As a lover of Rust, ooo boy does this sound like a bad idea. The Rust compiler is not guaranteed to always output safe code against malicious inputs given that there’s numerous known soundness bugs that allow exploiting this. Unless I’m missing something this is a security nightmare of an idea.
Also there’s reasons why eBPF programs aren’t allowed to run arbitrarily long and this just ignores that problem too.
I asked about this when they presented the project at the Linux Plumbers conference. They replied that it's not really intended to be a security boundary, and that you should not let anyone malicious load these programs.
Given this thread model, I think their project is entirely reasonable. Safe Rust will prevent accidental mistakes even if you could technically circumvent it if you really try.
> We currently do not support unprivileged use case (same as BPF). Basically, Rex extensions are expected to be loaded by privileged context only.
As I understand it, in privileged context would be one where one is also be able to load new kernel modules, that also don't have any limitations, although I suppose the system could be configured otherwise as well for some reasons.
So this is like a more convenient way to inject kernel code at runtime than kernel modules or eBPF modules are, with some associated downsides (such as being less safe than eBPF; the question about non-termination seems apt at the end of the thread). It doesn't seem like they are targeting to actually put this into mainstream kernel, and I doubt it could really happen anyway..
This is a pretty cool project and I think the comments here are being overly negative. Sure, removing the constraints that the eBPF verifier requires might encourage more complex and less performant code - but this is just another tool in the toolbox. For truly production systems, I can see the battle-tested eBPF being the top choice over a dubious kernel extension. But for quick prototyping? Rex can probably take the cake here once the project matures a bit more.
please don't (replace your typical eBPF filter with it, but do replace you custom kernel modules with it where viable ;) )
rust type system is not a security mechanism
it's a mechanism to avoid bugs which can become security issues not a way to enforce well behavior on a kernel boundary
as an example the current rust compiler has some bugs where it accepts unsound programs which are not seen as supper high priority as you most most likely won't run into them by accident. If rust where a verification system enforcing security at a kernel boundary this would be sever CVEs...
also eBPF verification checks more properties, e.g. that a program will deterministically terminate and can't take too long to do so, which is very important for the kind of thing eBPF is(1).
and eBPF programs are also not supposed to do anything overly complex or difficult to compute but instead should only do "simple" checks and accounting and potentially delegate some parts to user space helper program. So all the nice benefits rust has aren't really that useful.
In the end there is a huge gap between the kind of "perfect verification" you need for something like eBPF and "type checking to avoid nasty bugs". One defends against mistakes the other against malicious code.
To be fair if your use case doesn't fit into eBPF at all and you choice is rex-rs or a full kernel driver rex-rs is seems a far better choice then a full custom rust driver in a lot of way.
IMHO it would be grate if rust verification could become at some point so good that it can protect reliably against malicious code and have extensions for enforcing code with guaranteed termination/max execution budged. But rust isn't anywhere close to it, and it's also not a core goal rust development focused on.
(1): In case anyone is wondering how that works given that the halting problem is undecidable: The halting problem applies to any arbitrary program. But there are subsets of programs which can be proven to halt (or not halt). E.g. `return 0` is trivially proven to halt and `while True: pass` trivially to not halt (but `while(1){}` is UB in C++ and henceforth might be compiled to a program which halts, it's still an endless loop in C)
Do they interact at all with the main rust community?
It seems a little disingenuous to describe "community" as including people who haven't even attempted to interact with anyone in the community other than forking their code.
It’s a common HN trope to generalise a “community” based on a handful of people or even just one person. “See this is why I dislike the xyz community”, says a person justifying their confirmation bias.
Perhaps the world is too complex without breaking it down into in-groups and out-groups, with any out-groups supposedly being completely homogenous. Pretty intellectually lazy but fairly common on HN, to the point where it’s not even worth calling out.
You may be correct but pjmlp is not one of those and if you had been here long enough you would have known that. You're the one creating an in-group here and putting yourself on the 'good' side. Perhaps that is too complex for you but I think it is intellectually lazy not to get who you're referring to before making comments such as these. Note that your strawman "See this is why I dislike the xyz community" wasn't part of this thread at all.
One could also say some in the C or C++ communities actually care about security, thus no need for Rust or alike, yet no one is paying attention to those small groups in the corner.
A village is judged by its population actions, and even the black sheeps count to its overall image from outsiders.
Indeed. If there is one person here that keeps their footing in language debates it is you (and I'm always blown away with how many details you have at instant recall that I never realized were there). So thank you for the lessons over the years, it has helped me evaluate my choices better.
As for that sentence: I think Rust has its place, I do not agree at all with their 'rewrite' mantra because there are a ton of risks associated with rewrites that have nothing to do in what language the code is written in, just that it is a rewrite.
I think the Rust folks should go all-in on Redox and fix their tool optimization issues. And do one thing and do that well rather than to be the next Swiss army knife of programming. And I also think that the C and C++ folks can do a lot better still. Filip is doing something interesting I think and if there a practical solution to the C heritage I think it lies more in his direction than in rewriting billions of lines of battle tested code. Performance isn't nearly as important as it used to be. Another thing that I think would be beneficial would be to take as many device drivers out of the linux kernel as possible and run them as userspace processes.
Anyway, belated Merry Christmas to you and a pre-emptive happy 2026!
That dude said “even worse when coming from supposedly security conscious programming language community”. The comment is dripping with contempt, pointing out that the “community” makes tall claims that are unfounded. And he said this based purely on one comment. This contempt clearly indicated a dislike, which I generalised to “I dislike xyz community”. To which you reply with “strawman”. Sure.
You’re then accusing me of being intellectually lazy for not giving high karma accounts the respect they deserve. Come off it. I’m going to judge comments by their content, not by the karma of the author. You shaming me is not going to make me change that.
Also there’s reasons why eBPF programs aren’t allowed to run arbitrarily long and this just ignores that problem too.
Given this thread model, I think their project is entirely reasonable. Safe Rust will prevent accidental mistakes even if you could technically circumvent it if you really try.
If it has to be native code, it should live on user space, at very least.
> We currently do not support unprivileged use case (same as BPF). Basically, Rex extensions are expected to be loaded by privileged context only.
As I understand it, in privileged context would be one where one is also be able to load new kernel modules, that also don't have any limitations, although I suppose the system could be configured otherwise as well for some reasons.
So this is like a more convenient way to inject kernel code at runtime than kernel modules or eBPF modules are, with some associated downsides (such as being less safe than eBPF; the question about non-termination seems apt at the end of the thread). It doesn't seem like they are targeting to actually put this into mainstream kernel, and I doubt it could really happen anyway..
rust type system is not a security mechanism
it's a mechanism to avoid bugs which can become security issues not a way to enforce well behavior on a kernel boundary
as an example the current rust compiler has some bugs where it accepts unsound programs which are not seen as supper high priority as you most most likely won't run into them by accident. If rust where a verification system enforcing security at a kernel boundary this would be sever CVEs...
also eBPF verification checks more properties, e.g. that a program will deterministically terminate and can't take too long to do so, which is very important for the kind of thing eBPF is(1).
and eBPF programs are also not supposed to do anything overly complex or difficult to compute but instead should only do "simple" checks and accounting and potentially delegate some parts to user space helper program. So all the nice benefits rust has aren't really that useful.
In the end there is a huge gap between the kind of "perfect verification" you need for something like eBPF and "type checking to avoid nasty bugs". One defends against mistakes the other against malicious code.
To be fair if your use case doesn't fit into eBPF at all and you choice is rex-rs or a full kernel driver rex-rs is seems a far better choice then a full custom rust driver in a lot of way.
IMHO it would be grate if rust verification could become at some point so good that it can protect reliably against malicious code and have extensions for enforcing code with guaranteed termination/max execution budged. But rust isn't anywhere close to it, and it's also not a core goal rust development focused on.
(1): In case anyone is wondering how that works given that the halting problem is undecidable: The halting problem applies to any arbitrary program. But there are subsets of programs which can be proven to halt (or not halt). E.g. `return 0` is trivially proven to halt and `while True: pass` trivially to not halt (but `while(1){}` is UB in C++ and henceforth might be compiled to a program which halts, it's still an endless loop in C)
Maybe i'm missing something, but isn't that a bad thing?
Why judge the whole Rust community for the choices made by one minor subgroup?
Rust Striking Force meme exists for a reason, their actions are also not supported by the core team.
Many of the core team and by large its community witness RESF in action for long before sending in a few words isn't exactly not supported in my book.
But then again I understand every PL needs a lot of push and marketing. It just went way too far in one direction.
It seems a little disingenuous to describe "community" as including people who haven't even attempted to interact with anyone in the community other than forking their code.
Perhaps the world is too complex without breaking it down into in-groups and out-groups, with any out-groups supposedly being completely homogenous. Pretty intellectually lazy but fairly common on HN, to the point where it’s not even worth calling out.
One could also say some in the C or C++ communities actually care about security, thus no need for Rust or alike, yet no one is paying attention to those small groups in the corner.
A village is judged by its population actions, and even the black sheeps count to its overall image from outsiders.
As for that sentence: I think Rust has its place, I do not agree at all with their 'rewrite' mantra because there are a ton of risks associated with rewrites that have nothing to do in what language the code is written in, just that it is a rewrite.
I think the Rust folks should go all-in on Redox and fix their tool optimization issues. And do one thing and do that well rather than to be the next Swiss army knife of programming. And I also think that the C and C++ folks can do a lot better still. Filip is doing something interesting I think and if there a practical solution to the C heritage I think it lies more in his direction than in rewriting billions of lines of battle tested code. Performance isn't nearly as important as it used to be. Another thing that I think would be beneficial would be to take as many device drivers out of the linux kernel as possible and run them as userspace processes.
Anyway, belated Merry Christmas to you and a pre-emptive happy 2026!
You’re then accusing me of being intellectually lazy for not giving high karma accounts the respect they deserve. Come off it. I’m going to judge comments by their content, not by the karma of the author. You shaming me is not going to make me change that.
(I may come across as an Ada zealot myself.)