8 रिपॉजिटरी
Implementations of kernel interfaces running in userspace to isolate application system calls.
Distinct from Kernel Updaters: Distinct from Kernel Updaters: focuses on reimplementing kernel interfaces in userspace rather than patching host kernels.
Explore 8 awesome GitHub repositories matching operating systems & systems programming · Userspace Kernels. Refine with filters or upvote what's useful.
This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary. The runtime distinguishes itself through its ability to virtualize core system resources, including an indepen
Executes application system calls within a restricted, memory-safe userspace kernel implementation.
Redox is a POSIX-compliant, microkernel-based operating system written entirely in Rust. By utilizing a memory-safe language for the kernel and all system components, the project eliminates common vulnerabilities such as buffer overflows and use-after-free errors. Its architecture relies on a minimal kernel that manages only essential hardware and process isolation, delegating all other system services to unprivileged user-space processes. The system distinguishes itself through a modular design where hardware drivers and system services run as independent user-space daemons, allowing them to
Delegates non-core system services to unprivileged user-space processes to minimize the kernel footprint.
OpenCorePkg is a modular UEFI bootloader designed to initialize hardware and facilitate the loading of modern operating systems on non-standard or unsupported hardware. It functions as a comprehensive firmware emulation environment, providing the necessary runtime services and memory management to bridge the gap between diverse hardware configurations and operating system requirements. The project distinguishes itself through its ability to perform runtime kernel patching and system firmware modification, allowing for the injection of drivers and the manipulation of hardware tables during the
Executes firmware-compliant code within standard operating system environments to facilitate rapid development and testing without requiring dedicated hardware.
NodeOS is an operating system that boots a Linux kernel with Node.js running as the primary userspace, replacing traditional shell utilities with JavaScript execution. Every npm package is treated as a native system command, making hundreds of thousands of packages directly executable at the OS level. The operating system is built inside Docker containers using a reproducible pipeline that generates ext2 filesystem images, with the ability to conditionally disable KVM for systems without hardware virtualization. It mounts a persistent usersfs partition for user home directories, preserving ch
Boots a Linux kernel with Node.js as the primary userspace, replacing traditional shell utilities.
Afero is a Go library that provides a unified filesystem abstraction, allowing applications to interact with local disk, in-memory storage, cloud services, archives, and remote systems through a single, consistent interface. At its core, it defines a standard interface that all filesystem backends implement, enabling developers to swap storage implementations without changing application code. The library distinguishes itself through its composable architecture, which includes layered filesystem composition for creating cached, sandboxed, or restricted storage views. It offers a copy-on-write
Makes any filesystem backend available as a real mounted directory on the operating system via FUSE.
libfuse is a library and kernel module combination that enables the development of custom Linux filesystems that run in userspace rather than in kernel space. It provides a bridge between the kernel's virtual filesystem layer and a userspace daemon, allowing filesystem operations to be forwarded and handled by a regular user process. The project offers two distinct APIs: a high-level callback-driven API where filesystem operations are implemented as simple functions that return results synchronously, and a low-level API that exposes raw kernel request structures directly for fine-grained contr
Provides the core kernel-to-userspace bridge that forwards VFS operations to a daemon via a character device.
seL4 is a formally verified microkernel whose C implementation is backed by machine-checked mathematical proofs of correctness, confidentiality, integrity, and availability. It enforces strict isolation between processes through hardware-enforced address space separation and a capability-based access control system, where each process holds explicit rights only to the resources it has been granted. The kernel exposes hardware resources through a minimal API of system calls that manage threads, address spaces, and inter-process communication, with synchronous IPC supporting sender-identifying b
Provides a kernel API for userspace processes to set breakpoints, watchpoints, and single-step threads.
This project is an educational resource providing a comprehensive development tutorial for writing and loading eBPF programs using C, Go, and Rust within the Linux kernel. It serves as a technical guide for developing custom logic to execute directly in the kernel. The materials cover specialized domains including kernel observability and tracing, security implementation for intrusion detection, and high-performance network engineering for packet filtering and load balancing. It also includes dedicated manuals for Linux kernel tracing and the use of kprobes, uprobes, and tracepoints. The pro
Captures function calls and application state in user-space using a combination of uprobes and USDT.