In-kernel virtual machine
In computer science, an in-kernel virtual machine is a specialized virtualization technology that operates within an operating system kernel. Unlike traditional virtual machines that emulate entire computer systems, in-kernel virtual machines provide a controlled environment for executing code within the kernel space, typically for performance, security, or extensibility purposes. These virtual machines allow for safe execution of user-defined programs within the highly privileged kernel context.
Overview
In-kernel virtual machines create an abstraction layer that isolates user-provided code from direct kernel operations while still allowing this code to efficiently interact with kernel resources. They typically implement a restricted instruction set and provide controlled access to kernel data structures, allowing for kernel extension without risking system stability or security.[1] This architecture enables developers to extend kernel functionality safely through just-in-time (JIT) compilation or bytecode interpretation.
The primary advantages of in-kernel virtual machines include:
- Safety and security: Bytecode validation and memory access restrictions prevent malicious or buggy code from harming the system.[2]
- Performance optimization: Executing within the kernel eliminates userspace-to-kernel transition overhead.[3]
- Extensibility: Allows dynamic extension of kernel features without requiring kernel module compilation.[4]
- Portability: Programs written for these virtual machines often work across different kernel versions and architectures.[5]
History and development
The concept of in-kernel virtual machines evolved from earlier work on packet filtering mechanisms in networking stacks. The original Berkeley Packet Filter (BPF), developed in 1992 by Steven McCanne and Van Jacobson at Lawrence Berkeley Laboratory, introduced a simple virtual machine for efficient packet filtering in the Unix kernel.[6]
The approach gained significant attention in the early 2000s when DTrace was introduced in the Solaris operating system, providing a comprehensive framework for dynamic tracing using a safe in-kernel VM.[7]
The modern evolution came with extended Berkeley Packet Filter (eBPF) in the Linux kernel, which substantially expanded the capabilities beyond the original networking focus to general-purpose programmability across multiple subsystems.[8]
Technical characteristics
In-kernel virtual machines typically share several common characteristics:
- Restricted instruction set: Limited to operations that can be safely verified.[1]
- Memory safety guarantees: Strict controls on memory access to prevent corruption.[2]
- No arbitrary loops: Many implementations restrict or verify loops to ensure termination.[9]
- Verification mechanisms: Static analysis of programs before execution.[10]
- Just-in-time compilation: Conversion of bytecode to native instructions for performance.[11]
- Limited state retention: Controls for how much state can be maintained between invocations.[12]
Implementation examples
eBPF (Extended Berkeley Packet Filter)
eBPF is the most prominent modern implementation of an in-kernel virtual machine, integrated into the Linux kernel. It evolved from the classic BPF into a sophisticated virtual machine that allows users to load and run custom programs within the kernel.[8]
eBPF programs undergo rigorous verification before execution to ensure they cannot crash the kernel, get stuck in infinite loops, or access unauthorized memory.[10]
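As an added example (not code from this article, nor from the Linux kernel's own verifier), a toy Python verifier that implements the checks listed under Technical characteristics and described for eBPF above: a restricted opcode set, forward-only jumps so every path terminates, packet loads proven in bounds, and a return on every path. The opcode names, the four-register file and the 64-byte packet context are assumptions; the real eBPF verifier tracks far more state.

```python
"""Toy static verifier for a small eBPF-style bytecode (constructed example, not kernel code)."""
from collections import namedtuple

# op, destination reg, source reg, immediate, relative jump offset (from the next insn)
Insn = namedtuple("Insn", "op dst src imm off", defaults=(0, 0, 0, 0))
NREGS, PKT_LEN = 4, 64   # assumed: 4 registers, a 64-byte packet context buffer

def verify(prog):
    """Return None if accepted, else a string saying why the program is rejected.

    Enforces a restricted opcode set, forward-only jumps (so every path terminates),
    packet loads provably inside the buffer, and RET on every path. Registers carry
    a (lo, hi) value interval that a conditional jump narrows on each branch.
    """
    def walk(pc, regs):
        if pc >= len(prog):
            return f"insn {pc}: fell off the end of the program"
        i = prog[pc]
        if i.op == "RET":
            return None
        if i.op == "ADD":                       # dst += imm
            lo, hi = regs[i.dst]
            regs = {**regs, i.dst: (lo + i.imm, hi + i.imm)}
        elif i.op == "LDB":                     # dst = pkt[src + imm], one byte
            lo, hi = regs[i.src]
            if lo + i.imm < 0 or hi + i.imm >= PKT_LEN:
                return f"insn {pc}: packet index [{lo + i.imm}, {hi + i.imm}] out of bounds"
            regs = {**regs, i.dst: (0, 255)}
        elif i.op == "JGT":                     # if dst > imm: pc += off
            if i.off <= 0:
                return f"insn {pc}: backward jump rejected (possible unbounded loop)"
            lo, hi = regs[i.dst]
            if max(lo, i.imm + 1) <= hi:        # taken branch reachable: dst > imm
                err = walk(pc + 1 + i.off, {**regs, i.dst: (max(lo, i.imm + 1), hi)})
                if err:
                    return err
            if lo <= min(hi, i.imm):            # fall-through reachable: dst <= imm
                return walk(pc + 1, {**regs, i.dst: (lo, min(hi, i.imm))})
            return None
        else:
            return f"insn {pc}: unknown opcode {i.op!r}"
        return walk(pc + 1, regs)
    return walk(0, {r: (0, 0) for r in range(NREGS)})

# Constructed programs: r0 = pkt[12]; if r0 > 47 skip the next insn; r2 = pkt[r0 + 16].
SAFE = [Insn("LDB", dst=0, src=1, imm=12), Insn("JGT", dst=0, imm=47, off=1),
        Insn("LDB", dst=2, src=0, imm=16), Insn("RET")]
UNSAFE = [SAFE[0], SAFE[1], Insn("LDB", dst=2, src=0, imm=17), SAFE[3]]  # index may reach 64
LOOP = [Insn("ADD", dst=0, imm=1), Insn("JGT", dst=0, imm=-1, off=-2)]   # jumps back to insn 0
```

The SAFE program is accepted only because the JGT narrows r0 to [0, 47] on the fall-through path, which is the same kind of branch-sensitive bounds refinement the kernel verifier relies on; UNSAFE differs by a single immediate and is rejected.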
DTrace
DTrace, originally developed by Sun Microsystems for Solaris, implements an in-kernel virtual machine that interprets bytecode generated by its "D" language compiler.[7]
nftables
nftables is a packet filtering framework within the Linux kernel that replaced the earlier iptables system.[13]
Applications
Network filtering and monitoring
In-kernel virtual machines were first applied to network packet filtering, where the ability to make rapid filtering decisions within the kernel significantly improved performance.[6]
Security enforcement
Security researchers have leveraged in-kernel VMs to implement advanced security policies.[2]
Performance analysis
Performance analysis tools have been revolutionized by in-kernel virtual machines.[14]
Future directions
In-kernel virtual machine technology continues to evolve, with research focusing on:
References
1. Corbet, Jonathan (2014-05-21). "BPF: the universal in-kernel virtual machine". Linux Weekly News. Retrieved 2022-08-12.
2. Wang, Xi; Lazar, David; Zeldovich, Nickolai; Chlipala, Adam; Tatlock, Zachary (2019). "Jitk: A Trustworthy In-Kernel Interpreter Infrastructure" (PDF). USENIX Security Symposium. USENIX Association.
3. Høiland-Jørgensen, Toke (2018). "The eXpress Data Path: Fast Programmable Packet Processing in the Operating System Kernel". Proceedings of the 14th International Conference on emerging Networking EXperiments and Technologies. ACM. doi:10.1145/3281411.3281443.
4. Rice, Liz (2022). What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools. O'Reilly Media. p. 24. ISBN 978-1-492-09723-5.
5. Gregg, Brendan (2019). BPF Performance Tools. Addison-Wesley Professional. p. 43. ISBN 978-0136554820.
6. McCanne, Steven; Jacobson, Van (1993). "The BSD Packet Filter: A New Architecture for User-level Packet Capture" (PDF). USENIX Winter Conference. USENIX Association.
7. Cantrill, Bryan; Shapiro, Michael W.; Leventhal, Adam H. (2004). "Dynamic Instrumentation of Production Systems" (PDF). USENIX Annual Technical Conference. USENIX Association.
8. Fleming, Matt (2017-12-02). "A thorough introduction to eBPF". Linux Weekly News. Retrieved 2022-09-02.
9. Nelson, Luke; Geffen, Jacob Van; Torlak, Emina; Wang, Xi (2020). "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel" (PDF). 14th USENIX Symposium on Operating Systems Design and Implementation. USENIX Association.
10. Starovoitov, Alexei; Shirokov, Andrii (2020). "A Thorough Introduction to eBPF". USENIX ;login. 45 (1).
11. Gregg, Brendan (2019). BPF Performance Tools. Addison-Wesley Professional. p. 58. ISBN 978-0136554820.
12. Rice, Liz (2022). What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools. O'Reilly Media. p. 97. ISBN 978-1-492-09723-5.
13. Ayuso, Pablo Neira (2013). "nftables: a new packet filtering engine" (PDF). Netfilter Workshop.
14. Gregg, Brendan (2019). BPF Performance Tools. Addison-Wesley Professional. p. 82. ISBN 978-0136554820.
15. Borkmann, Daniel; Starovoitov, Alexei (2020). "BPF and Networking". Proceedings of the Linux Plumbers Conference.