I think it's interesting work with performance tradeoff and such. I've even used this same approach at the library level where some are optimized for speed and some safety depending on app they're integrated with. Yet, there's two things going against it for system protection: (a) OS's have so many potential vulnerabilities and covert channels that it's best to isolate them entirely into a protection domain with careful interfaces to other partitions; (b) the protection schemes on code, hardware or software, have gotten much better than the limited guarantees this scheme offers with performance hit that we can live with. Regarding (b), they even referenced one (SVA-OS) I considered building a medium-assurance design on. Softbound for full, C memory safety is also interesting and Control Pointer Integrity if you have segments.
Many interesting tech for turning exploits into mere exceptions or things that don't compile in the first place. Also many tech's for isolating all that mess in a box with low overhead and easier-to-check interface protection. I'd rather take a combination of those than a split kernel.
All this does is clear the stack area prior to each Linux kernel call and check, at the instruction level, for stack pointer problems. That's nice, but narrow. The approach is to do this at boot time, which is kind of strange and may introduce more security errors.
It might be more useful to do this for all kernel calls other than the top 10. Vulnerabilities are more likely to be present in less-used system calls, where the code isn't exercised much. We know now that the "with many eyes, all bugs are shallow" meme is bogus. Much code in open source software barely gets looked at by anybody.
If this is useful, Linux kernel call code is very buggy.
This is, of course, a C problem. We've really got to get rid of C for anything security-critical.
This is, of course, a C problem. We've really got to get rid of C for anything security-critical.
On the other hand, it must be noted that there's a ton of subtle timing-related attacks in crypto where low-level control of memory layout strongly benefits their mitigation [1]. I don't know how mechanisms provided by languages like Rust fare into this, though C has definitely been tried and tested well.
Then the idea of moving away GNU, the Linux kernel, Freedesktop projects and all the other myriad software from C is a pipe dream, anyway. It might have been attainable if something like Cyclone won out which extended C only to a minimum for security purposes, but otherwise the task is immense.
> On the other hand, it must be noted that there's a ton of subtle timing-related attacks in crypto where low-level control of memory layout strongly benefits their mitigation [1]. I don't know how mechanisms provided by languages like Rust fare into this, though C has definitely been tried and tested well.
Rust has the same control over memory layout.
And Cyclone used a GC; it wasn't as minimal as you think. The stuff needed to actually get rid of a GC while maintaining memory safety (retaining dynamic memory allocation) didn't really get developed in a practical way (IMHO, anyway) until Rust came along.
The expression "non-C OS that can run Docker containers" reeks of magical thinking through and through, but for what it's worth the purpose of Docker is application containerization, which is more concerned with logical resource partitioning, infrastructure granularity and an escape from the broader state-related issues of the shared library context in the host OS.
Sandboxing is orthogonal. It so happens that some of the techniques of OS-level virtualization overlap with those of sandboxing on Linux, but Docker is nonetheless not a security tool.
Not that Docker's current libcontainer work is even at all portable. It's questionable what the current ruckus about companies backing the Open Container Project will lead to.
I'll let Theo take it from here:
"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."
There's been many highly-secure virtualization prototypes or production systems that leveraged tiny kernels with minimally-complex trusted software. Kernel-mode code for modern ones was around 10Kloc. On a virtualizable architecture, this is way easier to do than a whole OS given the complexity of the latter. Plus, it's best to entrust the best security engineers and software engineers to build it with similar to certify it rather than "a worldwide collection of software engineers" unqualified for the job.
Right people, right tools, right architecture, and right processes for knocking out defects. That's what it takes. Virtualization's well-studied enough to tackle it. Only one's trying in FOSS that I'm aware of are L4 community: esp TU Dresden Nizza architecture w/ L4 Linux, OK Labs OKL4/seL4 / OK Linux, and GenodeOS on Nova microhypervisor or OKL4. Google separation kernel, Nizza and Genode architectures to see what I mean.
What about Linux-Branded Zones? They let you natively execute Linux binaries on any IllumOS-based operating system. Zones themselves have a proven security record that easily make up for the lack of real security in the container space.
That isn't to say that IllumOS and Zones are perfect, but if something that robust can be implemented in C/C++, we can do the same or better in Rust.
It's happened before: Ada Secure Operating System, LISP machines, Pascal machines, BiiN, System/38, Oberon System, and so on. It's why I love online comments speculating about whether it's possible to use a type-safe or memory-safe language to write a full OS. Lol. I try to remind them of what's been done before enough so hopefully they'll try to do it again.
I agree a modern take supporting mainstream deployment tech would be a great advance. The language itself might need to be modern. They'll reject Ada, LISP, etc. I liked JX just because there were many Java developers plus various verification tech on Java subsets. Figured Java-2-native was only shot before Rust, Go, and SWIFT showed up. Things are indeed starting to happen. :)
Anyone who is really interested in a mature, industrial strength, system programming language without the fundamental flaws of C have been able to crank up an Ada compiler for years (including the free, GNU licensed GNAT compiler). And along the way there have been a lot of other solid options that have been used to build reliable systems (personally, I think Modula-3 should have gotten a lot more love than it did, especially since it had a free compiler as well...alas).
The reality is, there's a bunch of people who spend a lot of time furiously wanking over the NextCoolLanguage du jour, espousing how it's obviously going to displace C and cure all our ills, while the people who are actually writing things people use are by-and-large content to keep doing it in C. If the people that really matter in this debate wanted a better language than C, they'd have picked one a long time ago.
Many interesting tech for turning exploits into mere exceptions or things that don't compile in the first place. Also many tech's for isolating all that mess in a box with low overhead and easier-to-check interface protection. I'd rather take a combination of those than a split kernel.