General-purpose operating systems (OSes) rely on hardware-based isolation to confine user processes
to their own virtual address space. By doing so, they protect the system from malicious actors,
maintain privacy, and achieve fault tolerance. However, user applications must still be able to
communicate with each other and access the hardware for input/output (I/O). For this, OSes rely
on system calls, which allow the user applications to invoke kernel code in a controlled manner.
Every system call includes a switch from the unprivileged user mode to the privileged kernel mode.
Although these processor-mode and address-space switches are the essential isolation mechanisms
that guarantee the system's integrity, they induce direct and indirect performance costs as they
invalidate parts of the processor state. In recent years, high-performance network and storage
hardware have made the user/kernel transition overhead the bottleneck for input/output-heavy
applications. To make matters worse, security vulnerabilities in modern processors (e.g., Meltdown)
have prompted kernel mitigations that further increase the transition overheads. To decouple system
calls from user/kernel transitions, we propose AnyCall, which uses an in-kernel bytecode compiler to
execute safety-checked user code in kernel mode. This allows for multiple fast system calls interleaved
with error checking and processing logic, using only a single user/kernel transition. We implement
AnyCall using the Linux kernel’s Berkeley Packet Filter (BPF) subsystem, extending it to support
system-call invocation and user memory access. Being already supported in the kernel for flexible
event handling and debugging, reusing BPF to implement system-call aggregation demonstrates that
software-isolated processes are practical for modern general-purpose OSes. To demonstrate that
porting real-world user applications to AnyCall is both practical and straight-forward, we port two
real-world tools and document the code changes required. Finally, we evaluate AnyCall's performance
on systems with OS-level mitigations against transient execution vulnerabilities active or inactive,
including for example Kernel Page Table Isolation (KPTI) against Meltdown. On systems where KPTI
is inactive, we demonstrate speedups of up to 10% in compute-bound real-world applications. On the
other hand, when KPTI is active, our evaluation demonstrates that system-call bursts are up to 98%
faster using AnyCall, and that real-world applications are sped up by 32% to 40%.