In-kernel virtual machine: Difference between revisions
Moved page from wikipedia:en:Draft:In-kernel virtual machine ([[Edithistory:|history]]) |
m Moved page from wikipedia:en:Draft:In-kernel virtual machine ([[Edithistory:|history]]) |
||
| Line 1: | Line 1: | ||
{{ | {{Draft article|nomove=yes}} | ||
{{ | {{AI-generated|date=May 2025}} | ||
''' | {{short description|Computing technology that allows running programs safely within operating system kernels}} | ||
In [[computer science]], an '''in-kernel virtual machine''' is a specialized [[virtualization]] technology that operates within an [[operating system kernel]]. Unlike traditional [[virtual machine]]s that emulate entire computer systems, in-kernel virtual machines provide a controlled environment for executing code within the kernel space, typically for performance, security, or extensibility purposes. These virtual machines allow for safe execution of user-defined programs within the highly privileged kernel context. | |||
== | == Overview == | ||
In-kernel virtual machines create an abstraction layer that isolates user-provided code from direct kernel operations while still allowing this code to efficiently interact with kernel resources. They typically implement a restricted instruction set and provide controlled access to kernel data structures, allowing for kernel extension without risking system stability or security.<ref name="Corbet_2014"/> This architecture enables developers to extend kernel functionality safely through [[just-in-time compilation|just-in-time (JIT) compilation]] or bytecode interpretation. | |||
The primary advantages of in-kernel virtual machines include: | |||
* '''Safety and security''': Bytecode validation and memory access restrictions prevent malicious or buggy code from harming the system.<ref name="Wang_2019"/> | |||
* '''Performance optimization''': Executing within the kernel eliminates userspace-to-kernel transition overhead.<ref name="Høiland_2018"/> | |||
* '''Extensibility''': Allows dynamic extension of kernel features without requiring kernel module compilation.<ref name="Rice_2022_p24"/> | |||
* '''Portability''': Programs written for these virtual machines often work across different kernel versions and architectures.<ref name="Gregg_2019_p43"/> | |||
== History and development == | |||
The concept of in-kernel virtual machines evolved from earlier work on packet filtering mechanisms in networking stacks. The original [[Berkeley Packet Filter]] (BPF), developed in 1992 by Steven McCanne and Van Jacobson at Lawrence Berkeley Laboratory, introduced a simple virtual machine for efficient packet filtering in the Unix kernel.<ref name="McCanne_1993"/> | |||
The approach gained significant attention in the early 2000s when [[DTrace]] was introduced in the [[Solaris (operating system)|Solaris operating system]], providing a comprehensive framework for dynamic tracing using a safe in-kernel VM.<ref name="Cantrill_2004"/> | |||
[[ | |||
The modern evolution came with extended Berkeley Packet Filter (eBPF) in the [[Linux kernel]], which substantially expanded the capabilities beyond the original networking focus to general-purpose programmability across multiple subsystems.<ref name="Fleming_2017"/> | |||
== | == Technical characteristics == | ||
In-kernel virtual machines typically share several common characteristics: | |||
* '''Restricted instruction set''': Limited to operations that can be safely verified.<ref name="Corbet_2014"/> | |||
* '''Memory safety guarantees''': Strict controls on memory access to prevent corruption.<ref name="Wang_2019"/> | |||
* '''No arbitrary loops''': Many implementations restrict or verify loops to ensure termination.<ref name="Nelson_2020"/> | |||
* '''Verification mechanisms''': Static analysis of programs before execution.<ref name="Starovoitov_2020"/> | |||
* '''Just-in-time compilation''': Conversion of bytecode to native instructions for performance.<ref name="Gregg_2019_p58"/> | |||
* '''Limited state retention''': Controls for how much state can be maintained between invocations.<ref name="Rice_2022_p97"/> | |||
== Implementation examples == | |||
=== eBPF (Extended Berkeley Packet Filter) === | |||
[[eBPF]] is the most prominent modern implementation of an in-kernel virtual machine, integrated into the Linux kernel. It evolved from the classic BPF into a sophisticated virtual machine that allows users to load and run custom programs within the kernel.<ref name="Fleming_2017"/> | |||
eBPF programs undergo rigorous verification before execution to ensure they cannot crash the kernel, get stuck in infinite loops, or access unauthorized memory.<ref name="Starovoitov_2020"/> | |||
=== DTrace === | |||
[[DTrace]], originally developed by [[Sun Microsystems]] for Solaris, implements an in-kernel virtual machine that interprets bytecode generated by its "D" language compiler.<ref name="Cantrill_2004"/> | |||
=== nftables === | |||
[[nftables]] is a packet filtering framework within the Linux kernel that replaced the earlier [[iptables]] system.<ref name="Ayuso_2013"/> | |||
== Applications == | |||
=== Network filtering and monitoring === | |||
In-kernel virtual machines were first applied to network packet filtering, where the ability to make rapid filtering decisions within the kernel significantly improved performance.<ref name="McCanne_1993"/> | |||
=== Security enforcement === | |||
Security researchers have leveraged in-kernel VMs to implement advanced security policies.<ref name="Wang_2019"/> | |||
=== Performance analysis === | |||
Performance analysis tools have been revolutionized by in-kernel virtual machines.<ref name="Gregg_2019_p82"/> | |||
== Future directions == | |||
In-kernel virtual machine technology continues to evolve, with research focusing on: | |||
* '''Enhanced safety mechanisms'''<ref name="Nelson_2020"/> | |||
* '''Hardware acceleration'''<ref name="Borkmann_2020"/> | |||
* '''Cross-platform standardization'''<ref name="Rice_2022_p97"/> | |||
== See also == | |||
* [[Virtual machine]] | |||
* [[Berkeley Packet Filter]] | |||
* [[Operating system kernel]] | |||
== References == | == References == | ||
{{Reflist| | {{Reflist|refs= | ||
<ref name="Ayuso_2013">{{cite journal |last=Ayuso |first=Pablo Neira |year=2013 |title=nftables: a new packet filtering engine |journal=Netfilter Workshop |url=https://netfilter.org/workshops/2013/nftables-why-paper.pdf}}</ref> | |||
<ref name="Borkmann_2020">{{cite conference |last1=Borkmann |first1=Daniel |last2=Starovoitov |first2=Alexei |year=2020 |title=BPF and Networking |book-title=Proceedings of the Linux Plumbers Conference |url=https://lpc.events/event/7/contributions/676/}}</ref> | |||
<ref name="Cantrill_2004">{{cite conference |last1=Cantrill |first1=Bryan |last2=Shapiro |first2=Michael W. |last3=Leventhal |first3=Adam H. |year=2004 |title=Dynamic Instrumentation of Production Systems |book-title=USENIX Annual Technical Conference |publisher=USENIX Association |url=https://www.usenix.org/legacy/events/usenix04/tech/general/full_papers/cantrill/cantrill.pdf}}</ref> | |||
<ref name="Corbet_2014">{{cite journal |last=Corbet |first=Jonathan |date=2014-05-21 |title=BPF: the universal in-kernel virtual machine |journal=Linux Weekly News |url=https://lwn.net/Articles/599755/ |access-date=2022-08-12}}</ref> | |||
<ref name="Fleming_2017">{{cite journal |last=Fleming |first=Matt |date=2017-12-02 |title=A thorough introduction to eBPF |journal=Linux Weekly News |url=https://lwn.net/Articles/740157/ |access-date=2022-09-02}}</ref> | |||
<ref name="Gregg_2019_p43">{{cite book |last=Gregg |first=Brendan |year=2019 |title=BPF Performance Tools |publisher=Addison-Wesley Professional |isbn=978-0136554820 |page=43}}</ref> | |||
<ref name="Gregg_2019_p58">{{cite book |last=Gregg |first=Brendan |year=2019 |title=BPF Performance Tools |publisher=Addison-Wesley Professional |isbn=978-0136554820 |page=58}}</ref> | |||
<ref name="Gregg_2019_p82">{{cite book |last=Gregg |first=Brendan |year=2019 |title=BPF Performance Tools |publisher=Addison-Wesley Professional |isbn=978-0136554820 |page=82}}</ref> | |||
<ref name="Høiland_2018">{{cite conference |last1=Høiland-Jørgensen |first1=Toke |year=2018 |title=The eXpress Data Path: Fast Programmable Packet Processing in the Operating System Kernel |book-title=Proceedings of the 14th International Conference on emerging Networking EXperiments and Technologies |publisher=ACM |doi=10.1145/3281411.3281443}}</ref> | |||
<ref name="McCanne_1993">{{cite conference |last1=McCanne |first1=Steven |last2=Jacobson |first2=Van |year=1993 |title=The BSD Packet Filter: A New Architecture for User-level Packet Capture |book-title=USENIX Winter Conference |publisher=USENIX Association |url=https://www.usenix.org/legacy/publications/library/proceedings/sd93/mccanne.pdf}}</ref> | |||
<ref name="Nelson_2020">{{cite conference |last1=Nelson |first1=Luke |last2=Geffen |first2=Jacob Van |last3=Torlak |first3=Emina |last4=Wang |first4=Xi |year=2020 |title=Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel |book-title=14th USENIX Symposium on Operating Systems Design and Implementation |publisher=USENIX Association |url=https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf}}</ref> | |||
<ref name="Rice_2022_p24">{{cite book |last=Rice |first=Liz |year=2022 |title=What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools |publisher=O'Reilly Media |isbn=978-1-492-09723-5 |page=24}}</ref> | |||
<ref name="Rice_2022_p97">{{cite book |last=Rice |first=Liz |year=2022 |title=What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools |publisher=O'Reilly Media |isbn=978-1-492-09723-5 |page=97}}</ref> | |||
<ref name="Starovoitov_2020">{{cite journal |last1=Starovoitov |first1=Alexei |last2=Shirokov |first2=Andrii |year=2020 |title=A Thorough Introduction to eBPF |journal=USENIX ;login |volume=45 |issue=1 |url=https://www.usenix.org/publications/login/spring2020/starovoitov}}</ref> | |||
<ref name="Wang_2019">{{cite conference |last1=Wang |first1=Xi |last2=Lazar |first2=David |last3=Zeldovich |first3=Nickolai |last4=Chlipala |first4=Adam |last5=Tatlock |first5=Zachary |year=2019 |title=Jitk: A Trustworthy In-Kernel Interpreter Infrastructure |book-title=USENIX Security Symposium |publisher=USENIX Association |url=https://people.csail.mit.edu/nickolai/papers/wang-jitk.pdf}}</ref> | |||
}} | |||
== External links == | |||
* [https://ebpf.io/ eBPF official website] | |||
* [https://dtrace.org/ DTrace official website] | |||
{{Draft categories| | |||
[[Category:Linux kernel features]] | |||
[[Category:Virtualization software]] | |||
}} | |||
= | {{Drafts moved from mainspace|date=August 2025}} | ||
{{Drafts moved from mainspace|date=August 2025}} | |||
{{Drafts moved from mainspace|date= | |||
{{⚠️🚨COPIED from EverybodyWiki ❗❕⚠️😡😤Please respect Licence CC-BY-SA ❗}} | {{⚠️🚨COPIED from EverybodyWiki ❗❕⚠️😡😤Please respect Licence CC-BY-SA ❗}} | ||
{{Source Wikipedia}} | {{Source Wikipedia}} | ||
Latest revision as of 11:29, 24 August 2025
This article appears to have been generated by a large language model (such as ChatGPT) without having been rigorously scrutinized for verifiability, neutrality, original research, and copyright compliance. It may include misleading or inaccurate claims and fake references that sound plausible. (May 2025) (Learn how and when to remove this template message) |
In computer science, an in-kernel virtual machine is a specialized virtualization technology that operates within an operating system kernel. Unlike traditional virtual machines that emulate entire computer systems, in-kernel virtual machines provide a controlled environment for executing code within the kernel space, typically for performance, security, or extensibility purposes. These virtual machines allow for safe execution of user-defined programs within the highly privileged kernel context.
Overview
In-kernel virtual machines create an abstraction layer that isolates user-provided code from direct kernel operations while still allowing this code to efficiently interact with kernel resources. They typically implement a restricted instruction set and provide controlled access to kernel data structures, allowing for kernel extension without risking system stability or security.[1] This architecture enables developers to extend kernel functionality safely through just-in-time (JIT) compilation or bytecode interpretation.
The primary advantages of in-kernel virtual machines include:
- Safety and security: Bytecode validation and memory access restrictions prevent malicious or buggy code from harming the system.[2]
- Performance optimization: Executing within the kernel eliminates userspace-to-kernel transition overhead.[3]
- Extensibility: Allows dynamic extension of kernel features without requiring kernel module compilation.[4]
- Portability: Programs written for these virtual machines often work across different kernel versions and architectures.[5]
History and development
The concept of in-kernel virtual machines evolved from earlier work on packet filtering mechanisms in networking stacks. The original Berkeley Packet Filter (BPF), developed in 1992 by Steven McCanne and Van Jacobson at Lawrence Berkeley Laboratory, introduced a simple virtual machine for efficient packet filtering in the Unix kernel.[6]
The approach gained significant attention in the early 2000s when DTrace was introduced in the Solaris operating system, providing a comprehensive framework for dynamic tracing using a safe in-kernel VM.[7]
The modern evolution came with extended Berkeley Packet Filter (eBPF) in the Linux kernel, which substantially expanded the capabilities beyond the original networking focus to general-purpose programmability across multiple subsystems.[8]
Technical characteristics
In-kernel virtual machines typically share several common characteristics:
- Restricted instruction set: Limited to operations that can be safely verified.[1]
- Memory safety guarantees: Strict controls on memory access to prevent corruption.[2]
- No arbitrary loops: Many implementations restrict or verify loops to ensure termination.[9]
- Verification mechanisms: Static analysis of programs before execution.[10]
- Just-in-time compilation: Conversion of bytecode to native instructions for performance.[11]
- Limited state retention: Controls for how much state can be maintained between invocations.[12]
Implementation examples
eBPF (Extended Berkeley Packet Filter)
eBPF is the most prominent modern implementation of an in-kernel virtual machine, integrated into the Linux kernel. It evolved from the classic BPF into a sophisticated virtual machine that allows users to load and run custom programs within the kernel.[8]
eBPF programs undergo rigorous verification before execution to ensure they cannot crash the kernel, get stuck in infinite loops, or access unauthorized memory.[10]
DTrace
DTrace, originally developed by Sun Microsystems for Solaris, implements an in-kernel virtual machine that interprets bytecode generated by its "D" language compiler.[7]
nftables
nftables is a packet filtering framework within the Linux kernel that replaced the earlier iptables system.[13]
Applications
Network filtering and monitoring
In-kernel virtual machines were first applied to network packet filtering, where the ability to make rapid filtering decisions within the kernel significantly improved performance.[6]
Security enforcement
Security researchers have leveraged in-kernel VMs to implement advanced security policies.[2]
Performance analysis
Performance analysis tools have been revolutionized by in-kernel virtual machines.[14]
Future directions
In-kernel virtual machine technology continues to evolve, with research focusing on:
See also
References
- ↑ 1.0 1.1 Corbet, Jonathan (2014-05-21). "BPF: the universal in-kernel virtual machine". Linux Weekly News. Retrieved 2022-08-12.
- ↑ 2.0 2.1 2.2 Wang, Xi; Lazar, David; Zeldovich, Nickolai; Chlipala, Adam; Tatlock, Zachary (2019). "Jitk: A Trustworthy In-Kernel Interpreter Infrastructure" (PDF). USENIX Security Symposium. USENIX Association.
- ↑ Høiland-Jørgensen, Toke (2018). "The eXpress Data Path: Fast Programmable Packet Processing in the Operating System Kernel". Proceedings of the 14th International Conference on emerging Networking EXperiments and Technologies. ACM. doi:10.1145/3281411.3281443.
- ↑ Rice, Liz (2022). What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools. O'Reilly Media. p. 24. ISBN 978-1-492-09723-5. Search this book on
- ↑ Gregg, Brendan (2019). BPF Performance Tools. Addison-Wesley Professional. p. 43. ISBN 978-0136554820. Search this book on
- ↑ 6.0 6.1 McCanne, Steven; Jacobson, Van (1993). "The BSD Packet Filter: A New Architecture for User-level Packet Capture" (PDF). USENIX Winter Conference. USENIX Association.
- ↑ 7.0 7.1 Cantrill, Bryan; Shapiro, Michael W.; Leventhal, Adam H. (2004). "Dynamic Instrumentation of Production Systems" (PDF). USENIX Annual Technical Conference. USENIX Association.
- ↑ 8.0 8.1 Fleming, Matt (2017-12-02). "A thorough introduction to eBPF". Linux Weekly News. Retrieved 2022-09-02.
- ↑ 9.0 9.1 Nelson, Luke; Geffen, Jacob Van; Torlak, Emina; Wang, Xi (2020). "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel" (PDF). 14th USENIX Symposium on Operating Systems Design and Implementation. USENIX Association.
- ↑ 10.0 10.1 Starovoitov, Alexei; Shirokov, Andrii (2020). "A Thorough Introduction to eBPF". USENIX ;login. 45 (1).
- ↑ Gregg, Brendan (2019). BPF Performance Tools. Addison-Wesley Professional. p. 58. ISBN 978-0136554820. Search this book on
- ↑ 12.0 12.1 Rice, Liz (2022). What Is eBPF? An Introduction to a New Generation of Networking, Security, and Observability Tools. O'Reilly Media. p. 97. ISBN 978-1-492-09723-5. Search this book on
- ↑ Ayuso, Pablo Neira (2013). "nftables: a new packet filtering engine" (PDF). Netfilter Workshop.
- ↑ Gregg, Brendan (2019). BPF Performance Tools. Addison-Wesley Professional. p. 82. ISBN 978-0136554820. Search this book on
- ↑ Borkmann, Daniel; Starovoitov, Alexei (2020). "BPF and Networking". Proceedings of the Linux Plumbers Conference.
External links
This article "In-kernel virtual machine" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:In-kernel virtual machine. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.
