From Browser to Kernel: Exploring a Lightweight Sandboxed Approach for Unikernel Extensions

Library Operating Systems (libOS) are highly efficient because the entire software stack, from the kernel to the application, is compiled, optimized, and linked together. However, in certain scenarios, such as code injection for network packet analysis or adding custom drivers, it is necessary to extend the kernel as needed. The traditional approach of modifying and recompiling the kernel source code can be time-consuming and error-prone. This paper analyzes the possibility of using WebAssembly (Wasm) to extend an operating system kernel at runtime. Wasm is a portable bytecode format that enables fast execution of language-independent code while prioritizing security and portability. Its type system and bounded memory regions effectively prevent unauthorized data access. A prototype module for analyzing network traffic demonstrates the potential, while performance is determined by using standard benchmarks. The performance of the kernel sandbox proved to be about 20 % slower than running the Wasm code in state-of-the-art runtimes on Linux, which is acceptable for a first proof-of-concept.