vBPF: safely extending eBPF to enhance programmability and flexibility (Korean title: vBPF: development of a safe method for the extension and convenience of eBPF)

Extended Berkeley Packet Filter (eBPF) is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel without modifying kernel source code or loading kernel modules. eBPF guarantees isolation and safety at native performance by enforcing static verification and just-in-time compilation. However, eBPF is not sufficient for safely and efficiently extending the capabilities of the kernel. Compared to native kernel code, eBPF forces users to follow strict and limited programming guidelines and a fixed execution model so that static verification remains possible. In this paper, we claim that the restrictions and disadvantages of eBPF could be overcome by carefully redesigning the separation between protection and verification with additional confinements of the hardware protections and execution models. Experiments with our prototype show performance improvements comparable to those of various research projects, without modification of kernel source code. We also show that vBPF could be an alternative to existing kernel-bypass solutions like Userfaultfd, with better performance and flexibility. Since the pioneering work of SPIN (Bershad et al., 1995), we think that a flexible and safe kernel extension model has finally come!
Advisors
Kwon, Youngjin (권영진)
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Computing
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2023
Identifier
325007
Language
eng
Description

Thesis (Master's) - Korea Advanced Institute of Science and Technology (KAIST): School of Computing, 2023.2, [iv, 45 p.]

Keywords

Operating Systems; Security; Isolation; eBPF; Kernel Extensions; Berkeley Packet Filter

URI
http://hdl.handle.net/10203/309497
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=1032976&flag=dissertation
Appears in Collection
CS-Theses_Master (Master's theses)
Files in This Item
There are no files associated with this item.
