Kops: Safely Extending the eBPF Compilation Pipeline with Native Operations

Computer Science > Operating Systems [Submitted on 23 Jun 2026] Kops: Safely Extending the eBPF Compilation Pipeline with Native Operations Yusheng Zheng, Zhengjie Ji, Weichen Tao, Hao Sun, Wei Zhang, Dan Williams, Andi Quinn eBPF safely extends OS kernels in domains such as networking, observability, and security. The safety comes from an in-kernel compilation pipeline where a verifier checks every program, and a kernel just-in-time compiler (JIT) translates the verified bytecode to native code. The kernel keeps the JIT simple to stay trustworthy, translating one bytecode instruction at a time in a single pass. This single-pass design misses optimization opportunities, so eBPF runs up to twice as slow as natively compiled code in our characterization. Adding optimizations to the kernel JIT directly requires upstream acceptance and a long release cycle, enlarges the trusted computing base (TCB), and grows the per-architecture kernel code. To address this, we present Kops, an extension interface that lets userspace compilers and kernel modules introduce new operations without modifying the kernel core, while keeping a minimal trusted computing base (TCB). Each operation has two forms, a proof sequence of vanilla eBPF instructions that the existing verifier checks and a native emit of machine instructions that the JIT compiles. Because the verifier checks the proof sequence, the native emit is the only per-operation addition to the TCB. Hardware idioms are the lowest-hanging fruit for this interface. With Kops, we build EInsn, seven operations such as rotate and conditional select that CPUs execute as single instructions. Lean 4 proofs show that each native emit computes the same result as its proof sequence. On x86-64 and ARM64, EInsn speeds up eBPF microbenchmarks by up to 24% and production applications by up to 12%. The same interface also supports whole-program native replacement, reaching 2.358x at the cost of a larger TCB. Comments: Yusheng Zheng and Zhengjie Ji contributed equally to this work Subjects: Operating Systems (cs.OS); Cryptography and Security (cs.CR) Cite as: arXiv:2606.24213 [cs.OS]   (or arXiv:2606.24213v1 [cs.OS] for this version)   https://doi.org/10.48550/arXiv.2606.24213 Focus to learn more Submission history From: Yusheng Zheng [view email] [v1] Tue, 23 Jun 2026 06:55:36 UTC (637 KB) Access Paper: HTML (experimental) view license Current browse context: cs.OS < prev   |   next > new | recent | 2026-06 Change to browse by: cs cs.CR References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)