Product Launch
anonymous
59 points
39 comments
Posted11 days agoActive2d ago
Rex
github.commvplibrarydevelopers
Key Features
kernel extension frameworkRust integrationeBPF replacement
Tech Stack
Rust
Key Features
Tech Stack
Also there’s reasons why eBPF programs aren’t allowed to run arbitrarily long and this just ignores that problem too.
> We currently do not support unprivileged use case (same as BPF). Basically, Rex extensions are expected to be loaded by privileged context only.
As I understand it, in privileged context would be one where one is also be able to load new kernel modules, that also don't have any limitations, although I suppose the system could be configured otherwise as well for some reasons.
So this is like a more convenient way to inject kernel code at runtime than kernel modules or eBPF modules are, with some associated downsides (such as being less safe than eBPF; the question about non-termination seems apt at the end of the thread). It doesn't seem like they are targeting to actually put this into mainstream kernel, and I doubt it could really happen anyway..
If it has to be native code, it should live on user space, at very least.
Given this thread model, I think their project is entirely reasonable. Safe Rust will prevent accidental mistakes even if you could technically circumvent it if you really try.
So it's not like eBPF is secure and this isn't. They're both insecure in different ways.
re: eBPF and WAFs: https://news.ycombinator.com/item?id=45951011
From https://news.ycombinator.com/context?id=43564972 :
> Should a microkernel implement eBPF and WASM, or, for the same reasons that justify a microkernel should eBPF and most other things be confined or relegated or segregated in userspace; in terms of microkernel goals like separation of concerns and least privilege and then performance?
"Isolated Execution Environment for eBPF" (2025-04) https://news.ycombinator.com/item?id=43697214
Further, if you want to hook into specific parts of the kernel, you might well end up writing far more boilerplate instead of just intercepting the one call you're actually interested in and adding some metadata or doing some access control.
I personally am all for a kernel that can do more things for more people with less bespoke kernel modules or patches.
If Eve gets to load bad eBPFs programs in your computer then I doubt counter-measures in how they run can save you.
This is a good article about one found in the wild: https://www.synacktiv.com/en/publications/linkpro-ebpf-rootk...
For most people, they trust most or all of the code running on their machine. They certainly trust their firewall policy to not be malware. If you already trust it, using a better, safe language might be helpful. In many cases, eBPF will be fine.
This isn't the first time this has been done. SPIN was an operating system in Modula-3 that allowed type-safe linking of code into the kernel, balancing safety and performance.
Maybe i'm missing something, but isn't that a bad thing?
It’s so common that it’s not even worth calling out.
(I may come across as an Ada zealot myself.)
Has full Ada solved their unsafe de-allocation problem in a way that's comparable to the borrow checker's guarantees?
You should take another look, lots have changed in this scene.
One could also say some in the C or C++ communities actually care about security, thus no need for Rust or alike, yet no one is paying attention to those small groups in the corner.
A village is judged by its population actions, and even the black sheeps count to its overall image from outsiders.
As for that sentence: I think Rust has its place, I do not agree at all with their 'rewrite' mantra because there are a ton of risks associated with rewrites that have nothing to do in what language the code is written in, just that it is a rewrite.
I think the Rust folks should go all-in on Redox and fix their tool optimization issues. And do one thing and do that well rather than to be the next Swiss army knife of programming. And I also think that the C and C++ folks can do a lot better still. Filip is doing something interesting I think and if there a practical solution to the C heritage I think it lies more in his direction than in rewriting billions of lines of battle tested code. Performance isn't nearly as important as it used to be. Another thing that I think would be beneficial would be to take as many device drivers out of the linux kernel as possible and run them as userspace processes.
Anyway, belated Merry Christmas to you and a pre-emptive happy 2026!
You’re then accusing me of being intellectually lazy for not giving high karma accounts the respect they deserve. Come off it. I’m going to judge comments by their content, not by the karma of the author. You shaming me is not going to make me change that.
What’s crazy is that judging people by their karma instead of their words is actually lazy. Isn’t this obvious? Do I need to get another 20k karma before you’ll understand that?
https://news.ycombinator.com/item?id=46352728
So apparently it is fine for you to call out low karma accounts but I can't have you shit on a member in excellent standing here?
The Rust community has - rightly, in my opinion - flagged a number of serious concerns about language safety. Outside of that Rust is just another programming language and languages are just one of the parts of the security picture. There is process, general hygiene and a lot of hard learned lessons about how you keep systems secure regardless of what language a particular piece of code is written in.
Given the amount of Rust evangelization on HN (which is one of the reasons this link got posted in the first place) and the fact that they can't let any opportunity go by to shit on other languages and those that use them for reasons that are unclear to me (and this goes quite far, up to and including questioning the sanity of anybody writing in a systems language other than Rust) you can expect that that higher standard is applied to the Rust advocates in the same way.
Action begets reaction.
Your response is telling: you make a personal attack on a member of HN and then hide behind pointing out the flaws in 'the community' when in fact it is you that is poisoning the community with these kind of comments.
I've made it a rule since a couple of weeks that I'm tossing accounts like that onto my blacklist because really, life's too short. If you don't see value in HN discussing languages and their communities (and I have to give the Rust community some credit here, as the language matures they've become more realistic about their abilities and there is less zealotry, especially Steve Klabik deserves a mention) then it may be that you are in the wrong place. For me your account will cease to exist after this comment.
Me calling out a sock puppet account (0 karma, created minutes before) is not the same as you saying that high karma accounts need to have their opinions respected simply because they are high karma. Coincidentally, I notice your account is very high karma.
You’re acting extraordinarily offended, like I’ve committed some major transgression here. I haven’t. I’ve re-read my comments and they’re frankly milquetoast.
Rust Striking Force meme exists for a reason, their actions are also not supported by the core team.
Many of the core team and by large its community witness RESF in action for long before sending in a few words isn't exactly not supported in my book.
But then again I understand every PL needs a lot of push and marketing. It just went way too far in one direction.
It seems a little disingenuous to describe "community" as including people who haven't even attempted to interact with anyone in the community other than forking their code.
And this is very much also something which is helped along by the community’s defining voices.
but I realized that in the past decade or so all of my kernel experiments are being done in little baby kernels. virtualization and the sheer volume of open source makes this a perfectly good path. and frankly Linux isn't that lovely to work in and extend.
the current situation with kernel modules and symbol resolution is a crappy boundary that really gets in your way as a developer, and from a security perspective is really just crime scene tape.
so we should really try to clean up and harden production systems, and understand that we will need the playground to inform that activity. right now we have neither, and this clearly belongs in the playground.
1. This requires root.
2. eBPF also requires root usually. As I understand it it was originally meant to be secure enough to allow unprivileged use but Spectre ruined that and now they've given up on that.
But you wouldn't want to use that for the actual firewall for example, or with a production service. There's no general "bad". Just different contexts.
rust type system is not a security mechanism
it's a mechanism to avoid bugs which can become security issues not a way to enforce well behavior on a kernel boundary
as an example the current rust compiler has some bugs where it accepts unsound programs which are not seen as supper high priority as you most most likely won't run into them by accident. If rust where a verification system enforcing security at a kernel boundary this would be sever CVEs...
also eBPF verification checks more properties, e.g. that a program will deterministically terminate and can't take too long to do so, which is very important for the kind of thing eBPF is(1).
and eBPF programs are also not supposed to do anything overly complex or difficult to compute but instead should only do "simple" checks and accounting and potentially delegate some parts to user space helper program. So all the nice benefits rust has aren't really that useful.
In the end there is a huge gap between the kind of "perfect verification" you need for something like eBPF and "type checking to avoid nasty bugs". One defends against mistakes the other against malicious code.
To be fair if your use case doesn't fit into eBPF at all and you choice is rex-rs or a full kernel driver rex-rs is seems a far better choice then a full custom rust driver in a lot of way.
IMHO it would be grate if rust verification could become at some point so good that it can protect reliably against malicious code and have extensions for enforcing code with guaranteed termination/max execution budged. But rust isn't anywhere close to it, and it's also not a core goal rust development focused on.
(1): In case anyone is wondering how that works given that the halting problem is undecidable: The halting problem applies to any arbitrary program. But there are subsets of programs which can be proven to halt (or not halt). E.g. `return 0` is trivially proven to halt and `while True: pass` trivially to not halt (but `while(1){}` is UB in C++ and henceforth might be compiled to a program which halts, it's still an endless loop in C)
The question is, going into 2026, what kind of thing is eBPF? It seems like all hope of it being a security boundary has been thwarted by micro-architectural vulnerabilities to the extent that you can no longer load eBPF programs as non-root. So, is it a security boundary? That's an honest question that I've not been able to find an answer to in the kernel documentation or recent mailing list posts.
If it's not a security boundary, what is it? There's a few other nice properties enforced by the validator, like protos for a subset of kernel functions, which provides some load-time validation that you've built against a compatible kernel. That's something that's lost here, so we don't get the same compile once, run everywhere properties eBPF has. One might argue this is a big loss, but in the branch that eBPF is not a security subsystem, it's worth asking whether these are strictly necessary checks that need to be enforced, or whether they're niceties that bring a higher hope of stability and reduce the burden of code review that are perfectly fine to bypass given those caveats.
That's it. Though I said "arbitrary" because the program has to pass the verifier, which limits valid programs to ones where it can make the stability guarantees.
Because it's not just a mechanism to load kernel modules in Rust, it's specifically a mechanism to load them in the same places that ebpf programs are loadable, using the existing kernel machinery for executing ebpf programs, and with some helpers to interface with existing epbf programs.
https://github.com/llvm/llvm-project/tree/main/llvm/lib/Targ...
1. How does the safety model compare to eBPF's verifier? eBPF has the advantage of being verified at load time with strict constraints. Does Rex rely purely on Rust's type system, or is there additional runtime verification?
2. What's the performance story? eBPF is JIT-compiled and heavily optimized. How does Rex-compiled Rust code compare in terms of overhead and latency?
3. Deployment/distribution - eBPF programs can be distributed as bytecode. With Rex, do you need to compile on-target or ship platform-specific binaries?
4. What about the ecosystem? eBPF has massive tooling support (bpftrace, bcc, etc.). Is there a migration path for existing eBPF programs?
5. Kernel panic protection - eBPF has strict safety rails. If Rust code panics or has an unsafe block with UB, what happens?
6. Are there features that Rex enables that are impossible/difficult with eBPF? Complex data structures, async, better ergonomics?
The expressiveness vs. safety tradeoff is fascinating here. Would love to see benchmarks comparing identical functionality in both.
Not affiliated with Hacker News or Y Combinator. We simply enrich the public API with analytics.