Safe and usable kernel extensions with Rex

TL;DR

Rex is a new framework for kernel extensions that uses safe Rust and a lightweight runtime to improve safety and usability, addressing limitations of existing mechanisms like eBPF without sacrificing performance.

Contribution

Rex introduces a language-based safety framework for kernel extensions that eliminates the need for static verification, enhancing usability and safety in kernel programming.

Findings

Rex enables writing kernel extensions in safe Rust with no static verification.

It improves usability by closing the language-verifier gap.

Rex maintains performance comparable to existing mechanisms.

Abstract

Safe kernel extensions have gained significant traction, evolving from simple packet filters to large, complex programs that customize storage, networking, and scheduling. Existing kernel extension mechanisms like eBPF rely on in-kernel verifiers to ensure safety of kernel extensions by static verification using symbolic execution. We identify significant usability issues -- safe extensions being rejected by the verifier -- due to the language-verifier gap, a mismatch between developers' expectation of program safety provided by a contract with the programming language, and the verifier's expectation. We present Rex, a new kernel extension framework that closes the language-verifier gap and improves the usability of kernel extensions in terms of programming experience and maintainability. Rex builds upon language-based safety to provide safety properties desired by kernel extensions, along with a lightweight extralingual runtime for properties that are unsuitable for static analysis, including safe exception handling, stack safety, and termination. With Rex, kernel extensions are written in safe Rust and interact with the kernel via a safe interface provided by Rex's kernel crate. No separate static verification is needed. Rex addresses usability issues of eBPF kernel extensions without compromising performance.