Tock: Multiprogramming a 64kB Computer Safely and Efficiently

• Paper
• Source Code
• Conference: SOSP’17
• Tag: System Security, Rust, IoT, Embedded System

Embedded Softwares are not Ready

Classic embedded systems like TinyOS, FreeRTOS, Contiki are common in:

• All code in a single address space rather than multi-programming
• Trust all code
• Monolithic image
• No fault recovery and fault isolation (basically only watchdog timers)

New isolation tools

• MPU: protection bits for 8 memory regions
• Rust

Tock’s Design Goals

• Isolate drivers
• Isolate applications
• Concurrent applications & IO without virtual memory

Tock’s Isolation Mechanisms

• Capsules: A Rust module and structs, event-driven execution with async IO
• Processes
  • Capsules and processes interact via IPC
  • Each process maintains a kernel heap, called Grants
• Use of MPU to protect memory regions without virtualization

An example of capsules is shown below:

struct DMAChannel {
    length: u32,
    base_ptr: *const u8,
}

impl DMAChannel {
    fn set_dma_buffer(&self, buf: &'static [u8]) {
        self.length = buf.len();
        self.base_ptr = buf.as_ref();
    }
}

Thoughts

• 高级抽象，比如 C++11 里的 Lambda、Rust 里的闭包会给系统级别的编程模型带来变化吗？

Reference

• https://stackoverflow.com/questions/63164973/why-does-rust-allow-calling-functions-via-null-pointers