Betrusted: Better Security

That's no Blackberry, it's a chat client!

bunnie - https://bunniestudios.com/ - @bunniestudios

Tom Marble - http://tmarble.info9.net/ - @tmarble

Sean Cross - https://xobs.io/ - @xobs



https://betrusted.io

p.xobs.io/lca20-bt ⬇️

Motivation: Hardware You Can Trust With Your Life

Issue #1: Complex Things are Hard to Analyze

Issue #2: Software Isolation is Dead

Speed or safety: pick one

Issue #3: Motivated Adversaries

Issue #4: Untrustable Supply Chains

Issue #5: There is no HMAC for Hardware

State of the Art: Secure Enclaves

The I/O Problem

Bottom Line: Want Trust? There are Tradeoffs

Betrusted: Verification Requires Simplicity. Simplicity Requires Focus.

  • The solution depends on the context
    • Mobile? Server? Type of user?
    • What is the minimum viable verifiable product?

The Betrusted Design Context

  • What:
    • Mobile device
  • Why:
    • Communication, authentication, wallet
  • Who:
    • "At-risk" end-users: high value targets (politically or financially); devs & enthusiasts
    • Global demographic (not just English-speaking)

Betrusted: A Security Chip with I/O

Simple and Verifiable by Design

  • 'Single-chip' design target
    • Minimize hardware attack surface
  • End-user verifiable I/O
    • Physical keyboard
    • Black and white LCD

Single-Chip Constraints

  • Cost vs. RAM creates a Goldilocks zone
    • At >90 nm, a "few" MiB of on-chip RAM makes the die too large
    • At <40 nm, up-front costs are too high, and there are no eFLASH options

Design Envelope Summary

  • Compute environment
    • "100-ish MHz" CPU
    • "Few" MiB RAM
  • I/O
    • Physical keyboard
    • Black/white LCD
    • SPI bridge to untrusted network coprocessor
  • Verifiable at point of use
  • Application requirements:
    • Text chat
    • Voice chat or calling
    • Authenticator
    • Wallet

Sorry, LCA: Linux Isn't Going to Cut It

  • 25+ million lines of code
  • 19,000 authors
    • Won't fit in the hardware
    • Impossible to audit

Xous: A Betrusted OS

Betrusted Goals

  1. <=4 MiB RAM
  2. Safe language
  3. Process Isolation
  • Microkernel
  • Auditable by one person

Microkernels

FlexSC: Flexible System Call Scheduling with Exception-Less System Calls

Too Many Cooks

"If there is one primary contributor, the chances for a file to be buggy decrease significantly."
Source: Microsoft Research

Felix' Rule of Thumb

The largest amount of security-related code that one person can reasonably audit is about 64 KiB of binary data

Principles of Software

  • Safety
  • Concurrency
  • Speed
  • Size

Rust OS Landscape

Rust-based OS: Tock

  • Active Project
  • RISC-V Port
  • C and Rust Libs
  • No MMU Support
  • No runtime spawn()
  • Limited messaging

Rust-based OS: Redox

  • Active Project
  • Full Rust stdlib
  • Full Userspace
  • x86_64 only
  • Unix-like
  • Desktop-focused

Rust-based OS: Tifflin

  • Active Project
  • Rust stdlib
  • Full Userspace
  • nightly only
  • Mainly x86_64
  • ???

Other Alternatives and Inspirations

  • ChibiOS - Embedded RTOS
  • HelenOS - Everything is a message
  • Solaris - Doors
  • QNX - Traditional Microkernel

Microkernels isolate processes and make syscalls cheap

Xous: System Design

Xous: Memory Model

  • Rust Borrow Checker
  • Message passing
  • Inter-process borrowing
  • Borrow types:
    • Mutable borrow: lender has No Access
    • Immutable borrow: lender has Read Only access
(Image CC-BY Tammy)

Xous: Memory Model

  1. Mutable Borrow
    • draw()
  2. Immutable Borrow
    • Mapping font database
  3. Move
    • Encrypting a string
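The three transfer kinds on this slide, modelled with plain Rust ownership so the borrow checker enforces the same access rules Xous enforces between processes. This is an added example, not Xous code; `Message`, `Reply`, `Frame`, `FontDb`, `server` and `client` are names assumed for illustration, and the XOR "cipher" is a constructed stand-in.

```rust
// Added illustration of the Xous memory model (not Xous' own API).
pub struct Frame { pub pixels: Vec<u8> }   // framebuffer the client lends mutably
pub struct FontDb { pub glyphs: Vec<u8> }  // font database the client lends read-only

/// What a client can hand to a server in one message.
pub enum Message<'a> {
    /// Mutable lend: server may write; lender has no access until the reply.
    Draw(&'a mut Frame, usize),
    /// Immutable lend: server may only read; lender keeps read access.
    GlyphWidth(&'a FontDb, usize),
    /// Move: server owns the buffer; lender can never read it again.
    Encrypt(Vec<u8>, u8),
}

pub enum Reply { Done, Width(u8), Ciphertext(Vec<u8>) }

/// The "server" side: each arm can only do what its borrow kind allows.
pub fn server(msg: Message<'_>) -> Reply {
    match msg {
        Message::Draw(frame, x) => { frame.pixels[x] = 0xff; Reply::Done }
        Message::GlyphWidth(db, i) => Reply::Width(db.glyphs[i]),
        Message::Encrypt(mut buf, key) => {
            // Constructed toy cipher: XOR each byte with the key.
            for b in buf.iter_mut() { *b ^= key; }
            Reply::Ciphertext(buf)
        }
    }
}

/// Client side: returns (pixel after draw, glyph width, ciphertext).
pub fn client() -> (u8, u8, Vec<u8>) {
    let mut frame = Frame { pixels: vec![0; 4] };
    server(Message::Draw(&mut frame, 1)); // `frame` is unusable until this returns
    let px = frame.pixels[1];             // access comes back after the reply

    let db = FontDb { glyphs: vec![5, 7, 9] };
    let w = match server(Message::GlyphWidth(&db, 2)) { Reply::Width(w) => w, _ => 0 };
    assert_eq!(db.glyphs[2], 9);          // immutable lend: client can still read it

    let secret = b"hello".to_vec();
    let ct = match server(Message::Encrypt(secret, 0x42)) {
        Reply::Ciphertext(c) => c,
        _ => Vec::new(),
    };
    // `secret` was moved: reading it here is a compile-time error (use of moved value)
    (px, w, ct)
}
```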

Xous: Interrupts

// Map the GPIO block, then claim IRQ 2 with a closure that increments
// the register on every interrupt. No kernel code is involved.
fn setup_int2() -> Result<(), XousError> {
    // Map one 4 KiB page of the GPIO peripheral at physical 0xe0000000
    let gpio = sys_memory_allocate(Some(0xe0000000), None, 4096)?;

    // The closure is moved into the registered handler and runs in this
    // process whenever interrupt 2 fires.
    sys_interrupt_claim(2, move |_int_num| {
        unsafe {
            let val = gpio.read_volatile();
            gpio.write_volatile(val + 1);
        }
    })
}
All in userspace

Xous: Missing Features

  • fork()
  • Filesystem Syscalls
  • Scheduler
  • Threads
  • Locking Primitives
  • Shared Libraries

Xous: Everything in Userspace

  • Small Kernel
  • Message Passing
  • Protected Memory


Understandable by one human
Made by many

Betrusted: Software

  • Voice chat/calling
  • Authenticator
  • Wallet
  • Notepad
  • Text Chat
    • essential building blocks

Rust Development progression

  1. Start on Linux / amd64
  2. Basic chat use cases
  3. Transitive dependency analysis
  4. Memory analysis
  5. Migrate to Xous / Risc-V

i18n: output

  • English
  • French, German (Latin-1)
  • Chinese
  • Arabic, Hebrew (RTL)

Emojis!

i18n: input

  • Localized, replaceable keyboards
  • Multiple planes (meta keys)
  • Dynamic word prediction/correction
  • Input Method Editors
  • Keyboard layouts shown: QWERTY, AZERTY, QWERTZ

  • CI
  • Simulation
  • On Target
  • UI Robot

How can I get involved?

  • Help us reimagine the UX for secure messaging
  • Stay tuned for mtxcli
  • Contribute (leverage our CI!)

Summary

  • Follow Betrusted online
    • betrusted.io
    • github.com/betrusted-io
  • Join our channel on Matrix: #betrusted:matrix.org

  • Questions?


The Betrusted project is made possible with financial support from NLnet and the NG10 Privacy & Trust Enhancing Technologies Fund.