RedLeaf: Isolation and Communication in a Safe Operating System

Cite

FOSDEM VZW

Narayanan, Vikram Burtsev, Anton

Formal Metadata

Title

RedLeaf: Isolation and Communication in a Safe Operating System

Title of Series

FOSDEM 2022

Number of Parts

287

Author

Narayanan, Vikram

Burtsev, Anton

Contributors

Söntgen, Josef

License

CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/56916 (DOI)

Publisher

FOSDEM VZW

Release Date

2022

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

At least since the final Multics report in 1977, researchers identified the ability to isolate kernel subsystems as a critical mechanism for increasing the reliability and security of the kernel. Unfortunately, despite many attempts to introduce isolation to the kernel, modern systems remain monolithic. Historically, software and hardware mechanisms introduce a prohibitively high overhead for the isolation of subsystems with the tightest performance budgets. Today, however, the balance of isolation and performance is starting to change with the development of Rust, arguably, the first practical programming language that achieves safety without garbage collection. RedLeaf is a new operating system developed from scratch in Rust with the goal to explore the impact of language safety on operating system organization, and specifically on the ability to utilize fine-grained isolation and its benefits in the kernel. In contrast to commodity systems, RedLeaf does not rely on hardware address spaces for isolation and instead uses only type and memory safety of the Rust language. Departure from costly hardware isolation mechanisms allows us to explore the design space of systems that embrace lightweight fine-grained isolation of kernel subsystems. We develop a new abstraction of a language-based isolation domain that implements a unit of information hiding and isolation of faults. Domains can be dynamically loaded and cleanly terminated. Building on RedLeaf isolation mechanisms, we demonstrate the possibility to implement end-to-end zero-copy, fault isolation, and transparent recovery of device drivers. To evaluate the practicality of RedLeaf abstractions, we implemented a subset of the POSIX interface as a collection of RedLeaf domains. RedLeaf's isolation mechanisms allow us to support the transparent recovery of device drivers. To demonstrate that Rust and fine-grained isolation introduce a practically-acceptable overhead, we develop efficient versions of 10Gbps network and PCIe-attached solid state-disk NVMe device drivers that match the performance of carefully-optimized kernel-bypass device drivers used in modern network and storage processing frameworks.