In-Kernel Virtual Machine

In-Kernel Virtual Machine, in computer science, a Virtual machine is the virtualization or emulation of a computer system. Virtual machine applications may contain specialized hardware, software, or a combination of these. It is possible to come across virtual machines in structures called kernels.

Examples

eBPF

eBPF is an "in-kernel virtual machine" that allows users to load and run custom programs within the kernel of the operating system.^[1]^[2] That means it can extend or even modify the way the kernel behaves.^[3]^[4]^[5]

It is used as a backend for the libpcap library and performs packet filtering for tools like tcpdump. When tcpdump is executed with some filtering rules, it generates the eBPF bytecode for that rule and sends it to the kernel for inclusion in the early stages of network stack processing. This bytecode is then interpreted in the virtual machine and decides which packet will appear in the tcpdump output. This filtering mechanism is performant and safe by design. eBPF programs are executed in isolation in the "in-kernel virtual machine". ^[6] They are limited to 4096 commands, they cannot have cycles, and all memory accesses are checked for a valid range. Therefore, it is guaranteed that the execution of the BPF bytecode will be terminated. It cannot cause kernel error, denial of service, or memory damage.(Kovalev 2020).

nftables

nftables is an in-kernel packet classification framework built on a network-specific Virtual Machine (VM) and the nft userspace command line tool.^[7]

It was introduced in the Linux kernel v3.13, and it improves the kernel's network stack with new bytecode filtering capabilities, where the filters are not statically coded into kernel modules. However, the rules are compiled and optimized in user space for small bytecode programs. Those small programs are then executed in an "in-kernel virtual machine" at runtime.(Märdian).

DTrace

DTrace is a performance analysis and troubleshooting tool developed by Sun Microsystems. It has Dynamic Tracing that patches live running instructions with instrumentation code, including Solaris, Mac OS X, and FreeBSD.^[8] As distinct from other solutions for dynamic instrumentation that execute native instrumentation code, it implements a simple "in-kernel virtual machine"^[9] that interprets byte code generated by a compiler for the "D" language.(Engel & Freisleben 2005).

References

Engel, Michael; Freisleben, Bernd (2005), Using a Low-Level Virtual Machine to Improve Dynamic Aspect Support in Operating System Kernels (PDF), University of Marburg
Kovalev, M.G (2020), Tracing Network Packets in the Linux Kernel using eBPF (PDF), St Petersburg State University
Xu, Qiongwen; Wong, Michael D.; Narayana, Srinivas; Sivaraman, Anirudh (2021), Synthesizing Safe and Efficient Kernel Extensions for Packet Processing (PDF), Rutgers University
Märdian, Lukas M. (2021), What's New in the Linux Network Stack? (PDF), Department for Computer Science, Technische Universität München

Notes

↑ "Extending the Kernel with eBPF". Retrieved 2022-08-12.
↑ Matt Fleming (December 2, 2017). "A thorough introduction to eBPF". Retrieved 2022-09-02.
↑ Rice, Liz (2022). What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools (PDF) (First ed.). California: O'Reilly Media. ISBN 978-1-492-09723-5. Search this book on
↑ Stanislav Kozina. "Introduction to eBPF in Red Hat Enterprise Linux 7" (PDF). Retrieved 2022-08-12.
↑ Si Chen, Liu Cui. "EXTENDED BERKELEY PACKET FILTER (EBPF) – THE NEW SWISS KNIFE FOR CYBERSECURITY EDUCATION". Retrieved 2022-08-12.
↑ Jonathan Corbet. "BPF: the universal in-kernel virtual machine". Retrieved 2022-08-12.
↑ "netfilter/iptables project homepage". Retrieved 2022-11-17.
↑ "About DTrace". Retrieved 2022-07-30.
↑ Nelson, Luke; Geffen, Jacob Van; Torlak, Emina; Wang, Xi. "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel" (PDF). University of Washington.

External links

This article "In-Kernel Virtual Machine" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:In-Kernel Virtual Machine. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.

[1] "Extending the Kernel with eBPF". Retrieved 2022-08-12.

[2] Matt Fleming (December 2, 2017). "A thorough introduction to eBPF". Retrieved 2022-09-02.

[3] Rice, Liz (2022). What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools (PDF) (First ed.). California: O'Reilly Media. ISBN 978-1-492-09723-5. Search this book on

[4] Stanislav Kozina. "Introduction to eBPF in Red Hat Enterprise Linux 7" (PDF). Retrieved 2022-08-12.

[5] Si Chen, Liu Cui. "EXTENDED BERKELEY PACKET FILTER (EBPF) – THE NEW SWISS KNIFE FOR CYBERSECURITY EDUCATION". Retrieved 2022-08-12.

[6] Jonathan Corbet. "BPF: the universal in-kernel virtual machine". Retrieved 2022-08-12.

[7] "netfilter/iptables project homepage". Retrieved 2022-11-17.

[8] "About DTrace". Retrieved 2022-07-30.

[9] Nelson, Luke; Geffen, Jacob Van; Torlak, Emina; Wang, Xi. "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel" (PDF). University of Washington.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]