ZeroOS: A Universal Modular Library OS for zkVMs

TL;DR

The paper tackles the incompatibility gap between ISA-level zkVMs and real-world software by proposing ZeroOS, a universal modular libOS that uses a language-agnostic syscall shim to run unmodified applications as verifiable vApps. By decoupling OS functionality from language-specific toolchains and enabling a pay-for-what-you-use modular kernel, ZeroOS reduces version hell and consolidates security auditing across zkVM projects. The design centers on a three-part architecture (build config, bootloader, kernel) with a minimal, pluggable runtime and a deterministic, auditable execution model suitable for zkVM proofs. While initial implementation targets single-process unikernels with non-preemptive threading, the approach lays a robust foundation for future enhancements such as virtual memory, multitasking, VFS, and networking, broadening the applicability of verifiable computation across zkVM ecosystems.

Abstract

zkVMs promise general-purpose verifiable computation through ISA-level compatibility with modern programs and toolchains. However, compatibility extends further than just the ISA; modern programs often cannot run or even compile without an operating system and libc. zkVMs attempt to address this by maintaining forks of language-specific runtimes and statically linking them into applications to create self-contained unikernels, but this ad-hoc approach leads to version hell and burdens verifiable applications (vApps) with an unnecessarily large trusted computing base. We solve this problem with ZeroOS, a modular library operating system (libOS) for vApp unikernels; vApp developers can use off-the-shelf toolchains to compile and link only the exact subset of the Linux ABI their vApp needs. Any zkVM team can easily leverage the ZeroOS ecosystem by writing a ZeroOS bootloader for their platform, resulting in a reduced maintainence burden and unifying the entire zkVM ecosystem with consolidated development and audit resources. ZeroOS is free and open-sourced at https://github.com/LayerZero-Labs/ZeroOS.

Figures (7)

• Figure 1: ZeroOS versus status quo. Prior zkVM toolchains patch each language's standard library (red), whereas ZeroOS patches the syscall trap handler (blue), which is a generic and language-agnostic solution.
• Figure 2: Version hell. Using a forked toolchain, each zkVM may need to maintain many different versions across multiple languages. Security patches also need to be rapidly backported to older versions to support customers who have not yet upgraded, creating a near-intractable long-term operational burden.
• Figure 3: ZeroOS minimizes platform-specific and language-specific code, improving security and simplifying maintenance.
• Figure 4: The ZeroOS package is a collection of packages, including libc (ZeroOS-runtime-musl), bootloader (ZeroOS-arch-riscV), syscall ABI (ZeroOS-os-linux), syscall wrappers (ZeroOS-core), and various implementations of OS primitives (e.g., freelist allocator) in separate modular sub-packages. Each zkVM platform must implement __platform_bootstrap which is called by bootloader _start. vApps automatically inherit this entire stack when they import the platform (zkVM) package into their project.
• Figure 5: The ZeroOS kernel includes the trap handler (handle_sys), wrapper interfaces for each syscall, and a set of imported syscall ops. The syscall ops primitives concretely implement all of the necessary low-level operations invoked by the abstract wrappers.