# eBPF Safety & Trust

## You're Right to Be Cautious

When evaluating kernel-level software, a healthy skepticism is appropriate. Any technology that operates at this level deserves thorough scrutiny. This page explains exactly why eBPF is designed to be safe and why enterprises trust it in production.

## How eBPF Keeps Your Systems Safe

### The Linux Kernel Verifier

The cornerstone of eBPF safety is the Linux kernel's built-in verifier. Before any eBPF program runs, the kernel performs static analysis to mathematically prove the program is safe:

**What the verifier checks:**

* **Bounded execution**: Programs must terminate; infinite loops are rejected
* **Memory safety**: All memory accesses must be within valid bounds
* **Type safety**: Operations must use correct data types
* **No kernel modification**: Programs cannot alter kernel code or data structures

{% hint style="info" %}
**Key point**: If a program fails any verification check, the kernel rejects it entirely. The program never runs. This is enforced by Linux itself, not by Qpoint.
{% endhint %}

### Sandboxed Execution

eBPF programs run in a strictly controlled environment:

* **Isolated execution context**: Cannot interfere with other programs or kernel operations
* **Limited helper functions**: Can only call pre-approved kernel functions
* **Read-only after loading**: Program code cannot be modified once loaded
* **Bounded stack size**: Fixed 512-byte stack prevents overflow attacks
* **No arbitrary memory access**: Can only access maps and approved memory regions

### The Safer Alternative to Kernel Modules

Traditional kernel modules have full kernel access and have historically caused system crashes and outages. eBPF was designed specifically to avoid these risks:

| Aspect                  | Traditional Kernel Modules | eBPF Programs                  |
| ----------------------- | -------------------------- | ------------------------------ |
| **Verification**        | None - full kernel access  | Verified before execution      |
| **Crash potential**     | Can crash entire system    | Cannot crash kernel            |
| **Memory access**       | Unrestricted               | Strictly bounded               |
| **Kernel modification** | Can modify kernel behavior | Read-only observation          |
| **Removal**             | May require reboot         | Hot-swappable, instant removal |
| **Debugging**           | Difficult, risky           | Safe, observable               |

## Enterprise Adoption

### Who Trusts eBPF in Production?

eBPF is not experimental technology. It powers critical infrastructure at the world's largest organizations.

**Financial Services:**

Major financial institutions run eBPF across thousands of developers and millions of containers for container networking and security. The technology has been vetted by security teams at organizations with the strictest compliance requirements.

**Cloud Providers:**

All three major cloud providers have adopted eBPF-based networking as their default or recommended Container Network Interface (CNI):

* Leading cloud Kubernetes services use eBPF-based CNI by default
* eBPF powers network load balancing and security at global scale
* The technology handles production traffic for some of the world's largest platforms

**Infrastructure Leaders:**

eBPF enables network observability and DDoS protection at major content delivery and streaming platforms, processing billions of requests daily.

## Third-Party Validation

### Independent Security Assessments

The eBPF ecosystem has undergone rigorous independent security review:

* **Verifier Security Audits**: Independent security assessments have focused on the correctness and robustness of the eBPF verifier itself, finding no systemic weaknesses
* **Project Security Audits**: Major eBPF-based projects have been audited by respected security firms, with findings noting well-secured implementations
* **Threat Model Documentation**: The eBPF community has published comprehensive threat models documenting security considerations and mitigations

{% hint style="info" %}
The eBPF community has been highly effective in identifying and fixing bugs, with efficient response times to security issues.
{% endhint %}

## Your Data Never Leaves Your Environment

Beyond eBPF safety, Qpoint is designed with data sovereignty as a core principle:

* **Sensitive payloads stay local**: HTTP bodies and headers are stored in YOUR S3-compatible storage (MinIO, AWS S3, GCS)
* **No "phone home"**: Qpoint never receives your sensitive traffic data
* **Air-gapped support**: Full functionality without any internet connectivity
* **You hold the keys**: We cannot access your data even if we wanted to

For detailed information on data handling and compliance, see [Security & Compliance](https://docs.qpoint.io/security-and-compliance).

## Common Questions

### How does eBPF ensure it won't crash my systems?

The Linux kernel's built-in verifier mathematically proves that each eBPF program is safe before allowing it to run. Programs that could crash the kernel, access invalid memory, or loop infinitely are rejected outright. This verification happens at the kernel level and cannot be bypassed.

### What if the eBPF program has a bug?

The verifier prevents bugs from causing system-level harm. Even if an eBPF program has a logic error, it cannot:

* Crash the kernel
* Access unauthorized memory
* Corrupt system data
* Interfere with other processes

The worst case is incorrect output, not system instability.

### Could an attacker use this to escalate privileges?

eBPF requires root/CAP\_BPF privileges to load programs. If an attacker already has root access, eBPF doesn't give them additional capabilities they don't already have. The verifier also prevents eBPF programs from being used to modify kernel behavior or escalate privileges further.

### Will this degrade performance or stability?

Qtap operates out-of-band, observing traffic without being in the critical path:

* **No added latency**: Traffic flows normally; Qtap observes copies
* **Minimal CPU overhead**: eBPF is highly optimized, running in kernel space without context switches
* **No stability risk**: Cannot crash or hang applications

### Will Qtap conflict with other eBPF tools?

No. The Linux kernel is designed to support multiple eBPF programs simultaneously. Qtap can run alongside other eBPF-based tools for networking, security, and observability without conflicts.

## Summary

Qtap uses eBPF to give you pre-encryption visibility without compromising safety. Our code is verified by the Linux kernel before it runs, sandboxed so it cannot crash your systems, and trusted by industry leaders who have already vetted this technology. Your data never leaves your environment.

## Learn More

* [eBPF Concepts](https://docs.qpoint.io/readme/ebpf-concepts) - Technical deep dive into how eBPF works
* [Security & Compliance](https://docs.qpoint.io/security-and-compliance) - Data handling and compliance frameworks
* [How It Works](https://docs.qpoint.io/readme/how-it-works) - Qtap technical architecture