Hacker News new | ask | show | jobs
by AlotOfReading 224 days ago
Interesting project. I'm curious about the limits of formal verification of worst case execution time. There are other formally verified kernels like seL4 and atmosphere, as well as layers you can stack on top to get a mostly compatible posix-ish layer like genode. You can also go out and find completely compatible kernels with enough maturity that (full) formal verification isn't a major value-add, like QNX or VxWorks.

I'm not aware of much that combines WCET + formal verification + POSIX compatibility though. The verification page here is mostly at stone level, which from my understanding of SPARK terminology just means it passes validation, but might have runtime errors where most of Ada's WCET nondeterminism comes from. I'm skeptical that this is actually production usable for the hard real-time use cases all over their documentation at the current stage, but nothing on the website gives any clue as to the actual maturity short of reading the code myself.
2 comments
indolering 224 days ago
Any government can get RCE on any OS with the change in their couch. Formal verification of process isolation is REALLY important when lives depend on it. That's a huge value add!

My main concern is speed and the lack of capability based security. seL4 is faster than Linux by a mile and I'm guessing that this is much slower. You can put a POSIX layer on seL4 but POSIX is inherently flawed too. MAC separates privileges from code and is too clunky to use in practice (see seLinux).

link
SahAssar 224 days ago
> Any government can get RCE on any OS with the change in their couch.

Do you really believe that? That seems extremely implausible based on just simple observations like all governments using COTS OS for military/intelligence work or standard OS:es being used for critical infrastructure like power/water/finance/transportation.

If your statement was even remotely true then why is this not used in conflicts to devastating effect?

link
indolering 224 days ago
The publicly available exploit prices put a browser zero day at $200k-$500k. That's the same cost as firing a few Javalin missiles. OS RCE runs into $1-$2 million. Much less than a cheap Russian tank. [1]

The cost of internally developed exploits is probably much lower. They aren't one shot assets either, they can be used until someone plugs the hole.

There are private companies selling devices to law enforcement that can extract information from locked phones [2]. Availability of that sort of access to anyone's phone by local law enforcement is absurdly cheap.

[1]: https://opzero.ru/en/prices/

[2]: https://arstechnica.com/gadgets/2025/10/leaker-reveals-which...

link
SahAssar 223 days ago
> [1]: https://opzero.ru/en/prices/

Those are the prices that they are buying for, they do not indicate at all that these are common or how large the market is for RCE on any OS.

> [2]: https://arstechnica.com/gadgets/2025/10/leaker-reveals-which...

Those are (mostly) not RCE, and are for consumer devices configured in a default way.

---

The parent stated that "Any government can get RCE on any OS with the change in their couch."

That implies that Kiribati currently could easily buy RCE on for example hardened Linux or OpenBSD running the most sensitive infra in the world. I just don't buy that, since if it was true any current conflict would look much different.

Of course there are security holes and major fuckups do happen, but not at the scale the parent implied.

link
indolering 223 days ago
These prices are consistent (actually more costly) than public bounties by (now defunct) western based exploit brokers and manufacturer bounties.

> Those are (mostly) not RCE, and are for consumer devices configured in a default way.

I'm more worried about activists and journalists in developing counties without the financial means to afford flagship phones. But even Google can't manage to keep out a pedestrian mid sized security outfit selling to the cops and the FBI.

When activists lobbying for a fucking sugar tax in Mexico get hacked, then the bar is too fucking low.

Let's not talk about the nightmare that is old networking equipment or IoT devices.

link
SahAssar 223 days ago
Come on, you said:

> Any government can get RCE on any OS with the change in their couch

If you were extremely hyperbolic for effect that's fine, that's why I asked if you actually believed that, but what you are saying now is not at all arguing the same point.

link
lossolo 223 days ago
This shouldn't be downvoted because it's stating facts. RCEs for critical infrastructure/OSes are very rare, they don't just grow on trees. I agree that OP exaggerated by saying that any government can buy whatever RCE they want and get access to any system they want, like buying candy in a candy shop. That's not reality.
link
indolering 223 days ago
Thankfully, there are regulatory regimes that require physically segregated systems for most cars, airplanes, power stations, etc

However, safety critical is not limited to cars: it also includes the phones of activities and journalists living under authoritarian regimes.

Monolithic kernels written in portable assembly mean that such bugs DO grow on trees [1] and the lack backporting means they just drop to the ground: the poor are sold phones that may never receive a security update. So even sugar tax activists in Mexico are the target of spyware!

We have seen the sophistication of these attacks ramp up as cryptocurrency has made them profitable and the North Koreans have made a killing exploiting these bugs.

Maybe you are right and it is very difficult to find these bugs but that just means low demand is what is keeping the price down. But that's probably because there enough LPEs and known RCEs that they are not needed most of the time.

[1]: https://www.cvedetails.com/vulnerability-list/vendor_id-33/L...

link
irundebian 223 days ago
Just because the market would buy something for X$, doesn't mean that you could buy that if you have more than X$.
link
indolering 223 days ago
Militaries have billion dollar budgets.
link
irundebian 216 days ago
That doesn't mean anything.
link
Veserv 223 days ago
You are claiming that every major OS is unhackable by governments. Can you point to literally any specific system that is demonstrably unhackable? Can you find literally anybody who would publicly claim their systems are unhackable by governments? Can you find literally anybody who would publicly claim that no competent team of 5 working for 3 years full-time (~1 tank worth of dollars, not even a basic company, just 1 tank) could not breach their systems? And that is just demonstrating for a single vendor, let alone your claim that it is true for everybody.

Your proof is that it would be really bad if everything were horribly insecure therefore it must not be true. Proof by wishful thinking has never been a valid argument.

In contrast, a few years ago I worked with a vulnerability broker who had literally hundreds of unsold zero-days with tens in each major commercial OS with zero-click RCEs only being a few million each. That is just one vendor in a sea of vulnerability brokers. That is the state of reality. We just live in the metaphorical equivalent of the pre-9/11 world where you can easily kill a lot of people by flying a plane into a building, but nobody has figured it out yet.

link
SahAssar 223 days ago
> You are claiming that every major OS is unhackable by governments.

I did no such thing. I claimed that it's implausible that every government can buy RCE for every OS.

link
Veserv 223 days ago
Yes you did, you said: "all governments using COTS OS for military/intelligence work" and then argued: "If your statement was even remotely true then why is this not used in conflicts to devastating effect?". You are clearly arguing that the operating systems they use, which you clearly admit are standard COTS operating systems, must be unhackable by other governments otherwise we would be seeing devastating effects (or at least require more than pocket change to a potential US adversary to attack, i.e. at least more than a single tank (~10 M$), at least more than a single fighter jet (~100 M$), probably at least more than a aircraft carrier (~1 G$) before not being pocket change).
link
irundebian 223 days ago
No, he didn't. Learn to discuss properly. OP stated that any government could get RCE for any OS. And that is highly unlikely, since budget above market rates does not imply that you can easily get RCEs. The market rates are high because there is scarcity of such vulnerabilites.

Governments using COTS operating systems does not imply that these systems are unackable. If the statement of OP would be true, we would just see constant exploitation of RCE zero days, or at the least the impact of that. But that is not the case.

link
mjlee 223 days ago
> why is this not used in conflicts to devastating effect?

The systems with devastating impact are air-gapped. They're designed, audited, validated and then never touched again. Ports are disabled by cutting the traces on the motherboard and adding tamper protection to the case, which is in a secure facility protected by vetted people with guns, who are in a security facility protected by different vetted people with guns.

No system is perfect, but the time and effort is better spent on the generic case that the military understands well.

link
jacquesm 223 days ago
> The systems with devastating impact are air-gapped.

You wish. More often than not the people building these think they are very clever by using their bullet proof fire walls rather than a physical disconnect. Or SLIP over a serial port because for some reason serial ports are fine.

I've seen this kind of crap in practice in systems that should be airgapped, that they said were airgapped but that in fact were not airgapped.

link
cedilla 223 days ago
If I had a dollar for each time I was told that they would get me a firewall exception to get to the air gapped system...

It does make it much easier to do stuff but kinda defeats the purpose.

link
jacquesm 223 days ago
And a firewall is not an airgap.

And a WiFi connection even though it goes 'through the air' is not an airgap.

The same for BT and any other kind of connectivity.

An airgap is only an airgap if you need physical access to a device to be able to import or export bits using a physical connection, and the location of the device is secured by physical barriers. Preferably a building that is secure against non-military wannabe intruders.

link
jandrewrogers 223 days ago
> firewall exception to get to the air gapped system

Any system accessible with a firewall exception is not "air-gapped" by definition.

A level below that is diode networks, which are not air-gapped but provide much stronger system isolation than anything that is accessible with a "firewall exception".

Far below either of these is vanilla network isolation, which is what you seem to be talking about.

link
mjlee 223 days ago
While I can't talk to all the systems out there, I am talking about systems I have worked on.
link
numpy-thagoras 224 days ago
Yes, I believe that.

> If your statement was even remotely true then why is this not used in conflicts to devastating effect?

It has been, it continues to be.

Where have you been?

link
SahAssar 223 days ago
It really hasn't to the scale that you imply. Why hasn't ukraine and russia both used this to completely shut down each others infrastructure? Why isn't russia just hacking all the ukrainian COTS drones? Why hasn't anyone hacked a nuclear power plant?
link
indolering 223 days ago
There is power in restricting access and air gapping helps a lot. A drone (for example) can fall back to basic cryptography to limit access.

Air gapping is a baseline requirement in most safety critical systems. Nuclear power plants in particular have lots of redundant layers of safety. AFAIK Russia hasn't physically tried to cause a meltdown, presumably due to the political blow back (although they have attacked Chernobyl's sarcophagus). I assume this limits their digital espionage attacks too.

We do get glimpses of the use of such malware, like when Saudi Arabia hacked Jeff Bezos' phone. But we don't hear about most of it because there is a benefit to keeping a hack secret, so as to keep access.

Finally, it's usually cheaper to social engineer someone into loading a PowerPoint presentation and doing a local privilege escalation. They burn those for things as petty as getting embarrassing political information.

link
irundebian 223 days ago
I doubt that most critical systems are air gapped. Even if there are, most part of Russians economy is not, but is still using IT based on COTS systems. Why wouldn't the Ukraine DoS or compromise the whole non air-gapped IT infrastructure of Russia to hit the economy if they could have easy access to RCE just because they are a government?
link
exe34 224 days ago
Do you have any resources that go deeper into this? It's a fascinating frontier for war!
link
virtue3 223 days ago
USA was providing Ukrainian operatives Russian officer locations via soldier's using their cellphones

https://oe.tradoc.army.mil/product/smart-phones-playing-prom...

link
emmelaich 224 days ago
In djb's course at UIUC, I recal he said that students were required to find a vulnerability as part of the course requirements.
link
SahAssar 223 days ago
Finding a vulnerability is not at all the same as "RCE on any OS". Vulnerabilities are common, the ones that have the impact implied are not.
link
jacquesm 223 days ago
Let me help a bit by trying to explain the situation. If you produce something that is a million lines of code you will most likely have at least a few hundred to a few thousand bugs in there. Some of those cause crashes, some of them cause hangs, and a small percentage will cause you to increase your privileges. Combine enough of those and sooner or later you end up with RCE. The problem is that you as a defender don't necessarily have the same budget to audit the code and to close it all down to the degree that an attacker has.

You need to do an absolutely perfect job in always spotting those RCE capable issues before an attacker does. And given the numbers involved this becomes a game of statistics: if there are 200 ways to get RCE on OS 'X' then you need to find and fix all of them before attackers do. Meanwhile, your system isn't a million lines but a multitude of that, there are your applications to consider (usually of a lesser quality than the OS), the risk of a purposeful insertion of a backdoor and so on.

So I don't think it is unreasonable to presume that any OS that is out there most likely has at least a couple of these that are kept 'on ice'.

link
SahAssar 223 days ago
I work in security. I know all of the above. But the parent said that "any government can by RCE on any OS", that is not at all the same as saying that it is plausible that a few of the more advanced countries probably have a few critical exploits "on ice". They also stated it as a fact, not as a possibility.

You are not arguing the same point.

link
jchw 223 days ago
> Do you really believe that? That seems extremely implausible based on just simple observations like all governments using COTS OS for military/intelligence work or standard OS:es being used for critical infrastructure like power/water/finance/transportation.

I do, but have a slightly different take: even though COTS software is pretty much unilaterally full of bugs that will be exploitable and could be found, it is still possible to compose layers of security that compliment each other in such a way that a compromise in any one layer wouldn't mean game over. Done very carefully, I think you can make a stack vastly more secure than the sum of its parts. Moreover, it's very possible to make exploiting the software both more annoying and easier to detect, which would dissuade attempting to use exploits.

> If your statement was even remotely true then why is this not used in conflicts to devastating effect?

I think the costs, risks and incentives need to line up properly to actually see things play out. Even though software exploits in COTS software is relatively cheap by government money standards, they do still take time and money. Not to mention the actual software exploit part may not even be the most expensive or complicated part of an operation, especially if you desperately need to evade detection for a long time, and especially if your adversary is going to have sufficient auditing to know something is wrong early.

Stuxnet is old, but surely one of the most fascinating uses of malware in geopolitics. But wow, the amount of work involved and knowledge needed to make something like that happen makes the exploit part feel rather small.

Formally verified software seems to have a lot of promise, then, to make deep exploits even more convoluted, expensive and rare. Surely there will still be bugs, but it leaves a lot less room for error, and very well could shift the calculus on security threats a bit.

link
DANmode 223 days ago
Knowledge that humans plug shit into computers without knowing what it is?
link
jchw 223 days ago
Stuxnet targeted the specific PLCs used at Iranian nuclear facilities, and had to be able to function in an airgapped environment. I reckon the logistics were far and away more complicated than finding Windows exploits, especially at that time.
link
DANmode 223 days ago
It's probably more impressive than that. Probably targeted a range of potential PLCs.

But what's all this have to do with the ongoing conversations about pwning Windows-based networks inside major consumer utility assets?

link
DANmode 224 days ago
1) Those things are being hardened right now

2) You haven’t seen a hot conflict yet

link
sim7c00 224 days ago
it is used here n there but unlike bullets the attacks if they remain unknown have no armer to defend against them, but are single use.

since the 2010s atleast more than 140 countries spend over 10 mil a year on purly offensive cyber. most of those countries spend astronomical amounts more than that. that includes purchase of attack tools and exploits

link
vacuity 223 days ago
Note: IPC performance isn't the only factor in overall OS performance. Especially for a "traditional microkernel", where programs are split up into separate processes liberally, performance degrades due to the sheer number of cross-boundary interactions. A whole system is performant if the design of the whole system, not just the design of the kernel, is aligned with performance. This is not to put down seL4; on the other hand, it continues the trend of L4 microkernels demonstrating the viability of stricter designs. But keep in mind that more time and effort is necessary to implement larger systems well.

I'm bullish on capabilities too, but I don't know much about MAC. Can you explain your last sentence?

link
indolering 223 days ago
seL4 has the lowest IPC overhead of any kernel and it's an order of magnitude faster than Linux [1]. But you are correct: switching cost amounts of noise when architectured correctly. LionsOS [2] (which is based on seL4) has some benchmarks showing improved performance over Linux [3].

I am betting you know what mandatory access control is ; ). They basically amount to a firewall that is placed on applications restricting what they can do. The rules are generally written by downstream distros and are divorced from the implementation. The problem is that it's hidden control flow, so the program just dies and can't fall back gracefully. Capability oriented APIs make broker processes and narrowing of permissions tractable.

[1]: https://sel4.systems/performance.html

[2]: https://lionsos.org/

[3]: https://trustworthy.systems/publications/papers/Heiser_25%3A...

link
dathinab 223 days ago
they mean "mandatory access controls (MAC)" https://en.wikipedia.org/wiki/Mandatory_access_control

through what exactly people mean with it is often vague

Like e.g. both seLinux and AppAmore are technically MAC but people tend to only mention seLinux when speaking about how cumbersome it is and treat AppAmore as something different as it's not so cumbersome.

link
johnisgood 224 days ago
It does not have to remain at stone level, and it can get legit certifications, too.

Looking forward to it. A formally verified OS is a great step towards better security.

link
AlotOfReading 224 days ago
That really depends on what formal verification means in context. I don't see any interesting specifications in the repo, just basic stuff like this MD5 spec [0] that doesn't verify whether the MD5 implementation is correct. This is one of the areas where formal verification is listed as completed/gold level.

It's common for the interesting OS proofs to take more code than the kernel itself. Take a look at the seL4 proofs [1], or those for CertiKOS as examples.

If you're actually interested in alternative OSes in memory safe languages, you might like TockOS, which is more production-ready at this point. Formal verification work of the isolation model is still ongoing, because it's difficult work.

[0] https://codeberg.org/Ironclad/Ironclad/src/branch/main/sourc...

[1] https://github.com/seL4/l4v

link
johnisgood 224 days ago
There is none in [0]. :P
link