From 65KB WebAssembly to a Booting Windows Kernel: The Browser Tab That Thinks It’s a PC + Video

Listen to this Post

Featured Image

Introduction:

What if you could boot a 64-bit Windows kernel inside a browser tab—with no plugins, no special headers, and no remote servers—using just 65 kilobytes of WebAssembly and four megabytes of RAM? Security researcher Alexandre Borges (@ale_sp_brazil) has done exactly that. His project, nanokrnl, demonstrates a full x86-64 Windows NT‑shaped kernel written in Rust, running inside a custom emulator called nanox that compiles to a WebAssembly module small enough to fit on a floppy disk. This isn’t a toy 32‑bit emulator running DOS; it’s a genuine 64‑bit kernel with 4‑level paging, syscall/sysret, a local APIC, and a real IDT—all executing in your browser’s sandbox. For penetration testers, red teamers, and exploit developers, this represents a paradigm shift: the ability to test kernel‑level code, driver interactions, and memory corruption primitives entirely client‑side, with zero infrastructure and instant reproducibility.

Learning Objectives:

  • Understand the architectural differences between 32‑bit (v86) and 64‑bit (nanox) browser‑based emulation, and why off‑the‑shelf solutions fail for modern kernels.
  • Master the distinction between Windows cold boot, fast startup, and wake‑from‑hibernation—and how these concepts translate to browser‑based kernel instantiation.
  • Learn how Rust’s memory‑safe abstractions enable kernel‑development in hostile environments like the browser sandbox.
  • Acquire hands‑on commands to analyze Windows boot states, manipulate hibernation files, and detect fast startup vs. cold boot programmatically.
  1. Why v86 Won’t Cut It: The 64‑Bit Emulation Gap

Most browser‑based OS demos—from Windows 95 to Linux 2.4—rely on v86, a JavaScript/WebAssembly x86 emulator that faithfully reproduces a Pentium‑class PC. But v86 has a fatal limitation: it does not support 64‑bit long mode. Run a 64‑bit kernel under v86, and it panics with `Unimplemented: GP handler (cpu.rs:846)` before a single byte of serial output appears. The emulator simply cannot deliver a general‑protection fault through the IDT in long mode, and a 64‑bit kernel dies on its first fault.

The alternative, QEMU‑WASM, is QEMU compiled to WebAssembly via Emscripten—it would boot the kernel faithfully, but at ~46 MB and with strict requirements for SharedArrayBuffer, COOP/COEP cross‑origin isolation headers, and threading. That’s too heavy for a “see a kernel boot in a tab” demo, and the header requirements make it awkward to host on static sites.

nanox was written from scratch in Rust specifically to solve this: a bespoke x86‑64 emulator that compiles to 67,074 bytes (about 65 KB) of WebAssembly. No threads, no SharedArrayBuffer, no special headers—it drops onto any static host and just works.

Practical Takeaway for Security Researchers:

When testing kernel‑exploit primitives or driver interactions in a browser environment, verify the emulator’s long‑mode support first. Tools like v86 are excellent for legacy OS work but cannot handle modern 64‑bit kernels. If you need to test a 64‑bit payload or kernel‑mode exploit in a sandboxed browser context, you must use a long‑mode‑capable emulator like nanox or CheerpX.

  1. Cold Boot vs. Fast Boot: What’s Actually Happening Under the Hood

Windows has three startup modes:

  • Cold (traditional) – The boot loader constructs a kernel memory image by loading sections of the Windows kernel file into memory and linking them. The kernel then configures core system functions, enumerates devices, and loads drivers.
  • Wake‑from‑hibernation – Loads the hibernation file (Hiberfil.sys) and restores the previous system state.
  • Fast startup (introduced in Windows 8) – A hybrid: it performs a full shutdown of user‑mode sessions but saves the kernel session and drivers to disk, then restores them on the next power‑on, skipping the rebuild. This saves seconds off boot times but can cause issues in dual‑boot environments or when debugging kernel drivers.

How to Detect Fast Startup vs. Cold Boot Programmatically:

Kernel‑mode drivers can examine system power IRPs to distinguish fast startups from wake‑from‑hibernation. The `SYSTEM_POWER_STATE_CONTEXT` structure contains two critical bit fields:

  • If `TargetSystemState = PowerSystemHibernate` and `EffectiveSystemState = PowerSystemHibernate` → wake‑from‑hibernation.
  • If `TargetSystemState = PowerSystemShutdown` and `EffectiveSystemState = PowerSystemHibernate` → fast startup.

Windows Commands to Control Fast Startup:

 Check if Fast Startup is enabled
powercfg /availablesleepstates

Disable Fast Startup (requires admin)
powercfg /hibernate off

Enable Fast Startup
powercfg /hibernate on

Force a full cold boot on next restart (bypass Fast Startup)
shutdown /s /f /t 0

Linux Command to Check System Boot Time (for comparison):

 Check last boot time
who -b

Check system uptime
uptime

Check kernel boot messages
dmesg | grep "Linux version"

Why This Matters for Browser‑Based Kernel Demos:

When nanokrnl boots in a browser tab, it performs a true cold boot—loading the kernel image from scratch, initializing paging, setting up the IDT, and enumerating virtual devices. This is fundamentally different from resuming a hibernated state, and it’s why the demo is so impressive: every time you open the tab, you’re witnessing a complete, fresh kernel initialization in ~4 MB of RAM.

  1. Four Megabytes: The Kernel That Fits in a 1990s RAM Stick

The running operating system, at the `C:\` prompt, occupies about four megabytes. That’s not a stripped‑down microkernel; it’s a full NT‑shaped kernel that loads real Windows drivers and runs real Microsoft console binaries. For context:

  • The original Windows NT 3.1 kernel fit in ~4 MB.
  • A modern Windows 11 kernel image (ntoskrnl.exe) is typically 8–12 MB compressed.
  • The Linux kernel with basic drivers is often 5–15 MB.

nanokrnl achieves this density through careful engineering: it’s written in Rust, with no unnecessary abstractions, and the emulator (nanox) handles only the hardware interfaces the kernel actually uses—no legacy BIOS emulation, no floppy controller, no PS/2 mouse support unless needed.

Rust’s Role in Kernel Safety:

Microsoft has stated that for two decades, roughly 70% of its security vulnerabilities have been due to memory‑safety issues—the very class of bugs that C and C++ are susceptible to, and which Rust was designed from the ground up to prevent. Rust’s ownership model, borrow checker, and lack of undefined behavior catch memory‑safety bugs at compile time.

For kernel development, this is transformative. A buffer overread, null dereference, or race condition in Ring 0 causes an immediate BSOD and can corrupt system state irreparably. Rust eliminates entire classes of these vulnerabilities before the code even runs.

Code Snippet: Minimal Rust Kernel Entry Point

![bash]
![bash]

use core::panic::PanicInfo;

[bash]
fn panic(_info: &PanicInfo) -> ! {
loop {}
}

[bash]
pub extern "C" fn _start() -> ! {
// Kernel entry point - runs in Ring 0
// Initialize paging, IDT, GDT, etc.
loop {}
}

This is the skeleton of a Rust kernel—no standard library, no main function, just bare‑metal execution. nanokrnl extends this with real x86‑64 long‑mode setup, interrupt handling, and driver loading.

4. Browser Sandbox as a Kernel Testing Ground

Running a kernel inside a browser tab isn’t just a parlor trick—it has serious implications for security research and training:

  • Zero‑infrastructure kernel testing – No need for VMs, cloud instances, or physical hardware. Open a tab, and you have a kernel to experiment with.
  • Safe exploitation practice – Since the kernel runs inside WebAssembly’s sandbox, even a complete kernel panic won’t crash your host machine. You can test memory corruption primitives, null dereferences, and privilege escalation techniques without risk.
  • Reproducible environments – The entire kernel and emulator are static assets. Every researcher gets the identical environment, eliminating “works on my machine” problems.

Microsoft’s LiteBox: The Enterprise Cousin

Microsoft’s open‑source LiteBox project takes a similar approach but at the library‑OS level: a sandboxing library OS that drastically cuts down the interface to the host, reducing attack surface. LiteBox exposes a Rust‑y nix/rustix‑inspired interface and supports both kernel and non‑kernel scenarios. While nanokrnl targets browser‑based demonstration, LiteBox targets enterprise sandboxing—but both leverage Rust’s safety guarantees to minimize attack surface.

5. Practical Commands for Kernel & Boot Analysis

Windows: Analyzing Boot Performance

 View boot performance metrics
Get-WinEvent -LogName Microsoft-Windows-Diagnostics-Performance/Operational | 
Where-Object { $_.Id -eq 100 } | 
Select-Object TimeCreated, Message

Check if Fast Startup is enabled via Registry
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power" -1ame "HiberbootEnabled"

Disable Fast Startup via Registry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power" -1ame "HiberbootEnabled" -Value 0

Linux: Kernel Boot Analysis

 View kernel boot messages with timestamps
dmesg -T | less

Check kernel command-line parameters
cat /proc/cmdline

View systemd boot performance
systemd-analyze blame
systemd-analyze critical-chain

Detecting Cold Boot vs. Fast Startup in Windows Drivers (C):

// Inside a kernel-mode driver's power IRP handler
PSYSTEM_POWER_STATE_CONTEXT context = &irpSp->Power.SystemPowerStateContext;

if (context->TargetSystemState == PowerSystemHibernate &&
context->EffectiveSystemState == PowerSystemHibernate) {
// This is a wake-from-hibernation
} else if (context->TargetSystemState == PowerSystemShutdown &&
context->EffectiveSystemState == PowerSystemHibernate) {
// This is a fast startup
} else {
// This is a cold boot
}

What Undercode Say:

  • Key Takeaway 1: The browser is becoming a first‑class platform for kernel‑level security research. With nanox’s 65 KB WebAssembly footprint, we can now distribute fully functional 64‑bit kernel test environments that run anywhere with a modern browser—no installation, no virtualization overhead, no risk to the host.

  • Key Takeaway 2: Rust is not just a “nice‑to‑have” for kernel development; it’s a necessity for safe, browser‑sandboxed kernel execution. The memory‑safety guarantees that eliminate 70% of Microsoft’s historical vulnerabilities are the same guarantees that allow a kernel to run inside a browser tab without compromising the host. As Microsoft integrates Rust into Windows drivers and Linux officially supports Rust in the kernel since 6.1, we’re witnessing a fundamental shift in how system‑level software is written and deployed.

Analysis: Alexandre Borges’ nanokrnl project is more than a technical curiosity—it’s a proof of concept for the future of security training and exploit development. Traditional kernel debugging requires complex setups: VirtualBox or VMware, kernel debugging over serial or network, symbol servers, and crash dump analysis. nanokrnl reduces this to a URL. For red teams, this means instant, disposable kernel testbeds. For blue teams, it means accessible, reproducible environments for practicing detection and response. The four‑megabyte memory footprint is particularly significant: it enables the kernel to run on low‑end devices, including phones and tablets, opening up mobile security research to kernel‑level analysis. The use of Rust is equally critical—it’s not just about performance; it’s about correctness. In a world where browser sandbox escapes are a top‑tier exploit category, running a kernel in the same sandbox that’s supposed to contain untrusted JavaScript is a bold statement about Rust’s safety guarantees. If Microsoft’s own LiteBox project is any indication, this pattern—small, safe, sandboxed kernels—is the future of secure computation.

Prediction:

  • +1 Browser‑based kernel emulation will become a standard tool in cybersecurity training curricula within 18–24 months, replacing many traditional VM‑based labs due to lower cost, instant accessibility, and zero maintenance overhead.

  • +1 Rust will become the dominant language for Windows kernel driver development by 2028, as Microsoft continues to port critical kernel components and third‑party vendors adopt memory‑safe practices to reduce liability.

  • -1 The availability of browser‑sandboxed kernels will lower the barrier to entry for kernel‑level exploit development, potentially increasing the number of zero‑day discoveries—and the number of malicious actors capable of finding them.

  • +1 WebAssembly’s sandbox model will evolve to support more fine‑grained kernel‑level isolation, enabling multi‑tenant kernel testing platforms where multiple researchers can safely run concurrent kernel instances in the same browser session.

▶️ Related Video (76% Match):

https://www.youtube.com/watch?v=_8T9T6MQ1fU

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Aleborges Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky