Great talk! Very clear communication of Hubris’s design, and of specific cases where Rust enables patterns that statically prevent bugs. Also, I love the mindset that led to developing the Humility debugger. Oxide seems poised to have a big impact.
It looked interesting enough: the design appears to be basically Rust-assisted key tenets of MISRA and isolation of tasks. So I cloned and built it. The binary and an STM32 board are now waiting for, uh, me finding that USB-C to USB-A dongle.
Excellent talk. It’s great to see alternative design and novel (?) approaches to OS design. I did enjoy the part about the nice properties of synchronicity, and the drawbacks of asynchronous systems, which are all the modern rage.
Several aspects remind me of Separation Kernels, a design from 1973 or so. See muen.sk for a modern take.
I have not seen Separation Kernels before.
Thanks for sharing that.
After a quick look, I would like your opinion. What is the difference between a Separation Kernel and a hypervisor?
Hypervisors are generally built for maximizing resource utilization while Separation Kernels assign fixed resources to VMs even if they don’t use them if that helps isolate them from one another, so that even two cooperating VMs can’t communicate (e.g. through side-channels) unless the SK explicitly allows it as part of the active policy.
Memory ballooning, shared NIC bandwidth, shared I/O bandwidth, CPU cache behavior, various properties around GPU resources can be abused as a side-channel (even if very low bandwidth - although once identified, researchers usually manage to increase that considerably) but all of that still makes sense for “normal” hypervisor setups.
(Correction to my earlier post: Separation Kernels were discussed in 1981. The more general Security Kernel concept was discussed in 1975 and Bell & LaPadula “Secure Computer System: A Mathematical Model” appeared in 1973. I haven’t been very active in that space for quite a few years so I mixed up the timeline.)
This is excellent. Thank you.