Betrusted: Being Secure

That's no Blackberry, it's a chat client!

Sean Cross - https://xobs.io/ - @xobs

Betrusted: A Security Chip with I/O

Xous: A Betrusted OS

Betrusted Goals

  1. <=4 MiB RAM
  2. Safe language
  3. Process Isolation
  • Microkernel
  • Auditable by one person

Microkernels

FlexSC: Flexible System Call Scheduling with Exception-Less System Calls

Too Many Cooks

if there is one primary contributor, the chances for a file to be buggy decrease significantly
Source: Microsoft Research

Felix's Rule of Thumb

The largest amount of security-related code that one person can reasonably audit is about 64 KiB of binary data

Principles of Software

  • Safety
  • Concurrency
  • Speed
  • Size

Rust OS Landscape

Rust-based OS: Tock

  • Active Project
  • RISC-V Port
  • C and Rust Libs
  • No MMU Support
  • No runtime spawn()
  • Limited messaging

Rust-based OS: Redox

  • Active Project
  • Full Rust stdlib
  • Full Userspace
  • x86_64 only
  • Unix-like
  • Desktop-focused

Rust-based OS: Tifflin

  • Active Project
  • Rust stdlib
  • Full Userspace
  • nightly only
  • Mainly x86_64
  • ???

Other Alternatives and Inspirations

  • ChibiOS - Embedded RTOS
  • HelenOS - Everything is a message
  • Solaris - Doors
  • QNX - Traditional Microkernel

Microkernels isolate and make IPC cheap

Xous: System Design

Xous: Memory Model

  • Rust Borrow Checker
  • Message passing
  • Inter-process borrowing
  • Borrow types:
    • Mutable
    • Immutable
    • Read Only
    • No Access
Image CC-BY Tammy

Xous: Memory Model

  1. Mutable Borrow
    • draw()
  2. Immutable Borrow
    • Mapping font database
  3. Move
    • Encrypting a string
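The three message kinds above map directly onto Rust's own ownership rules. The following is an added example (not code from the Betrusted/Xous project): a single-process model in which a mutable borrow lends a framebuffer to a hypothetical draw() server, an immutable borrow lends a font database read-only, and a move hands a plaintext buffer to a hypothetical encrypt server so the client can no longer reach it. The server names, the XOR "cipher" and the sample buffers are all constructed for illustration; in Xous the kernel enforces the same contracts by remapping pages between processes, whereas here the borrow checker enforces them at compile time.

```rust
// Added example, not from the Xous slides. Models the three Xous message
// kinds with Rust ownership so each contract is visible in one process.

/// A message a client hands to a server. The variant decides what the
/// server may do with the memory and what the client keeps.
pub enum Message<'a> {
    /// Mutable borrow: server gets exclusive read/write access until it returns.
    MutableBorrow(&'a mut [u8]),
    /// Immutable borrow: server reads only; the client may keep reading too.
    ImmutableBorrow(&'a [u8]),
    /// Move: ownership transfers; the client can no longer touch the buffer.
    Move(Vec<u8>),
}

/// Hypothetical graphics server: draw() writes pixels in place, so it
/// needs the framebuffer by mutable borrow.
pub fn draw(framebuffer: &mut [u8], x: usize, value: u8) {
    if let Some(px) = framebuffer.get_mut(x) {
        *px = value;
    }
}

/// Hypothetical font server: mapping the font database only needs reads,
/// so an immutable borrow suffices and many readers can share it.
pub fn glyph_width(font_db: &[u8], glyph: u8) -> u8 {
    font_db.get(glyph as usize).copied().unwrap_or(0)
}

/// Hypothetical crypto server: takes the plaintext by move and returns the
/// ciphertext, so plaintext never lives in two address spaces at once.
/// Repeating XOR with a constructed key stands in for a real cipher.
pub fn encrypt(mut plaintext: Vec<u8>, key: &[u8]) -> Vec<u8> {
    for (i, b) in plaintext.iter_mut().enumerate() {
        *b ^= key[i % key.len()];
    }
    plaintext
}

/// Route a message to its server. A move yields a new buffer; a borrow's
/// effect (if any) is in place, so nothing is returned.
pub fn dispatch(msg: Message<'_>, key: &[u8]) -> Option<Vec<u8>> {
    match msg {
        Message::MutableBorrow(buf) => {
            draw(buf, 0, 0xff);
            None
        }
        Message::ImmutableBorrow(buf) => {
            let _ = glyph_width(buf, 1);
            None
        }
        Message::Move(buf) => Some(encrypt(buf, key)),
    }
}

/// Client side: exercise all three message kinds on constructed data and
/// return (pixel written by draw, glyph width still readable, ciphertext).
pub fn demo() -> (u8, u8, Vec<u8>) {
    let key: [u8; 2] = [0x5a, 0xa5]; // constructed key

    let mut framebuffer = vec![0u8; 8];
    dispatch(Message::MutableBorrow(&mut framebuffer), &key);
    let px = framebuffer[0]; // borrow has ended; client sees the result

    let font_db = vec![5u8, 7, 9]; // constructed "font database"
    dispatch(Message::ImmutableBorrow(&font_db), &key);
    let width = glyph_width(&font_db, 1); // still usable: it was only lent

    let secret = b"hello".to_vec();
    let ciphertext = dispatch(Message::Move(secret), &key).unwrap();
    // `secret` was moved: using it here is a compile error, which is the
    // same property Xous enforces at the page-table level.
    (px, width, ciphertext)
}

fn main() {
    let (px, width, ct) = demo();
    println!("pixel={:#x} width={} ciphertext={:02x?}", px, width, ct);
}
```

The point of the model is the third case: after the move, the client cannot read the plaintext back even by mistake, and the same XOR applied to the ciphertext with the same key recovers it only on the server side that now owns it.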

Xous: Interrupts

fn setup_int2() -> xous::Result {
    // Map the GPIO block's physical page into this process's address space
    // (physical 0xe0000000, any virtual address, one 4 KiB page).
    let gpio = xous::syscall::map_physical(
            Some(0xe0000000), None, 4096)?;

    // Claim IRQ 2. The kernel hands `gpio` back as the handler's argument,
    // so the handler runs in this process rather than in the kernel.
    xous::syscall::claim_interrupt(2, |_int_num, gpio| {
        unsafe {
            // MMIO register: volatile access so the compiler cannot elide it.
            let val = gpio.read_volatile();
            gpio.write_volatile(val + 1);
        };
    }, gpio)
}
All in userspace

Xous: Missing Features

  • fork()
  • Filesystem
  • Scheduler
  • Threads
  • Locking primitives
  • Shared libraries

Xous: Everything in Userspace

  • Small Kernel
  • Message Passing
  • Protected Memory


Understandable by one human
Made by many

Developing Xous

Renode: C: The Good Parts