You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

341 lines
16 KiB

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<!doctype html>
<meta charset="utf-8">
<title>Betrusted: Something-Something Secure</title>
<meta name="description" content="A framework for easily creating beautiful presentations using HTML">
<meta name="author" content="Sean &quot;xobs&quot; Cross">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<link rel="stylesheet" href="css/reveal.css">
<link rel="stylesheet" href="css/theme/lca2020.css" id="theme">
<!-- Theme used for syntax highlighting of code -->
<link rel="stylesheet" href="lib/css/zenburn.css">
<!-- Printing and PDF exports -->
var link = document.createElement('link');
link.rel = 'stylesheet';
link.type = 'text/css';
link.href = ? 'css/print/pdf.css' : 'css/print/paper.css';
<!--[if lt IE 9]>
<script src="lib/js/html5shiv.js"></script>
.reveal .slides section[data-transition=zoomrev],
.reveal.zoomrev .slides section:not([data-transition]) {
transition-timing-function: ease;
.reveal .slides > section[data-transition=zoomrev].past,
.reveal .slides > section[data-transition~=zoomrev-out].past,
.reveal.zoomrev .slides > section:not([data-transition]).past {
visibility: hidden;
-webkit-transform: scale(0.2);
transform: scale(0.2);
.reveal .slides > section[data-transition=zoomrev].future,
.reveal .slides > section[data-transition~=zoomrev-in].future,
.reveal.zoomrev .slides > section:not([data-transition]).future {
visibility: hidden;
-webkit-transform: scale(16);
transform: scale(16);
.reveal .slides > section > section[data-transition=zoomrev].past,
.reveal .slides > section > section[data-transition~=zoomrev-out].past,
.reveal.zoomrev .slides > section > section:not([data-transition]).past {
-webkit-transform: translate(0, 150%);
transform: translate(0, 150%);
.reveal .slides > section > section[data-transition=zoomrev].future,
.reveal .slides > section > section[data-transition~=zoomrev-in].future,
.reveal.zoomrev .slides > section > section:not([data-transition]).future {
-webkit-transform: translate(0, -150%);
transform: translate(0, -150%);
<!-- Start of main presentation -->
<div class="reveal">
<div class="footer">
<a class="url" href=""></a>
<span class="theme">Whos Watching</span><span class="hashtag"> | #LCA2020</span><span class="twitter"> |
<div class="commentary"></div>
<div class="slides">
<section data-background-image="css/theme/lca2019-title-bg-transparent.svg">
<h2 style="background-color: transparent;">Betrusted: Being Secure</h2>
<h5 style="background-color: transparent;">That's no Blackberry, it's a chat client!</h5>
<p align="right" style="margin-bottom: 0px; margin-top: 0px; line-height: 1;">
<small>bunnie - <a href=""></a> - @bunnievorpal</small>
<p align="right" style="margin-bottom: 0px; margin-top: 0px; line-height: 1;">
<small>Tom Marble - <a href=""></a></small>
<p align="right" style="margin-bottom: 0px; margin-top: 0px; line-height: 1;">
<small>Sean Cross - <a href=""></a> - @xobs</small>
<h2>Xous: Why another kernel?</h2>
<aside class="notes">
A big question that gets asked is -- why another kernel? Why don't we just
put Linux on it and be done with it? Or something else like Minix, TockOS,
or FreeRTOS?
<h2>Betrusted Goals</h2>
<li>&lt;=4 MB RAM</li>
<li>Process Isolation</li>
<li>Safe language</li>
<li class="fragment">Microkernel</li>
<aside class="notes">
With Betrusted, we wanted to reduce the code footprint. This will allow
us to run with less RAM -- ideally 4 MB or less. We also wanted to have
a full MMU, which is somewhat unusual in the embedded microcontroller
space, where a more limited Memory Protection Unit is preferred.
We would like to have full process isolation, so even if one process is
compromised, attackers will have a harder time boring through the system
to gain a more complete takeover.
Therefore, we would like Betrusted to run a Microkernel-style operating
system, with "servers" that provide features such as the display,
keyboard, and even basic task switching. These should all run in
userspace with the bare minimum permissions required to get the job done.
Finally, we would like to have the operating system written in a safe
systems language.
<h2>Rust: Safety, Speed, Concurrency</h2>
<aside class="notes">
The Rust programming language promises the holy trifecta: Safety, Speed,
Concurrency. Pick any three. If you're going to start over on a systems-
level project, choose Rust. There will be a lot of wailing and gnashing
of teeth to begin with, but the end result will be better.
When we started Betrusted, we decided that it should primarily use Rust
as the systems language. That way we can be sure that our code is sound.
Additionally, Rust has the ability to produce efficient binaries, and the
efficiency is only going to get better as time progresses.
This eliminates non-Rust choices such as Linux or Minix.
<h2>A Survey of Rust-based Operating Systems</h2>
<aside class="notes">
Having decided to use Rust, we did a survey of Rust-based operating
systems. There are several available, in various states of completeness.
The two biggest candidates are Redox and Tock.
<h2>Rust-based Operating Systems: Tock</h2>
<aside class="notes">
Tock is the most obvious choice, since it already has a RISC-V port
and is supported by a well-documented ABI. Tock supports multiple
tasks written in either Rust or C, which is a very nice feature.
However, Tock does not support an MMU. It would be possible to adapt
the MPU interface to work with an MMU, but a lot of design work has
gone into Tock to make it work well with only the standard MPU that
is present on most ARM chips. Using Tock would be asking it to do
something that it's not designed for. Instead, it's better to pick
the right tool for the job.
Additionally, the Tock message passing infrastructure assumes only
one server per process, which can limit flexibility.
<h2>Rust-based Operating Systems: Redox</h2>
<aside class="notes">
Redox is the other large Rust-based operating system, and is the most
compelling. Redox is currently limited to x86-64 (with a plan to
port it to AArch64), so we would need to port it ourselves to RISC-V.
The biggest problem with Redox is its size: It's a full Desktop
operating system, and supporting it on Betrusted would require us to
spend a lot of time cutting it down to just the bare microkernel,
at which point we can start to recreate everything ourselves. The
kernel itself is such a small part of Betrusted. Besides, we would
like the freedom to experiment, to randomize the syscall numbers and
have keepout areas of the screen and add IMEs to the input, which
would quickly introduce incompatibility with Redox.
Finally, we would like to be able to use stable Rust for our applications,
which we can almost do with Xous. We're just waiting for either the
"alloc_error_handler" attribute to be stabilized (issue 66740), or
defaulting handle_alloc_error to panic (issue 66741), which would give
us everything we'd need to use alloc on stable Rust.
In short, Tock is too small, and Redox is too big.
<h2>Other Alternatives and Inspirations</h2>
<aside class="notes">
There are many alternative operating systems. We can draw inspiration
from them, even if we don't use them directly.
For example, both the QNX microkernel and Solaris Doors implementation
allow for one process to pass a message to another, which then inherits
its remaining quantum and runlevel. This prevents priority inversions
and makes syscalls relatively cheap.
<h2>Xous: System Design</h2>
<aside class="notes">
Xous is, currently, very much under development. However, there has
been a lot of planning.
<h2>Xous: Memory Model</h2>
<aside class="notes">
Xous will base its memory model on the Rust borrow checker. That is,
shared memory will be used for IPC. If one process wishes to get a
response from another, it can pass pages via a mutable borrow. If
a process wishes to share pages across multiple process, then only an
immutable borrow may be made, and the sharing process cannot access
pages until all processes have returned the memory.
A process can move memory into another, which for example is how
process spawning works. In such a case, memory is no longer available
in the sending process.
<h2>Xous: Missing Features</h2>
<aside class="notes">
Xous has no fork(). Instead it will have spawn().
Shared libraries aren't available at the start, but may come later.
</div> <!-- class="reveal" -->
<!-- End of main presentation -->
<!-- Start of configuration section -->
<script src="lib/js/head.min.js"></script>
<script src="js/reveal.js"></script>
var presenter = !!Reveal.getQueryHash().s;
// More info
controls: presenter ? false : true,
progress: true,
history: true,
center: false,
controlsTutorial: presenter ? false : true,
slideNumber: presenter ? null : 'c/t',
// The "normal" size of the presentation, aspect ratio will be preserved
// when the presentation is scaled to fit different resolutions. Can be
// specified using percentage units.
width: 960,
height: 700,
// Factor of the display size that should remain empty around the content
margin: 0.1,
multiplex: {
url: '',
id: 'd03979a76e514b4c',
secret: Reveal.getQueryHash().s || null
// Bounds for smallest/largest possible scale to apply to content
minScale: 0.02,
maxScale: 5.5,
transition: 'slide', // none/fade/slide/convex/concave/zoom
// More info
dependencies: [
{ src: 'lib/js/classList.js', condition: function () { return !document.body.classList; } },
{ src: 'plugin/markdown/marked.js', condition: function () { return !!document.querySelector('[data-markdown]'); } },
{ src: 'plugin/markdown/markdown.js', condition: function () { return !!document.querySelector('[data-markdown]'); } },
{ src: 'plugin/highlight/highlight.js', async: true, callback: function () { hljs.initHighlightingOnLoad(); } },
{ src: 'plugin/search/search.js', async: true },
{ src: 'plugin/zoom-js/zoom.js', async: true },
{ src: 'plugin/notes/notes.js', async: true },
{ src: 'lib/js/', async: true },
src: presenter ?
'plugin/multiplex/master.js' :
'plugin/multiplex/client.js', async: true
Reveal.addEventListener( 'slidechanged', function( event ) {
// event.previousSlide, event.currentSlide, event.indexh, event.indexv
var commentaries = document.getElementsByClassName("commentary");, cmt => {
cmt.innerHTML = "";
// debugger;
event.currentSlide.childNodes.forEach(element => {
if ((element.nodeName == "ASIDE") && (element.className == "notes")) {, cmt => {
cmt.innerHTML = "<p>" + element.innerHTML.replace("\n\n", "</p><p>") + "</p>";
} );