System Programming in Rust

Balasubramanian, Abhiram; Baranowski, Marek S.; Burtsev, Anton; Panda, Aurojit; Rakamarić, Zvonimir; Ryzhyk, Leonid

doi:10.1145/3102980.3103006

Cited by 39 publications

(14 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We take three measures to reduce the attack surface from GService. First, we implement GService with a safe language, specifically Rust, which is type and memory safe [7]. Second, GService uses a statically allocated, private heap.…”

Section: ) Makementioning

confidence: 99%

“…We enhance the security/safety of GService with a three-pronged approach. First, we implement most of it in Rust, a safe language that guarantees software fault isolation by preventing unauthorized memory access and using a single ownership model [7]. Second, we minimize the unsafe part of GService to a small amount of assembly code, 190 lines in our implementation, which is amenable to formal verification by existing tools, e.g., Vale [9].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Ginseng: Keeping Secrets in Registers When You Distrust the Operating System

Yun

Lin

2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Many mobile and embedded apps possess sensitive data, or secrets. Trusting the operating system (OS), they often keep their secrets in the memory. Recent incidents have shown that the memory is not necessarily secure because the OS can be compromised due to inevitable vulnerabilities resulting from its sheer size and complexity. Existing solutions protect sensitive data against an untrusted OS by running app logic in the Secure world, a Trusted Execution Environment (TEE) supported by the ARM TrustZone technology. Because app logic increases the attack surface of their TEE, these solutions do not work for third-party apps. This work aims to support third-party apps without growing the attack surface, significant development effort, or performance overhead. Our solution, called Ginseng, protects sensitive data by allocating them to registers at compile time and encrypting them at runtime before they enter the memory, due to function calls, exceptions or lack of physical registers. Ginseng does not run any app logic in the TEE and only requires minor markups to support existing apps. We report a prototype implementation based on LLVM, ARM Trusted Firmware (ATF), and the HiKey board. We evaluate it with both microbenchmarks and real-world secret-holding apps. Our evaluation shows Ginseng efficiently protects sensitive data with low engineering effort. For example, a Ginsengenabled web server, Nginx, protects the TLS master key with no measurable overhead. We find Ginseng's overhead is proportional to how often sensitive data in registers have to be encrypted and decrypted, i.e., spilling and restoring sensitive data on a function call or under high register pressure. As a result, Ginseng is most suited to protecting small sensitive data, like a password or social security number.

show abstract

Section: ) Makementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Ginseng: Keeping Secrets in Registers When You Distrust the Operating System

Yun

Lin

2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…High-level type-safe programming languages have the potential to eliminate many classes of programming bugs that could be exploited [3,30]. Similarly, formal verification of OS kernels provides a fundamentally safe trusted computing base (TCB) [27,39].…”

Section: Motivation: Many Os Abstractions Are Problematicmentioning

confidence: 99%

“…These virtualization techniques incur performance and energy overheads. Furthermore, popular UNIX-based server OSes are inherently vulnerable to misbehaving applications because they are written in C which is not type-safe [3].…”

Section: Introductionmentioning

confidence: 99%

I/O Is Faster Than the CPU

Enberg

Rao

Tarkoma

2019

Proceedings of the Workshop on Hot Topics in Operating Systems

View full text Add to dashboard Cite

I/O is getting faster in servers that have fast programmable NICs and non-volatile main memory operating close to the speed of DRAM, but single-threaded CPU speeds have stagnated. Applications cannot take advantage of modern hardware capabilities when using interfaces built around abstractions that assume I/O to be slow. We therefore propose a structure for an OS called parakernel, which eliminates most OS abstractions and provides interfaces for applications to leverage the full potential of the underlying hardware. The parakernel facilitates application-level parallelism by securely partitioning the resources and multiplexing only those resources that are not partitioned.

show abstract

“…Developers do not manually handle exported states or transfer them to other modules; they are abstracted away and managed by the compiler. At first glance, the overhead of stateless communication sounds high, but Theseus leverages affine types in Rust to realize zero-copy communication [9] even between isolated entities, along with caching and shared mappings. Singularity also exploits linear types for zero-copy transfer [22], but Theseus can resolve communication to a function call with less overhead than Singularity channels.…”

Section: State Management Without Encapsulationmentioning

confidence: 99%

Theseus

Boos

Lin

2017

Proceedings of the 9th Workshop on Programming Languages and Operating Systems

View full text Add to dashboard Cite

In prior work, we have shown that the underdiagnosed problem of state spill remains a barrier to realizing complex systems that are easy to maintain, evolve, and run reliably. This paper shares our early experience building Theseus from scratch, an OS with the guiding principle of eliminating state spill. Theseus takes inspiration from distributed systems to rethink state management, and leverages Rust language features for maximum safety, code reuse, and efficient isolation. We intend to demonstrate Theseus as a runtime composable OS, in which entities are easily interchangeable and can evolve independently without reconfiguring or rebooting.

show abstract

System Programming in Rust

Cited by 39 publications

References 26 publications

Ginseng: Keeping Secrets in Registers When You Distrust the Operating System

Ginseng: Keeping Secrets in Registers When You Distrust the Operating System

I/O Is Faster Than the CPU

Theseus

Contact Info

Product

Resources

About