I’ve seen this video of Timothy Roscoe at USENIX ATC '21 recently and was very interested in multikernel OSes.
While Barrelfish is abandoned, it seems that Kirsch is its successor.
However, since I’ve seen this video I wonder what changed since the keynote, why it doesn’t seem to be a thing for mainstream kernels, and if there was any roadmap/will to expand mainstream kernels like Linux to embrace the whole hardware.
Do you have any pointers/ideas or resources to share on this?
To answer your post title question, I suspect that at this point it seems counterintuitive to introduce complexity in an environment already rife with exploits.
It’s not like it’s a new idea either. Microsoft published research on this in 2009, 16 years ago.
The abstract on that link holds the promise of many benefits, but it appears to carefully avoid specific claims, which makes me wonder if the idea ran into unexpected hurdles, which is common in software development.
The abandonment of the Barrelfish project is probably an indicator that this is an idea that didn’t pan out.
Having said that, I haven’t dug into kernel development over the past 40 years of my career, so it might well be that aspects and nuances of this idea were adopted and are in common use.
What exactly does the statement that Linux does not already “embrace the whole hardware” mean?
This guy (Roscoe) is one of my professors and I’ve heard him give a few talks related to this before, so I’ll try to summarize the problem:
Basically, modern systems do not really match the classic model of “there’s some memory and peripheral devices attached to a bus, and they’re all driven by the CPU running a kernel which is responsible for controlling everything”. Practically every component has its own memory and processor(s), each running their own software independently of the main kernel (sometimes even with their own separate kernel!), there are separate buses completely inaccessible to the CPU specifically for communicating between components, often virtually every component is directly attached to the memory bus and therefore bypasses the CPU’s memory protection mechanisms, and a lot of these hidden coprocessors are completely undocumented. A modern smartphone SoC can have tens of separate processors all running their own software independently of each other.
This is bad for a lot of reasons, most importantly that it becomes basically impossible to reason about the correctness or security of the system when the “OS kernel” is actually just one of many equally privileged devices sharing the same bus. An example of what this allows: it is (or was) possible to send malformed WiFi packets and trigger a buffer overrun in certain mobile WiFi modems, allowing an attacker to get arbitrary code execution on the modem and then use that to overwrite the Linux kernel in main memory, thus achieving full kernel-level RCE with no user interaction required. You can have the most security-hardened Linux kernel you want, but that doesn’t mean a damn thing if any one of dozens of other processors can just… overwrite your code or read sensitive data directly from applications!
As I understand it, the goal of these projects is basically to make the kernel truly control all the hardware again, by having them also provide the firmware/control software for every component in the system. Obviously this requires a very different approach than conventional kernel designs, which basically just assume they rule the machine.
Interesting! I had not even realized that this was a problem, though it makes sense now after your description. How realistically feasible is this type of approach, though, given that the manufacturers can always just ignore the kernel’s request to reprogram them and continue to access the bus and memory directly?
The system is complex, plus a lot of legacy history. APTs for example (Advanced Persistent Threats). I think I have heard that you can no longer guarantee that wiping the system and reinstalling the OS will eliminate them in all cases. They could for example burrow into the firmware and microcode.
Or look at Windows: MS has had huge problems with old drivers and other stuff they run at very high permission levels. Windows is full of stuff from 25 years ago when security did not matter.
Highly unrealistic without significantly redesigning the entire architecture, meaning all your existing equipment will not be compatible.
Roscoe is one of my professors at ETH, and he gave a keynote at VISCon a few months ago where he discussed this stuff and what his department is working on. Apparently a lot of their (they being the systems department at ETH) current work is related to formally modeling which parts of a system have access to what other parts, and then figuring out which of those permissions are actually needed and then deriving the strictest possible MPU configuration while still having a working system. The advantage of this approach over an entirely new kernel is that, well, it doesn’t require an entirely new kernel, but can be built into an existing system, while still allowing them to basically eliminate the entire class of vulnerabilities they’re targeting.
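As an added illustration (not code from the thread, from Roscoe's group, or from any ETH project), here is a toy Python model of the idea in the two posts above: describe which bus masters need which accesses to which memory regions, derive the strictest configuration that still satisfies those needs, and then check whether a compromised component (the WiFi modem from the earlier post) can still reach the kernel. All component and region names are constructed placeholders, and the "legacy" configuration models the flat-memory-bus situation where every master can touch everything.

```python
"""Toy least-privilege model of SoC bus masters (constructed example)."""
from collections import deque

# Memory regions and, where applicable, the master whose code lives there.
# All names are constructed placeholders, not real SoC identifiers.
REGIONS = {
    "kernel_text":   "cpu",    # Linux kernel code in DRAM
    "app_data":      None,     # user application memory
    "wifi_firmware": "wifi",   # code the WiFi modem executes
    "wifi_dma_buf":  None,     # packet buffers shared with the kernel
    "dsp_firmware":  "dsp",
    "dsp_dma_buf":   None,
}

# Accesses each master genuinely needs for the system to work (constructed).
# Permission strings use r (read), w (write), x (execute).
REQUIRED = {
    ("cpu",  "kernel_text",   "rx"),
    ("cpu",  "app_data",      "rw"),
    ("cpu",  "wifi_firmware", "w"),   # kernel loads modem firmware at boot
    ("cpu",  "wifi_dma_buf",  "rw"),
    ("cpu",  "dsp_firmware",  "w"),
    ("cpu",  "dsp_dma_buf",   "rw"),
    ("wifi", "wifi_firmware", "rx"),
    ("wifi", "wifi_dma_buf",  "rw"),
    ("dsp",  "dsp_firmware",  "rx"),
    ("dsp",  "dsp_dma_buf",   "rw"),
}

MASTERS = sorted({m for m, _, _ in REQUIRED})


def legacy_config():
    """Flat memory bus: every master may read, write and execute every region."""
    return {m: {r: set("rwx") for r in REGIONS} for m in MASTERS}


def least_privilege_config(required=REQUIRED):
    """Grant exactly the accesses listed in `required` and nothing else.

    This is the 'strictest MPU/IOMMU configuration that still works' idea:
    the required set is the specification, the config is derived from it.
    """
    cfg = {m: {} for m in MASTERS}
    for master, region, perms in required:
        cfg[master].setdefault(region, set()).update(perms)
    return cfg


def can_access(cfg, master, region, perm):
    """True if `master` holds permission `perm` on `region` under `cfg`."""
    return perm in cfg.get(master, {}).get(region, set())


def compromised_masters(cfg, start):
    """Set of masters an attacker controls after compromising `start`.

    Rule: a controlled master that can write a region holding another
    master's code can replace that code and so take over that master too.
    This is the modem-overwrites-kernel scenario, generalised to a graph walk.
    """
    owned = {start}
    queue = deque([start])
    while queue:
        m = queue.popleft()
        for region, perms in cfg.get(m, {}).items():
            owner = REGIONS[region]
            if "w" in perms and owner is not None and owner not in owned:
                owned.add(owner)
                queue.append(owner)
    return owned


def excess_grants(cfg, required=REQUIRED):
    """Permissions present in `cfg` that no entry of `required` justifies."""
    needed = {(m, r, p) for m, r, ps in required for p in ps}
    return sorted((m, r, p) for m in cfg for r, ps in cfg[m].items()
                  for p in ps if (m, r, p) not in needed)


if __name__ == "__main__":
    for name, cfg in (("legacy", legacy_config()),
                      ("least-privilege", least_privilege_config())):
        print(f"{name}: wifi compromise spreads to {compromised_masters(cfg, 'wifi')},"
              f" {len(excess_grants(cfg))} unjustified grants")
```

Under the legacy configuration a compromised modem owns the kernel and the DSP as well, and can read application memory directly; under the derived configuration the same compromise stays confined to the modem and its DMA buffer. The CPU can still take over the coprocessors, which is expected, since the kernel is the one that loads their firmware. In a real system the required set would come from a formal model of the hardware rather than a hand-written table, and the derived configuration would be programmed into the actual MPU/IOMMU units, but the reasoning step is the same.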
That is generally called the principle of least privilege.
What’s the use case?
Well, first you have the security viewpoint as @DaPorkchop_@lemmy.ml explained with cross-SoC attacks. Then, if you consider the OS definition given by Roscoe (which, imo, is a good one), then your OS is not FOSS at all! For instance, in your OS you would have to consider the DSP chip, with its bootloader and kernel, as a part of your OS.
Huawei Harmony OS is multi kernel.
In the sense that it can run Android Linux and, I think, .exe files. Kinda cool tbh. Not sure if this is in the same boat as the projects you mentioned.
Too bad the sale of these is banned in the USA. I really want to try out the OS.