Skip to content

Papers and Research

Full-text research library (PDF + plain text per paper) from the eunomia-bpf community across eBPF, userspace runtimes, GPU systems, and AI agent infrastructure.

This page is the canonical library of research produced by or directly connected to the eunomia-bpf community. Each paper carries a link to its published or arXiv version, a local PDF copy, a plain-text extraction readable by both people and LLM tools, the public artifact, and the developer-oriented blog explanation when one exists. Only published papers or public arXiv versions enter this library; work under review never appears here. Metadata and pinned arXiv versions live in registry.yaml in this directory.

The research arc

The papers below form one continuous line of work, told in four threads that build on each other.

Making eBPF usable (2022 to 2024)

The eunomia-bpf toolchain and the bpf-developer-tutorial together established an educational base for eBPF programming, but distribution and authoring remained hard problems. Wasm-bpf (arXiv 2408.04856) tackled distribution by packaging eBPF programs inside WebAssembly modules so they could be shipped and instantiated like ordinary cloud workloads. KEN (arXiv 2312.05531, eBPF@SIGCOMM 2024) tackled authoring by generating verified kernel extensions from natural-language intent, the first demonstration that an LLM could produce programs the kernel verifier would accept. Code-Survey (arXiv 2410.01837) then turned the LLM lens inward, providing an automated methodology to analyze the kernel's own eBPF subsystem history at scale.

These three papers lowered the barrier from complementary sides: packaging and portability, generation and verification, and large-scale codebase understanding.

Taking the extension runtime beyond the kernel

Kernel eBPF is powerful but constrained to the kernel boundary. bpftime began as an arXiv preprint (2311.07923) describing a userspace uprobe and syscall extension runtime fully compatible with kernel eBPF toolchains, and matured into the OSDI 2025 paper "Extending Applications Safely and Efficiently," which demonstrates that the same extension model works outside the kernel with competitive performance. MVVM (arXiv 2410.15894) complements this story with Wasm checkpoint-restore and live migration, enabling agent deployment across heterogeneous nodes.

Robustness of the extension pipeline itself became its own concern. Kops (arXiv 2606.24213) introduces native operations into the eBPF compilation pipeline without breaking safety guarantees. bpfix (arXiv 2607.02748) characterizes the diagnostic gap when the verifier rejects a program, the first systematic study of why developers struggle to interpret rejection messages and how tooling can bridge that gap.

CET-disassembly (arXiv 2506.09426) sits at a different layer: sound and precise static binary disassembly using control-flow enforcement metadata. It provides the binary-level foundation for instrumenting closed-source software where source-level eBPF attachment is unavailable.

Into GPUs and the I/O path

Once the extension philosophy proved viable in userspace, the natural question was whether it could reach hardware domains the CPU and syscall view cannot see. gpu_ext (arXiv 2512.12615) answers for GPUs: it attaches eBPF-style extensible OS policies to GPU scheduling and memory management. NCCLbpf (arXiv 2603.11438) pushes further into GPU collective communication, composing verified policies over NCCL operations. ChainIO (DOI 10.1145/3748355.3748371, eBPF@SIGCOMM 2025) applies the same principle to bridging the disk and network I/O domains.

Together these papers demonstrate that the extension model generalizes beyond CPU-bound system calls into the hardware paths where modern infrastructure spends most of its time.

Observing and governing AI agents

The current center of gravity connects back to the runtime and tooling groundwork of the earlier threads: kernel-level infrastructure is what makes deep agent observability and enforcement possible without modifying agent code.

SchedCP (arXiv 2509.01245, MLforSystem 2025) showed that LLM agents can safely drive Linux schedulers, casting the agent as an autonomous operator rather than a passive tool. AgentSight (arXiv 2508.02736, PACMI 2025) provides system-level observability for AI agents using eBPF, capturing behavior below the SDK and below HTTP. AgentCgroup (arXiv 2602.09345) characterizes and controls the OS resources agents consume, exposing how agent workloads differ from traditional server processes.

ACRFence (arXiv 2603.20625) identifies a new attack surface: semantic rollback attacks in agent checkpoint-restore, where restoring a prior state can silently undo safety-critical decisions. The paper proposes prevention mechanisms that preserve checkpoint-restore utility while blocking rollback exploitation.

ActPlane (arXiv 2606.25189) synthesizes these threads into OS-level enforcement of the policies developers already write. An empirical study of 84 CLAUDE.md/AGENTS.md files from 64 repositories found 2,116 policy-relevant statements; 64% of those statements are policies (the remainder are descriptions), and 83% of the policies are system-observable. ActPlane enforces these policies at runtime, achieving 75.8% dangerous-command refusal compared to 53.7% for the best prior baseline (measured over 190 traces and 38 rules), at 1.9% end-to-end overhead.

Full index

2026

PaperPDF / TextArtifactTechnical blogStatus
Characterizing and Bridging the Diagnostic Gap in eBPF Verifier RejectionsPDF · txtbpfixBlog pendingarXiv preprint
ActPlane: Programmable OS-Level Policy Enforcement for Agent HarnessesPDF · txtActPlaneRead the blogarXiv preprint, v2
Kops: Safely Extending the eBPF Compilation Pipeline with Native OperationsPDF · txtKops artifactBlog pendingarXiv preprint
ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-RestorePDF · txtPaper artifact described in the paperRead the blogarXiv preprint
NCCLbpf: Verified, Composable Policy Execution for GPU Collective CommunicationPDF · txtnccl-eBPFBlog pendingarXiv preprint
AgentCgroup: Understanding and Controlling OS Resources of AI AgentsPDF · txtAgentCgroupRead the blogarXiv preprint, v2

2025

PaperPDF / TextArtifactTechnical blogStatus
gpu_ext: Extensible OS Policies for GPUs via eBPFPDF · txtgpu_extGPU verification background, paper explainer pendingarXiv preprint, v2
Towards Agentic OS: An LLM Agent Framework for Linux SchedulersPDF · txtSchedCPRead the blogMLforSystem 2025
AgentSight: System-Level Observability for AI Agents Using eBPFPDF · txtAgentSightRead the blogPACMI 2025
ChainIO: Bridging Disk and Network Domains with eBPFACM DLChainIOBlog pendingeBPF@SIGCOMM 2025
Extending Applications Safely and EfficientlyPDF · txtbpftimebpftime background, OSDI paper explainer pendingOSDI 2025
Exploiting Control-flow Enforcement Technology for Sound and Precise Static Binary DisassemblyPDF · txtNoneBlog pendingarXiv preprint

Earlier work

PaperPDF / TextArtifactTechnical blogStatus
MVVM: Deploy Your AI Agents Securely, Efficiently, EverywherePDF · txtMVVMBlog pendingarXiv preprint
Code-Survey: An LLM-Driven Methodology for Analyzing Large-Scale CodebasesPDF · txtcode-surveyRead the blogarXiv preprint
Wasm-bpf: Streamlining eBPF Deployment in Cloud Environments with WebAssemblyPDF · txtwasm-bpfRead the blogarXiv preprint
KEN: Kernel Extensions using Natural LanguagePDF · txtKENRead the blogeBPF@SIGCOMM 2024
bpftime: userspace eBPF Runtime for Uprobe, Syscall and Kernel-User InteractionsPDF · txtbpftimebpftime backgroundarXiv preprint; superseded by the OSDI 2025 paper

Reading notes

  • osdi20-brunella.md: bilingual reading note and full text of hXDP (OSDI 2020), an external paper on efficient software packet processing on FPGA NICs.
  • uXDP camera-ready text: reference material kept alongside the library.

Keeping this library current

A weekly audit compares this index and registry.yaml against arXiv, checking for new versions, new papers, and link rot. When it finds drift, it opens a GitHub issue. When a paper receives a new arXiv version, refresh the local PDF and plain-text pair, update the version pin in registry.yaml, and re-verify every number cited across the site. New papers follow the checklist in .github/PAPER_PUBLICATION_CHECKLIST.md.