for eBPF Network Functions at Scale

SIGCOMM'24   Paper   Talk  T. A. Benson, P. Kannan, P. Gupta, B. Madhavan, K. S. Arora, J. Meng, M. Lau, A. Dhamija, R. Krishnamurthy, S. Sundaresan, N. Spring, Y. Zhang
using networking 
Describes an orchestration system for eBPF programs designed to tune the network stack of Meta's services.

Merlin: Multi-tier Optimization of eBPF Code for Performance and Compactness

ASPLOS'24   Paper   Talk  J. Mao, H. Ding, J. Zhai, S. Ma
using misc 
Proposes new compiler optimization tailored to the eBPF bytecode.

DINT: Fast In-Kernel Distributed Transactions with eBPF

NSDI'24   Paper   Talk  Y. Zhou, X. Xiang, M. Kiley, S. Dharanipragada, M. Yu
using networking offload 
Designs a new distributed transaction system that offloads common operations to tc and XDP.

BlueSWAT: A Lightweight State-Aware Security Framework for Bluetooth Low Energy

CCS'24   Paper  X. Che, Y. He, X. Feng, K. Sun, K. Xu, Q. Li
using security misc 
Proposes to use a userspace eBPF VM to facilitate the distribution of security patches to Bluetooth Low Energy (BLE) devices, to mitigate session-based attacks.

SeaK: Rethinking the Design of a Secure Allocator for OS Kernel

Sec'24   Paper   Talk  Z. Wang, Y. Guang, Y. Chen, Z. Lin, M. Le, D. K Le, D. Williams, X. Xing, Z. Gu, H. Jamjooml
using security misc 
Builds a secure allocator for the kernel, to separate security-sensitive objects, using new BPF helpers.

Rethinking Process Management for Interactive Mobile Systems

MobiCom'24   Paper  J. Zheng, Z. Li, F. Qian, W. Liu, H. Lin, Y. Liu, T. Xu, N. Zhang, J. Wang, C. Zhang
using misc 
Leverages eBPF to measure the usage of hardware resources by Android applications and investigate slow UI responsiveness problems.

MegaTE: Extending WAN Traffic Engineering to Millions of Endpoints in Virtualized Cloud

SIGCOMM'24   Paper   Talk  C. Miao, Z. Zhong, Y. Xiao, F. Yang, S. Zhang, Y. Jiang, Z. Bai, C. Lu, J. Geng, Z. He, Y. Wang, X. Zou, C. Yang
using networking 
Relies on eBPF to identify traffic sources and enforce traffic engineering via segment routing across the WAN.

FetchBPF: Customizable Prefetching Policies in Linux with eBPF

ATC'24   Paper   Talk  X. Cao, S. Patel, S. Y. Lim, X. Han, T. Pasquier
using misc 
Extends the kernel with new BPF hooks and helpers to be able to customize memory prefetching policies.

Validating the eBPF Verifier via State Embedding

OSDI'24   Paper   Talk  H. Sun, Z. Su
improving verifier 
Devises a test oracle to fuzz the eBPF verifier.

Hive: A Hardware-assisted Isolated Execution Environment for eBPF on AArch64

Sec'24   Paper   Talk  P. Zhang, C. Wu, X. Meng, Y. Zhang, M. Peng, S. Zhang, B. Hu, M. Xie, Y. Lai, Y. Kang, Z. Wang
improving verifier security 
Proposes to replace the static analysis of the verifier with a hardware-based runtime isolation for ARM64.

End-to-End Mechanized Proof of a JIT-Accelerated eBPF Virtual Machine for IoT

CAV'24   Paper  S. Yuan, F. Besson, and J.-P. Talpin
improving jit 
Correctness proof for the eBPF JIT compiler used in the micro-controller RIOT kernel.

Fast, Flexible, and Practical Kernel Extensions

SOSP'24   Paper  K. K. Dwivedi, R. Iyer, S. Kashyap
improving verifier 
Extends the Linux verifier with limited runtime checks and in a backward compatible way, significantly improving eBPF's expressibility.

MOAT: Towards Safe BPF Kernel Extension

Sec'24   Paper   Talk  H. Lu, S. Wang, Y. Wu, W. He, F. Zhang
improving verifier security 
Hardens eBPF in Linux by leveraging Intel MPK and adding runtime checks for helpers.

Cross Container Attacks: The Bewildered eBPF on Clouds

Sec'23   Paper   Talk  Y. He, R. Guo, Y. Xing, X. Che, K. Sun, Z. Liu, K. Xu, Q. Li
analysis security 
Highlights that eBPF tracing programs can be used to escape container boundaries and the impact on cloud and online coding platforms.

λ-IO: A Unified IO Stack for Computational Storage

FAST'23   Paper   Talk  Z. Yang, Y. Lu, X. Liao, Y. Chen, J. Li, S. He, J. Shu
using storage 
Modifies eBPF to implement a unified IO stack spanning the kernel and storage devices, in the context of in-storage computing.

eHDL: Turning eBPF/XDP Programs into Hardware Designs for the NIC

ASPLOS'23   Paper   Talk  A. Rivitti, R. Bifulco, A. Tulumello, M. Bonola, S. Pontarelli
using networking 
Introduces a synthesis tool that generates FPGA pipelines for NICs from unmodified XDP programs.

Fuzz on the Beach: Fuzzing Solana Smart Contracts

CCS'23   Paper  S. Smolka, J.-R. Giesen, P. Winkler, O. Draissi, L. Davi, G. Karame, K. Pohl
improving security misc 
Fuzzes Solana smart contracts, including those compiled to eBPF bytecode, by extending Solana's userspace eBPF VM with six bug oracles and coverage feedback.

xBGP: Faster Innovation in Routing Protocols

NSDI'23   Paper   Talk  T. Wirtgen, T. Rousseaux, Q. De Coninck, N. Rybowski, R. Bush, L. Vanbever, A. Legay, O. Bonaventure
using networking 
Designs an extension mechanism for BGP using a userspace implementation of eBPF and several C verification tools to replace and extend the Linux verifier.

Taking 5G RAN Analytics and Control to a New Level

MobiCom'23   Paper  X. Foukas, B. Radunovic, M. Balkwill, Z. Lai
using networking 
Proposes to extend virtualized Radio Access Network (vRAN) functions using a userspace BPF implementation and the PREVAIL verifier, with a new runtime check to bound the execution time.

Network-Centric Distributed Tracing with DeepFlow: Troubleshooting Your Microservices in Zero Code

SIGCOMM'23   Paper   Talk  J. Shen H. Zhang, Y. Xiang, X. Shi, X. Li, Y. Shen, Z. Zhang, Y. Wu, X. Yin, J. Wang, M. Xu, Y. Li, J. Yin, J. Song, Z. Li, R. Nie
using tracing 
Presents a distributed tracing framework for troubleshooting microservices that leverages eBPF for data collection.

Tigger: A Database Proxy That Bounces with User-Bypass

VLDB'23   Paper  M. Butrovich, K. Ramanathan, J. Rollinson, W. S. Lim, W. Zhang, J. Sherry, A. Pavlo
using networking offload 
Offloads PostgreSQL connection pooling and mirroring to the kernel using sockmap BPF programs.

Electrode: Accelerating Distributed Protocols with eBPF

NSDI'23   Paper   Talk  Y. Zhou, Z. Wang, S. Dharanipragada, M. Yu
using networking offload 
Offloads common Paxos networking operations to tc and XDP to improve performance.

Verifying the Verifier: eBPF Range Analysis Verification

CAV'23   Paper  H. Vishwanathan, M. Shachnai, S. Narayana, S. Nagarakatte
improving verifier 
Automatically and formally proves the ranges analysis of the Linux verifier.

EPF: Evil Packet Filter

ATC'23   Paper   Talk  D. Jin, V. Atlidakis, V. P. Kemerlis
analysis security 
Presents an approach to bypass various kernel isolation techniques by abusing the cBPF infrastructure.

Domain Specific Run Time Optimization for Software Data Planes

ASPLOS'22   Paper   Talk  S. Miano, A. Sanaee, F. Risso, G. Rétvári, G. Antichi
using networking 
Optimizes datapath binaries, including eBPF bytecodes, based on traffic patterns.

End-to-end Mechanized Proof of an eBPF Virtual Machine for Micro-controllers

CAV'22   Paper  S. Yuan, F. Besson, J.-P. Talpin, S. Hym, K. Zandberg, E. Baccelli
improving verifier 
Correctness proof for the eBPF interpreter and verifier used in the micro-controller RIOT kernel.

Application-Informed Kernel Synchronization Primitives

OSDI'22   Paper   Talk  S. Park, D. Zhou, Y. Qian, I. Calciu, T. Kim, S. Kashyap
using misc 
Allows Linux users to customize kernel lock policies using eBPF and according to the applications' needs and hardware characteristics.

RapidPatch: Firmware Hotpatching for Real-Time Embedded Devices

Sec'22   Paper   Talk  Y. He, Z. Zou, K. Sun, Z. Liu, K. Xu, Q. Wang, C. Shen, Z. Wang, Q. Li
using misc 
Implements a hotpatching mechanism for real-time OSes using eBPF, a modified verifier, and additional runtime checks.

SPRIGHT: Extracting the Server from Serverless Computing! High-Performance eBPF-Based Event-Driven, Shared-Memory Processing

SIGCOMM'22   Paper   Talk  S. Qi, L. Monis, Z. Zeng, I.-C. Wang, K. K. Ramakrishnan
using networking 
Leverages various eBPF hooks to improve the performance of Knative, a container-based serverless platform.

Faster Software Packet Processing on FPGA NICs with eBPF Program Warping

ATC'22   Paper   Talk  M. Bonola, G. Belocchi, A. Tulumello, M. Spaziani Brunella, G. Siracusano, G. Bianchi, R. Bifulco
using networking 
Improves the performance of hXDP, an eBPF processor for FPGA NICs, via peephole optimization, thereby replacing series of instructions with optimized hardware implementations.

XRP: In-Kernel Storage Functions with eBPF

OSDI'22   Paper   Talk  Y. Zhong, H. Li, Y. J. Wu, I. Zarkadas, J. Tao, E. Mesterhazy, M. Makris, J. Yang, A. Tai, R. Stutsman, A. Cidon
using storage offload 
Offloads processing to the NVMe drivers using BPF, to reduce kernel overhead in storage applications

Sound, Precise, and Fast Abstract Interpretation with Tristate Numbers

CGO'22   Paper   Talk  H. Vishwanathan, M. Shachnai, S. Narayana, S. Nagarakatte
improving verifier 
Formally proves and improves the Linux verifier operations on tristate numbers for the range analysis.

Synthesizing Safe and Efficient Kernel Extensions for Packet Processing

SIGCOMM'21   Paper   Talk  Qiongwen Xu, M. D. Wong, T. Wagle, S. Narayana, A. Sivaraman
using networking 
Proposes a synthesis-based compiler that optimizes eBPF programs while ensuring they still pass the Linux verifier.

BMC: Accelerating Memcached using Safe In-Kernel Caching and Pre-Stack Processing

NSDI'21   Paper   Talk   Summary Y. Ghigoff, J. Sopena, K. Lazri, A. Blin, G. Muller
using networking offload 
Speeds up Memcached with an XDP-based, transparent, first-level cache.

An Analysis of Speculative Type Confusion Vulnerabilities in the Wild

Sec'21   Paper   Talk  O. Kirzner, A. Morrison
analysis security 
Describes how eBPF can be leveraged to create speculative type confusion gadgets in the kernel.

Syrup: User-Defined Scheduling Across the Stack

SOSP'21   Paper   Talk  K. Kaffes, J. Humphries, D. Mazières, C. Kozyrakis
using networking 
Proposes an eBPF-based framework to enable users to write application-specific scheduling policies for threads, network packets, and network connections.

Revisiting the Open vSwitch Dataplane Ten Years Later

SIGCOMM'21   Paper  W. Tu, Y.-H. Wei, G. Antichi, B. Pfaff
using networking 
Describes how production experience with Open vSwitch over a decade led to the development of its new AF_XDP-based datapath.

Synthesizing JIT Compilers for In-Kernel DSLs

CAV'20   Paper  J. Van Geffen, L. Nelson, I. Dillig, X. Wang, E. Torlak
improving jit 
Synthesizes eBPF and cBPF JIT compilers, which are proven to be formally correct, from DSL interpreters.

hXDP: Efficient Software Packet Processing on FPGA NICs

OSDI'20   Paper   Talk   Summary M. Spaziani Brunella, G. Belocchi, M. Bonola, S. Pontarelli, G. Siracusano, G. Bianchi, A. Cammarano, A. Palumbo, L. Petrucci, R. Bifulco
using networking 
Investigates the execution of XDP programs on FPGA NICs by implementing an interpreter.

Specification and Verification in the Field: Applying Formal Methods to BPF Just-in-Time Compilers in the Linux Kernel

OSDI'20   Paper   Talk  L. Nelson, J. Van Geffen, E. Torlak, X. Wang
improving jit 
Applies formal verification techniques to the eBPF JIT compilers and implements a new formally-verified JIT compiler for 32-bit RISC-V.

Scaling Symbolic Evaluation for Automated Verification of Systems Code with Serval

SOSP'19   Paper  L. Nelson, J. Bornholt, R. Gu, A. Baumann, E. Torlak, X. Wang
improving verifier 
Proposes a framework to developing verifiers for system software, including eBPF, by lifting existing interpreters under symbolic execution.

Extension Framework for File Systems in User Space

ATC'19   Paper   Talk  A. Bijlani, U. Ramachandran
using storage offload 
Enables eBPF support in the FUSE interface to improve the performance of user-space file systems by offloading operations to the kernel.

Pluginizing QUIC

SIGCOMM'19   Paper  Q. De Coninck, F. Michel, M. Piraux, F. Rochet, T. Given-Wilson, A. Legay, O. Pereira, O. Bonaventure
using networking 
Designs an extension mechanism for QUIC using a userspace implementation of eBPF with SFI-like runtime checks.

Simple and Precise Static Analysis of Untrusted Linux Kernel Extensions

PLDI'19   Paper   Talk   Summary E. Gershuni, N. Amit, A. Gurfinkel, N. Narodytska, J. A. Navas, N. Rinetzky, L. Ryzhyk, M. Sagiv
improving verifier 
Introduces PREVAIL, an alternative to the Linux eBPF verifier based on abstract interpretation and now used in Windows.

The Design and Implementation of Hyperupcalls

ATC'18   Paper  N. Amit, M. Wei
using misc 
Leverages eBPF to bridge the semantic gap of virtualization, by letting hypervisors execute verified code from the guests.

Jitk: A Trustworthy In-Kernel Interpreter Infrastructure

OSDI'14   Paper   Talk  X. Wang, D. Lazar, N. Zeldovich, A. Chlipala, Z. Tatlock
improving jit 
Proposes a formally-verified infrastructure to compile high-level rules into cBPF bytecode and machine code.

Safe Kernel Extensions Without Run-Time Checking

OSDI'96   Paper  G. C. Necula, P. Lee
improving verifier 
Proposes kernel extensions in the form of proof-carrying code and compares it to cBPF.

The BSD Packet Filter: A New Architecture for User-level Packet Capture

USENIX Winter'93   Paper  S. McCanne, V. Jacobson
foundation networking 
The original cBPF paper, describing a register-based packet filter for BSD.



Thanks to Kahina for her reviews and for reporting multiple bugs with the early version of the selectors.


  1. Of course, I can’t really escape chosing a method to select papers, so it’s not as if this is completely objective either.