RedLeaf: Isolation and Communication in a Safe Operating System

1 minute read

Published:

Contribution

Rv6: a POSIX-subset OS.

A language-based isolation domain mechanism which:

  • can be dynamically loaded and cleanly terminated
  • is zero-copy, fault isolation & transparent recovery of device drivers

IDL (in some way a prototype of Fuchsia’s FIDL)

  • Compilation rather than runtime

Background

About OS

About Rust

  • The only runtime overhead of Rust is bound checking that can be concealed by Out-of-Order of modern computer.
  • Language safety alone cannot guarantee fault-isolation and termination of untrusted subsystems.
  • A mechanism isolates faults: terminate a faulting or misbehaving computation and leave the system in a clean state.
    • deallocate all previously-used resources
    • preserve the objects that has been passed through communication channels
    • future invocations are prohibited

Trust Base

  • Rust compiler
  • Rust core libraries
  • Non-malicious devices (can be spared by IOMMU)

Implementation

Core Ideas

  • Heap isolation
    • private and shared heap
    • memory allocation on the domain heap
  • Exchangeable types
  • Ownership tracking
    • RRef<T>
  • Interface validation:
  • Cross-domain call proxying
    • based on IDL compiler
    • static analysis on AST of interfaces

Others

  • Dynamic Domain Loading
  • Safe Device Drivers
    • non-priviledged domains
  • Device Driver Recovery
    • transparent device driver recovery with shadow drivers

Evaluation

  • Competiable versus traditional hardware mechanisms on cross-domain calls
    • seL4: 834 cycles
    • VMFUNC: 169 cycles
    • VMFUNC-based call/reply: 396 cycles
    • RedLeaf…: 124-297 cycles
  • Efficient Device Drivers with improved security
  • Real-world applications
    • Maglev: <40% overhead
    • KV Store: 61%-86% of performance of C implementation
    • Nginx: 2x improvement compared with Linux-based server

Insights

  • How to evaluate a secure operating system? … & fault isolation.
  • From language safety to system safety: more isolation features.
  • Related works: J-Kernel, Kaffee OS, Singularity OS …

You May Also Enjoy

ARM Permission Indirection

3 minute read

Published:

In 2022, ARM introduced a new way to control memory permissions. Instead of directly encoding the permission in the Translation Table Entry (TTE), fields in the TTEs are used to index into an array of permissions specified in a register. This indirection provides greater flexibility, greater encoding density and enables the representation of new permissions.

Build Kernel Module from a Customized Kernel

1 minute read

Published:

In recent projects, we need to hack on Linux Kernel with various customization on multiple architectures. However, common distros like Fedora/Debian/Centos will not provide compatible kernel development headers (staffs under /lib/modules/$version) required by building kernel modules.

Run Debian in QEMU

3 minute read

Published:

One need we recently met was to directly trigger syscalls in QEMU. To achieve this, we have to run Linux with pre-installed dev tools such as vim and gcc, and most importantly, package managers like apt. Thanks to debootstrap, such a subsystem can be setup within minutes.

Faster Compression by zstd

less than 1 minute read

Published:

Recently I was required to transfer a bulk of data containing millions of sparse files, where the archive and compression algorithms became a must yet bottleneck to my server. A compression algorithm with full parallelism, zstd, can better address the problem. Some tips are recorded in post.