
In-kernel virtual machine: Difference between revisions

From EverybodyWiki Bios & Wiki
{{AfC submission|t||ts=20230301154231|u=Redoyk20|ns=118|demo=}}
{{Draft article|nomove=yes}}
{{Short description|In-Kernel Virtual Machine}}
An '''in-kernel virtual machine''' is, in computer science, a [[Virtual machine]] (the virtualization or emulation of a computer system) that runs inside an operating system [[Kernel (operating system)|kernel]]. Virtual machine implementations may rely on specialized hardware, on software, or on a combination of the two.

==Examples==

===eBPF===
[[eBPF]] is an "'''in-kernel virtual machine'''" that allows users to load and run custom programs within the kernel of the operating system.<ref>{{cite web|url=https://source.android.com/devices/architecture/kernel/bpf |title=Extending the Kernel with eBPF |date= |accessdate=2022-08-12}}</ref><ref>{{cite web|author=Matt Fleming |url=https://lwn.net/Articles/740157/ |title=A thorough introduction to eBPF |date=December 2, 2017 |accessdate=2022-09-02}}</ref> This means it can extend or even modify the way the kernel behaves.<ref>{{cite book |last=Rice |first=Liz |title=What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools |year=2022 |location=California |publisher=O’Reilly Media |edition=First |isbn=978-1-492-09723-5 |url=https://isovalent.com/data/liz-rice-what-is-ebpf.pdf}}</ref><ref>{{cite web|author=Stanislav Kozina |url=https://www.redhat.com/en/blog/introduction-ebpf-red-hat-enterprise-linux-7 | title=Introduction to eBPF in Red Hat Enterprise Linux 7 |accessdate=2022-08-12}}</ref><ref>{{cite web|author=Si Chen, Liu Cui |url=https://www.darlingtree.com/static/paper/pacise22.pdf |title=EXTENDED BERKELEY PACKET FILTER (EBPF) – THE NEW SWISS KNIFE FOR CYBERSECURITY EDUCATION |accessdate=2022-08-12}}</ref>

It is used as a backend for the libpcap library and performs packet filtering for tools such as [[tcpdump]]. When [[tcpdump]] is run with a filter expression, it compiles that expression into [[eBPF]] bytecode and sends it to the kernel, where it is attached to the early stages of network stack processing. The bytecode is then interpreted in the [[virtual machine]] and decides which packets appear in the [[tcpdump]] output. This filtering mechanism is performant and safe by design: [[eBPF]] programs are executed in isolation in the "'''in-kernel virtual machine'''".<ref>{{cite web|author=Jonathan Corbet |url=https://lwn.net/Articles/599755/ |title=BPF: the universal in-kernel virtual machine |date= |accessdate=2022-08-12}}</ref> They are limited to 4096 instructions, they cannot contain loops, and every memory access is checked against a valid range. Execution of the BPF bytecode is therefore guaranteed to terminate, and a program cannot cause a kernel error, a denial of service, or memory corruption.<ref>{{cite web
| last1=Kovalev | first1=M.G | author-link1=M.G. Kovalev
| title=Tracing Network Packets in the Linux Kernel using eBPF
| url=http://www.mathnet.ru/links/35d0cf7569624c0b246edfc28ea56bf0/tisp513.pdf
| accessdate=2023-02-01
}}</ref>

===nftables===
[[nftables]] is an in-kernel packet classification framework built on a network-specific virtual machine (VM) and the nft userspace command-line tool.<ref>{{cite web|author= |url=https://netfilter.org/projects/nftables/ |title=netfilter/iptables project homepage |accessdate=2022-11-17}}</ref>

It was introduced in [[Linux kernel]] v3.13 and extends the kernel's [[network stack]] with new [[bytecode]] filtering capabilities in which the filters are no longer statically coded into kernel modules. Instead, the rules are compiled and optimized in user space into small bytecode programs, which are then executed in an "'''in-kernel virtual machine'''" at runtime.<ref>{{cite web
| last1=Lukas M. | first1=Märdian | author-link1=Märdian Lukas M.
| title=What’s New in the Linux Network Stack?
| url=https://blog.slyon.de/uploads/Maerdian-Linux_Network_Stack.pdf
| accessdate=2023-02-01
}}</ref>

===DTrace===
[[DTrace]] is a performance analysis and troubleshooting tool developed by [[Sun Microsystems]]. It provides dynamic tracing, patching live running instructions with instrumentation code, and is available on [[Solaris]], [[Mac OS X]], and [[FreeBSD]].<ref>{{cite web|author= |url=http://dtrace.org/blogs/about/ |title=About DTrace |date= |accessdate=2022-07-30}}</ref> Unlike other dynamic instrumentation solutions, which execute native instrumentation code, it implements a simple "'''in-kernel virtual machine'''"<ref>{{cite web
| last1=Nelson | first1=Luke | author-link1=Luke Nelson
| last2=Geffen | first2=Jacob Van | author-link2=Jacob Van Geffen
| last3=Torlak| first3=Emina| author-link3=Emina Torlak
| last4=Wang | first4=Xi| author-link4=Xi Wang
| title=Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel
| url=https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf
| accessdate=2023-02-01
}}</ref> that interprets bytecode generated by a compiler for the "D" language.<ref>{{cite web
| last1=Engel
| first1=Michael
| author-link1=Engel Michael
| last2=Freisleben
| first2=Bernd
| author-link2=Bernd Freisleben
| year=2005
| title=Using a Low-Level Virtual Machine to Improve Dynamic Aspect Support in Operating System Kernels
| url=https://llvm.org/pubs/2005-03-14-ACP4IS-AspectsKernel.pdf
| accessdate=2023-02-01
}}</ref>

== References ==
{{Reflist|30em}}

==External links==
* [https://ebpf.io/ eBPF official web site]
* [http://dtrace.org/blogs/about/ DTrace official web site]

[[Category:Software]]
{{Drafts moved from mainspace|date=March 2023}}
{{⚠️🚨COPIED from EverybodyWiki ❗❕⚠️😡😤Please respect Licence CC-BY-SA ❗}}
{{Source Wikipedia}}

Latest revision as of 11:29, 24 August 2025

In computer science, an in-kernel virtual machine is a specialized virtualization technology that operates within an operating system kernel. Unlike traditional virtual machines that emulate entire computer systems, in-kernel virtual machines provide a controlled environment for executing code within the kernel space, typically for performance, security, or extensibility purposes. These virtual machines allow for safe execution of user-defined programs within the highly privileged kernel context.

Overview

In-kernel virtual machines create an abstraction layer that isolates user-provided code from direct kernel operations while still allowing this code to efficiently interact with kernel resources. They typically implement a restricted instruction set and provide controlled access to kernel data structures, allowing for kernel extension without risking system stability or security.[1] This architecture enables developers to extend kernel functionality safely through just-in-time (JIT) compilation or bytecode interpretation.

The primary advantages of in-kernel virtual machines include:

  • Safety and security: Bytecode validation and memory access restrictions prevent malicious or buggy code from harming the system.[2]
  • Performance optimization: Executing within the kernel eliminates userspace-to-kernel transition overhead.[3]
  • Extensibility: Allows dynamic extension of kernel features without requiring kernel module compilation.[4]
  • Portability: Programs written for these virtual machines often work across different kernel versions and architectures.[5]

History and development

The concept of in-kernel virtual machines evolved from earlier work on packet filtering mechanisms in networking stacks. The original Berkeley Packet Filter (BPF), developed in 1992 by Steven McCanne and Van Jacobson at Lawrence Berkeley Laboratory, introduced a simple virtual machine for efficient packet filtering in the Unix kernel.[6]

The approach gained significant attention in the early 2000s when DTrace was introduced in the Solaris operating system, providing a comprehensive framework for dynamic tracing using a safe in-kernel VM.[7]

The modern evolution came with extended Berkeley Packet Filter (eBPF) in the Linux kernel, which substantially expanded the capabilities beyond the original networking focus to general-purpose programmability across multiple subsystems.[8]

Technical characteristics

In-kernel virtual machines typically share several common characteristics:

  • Restricted instruction set: Limited to operations that can be safely verified.[1]
  • Memory safety guarantees: Strict controls on memory access to prevent corruption.[2]
  • No arbitrary loops: Many implementations restrict or verify loops to ensure termination.[9]
  • Verification mechanisms: Static analysis of programs before execution.[10]
  • Just-in-time compilation: Conversion of bytecode to native instructions for performance.[11]
  • Limited state retention: Controls for how much state can be maintained between invocations.[12]
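The characteristics listed above (a restricted instruction set, bounds-checked memory access, no loops, and static verification before the first packet is seen) in a toy filter machine, as an added example written for this page rather than code from any kernel or project. The four-instruction ISA, the `verify` and `run` functions and the sample frames are invented here; the 4096-instruction cap mirrors the classic BPF limit the article mentions, and the sample program is the equivalent of the tcpdump filter "ip" on Ethernet.

```c
/* Toy filter machine in the style of the in-kernel VMs described above: a
 * restricted instruction set, a static verifier run before any packet is seen,
 * forward-only jumps (no cycles, so termination is guaranteed) and run-time
 * bounds checks on every packet access. Added illustration with an invented
 * instruction set; not code from any real kernel. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum op { OP_LDB, OP_LDH, OP_JEQ, OP_RET }; /* load byte, load 16-bit, jump-if-equal, return */
/* k: packet offset for loads, immediate for JEQ, verdict for RET; jt: JEQ target index */
struct insn { uint8_t op; uint16_t k; uint16_t jt; };
#define MAX_INSNS 4096 /* program length cap, mirroring the classic BPF limit */
#define NINSN(p) (sizeof(p) / sizeof((p)[0]))

/* Static verifier: rejects programs that are empty or too long, use an unknown
 * opcode, jump anywhere but strictly forward inside the program, or do not end
 * in RET. The program counter can then only increase, so every run finishes in
 * at most n steps without needing a run-time instruction budget. */
bool verify(const struct insn *prog, size_t n)
{
    if (n == 0 || n > MAX_INSNS) return false;
    for (size_t i = 0; i < n; i++) {
        switch (prog[i].op) {
        case OP_LDB: case OP_LDH: case OP_RET: break;
        case OP_JEQ:
            if ((size_t)prog[i].jt <= i || (size_t)prog[i].jt >= n) return false;
            break;
        default: return false;
        }
    }
    return prog[n - 1].op == OP_RET;
}

/* Interpreter. Returns the RET verdict (0 = drop, nonzero = accept). A load that
 * would read past the end of the packet drops the packet instead of reading. */
uint16_t run(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *in = &prog[pc];
        switch (in->op) {
        case OP_LDB:
            if ((size_t)in->k + 1 > len) return 0; /* bounds check */
            acc = pkt[in->k]; break;
        case OP_LDH:
            if ((size_t)in->k + 2 > len) return 0;
            acc = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1]; break;
        case OP_JEQ:
            if (acc == in->k) pc = in->jt - 1; /* the loop's pc++ lands on jt */
            break;
        case OP_RET: return in->k;
        }
    }
    return 0; /* unreachable for verified programs */
}

/* Equivalent of the tcpdump filter "ip" on Ethernet: accept when EtherType is 0x0800. */
static const struct insn filter_ipv4[] = {
    { OP_LDH, 12, 0 },     /* acc = EtherType, bytes 12..13 */
    { OP_JEQ, 0x0800, 3 }, /* IPv4: jump to accept */
    { OP_RET, 0, 0 },      /* drop */
    { OP_RET, 0xffff, 0 }, /* accept */
};
/* A program with a backward jump (a cycle); the verifier must refuse it. */
static const struct insn looping[] = { { OP_LDB, 0, 0 }, { OP_JEQ, 0, 0 }, { OP_RET, 0, 0 } };
/* Constructed sample frames (Ethernet header only): IPv4, IPv6 and a truncated one. */
static const uint8_t frame_ipv4[14]  = { [12] = 0x08, [13] = 0x00 };
static const uint8_t frame_ipv6[14]  = { [12] = 0x86, [13] = 0xDD };
static const uint8_t frame_short[13] = { 0 };
```

The truncated frame shows the memory-safety rule in action: the 16-bit load at offset 12 would read one byte past the end, so the interpreter drops the packet instead of touching out-of-range memory.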

Implementation examples

eBPF (Extended Berkeley Packet Filter)

eBPF is the most prominent modern implementation of an in-kernel virtual machine, integrated into the Linux kernel. It evolved from the classic BPF into a sophisticated virtual machine that allows users to load and run custom programs within the kernel.[8]

eBPF programs undergo rigorous verification before execution to ensure they cannot crash the kernel, get stuck in infinite loops, or access unauthorized memory.[10]

DTrace

DTrace, originally developed by Sun Microsystems for Solaris, implements an in-kernel virtual machine that interprets bytecode generated by its "D" language compiler.[7]

nftables

nftables is a packet filtering framework within the Linux kernel that replaced the earlier iptables system.[13]

Applications

Network filtering and monitoring

In-kernel virtual machines were first applied to network packet filtering, where the ability to make rapid filtering decisions within the kernel significantly improved performance.[6]

Security enforcement

Security researchers have leveraged in-kernel VMs to implement advanced security policies.[2]

Performance analysis

Performance analysis tools have been revolutionized by in-kernel virtual machines.[14]

Future directions

In-kernel virtual machine technology continues to evolve, with research focusing on:

  • Enhanced safety mechanisms[9]
  • Hardware acceleration[15]
  • Cross-platform standardization[12]

See also

  • Virtual machine
  • Berkeley Packet Filter
  • Operating system kernel

References

  1. Corbet, Jonathan (2014-05-21). "BPF: the universal in-kernel virtual machine". Linux Weekly News. https://lwn.net/Articles/599755/. Retrieved 2022-08-12.
  2. Wang, Xi; Lazar, David; Zeldovich, Nickolai; Chlipala, Adam; Tatlock, Zachary (2019). "Jitk: A Trustworthy In-Kernel Interpreter Infrastructure" (PDF). USENIX Security Symposium. USENIX Association. https://people.csail.mit.edu/nickolai/papers/wang-jitk.pdf
  3. Høiland-Jørgensen, Toke (2018). "The eXpress Data Path: Fast Programmable Packet Processing in the Operating System Kernel". Proceedings of the 14th International Conference on emerging Networking EXperiments and Technologies. ACM. doi:10.1145/3281411.3281443.
  4. Rice, Liz (2022). What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools. O'Reilly Media. p. 24. ISBN 978-1-492-09723-5.
  5. Gregg, Brendan (2019). BPF Performance Tools. Addison-Wesley Professional. p. 43. ISBN 978-0136554820.
  6. McCanne, Steven; Jacobson, Van (1993). "The BSD Packet Filter: A New Architecture for User-level Packet Capture" (PDF). USENIX Winter Conference. USENIX Association. https://www.usenix.org/legacy/publications/library/proceedings/sd93/mccanne.pdf
  7. Cantrill, Bryan; Shapiro, Michael W.; Leventhal, Adam H. (2004). "Dynamic Instrumentation of Production Systems" (PDF). USENIX Annual Technical Conference. USENIX Association. https://www.usenix.org/legacy/events/usenix04/tech/general/full_papers/cantrill/cantrill.pdf
  8. Fleming, Matt (2017-12-02). "A thorough introduction to eBPF". Linux Weekly News. https://lwn.net/Articles/740157/. Retrieved 2022-09-02.
  9. Nelson, Luke; Geffen, Jacob Van; Torlak, Emina; Wang, Xi (2020). "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel" (PDF). 14th USENIX Symposium on Operating Systems Design and Implementation. USENIX Association. https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf
  10. Starovoitov, Alexei; Shirokov, Andrii (2020). "A Thorough Introduction to eBPF". USENIX ;login. 45 (1). https://www.usenix.org/publications/login/spring2020/starovoitov
  11. Gregg, Brendan (2019). BPF Performance Tools. Addison-Wesley Professional. p. 58. ISBN 978-0136554820.
  12. Rice, Liz (2022). What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools. O'Reilly Media. p. 97. ISBN 978-1-492-09723-5.
  13. Ayuso, Pablo Neira (2013). "nftables: a new packet filtering engine" (PDF). Netfilter Workshop. https://netfilter.org/workshops/2013/nftables-why-paper.pdf
  14. Gregg, Brendan (2019). BPF Performance Tools. Addison-Wesley Professional. p. 82. ISBN 978-0136554820.
  15. Borkmann, Daniel; Starovoitov, Alexei (2020). "BPF and Networking". Proceedings of the Linux Plumbers Conference. https://lpc.events/event/7/contributions/676/

External links

  • eBPF official website: https://ebpf.io/
  • DTrace official website: https://dtrace.org/

This article "In-kernel virtual machine" is from Wikipedia. The list of its authors can be seen in its history and/or on the page Edithistory:In-kernel virtual machine. Articles copied from the Draft namespace on Wikipedia can be found in the Draft namespace of Wikipedia, not the main one.