safely and efficiently programming a 64kb computer · safely and efficiently programming a 64kb...
TRANSCRIPT
![Page 1: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/1.jpg)
Safely and Efficiently Programming a 64kB Computer
Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab, Philip Levisa
MSR UW Summer Institute August 2, 2017
aStanford University bUniversity of Michigan
![Page 2: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/2.jpg)
Secure Internet of Things Project (SITP)
Securing the Internet of Things
• Secure Internet of Things Project▶ 5 year project (just started second year)▶ 12 faculty collaborators▶ 3 universities: Stanford, Berkeley, and Michigan
• Rethink IoT systems, software, and applications from the ground up
• Make a secure IoT application as easy as a modern web application
2
![Page 3: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/3.jpg)
e-WEAR Affiliates Program
Dawson EnglerStanfordSoftware
3
Philip LevisStanford
Embedded Systems
Mark HorowitzStanfordHardware
Christopher RéStanford
Data Analytics
Dan BonehStanford
Cryptography
Keith WinsteinStanfordNetworks
Prabal DuttaBerkeley/Michigan
Embedded Hardware
David MazièresStanfordSecurity
Björn HartmannBerkeley
Prototyping
Raluca Ada PopaBerkeleySecurity
Steve EglashStanford
Executive Director
Philip LevisStanfordFaculty Director
Team
David CullerBerkeley
Low Power Systems
Peter BailisStanford
Database Systems
![Page 4: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/4.jpg)
There’s no such thing as a secure embedded OS today.
![Page 5: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/5.jpg)
There’s no such thing as a secure embedded OS today.
Let’s research why and write one.
![Page 6: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/6.jpg)
Embedded Systems“An embedded system is a computerized system that
is purpose-built for its application.”
Elicia WhiteMaking Embedded Systems, O’Reilly
![Page 7: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/7.jpg)
But the World is Changing…“An embedded system is a computerized system that
is purpose-built for its application.”
Elicia WhiteMaking Embedded Systems, O’Reilly
![Page 8: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/8.jpg)
But the World is Changing…“An embedded system is a computerized system that
is purpose-built for its application.”
Elicia WhiteMaking Embedded Systems, O’Reilly
� � � � � � � � �� � � � � � � � � � �
� � � � �
� � �� � �
� � � � �
� � � � �
� � � � �� � �
� � � � � � � �
� � � � � � � � � � � �
� �� �
� � � � � � {� I
� � � � � � � � � � � � � �
�� � � � � � � �
� � � � � � � � � � � � � � � �
� � �
� � � � � U� U�
U�� � 2 U�� � � U�� F�
F� � � � � � � � �� � � � � �
� � � � � �F� � � � � � �
n� � � � �
�
![Page 9: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/9.jpg)
But the World is Changing…“An embedded system is a computerized system that
is purpose-built for its application.”
Elicia WhiteMaking Embedded Systems, O’ReillyMaking Embedded Systems, O’Reilly
���� � � � � � �
� � � � � � � � � � �
� � � � �
� � �� � �
� � � � �� � � � �
� � � � �
� � � � �� � �
� � � � � � � �
� � � � � � � � � � � �
� �� �
� � � � � � {� I
� � � � � � � � � � � � � � � � � � �
� � �
� � � � � � � � � � � � � � � �
� � �
� � � � � U�
� � 2 � � � � F�
F� � � � � � � � �� � � � � �
� � � � � �F� � � � � � �F� � � � � � �
� � � � �
A new class of embedded devices, that act as platforms supporting loadable programs within a particular application domain.
![Page 10: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/10.jpg)
Tock Operating System• Safe, multi-tasking operating system for memory-
constrained devices
• Core kernel written in Rust, a safe systems language▶ Small amount of trusted code (can do unsafe things)
- Rust bindings for memory-mapped I/O- Core scheduler, context switches
• Core kernel can be extended with capsules▶ Safe, written in Rust▶ Run inside kernel
• Processes can be written in any language (asm, C) ▶ Leverage Cortex-M memory protection unit (MPU)▶ User-level, traps to kernel with system calls
![Page 11: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/11.jpg)
Tock Architecture
HAL Scheduler Config
SPI
I2C
GPIO
Console
UART
Timer
Core kernel(Trusted)
Capsules(Untrusted)
Proc
esse
s(A
ny la
ngua
ge)
Kern
el(R
ust)
…heapstack
textdata
grant
heapstack
textdata
grant
RAM
Flash
ProcessAccessible
Memory
![Page 12: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/12.jpg)
Challenge: System Calls
• System calls need to dynamically allocate memory▶ Create a timer, kernel needs to keep timer’s state▶ Enqueue a packet to send, kernel needs reference to packet
• For dependability, kernel has no heap▶ Otherwise a process can exhaust kernel memory▶ Fragmentation▶ Cleaning up after process failures
• How does the kernel handle system calls if it has no heap?
![Page 13: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/13.jpg)
System Call Insight
HAL Scheduler Config
���
���
����
����� �
��
����
Core kernel(Trusted)
Capsules(Untrusted)
Proc
esse
s(A
ny la
ngua
ge)
Kern
el(R
ust)
…heapstack
textdata
grant
heapstack
textdata
grant
RAM
Flash
ProcessAccessible
Memory
grantgrant
• Processes given block of memory
• Dynamically allocated when process loaded
• Kernel can allocate memory from process
![Page 14: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/14.jpg)
Memory Grants
• Each process has a growable container of grant memory
• Kernel can allocate objects from the grant block
• References to objects cannot escape the block▶ Process failure/crash does not lead to dangling pointers
• Users pass a function to the container with enter
grant container
callerfunction
self.apps.enter(appid, |app, _| { app.read_buffer = Some(slice); app.read_idx = 0; 0}).unwrap_or(-1)
![Page 15: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/15.jpg)
Programs to the Edge
luaFirmware
Application programming model Application-to-application authenticationNetwork security policies
python
C
20-year cryptography/software update
![Page 16: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/16.jpg)
Tock Operating System
• Safe, multi-tasking operating system for memory-constrained devices
• Core kernel written in Rust, a safe systems language▶ Small amount of trusted code (can do unsafe things)
- Rust bindings for memory-mapped I/O
- Core scheduler, context switches
• Many new system design and research challenges▶ Writing a kernel in a type safe, not garbage collected language▶ Memory isolation and allocation
• Come learn how to use it!
![Page 17: Safely and Efficiently Programming a 64kB Computer · Safely and Efficiently Programming a 64kB Computer Amit Levya, Branden Ghenab, Bradford Campbellb, Pat Pannutob, Prabal Duttab,](https://reader030.vdocuments.us/reader030/viewer/2022041211/5dd0e3c5d6be591ccb63316f/html5/thumbnails/17.jpg)
Thanks!
https://www.tockos.org/Amit Levy <[email protected]>
↑ Amit will be on thejob market this year - help me make him smile!