December 28, 2025

Kernel chaos: Rust vs guard rails

Rex is a safe kernel extension framework that allows Rust in the place of eBPF

Rust in the kernel? Devs freak out as new tool skips guard rails

TLDR: Rex lets Rust programs run in the kernel without eBPF’s strict safety checks, promising speed and simplicity. Commenters erupted, calling it risky and “a security nightmare,” with jokey HolyC wishes and cautious voices saying it might fit custom modules—but not replace safety-first filters.

Meet Rex, a new framework that lets developers run tiny programs inside the operating system using Rust instead of the usual eBPF (a system for running tiny, sandboxed programs under strict safety checks). Rex skips eBPF’s in-kernel verifier and leans on “safe Rust” and the Rust compiler to keep things sane, promising fewer weird errors and better performance via native code. Sounds slick… until the comments lit up like a Christmas tree.

The hottest take: one Rust fan warned, “this is a security nightmare,” arguing the compiler has known edge cases and that eBPF’s limits exist for a reason—like making sure these tiny programs don’t run forever. Another skeptic asked, “isn’t that a bad thing?” about proudly avoiding restrictions. A more measured voice chimed in: Rust’s type system helps prevent bugs, but it’s not a security gate for kernel boundaries. Meanwhile, the memes arrived right on time: one joker demanded we “run HolyC in the kernel,” channeling retro OS cult vibes. Rex’s team says all this pain is exactly why eBPF is frustrating, and they show off a faster Memcached use case where complex eBPF hoops weren’t needed. But the crowd’s mood? Split between curiosity and “please don’t.” If you’re into kernel drama, this is it.

Key Points

  • Rex is a kernel extension framework that runs Rust programs as an alternative to eBPF, compiling safe Rust to native code via LLVM.
  • Rex avoids the in-kernel eBPF verifier and its constraints, aiming to reduce usability issues and arcane verification errors.
  • It supports five eBPF program types (kprobe, perf_event, tracepoint, XDP, tc), eBPF helpers, and eBPF maps.
  • Rex provides RAII-style resource management, panic cleanup with stack traces, and a thin runtime for termination safety and optional kernel stack.
  • A Memcached case study (BMC) shows Rex can implement complex logic without eBPF’s tail-calls or verifier-friendly constructs.
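Two of the key points above, RAII-style resource management with panic cleanup and a thin runtime for termination safety, are the parts the skeptics are really arguing about: safe Rust rules out memory-safety bugs, but the type system says nothing about whether an extension terminates, which is exactly what the eBPF verifier checks statically. The following toy is an added example written for this page, not Rex's code or API, and `Guard`, `Budget`, `STEP_BUDGET` and the two extension bodies are hypothetical stand-ins. It shows a body that compiles cleanly in safe Rust yet never returns, a per-invocation step budget enforced at run time in its place, and a `Drop`-based guard that is released whether the body returns normally or panics.

```rust
use std::cell::Cell;
use std::panic::{self, AssertUnwindSafe};
use std::rc::Rc;

/// Hypothetical stand-in for a kernel-held resource (a lock, a map reference).
/// It is released in `Drop`, so it is returned on normal return *and* on panic.
struct Guard {
    released: Rc<Cell<bool>>,
}

impl Drop for Guard {
    fn drop(&mut self) {
        self.released.set(true);
    }
}

/// Hypothetical per-invocation budget: the run-time counterpart of the eBPF
/// verifier's static termination check.
const STEP_BUDGET: u32 = 1_000;

struct Budget(u32);

impl Budget {
    /// Charge one step; exhausting the budget aborts the extension via panic,
    /// which unwinds through the guard and releases the resource.
    fn tick(&mut self) {
        if self.0 == 0 {
            panic!("step budget exhausted");
        }
        self.0 -= 1;
    }
}

/// A well-behaved extension body: bounded by its input.
fn sum_bytes(input: &[u8], budget: &mut Budget) -> u32 {
    let mut acc = 0u32;
    for b in input {
        budget.tick();
        acc += u32::from(*b);
    }
    acc
}

/// A misbehaving body. This is safe Rust and compiles without complaint:
/// nothing in the type system bounds the loop, only the runtime budget does.
fn runaway(budget: &mut Budget) -> u32 {
    loop {
        budget.tick();
    }
}

/// Minimal "runtime": take the guard, run the body under catch_unwind, and
/// report (result if it completed, whether the guard was released).
fn run_extension<F: FnOnce(&mut Budget) -> u32>(body: F) -> (Option<u32>, bool) {
    let released = Rc::new(Cell::new(false));
    let flag = Rc::clone(&released);
    let result = panic::catch_unwind(AssertUnwindSafe(|| {
        let _guard = Guard { released: flag };
        let mut budget = Budget(STEP_BUDGET);
        body(&mut budget)
    }));
    (result.ok(), released.get())
}

fn main() {
    // Constructed sample input.
    let packet = [1u8, 2, 3];
    println!("{:?}", run_extension(|b| sum_bytes(&packet, b))); // (Some(6), true)
    println!("{:?}", run_extension(runaway)); // (None, true) after the budget trips
}
```

The point of the second call is the one the "security nightmare" comment makes: the compiler accepted `runaway` just as readily as `sum_bytes`, so whatever termination guarantee a verifier-free design offers has to come from the runtime, and the guard's release on unwind is what keeps a tripped budget from leaking the kernel resource.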

Hottest takes

"this is a security nightmare of an idea" — vlovich123
"isn't that a bad thing?" — bawolff
"We need a way to run HolyC in the kernel" — dracarys18

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.