vKernel is a kernel virtualization framework for improving kernel isolation among containers. Unlike the existing approaches based on kernel duplication, vKernel only virtualizes code and data minimally necessary for isolation. While ordinary execution and data access are carried out in the containers at userspace or in the host kernel, sensitive computation and accesses that require security checks are redirected to vKernel.
At heart, vKernel relies on in-kernel function tracing hooks (ftrace) to intercept requests sent to the host kernel and redirect them to a vKernel instance (vKI), where a container-specific system call table, capabilities, file permission lists, and other user-defined functions and data are implemented and stored. Users can customize security profiles and generate a specialized vKernel instance that provides the same types of security checks as the existing kernel security mechanisms, but more efficiently and more securely. The vKI can be dynamically loaded and updated as a kernel module and is independent of the host kernel.
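The following is an added example, not code from the vKernel project: a user-space C model of the dispatch path just described, in which a per-container vKI holds its own syscall table, capability set and file permission list, and a hook routes each request through that table instead of the host's global one. The toy syscall numbers, the `CAP_SYS_ADMIN_T` bit, the stub "host" handlers and the names `struct vki` and `vki_dispatch` are all assumptions for illustration; the real framework interposes with ftrace inside the kernel, which has no user-space equivalent, so the hook is modelled as a plain function call.

```c
/* Added example, not vKernel's own code: a user-space model of vKI dispatch.
 * Syscall numbers, capability bit, host stubs and all names are constructed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy syscall numbers and access modes used by the model (constructed). */
enum { SYS_OPEN_T = 0, SYS_WRITE_T = 1, SYS_SETHOST_T = 2, NR_SYSCALLS = 3 };
#define MODE_R 1u
#define MODE_W 2u
#define CAP_SYS_ADMIN_T (1u << 0)   /* toy capability bit, not the kernel's */

struct vki;
typedef long (*syscall_fn)(const struct vki *vk, const char *path, unsigned mode);

/* One file-permission rule: paths under `prefix` may be opened with `mode`. */
struct file_rule { const char *prefix; unsigned mode; };

/* A vKernel instance: one per container, holding that container's own
 * syscall table, capability set and file permission list. */
struct vki {
    const char *container;
    syscall_fn table[NR_SYSCALLS];  /* NULL = syscall not offered to this container */
    uint32_t caps;
    const struct file_rule *rules;
    size_t nrules;
};

/* "Host kernel" handlers: the ordinary path with no container-specific checks.
 * They are stubs returning a constructed fd (3) or success (0). */
static long host_open(const struct vki *vk, const char *path, unsigned mode)
{ (void)vk; (void)path; (void)mode; return 3; }
static long host_write(const struct vki *vk, const char *path, unsigned mode)
{ (void)vk; (void)path; (void)mode; return 0; }
static long host_sethostname(const struct vki *vk, const char *path, unsigned mode)
{ (void)vk; (void)path; (void)mode; return 0; }

/* vKI-side checks: sensitive calls are redirected here before reaching the host. */
static bool vki_file_allowed(const struct vki *vk, const char *path, unsigned mode)
{
    for (size_t i = 0; i < vk->nrules; i++) {
        const struct file_rule *r = &vk->rules[i];
        if (strncmp(path, r->prefix, strlen(r->prefix)) == 0)
            return (r->mode & mode) == mode;   /* first matching prefix decides */
    }
    return false;                               /* no rule matched: default deny */
}

static long vki_open(const struct vki *vk, const char *path, unsigned mode)
{
    if (path == NULL || !vki_file_allowed(vk, path, mode))
        return -EACCES;
    return host_open(vk, path, mode);
}

static long vki_sethostname(const struct vki *vk, const char *path, unsigned mode)
{
    if (!(vk->caps & CAP_SYS_ADMIN_T))          /* container-specific capability check */
        return -EPERM;
    return host_sethostname(vk, path, mode);
}

/* Stand-in for the ftrace hook: route the request through the calling
 * container's own syscall table instead of the host's global one. */
long vki_dispatch(const struct vki *vk, int nr, const char *path, unsigned mode)
{
    if (nr < 0 || nr >= NR_SYSCALLS || vk->table[nr] == NULL)
        return -ENOSYS;
    return vk->table[nr](vk, path, mode);
}

/* Two constructed containers with different security profiles. */
static const struct file_rule web_rules[] = {
    { "/var/www/", MODE_R },
    { "/tmp/", MODE_R | MODE_W },
};
const struct vki web_vki = {
    .container = "web",
    .table = { [SYS_OPEN_T] = vki_open, [SYS_WRITE_T] = host_write }, /* no sethostname */
    .caps = 0,
    .rules = web_rules, .nrules = 2,
};

static const struct file_rule admin_rules[] = { { "/", MODE_R | MODE_W } };
const struct vki admin_vki = {
    .container = "admin",
    .table = { [SYS_OPEN_T] = vki_open, [SYS_WRITE_T] = host_write,
               [SYS_SETHOST_T] = vki_sethostname },
    .caps = CAP_SYS_ADMIN_T,
    .rules = admin_rules, .nrules = 1,
};

int main(void)
{
    printf("web open /var/www/index.html (read):  %ld\n",
           vki_dispatch(&web_vki, SYS_OPEN_T, "/var/www/index.html", MODE_R));
    printf("web open /etc/shadow (read):          %ld\n",
           vki_dispatch(&web_vki, SYS_OPEN_T, "/etc/shadow", MODE_R));
    printf("web sethostname:                      %ld\n",
           vki_dispatch(&web_vki, SYS_SETHOST_T, NULL, 0));
    printf("admin sethostname:                    %ld\n",
           vki_dispatch(&admin_vki, SYS_SETHOST_T, NULL, 0));
    return 0;
}
```

The point of the model is the lookup order: the hook consults the container's vKI first, so a syscall the profile does not list is refused before any host code runs, while unlisted-but-harmless calls such as `write` can be wired straight to the host handler, which is the "ordinary execution stays in the host kernel" split described above.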
What's more, users can customize vKernel to improve data isolation in the commonly used futex system call, enable different configurations of shared kernel parameters, and support customized scheduling that takes effect only in a particular container.