In-kernel Virtual Machine

In computer science, an in-kernel virtual machine is a specialized virtualization technology that operates within an operating system kernel. Unlike traditional virtual machines, which emulate an entire computer system, in-kernel virtual machines provide a controlled environment for executing code inside kernel space, typically for performance, security, or extensibility purposes. They allow user-supplied programs to run in the highly privileged kernel context, but only after the kernel has checked them, and only within the restricted instruction set and memory model that the virtual machine exposes.


Overview

In-kernel virtual machines create an abstraction layer that isolates user-provided code from direct kernel operations while still allowing that code to interact efficiently with kernel resources. They implement a restricted instruction set and expose kernel data only through well-defined accessors, so the kernel can be extended with user-supplied logic at far lower risk than loading a kernel module, which runs unchecked with full privileges. Programs are validated when they are loaded and are then executed either by bytecode interpretation or, after just-in-time (JIT) compilation, as native code. The primary advantages of in-kernel virtual machines are:

* Safety and security: bytecode validation and memory access restrictions prevent malicious or buggy code from corrupting kernel memory or hanging the system. The guarantee is only as strong as the verifier and JIT themselves, which is why those components are the focus of intensive review and of formal-verification research.
* Performance: executing within the kernel avoids copying data to userspace and the kernel/userspace transitions that would otherwise be needed for each event.
* Extensibility: kernel behaviour can be changed at run time without compiling or loading a kernel module.
* Portability: programs target the virtual machine's instruction set rather than a particular kernel build, so the same bytecode can run across kernel versions and hardware architectures.


History and development

The concept of in-kernel virtual machines grew out of packet-filtering mechanisms in networking stacks. The original Berkeley Packet Filter (BPF), developed in 1992 by Steven McCanne and Van Jacobson at Lawrence Berkeley Laboratory, introduced a simple register-based virtual machine so that a filter expression compiled in userspace could be checked and then run inside the BSD Unix kernel, copying only matching packets to userspace. The approach gained broader attention in 2004, when DTrace was introduced for the Solaris operating system, providing a comprehensive dynamic-tracing framework built on a safe in-kernel virtual machine. The modern evolution is the extended Berkeley Packet Filter (eBPF), merged into the Linux kernel in 2014 (version 3.18), which expanded the capabilities well beyond the original networking focus to general-purpose programmability across multiple kernel subsystems.


Technical characteristics

In-kernel virtual machines typically share several characteristics:

* Restricted instruction set: limited to operations whose effects can be checked statically; there is no way to call arbitrary kernel functions, only a fixed set of helpers.
* Memory safety guarantees: every load and store is bounds-checked, either statically by the verifier or at run time against the size of the packet or context being processed.
* No arbitrary loops: classic BPF permits only forward jumps, so termination is guaranteed by construction; eBPF rejected backward jumps outright until Linux 5.3 and since then accepts only loops its verifier can prove bounded.
* Verification mechanisms: static analysis of the whole program at load time, before it is ever executed.
* Just-in-time compilation: translation of the verified bytecode into native instructions, so the checked program runs at near-native speed.
* Limited state retention: state that survives between invocations lives in kernel-managed structures with fixed, declared sizes (for example eBPF maps) rather than in arbitrary allocations.
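The two sections above describe the mechanism abstractly. The following is an added example, not code from the page or from any kernel: a miniature classic-BPF-style virtual machine in C with the two halves every in-kernel VM has, a static verifier that runs once at load time and an interpreter that runs per packet. The instruction set (OP_LDB, OP_LDH, OP_AND, OP_JEQ, OP_RET), the 64-instruction limit and the sample filter program are hypothetical simplifications of classic BPF; the Ethernet/IPv4/TCP frame is constructed inline so the block runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as classic BPF's struct sock_filter: opcode, true/false jump offsets, immediate. */
struct insn { uint8_t op; uint8_t jt; uint8_t jf; uint32_t k; };

enum {
    OP_LDB = 1, /* A = pkt[k]        8-bit load, bounds-checked at run time      */
    OP_LDH,     /* A = pkt[k..k+1]   16-bit big-endian load, bounds-checked      */
    OP_AND,     /* A &= k                                                         */
    OP_JEQ,     /* pc += 1 + (A == k ? jt : jf)   offsets are unsigned: forward only */
    OP_RET      /* return k          0 = drop, non-zero = accept                 */
};

#define MAX_INSNS 64   /* hypothetical size limit, analogous to BPF_MAXINSNS */

/* Static verifier, run once at load time before any packet is seen.
 * Returns 0 if the program is safe to run, a negative code otherwise. */
int verify(const struct insn *p, size_t n)
{
    if (n == 0 || n > MAX_INSNS)
        return -1;                          /* empty or over the size limit */
    for (size_t i = 0; i < n; i++) {
        switch (p[i].op) {
        case OP_LDB: case OP_LDH: case OP_AND: case OP_RET:
            break;
        case OP_JEQ:
            /* Jumps only go forward, so the program is a DAG and every path
             * ends within n steps; just keep both targets inside the program. */
            if (i + 1 + p[i].jt >= n || i + 1 + p[i].jf >= n)
                return -2;
            break;
        default:
            return -3;                      /* unknown opcode */
        }
    }
    if (p[n - 1].op != OP_RET)
        return -4;                          /* execution could fall off the end */
    return 0;
}

/* Interpreter. Only ever called on a program that passed verify(). */
uint32_t run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;
    size_t pc = 0;
    while (pc < n) {                        /* pc strictly increases, so this terminates */
        const struct insn *in = &p[pc];
        switch (in->op) {
        case OP_LDB:
            if (in->k >= len) return 0;     /* out-of-bounds: drop, never read */
            A = pkt[in->k];
            break;
        case OP_LDH:
            if (in->k >= len || len - in->k < 2) return 0;
            A = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            break;
        case OP_AND: A &= in->k; break;
        case OP_JEQ: pc += (A == in->k) ? in->jt : in->jf; break;
        case OP_RET: return in->k;
        }
        pc++;
    }
    return 0;                               /* unreachable for verified programs */
}

/* Filter "IPv4 without options, TCP, destination port 80" over an Ethernet frame. */
const struct insn http_filter[] = {
    { OP_LDH, 0, 0, 12     },   /* 0: ethertype                       */
    { OP_JEQ, 0, 7, 0x0800 },   /* 1: not IPv4 -> 9                   */
    { OP_LDB, 0, 0, 23     },   /* 2: IP protocol                     */
    { OP_JEQ, 0, 5, 6      },   /* 3: not TCP -> 9                    */
    { OP_LDB, 0, 0, 14     },   /* 4: IP version/IHL byte             */
    { OP_JEQ, 0, 3, 0x45   },   /* 5: options present -> 9            */
    { OP_LDH, 0, 0, 36     },   /* 6: TCP destination port            */
    { OP_JEQ, 0, 1, 80     },   /* 7: port 80 -> 8, otherwise -> 9    */
    { OP_RET, 0, 0, 0xFFFF },   /* 8: accept                          */
    { OP_RET, 0, 0, 0      },   /* 9: drop                            */
};
#define HTTP_FILTER_LEN (sizeof http_filter / sizeof http_filter[0])

/* Programs the verifier must refuse to load. */
const struct insn bad_jump[] = { { OP_JEQ, 9, 9, 0 }, { OP_RET, 0, 0, 0 } };
const struct insn no_ret[]   = { { OP_LDH, 0, 0, 12 } };

/* Constructed sample input: a 54-byte Ethernet/IPv4/TCP frame to the given port. */
size_t build_tcp_frame(uint8_t *buf, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;         /* ethertype IPv4        */
    buf[14] = 0x45;                         /* IPv4, IHL = 5         */
    buf[17] = 40;                           /* total length          */
    buf[22] = 64;                           /* TTL                   */
    buf[23] = 6;                            /* protocol TCP          */
    buf[34] = 0xC0; buf[35] = 0x00;         /* source port 49152     */
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)(dport & 0xFF);
    return 54;
}

int main(void)
{
    uint8_t f[64];
    size_t n = build_tcp_frame(f, 80);
    printf("verify=%d verdict=%u\n", verify(http_filter, HTTP_FILTER_LEN),
           run(http_filter, HTTP_FILTER_LEN, f, n));
    return 0;
}
```

The point to notice is the division of labour: verify() proves termination and control-flow integrity once, at load time, while the only checks left for the per-packet path are the data-dependent bounds checks on packet loads. A truncated frame makes the filter return 0 rather than read past the buffer, and a program with an out-of-range jump or no terminal RET is never executed at all.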


Implementation examples


eBPF (Extended Berkeley Packet Filter)

eBPF is the most prominent modern implementation of an in-kernel virtual machine, integrated into the Linux kernel. It evolved from classic BPF into a 64-bit register machine (ten general-purpose registers, a read-only frame pointer and a 512-byte stack) that lets users load custom programs into the kernel and attach them to hooks such as tracepoints, kprobes, socket filters, traffic control and XDP. Before a program runs, the in-kernel verifier walks every execution path, tracking the type and value range of each register, and rejects any program that could read or write memory outside what its context permits, call a helper with arguments of the wrong type, or fail to terminate; backward jumps were rejected outright until Linux 5.3, which added support for loops the verifier can prove bounded. Accepted programs are handed to a just-in-time compiler on most architectures.

A practitioner should keep in mind that the verifier is the security boundary: a bug in the verifier or the JIT is a kernel privilege-escalation bug, and several have been found and fixed over the years. For this reason loading programs requires CAP_BPF (or CAP_SYS_ADMIN) on kernels since 5.8, and the kernel.unprivileged_bpf_disabled sysctl, which most distributions now set by default, turns off the remaining unprivileged uses. Loaded programs and maps can be listed and dumped with bpftool, which is the first place to look when auditing what is running inside the kernel.


DTrace

DTrace, originally developed by Sun Microsystems for Solaris, implements an in-kernel virtual machine that interprets bytecode generated by the compiler for its "D" language. D programs are compiled in userspace to DIF (D Intermediate Format); the kernel's DTrace module validates each DIF object before accepting it, rejecting backward branches and unsafe operations, and then emulates it whenever the probe it is attached to fires. This is what allows DTrace to be used on production systems: a faulty script can at worst produce wrong numbers, not a crashed kernel.


nftables

nftables is a packet filtering framework within the Linux kernel, available since Linux 3.13 (January 2014), that replaced the earlier iptables system. Rules written in the nft userspace tool are compiled into sequences of generic expressions (payload loads, comparisons, set lookups, counters, verdicts) that a small interpreter in the kernel's nf_tables subsystem evaluates for each packet, instead of the per-protocol match and target modules that iptables needed. The kernel-side evaluator is deliberately simple, which keeps the attack surface reachable from rule configuration small.


Applications


Network filtering and monitoring

In-kernel virtual machines were first applied to network packet filtering, where making the filtering decision inside the kernel avoids copying every packet to userspace: tcpdump and libpcap compile a filter expression into BPF instructions that the kernel runs on each captured packet, so only matching packets cross the boundary. On Linux, eBPF programs attached via XDP run in the network driver before the kernel allocates a socket buffer, which is used for DDoS mitigation and load balancing at line rate, and programs on the traffic-control (tc) hooks can rewrite, redirect or drop packets inside the normal stack.


Security enforcement

Security policy is a natural fit for an in-kernel VM because the policy must be evaluated on a hot path and must not be bypassable from userspace. seccomp-BPF, added in Linux 3.5, lets a process install a classic BPF program that the kernel runs on every system call the process makes from then on; the program sees the syscall number, architecture and arguments and returns a verdict (allow, fail with an errno, log, notify a supervisor, or kill the process). Container runtimes and browser sandboxes rely on it. eBPF extends the idea: programs can be attached to LSM hooks (since Linux 5.7), to cgroup socket hooks to enforce network policy per container, and to tracepoints to build detection and response tooling.
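As an added example (Linux-only; not code from the page or from any project), here is the seccomp-BPF mechanism described above used directly: a classic BPF program, written with the BPF_STMT/BPF_JUMP macros from linux/filter.h, that refuses to run on an unexpected architecture and makes getpgid(2) fail with ENOTSUP while allowing every other system call. The choice of getpgid and ENOTSUP is arbitrary, picked so the effect can be observed without harming the process; a real policy would be an allow-list generated with a tool such as libseccomp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hypothetical policy: deny getpgid(2) with ENOTSUP, allow everything else. */
#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS            /* pre-4.14 headers */
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Offsets of the fields of struct seccomp_data the filter reads. */
#define SD_ARCH offsetof(struct seccomp_data, arch)
#define SD_NR   offsetof(struct seccomp_data, nr)

static struct sock_filter policy[] = {
    /* Check the ABI first: a filter keyed on syscall numbers alone can be
     * bypassed via the 32-bit compat table, whose numbers differ. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARCH),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* Then dispatch on the syscall number. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpgid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOTSUP & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Installs the policy for the calling thread. Returns 0 on success,
 * -1 if no_new_privs could not be set, -2 if the filter was rejected. */
int install_policy(void)
{
    struct sock_fprog prog = {
        .len = sizeof policy / sizeof policy[0],
        .filter = policy,
    };
    /* Required for unprivileged callers: guarantees the filter cannot be
     * used to confuse a later setuid execve(). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    /* The kernel runs its classic-BPF verifier on the program here and
     * refuses to install it if, for example, a jump leaves the program. */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -2;
    return 0;
}

/* Probe: returns the errno getpgid(0) failed with, or 0 if it succeeded. */
int probe_getpgid(void)
{
    errno = 0;
    if (getpgid(0) == (pid_t)-1)
        return errno;
    return 0;
}

int main(void)
{
    printf("before: errno=%d\n", probe_getpgid());
    if (install_policy() != 0) {
        perror("install_policy");
        return 1;
    }
    printf("after:  errno=%d (ENOTSUP=%d)\n", probe_getpgid(), ENOTSUP);
    return 0;
}
```

Once installed, the filter cannot be removed by the process, only tightened by installing further filters, and it is inherited across fork() and execve(); that irreversibility is the property a sandbox wants. The architecture check at the top is the step most often forgotten in hand-written filters.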


Performance analysis

Performance analysis is where in-kernel virtual machines have had their most visible impact. DTrace, and on Linux the tools built on eBPF such as bpftrace and the BCC collection, attach small programs to kernel and user-space probes and aggregate measurements (counts, latency histograms, stack traces) in in-kernel maps, so that only summaries cross to userspace and production systems can be instrumented with low overhead. Instrumentation is enabled and removed at run time, without rebooting or restarting the workload.


Future directions

In-kernel virtual machine technology continues to evolve, with research focusing on:

* Enhanced safety mechanisms, including formally verified verifiers and JIT compilers
* Hardware acceleration, such as offloading programs to programmable network interface cards
* Cross-platform standardization of the instruction set so that programs run on more than one kernel


See also

* Virtual machine
* Berkeley Packet Filter
* Operating system kernel



