Existing kernel extension mechanisms—such as eBPF—rely on static symbolic execution within the in-kernel verifier. A semantic gap between language semantics and verifier rules frequently leads to false positives, rejecting safe programs and undermining usability and maintainability. This paper introduces Rax, a novel framework that pioneers a “language-level safety + lightweight exokernel runtime” co-design paradigm, eliminating in-kernel symbolic execution verification entirely. Leveraging safe Rust and a custom kernel crate, Rax natively guarantees exception safety, stack safety, and termination. All safety guarantees are established in userspace, significantly improving developer experience and software maintainability. Performance remains competitive with eBPF, with overheads negligible in practice. Rax has been rigorously validated through real-world storage and networking extensions, demonstrating both practicality and robustness.

Safe kernel extensions have gained significant traction, evolving from simple packet filters to large, complex programs that customize storage, networking, and scheduling. Existing kernel extension mechanisms like eBPF rely on in-kernel verifiers to ensure safety of kernel extensions by static verification using symbolic execution. We identify significant usability issues -- safe extensions being rejected by the verifier -- due to the language-verifier gap, a mismatch between developers' expectation of program safety provided by a contract with the programming language, and the verifier's expectation. We present Rax, a new kernel extension framework that closes the language-verifier gap and improves the usability of kernel extensions in terms of programming experience and maintainability. Rax builds upon language-based safety to provide safety properties desired by kernel extensions, along with a lightweight extralingual runtime for properties that are unsuitable for static analysis, including safe exception handling, stack safety, and termination. With Rax, kernel extensions are written in safe Rust and interact with the kernel via a safe interface provided by Rax's kernel crate. No separate static verification is needed. Rax addresses usability issues of eBPF kernel extensions without compromising performance.