Another Rust-y OS: Theseus joins Redox in pursuit of safer, more resilient systems

Rust, a modern system programming language focused on performance, safety and concurrency, seems an ideal choice for creating a new operating system, and several such projects already exist. Now there is a new one, Theseus, described by creator Kevin Boos as "an Experiment in Operating System Structure and State Management." …

  1. Version 1.0

    Security is a word

    Writing a secure operating system with a secure language means that No Such Agency and others will be writing code in Rust to help out. Will we be seeing secure access in the future? While this may fix some security problems, it guarantees nothing - trusting an operating system just because it's written in Rust is the same as assuming that your code is fine and bug free because there were no compiler errors.

    Yes, I'd be very happy to see a completely secure operating system but when it's released, how long before it needs to be patched?

    1. Anonymous Coward

      Re: Security is a word

      I'm not sure what you're talking about (you really lost me), but as for "security" and while I really like Rust, the article title is VERY naive...

      "This one is not just written in Rust – its design is based on Rust features"

      Yep, and when there was an OS first written in C, people hailed that it had to use particular features to be competitive... wait for it... WAIT FOR IT.......... _POINTERS*_!!. And here we go, doing it all over again. The ASM people must be having deja vu (or an ironic laugh).

      Rust is great, I really do like it. However, it will not be better than what we already have in C or C++ as we're 40 years in with those and Rust just isn't that "next level" (or at all) to be considered for a migration.

      1. mevets

        Re: Security is a word

        C was written for UNIX, then used to re-implement UNIX.

        1. Wilhelm Schickhardt

          Re: Security is a word

          UNIX was "given away for free" in order to squeeze out of the market the much more robust and secure ALGOL Mainframes of ICL, Unisys and MCST.

          See this, if you want more insight into the Algol machines:

          https://www.infoq.com/presentations/Null-References-The-Billion-Dollar-Mistake-Tony-Hoare/

          https://www.bloorresearch.com/2020/08/when-is-a-mainframe-not-a-mainframe/

    2. DrXym

      Re: Security is a word

      Rust is safe, not secure. The two things are orthogonal although there is some overlap.

      For example, many C/C++ exploits are due to things like buffer over/underflows. Rust makes it very hard to write code that is vulnerable to that form of attack - at worst you'll get a panic rather than an exploit. Likewise for other exploitable things like null pointer exceptions, heap corruption etc.

      However Rust isn't going to help if the function was supposed to verify a certificate's trust chain but didn't.

      So I would consider it an extremely useful foundation for any secure software or operating system, but it does not mean in and of itself that code will be secure.
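The "safe, not secure" distinction above, as an added example (not code from the thread, nor from Theseus or Redox): a bounds violation in Rust becomes a panic rather than an out-of-bounds read, while a trust-chain verifier that skips a check compiles and runs without complaint. The certificate struct, issuer names and `sample()` data are constructed for the example.

```rust
// Added example, not code from the thread or from Theseus/Redox: Rust bounds
// checks turn an out-of-range index into a panic instead of an out-of-bounds
// read, but a verifier that forgets a check compiles just as cleanly.
use std::collections::HashSet;
use std::panic;

/// Part 1: index past the end of a slice. In C this would read adjacent memory;
/// Rust checks the index and panics, which catch_unwind turns into None here.
pub fn read_past_end(buf: &[u8], idx: usize) -> Option<u8> {
    panic::catch_unwind(|| buf[idx]).ok()
}

/// The idiomatic form never panics: `get` reports the failed lookup as None.
pub fn read_checked(buf: &[u8], idx: usize) -> Option<u8> {
    buf.get(idx).copied()
}

/// Toy certificate (constructed; not a real X.509 parser). `signature_ok`
/// stands in for "the signature over this cert verifies under issuer's key".
#[derive(Clone, Debug)]
pub struct Cert {
    pub subject: String,
    pub issuer: String,
    pub signature_ok: bool,
}

/// Buggy verifier: memory-safe and warning-free, yet it only looks at the leaf
/// and never consults the trust store, so an untrusted issuer is accepted.
pub fn verify_chain_buggy(chain: &[Cert], _roots: &HashSet<String>) -> bool {
    chain.first().map(|leaf| leaf.signature_ok).unwrap_or(false)
}

/// Corrected verifier: every signature must validate, each cert must be issued
/// by the next one up, and the top of the chain must point at a trust anchor.
pub fn verify_chain(chain: &[Cert], roots: &HashSet<String>) -> bool {
    let last = match chain.last() { Some(c) => c, None => return false };
    let signatures_ok = chain.iter().all(|c| c.signature_ok);
    let links_ok = chain.windows(2).all(|w| w[0].issuer == w[1].subject);
    signatures_ok && links_ok && roots.contains(&last.issuer)
}

fn cert(subject: &str, issuer: &str) -> Cert {
    Cert { subject: subject.into(), issuer: issuer.into(), signature_ok: true }
}

/// Constructed sample data: one chain ending at the trusted root, one that
/// ends at an issuer nobody configured as a root.
pub fn sample() -> (Vec<Cert>, Vec<Cert>, HashSet<String>) {
    let mut roots = HashSet::new();
    roots.insert("Example Root CA".to_string());
    let good = vec![
        cert("www.example.test", "Example Intermediate"),
        cert("Example Intermediate", "Example Root CA"),
    ];
    let untrusted = vec![cert("www.example.test", "Unknown Issuer")];
    (good, untrusted, roots)
}

fn main() {
    let buf = [1u8, 2, 3];
    println!("buf[7] -> {:?} (panic caught, no out-of-bounds read)", read_past_end(&buf, 7));
    let (_good, untrusted, roots) = sample();
    println!("buggy accepts untrusted chain: {}", verify_chain_buggy(&untrusted, &roots));
    println!("fixed accepts untrusted chain:  {}", verify_chain(&untrusted, &roots));
}
```

The panic in `read_past_end` still prints a message on stderr before being caught; in a real kernel or daemon that panic is the visible failure to alert on, whereas the buggy verifier produces no signal at all.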

      1. Wilhelm Schickhardt

        Re: Security is a word

        Memory safety will neuter 70% of the CVE database exploits. You are mistaken.

        1. DrXym

          Re: Security is a word

          I'm not sure what you're referring to here, memory safety practices of programmers, or special compilers / post processing, or the kernel itself rearranging memory.

          Whichever you're talking about or all of them, it is obvious that the easiest way to have safe code is to not allow unsafe code to be generated in the first place rather than applying sticky plasters after the fact. And aside from the security aspect, safe code means it doesn't crash all over the place because the compiler stopped the developer from writing something that has the potential to data race or corrupt.

          1. Wilhelm Schickhardt

            Re: Security is a word

            This is the point of the Rust language:

            + no undetected buffer index errors (underflows or overflows)

            + no use after free

            + no double free

            + no multithreaded data races

            The Rust compiler and the generated code will ensure this. C does NOTHING of the like. Man-coded programs typically have these bugs, even if the software engineer is a seasoned expert. That includes the Linux kernel and exploits in gethostbyname() and similar. HPUX ping of death and a plethora of C based exploits in the Windows kernel.

            Regarding efficiency of Rust

            + stack allocation

            + destructors, RAII

            + value arrays

            + soft realtime capable heap memory using refcounting

            Java and C# are somewhat memory safe, but not as efficient and realtime capable as Rust.

    3. A.P. Veening

      Re: Security is a word

      Yes, I'd be very happy to see a completely secure operating system but when it's released, how long before it needs to be patched?

      About as long as you can trust the compiler.

      1. Wilhelm Schickhardt

        Re: Security is a word

        1.) Supply chain attacks happen then and now. But at probably 1000th the frequency of exploitable programming errors being discovered.

        2.) Just because supply chain attacks (in this case the compiler) are possible, does NOT mean we can lay back and ignore the security problems that come from human programming errors.

        3.) As your organization's systems-fortress should have multiple layers of defence; the firewall log analyzer/the security team should detect improper traffic which exfiltrates data.

        Memory safe programs are one layer of security and arguably one of the most important ones.

    4. Wilhelm Schickhardt

      Rationality

      ...suggests we all should be happy to seriously reduce the number of errors and their severity. About 70% of exploitable Bugs are related to C memory unsafety effects. Buffer overflow, use after free, double free etc. See the CVE database.

      Your suggestion of "all or nothing" is counterproductive.

    5. StrangerHereMyself

      Re: Security is a word

      It sounds to me like you're talking about something entirely different, namely that governments can always mandate access no matter how secure your code is. That's something beyond the scope of most operating systems, however.

      Using a secure language makes it, save for logical errors, virtually impossible for any three-letter-agency or anyone else to hack the operating system or its applications (providing these are written in secure languages as well).

  2. A Non e-mouse

    Success

    To determine if an operating system is a success depends on what its aims are and how easy it is to port the relevant programs to it.

    If it's to run databases, Postgres & MySQL are going to be important. Or if it's a web server, Apache/Nginx plus plugins is important.

    etc.

    1. Wilhelm Schickhardt

      Re: Success

      You can already run high security applications on Redox OS. E.g. a database of users and passwords. A proper software engineer will be able to implement this without a complicated and bug-prone RDBMS server written in the unsafe/insecure C language.

  3. Pascal Monett

    "There are others, but most are not very active"

    Which sounds to me just like most forks of existing projects on GitHub.

    There are a lot of people who have an idea and are willing to try to start a project.

    There are a lot less people who are willing and capable of bringing that project to term, not to speak of maintaining it in the long run.

    The fact that a new OS might have trouble rubbing shoulders with the entrenched versions is not an excuse. When Torvalds unleashed Linux on the world, he had no idea he was the guy who was going to allow the Internet to function, most IoT crap to exist and be the father of dozens of similar distros.

    He just did it, and thank God he did.

    You make a new OS that actually works and does what it says on the tin, and you make something that will find its way organically into the IT infrastructure of the world.

    Take the market into account and you might as well not start.

    1. Anonymous Coward

      Re: "There are others, but most are not very active"

      Linux got a boost in interest at a key moment because of a crisis in the BSD Unix world. Just as the first BSD projects were getting into their stride, AT&T sued BSDi alleging there was some of their copyrighted code in BSDi's products. This put a chill on the FreeBSD project since they were relying on the same BSD codebase, and quite a few developers switched to Linux citing its genesis as a ground up implementation of a Unix kernel.

    2. FIA

      Re: "There are others, but most are not very active"

      "When Torvalds unleashed Linux on the world"

      Via the internet....

      ", he had no idea he was the guy who was going to allow the Internet to function, most IoT crap to exist and be the father of dozens of similar distros."

      I suspect some of the GNU contributors might be worth a mention too....

      "He just did it, and thank God he did."

      Well, that depends on your views on things like the GPL. :) I'd've been equally happy to see one of the BSDs fulfil the same role, and were it not for lawyers, one probably would.

      I think there's a strong argument to make that Linux is where it is now, from a technical point of view, due to the feedback from its popularity; 20-25 years ago you could argue the BSDs were better designed, and perhaps back then 'better *nixs'. As someone who cut their teeth on NetBSD I remember constantly being annoyed at the poor Linux man pages for example. (These are now fine, but are they fine because...... Linus.... or because momentum made a boat load of people put in the effort (and money) to make them fine.)

      Had the BSDs had the same momentum they'd be in a similar position now.

  4. Elledan

    Lack of developers

    One of the great strengths of C is that anyone who does serious kernel and OS development is familiar with it, and the quirks are well-known after half a century of C playing a pivotal role in software development.

    Meanwhile Rust is a hobbyist language with few professional developers. That's a pretty small pool to draw developers from who would want to invest hours of their time each week on working on Yet Another Operating System. As evidenced by the large pile of Rust-y projects on GitHub.

    The proclaimed benefits of Rust do not weigh up against those of Go (which is arguably more security & safety-focused), nor those of a language which actually has been certified by the DoD and similar for safety-critical applications.

    Still, anyone has got to have a hobby, no?

    1. Wilhelm Schickhardt

      Lack Of Chefs

      Means we should continue to only eat at McDonalds and Burger King, correct ?

      We should ignore all the nasty effects of C memory bugs and continue to write easily exploitable software ?

  5. Ozzard

    Oh look, the principles don't hold in the real world

    "Yeah, it almost works, but we had to break the principles for the filesystem."

    Well... yes. And anywhere else you need to drive hardware concurrently and across multiple calls. Good luck getting a multi-tenant GPU driver working entirely in a principled way, such that you can have some cores used for (say) a physics sim, some more to render to textures for an external display that ships pixels across USB, and the rest for a game.

    1. Elledan

      Re: Oh look, the principles don't hold in the real world

      Indeed, that was the same kind of idealism that made everyone think that micro-kernels were going to be the new hot thing in what, the 90s? Only it turns out to have so many compromises (outside of specific applications like RTOSes, hi QNX) that a hybrid kernel like that of Windows (NT) is the best one can do there without ending up with an OS that's too impractical to use.

      1. mevets

        Re: Oh look, the principles don't hold in the real world

        You don't happen to use an iPhone, do you? NT is not a hybrid; or at least that is what its author claimed at USENIX micro-kernels and other architectures when unveiling NT.

      2. Wilhelm Schickhardt

        seL4

        You might have a look at this microkernel. It is actively developed and in use for security critical applications. Hensoldt (ex Airbus Germany Systems) continues development and provides commercial support.

        In the last 10 years, the Americans (General Dynamics, DARPA and others) developed several projects based on seL4.

        https://hensoldt-cyber.com/wp-content/uploads/2020/05/seL4-whitepaper.pdf

        seL4 is proven to be memory safe, which was a big effort as it is coded in C. For example, a bug in the TCP stack does not open the entire system, but just the TCP stack. With Linux, Unix or Windows, a single kernel bug hands the crown jewels to the attacker.

        Hensoldt now also uses Rust for application development.

  6. very angry man

    look at the daisy cutters

    Windows is fat and lazy, not to mention disease-ridden, Apple/ mac is well DAH, Linux has its own problems.

    bring on something new, sure the devs will have to actually do some work, so what.

    Microsoft has had to go for so long now, I applaud the guys doing this work, sure some / most will crash and burn But if just one fights its way through then the whole world will be better off.

    KEEP IT UP!

    1. Wilhelm Schickhardt

      Re: look at the daisy cutters

      Read this for the consequences of Windows insecurity:

      https://www.qwant.com/?q=Maersk%20cyber%20attack&t=web

      https://www.qwant.com/?q=Sony%20cyber%20attack&t=web

      Entire corporations had their entire intranets wiped out by powerful malware.

  7. StrangerHereMyself

    Rust is the future

    I've been a proponent of using Rust for writing operating systems for a long time since the C language is almost literally eating the world with its vulnerabilities and insecure memory management. We desperately need a language like Rust.

    All three of these Operating Systems written in Rust are excellent and viable and Theseus is an interesting experiment to see if state-spill free operating systems bring something useful to the game.

    However, looking at KolibriOS and MenuetOS recently, I also believe it might be worthwhile to write a micro-kernel in assembly language to reduce size and increase execution speed. Due to its small size it may be feasible to write this by hand without significant errors.

    1. Crypto Monad

      Re: Rust is the future

      I think you are making contradictory points there. C is, to all intents and purposes, portable assembly language. It exposes all the fundamental underlying architectural things: pointers, integer overflow etc. Issues around memory management and buffer overruns are the same whether you write in C or assembly.

      The only real difference is that if you write in C, then your code gets to run on more processors. A modern compiler can pick a more efficient set of assembly instructions than a human can.

      Aside: my first computer had 1KiB of EPROM and 128 bytes of RAM, later expanded to 4KiB. Having an *assembler* was a huge upgrade from writing directly in hex :-)

      1. StrangerHereMyself

        Re: Rust is the future

        The *real* problem is that C is a systems programming language, but we're using it as an application programming language.

        Systems programming languages are for writing operating systems, device drivers and low-level stuff. However, some people think they need the last ounce of speed a machine is capable of for their trivial applications and insist on using an unsafe language.

        That, in a nutshell, is why C / C++ is eating the world.

        Since it's almost impossible to wean application programmers off the notion that they need that last ounce of speed the only way to correct this is to introduce a safe systems programming language which everyone knows will be used for application development as well.

        1. Wilhelm Schickhardt

          Re: Rust is the future

          The Linux kernel is now in the order of 10s of millions of lines of code. A single bug in this code will typically hand the attacker full control of the computer/embedded system.

          This practice should be stopped and memory safe code should be used in the kernel as much as possible. Or the kernel should be as minimal as possible and also compartmentalized, like seL4.

          Rust-based kernels (which will of course include some unsafe sections) look like a very promising approach.

  8. Wilhelm Schickhardt

    Static Analysis, Strong Typing, Robust Software Engineering / Algol, Pascal, Modula, Ada, Rust

    There is a long line of programming languages which were designed with robustness in mind. It started with the ALGOL versions, created by some of the greatest minds of computer science: Hoare, Wirth, Dijkstra, Bauer and people of similar caliber.

    Several successful mainframe computer product lines were using Algol as a systems and as an application programming language. ICL VME, Burroughs large, MCST.

    As Algol68 turned out to be too complex, Wirth started to create smaller languages in the same spirit: Pascal, Modula, Oberon. Rust has found the spirit of these robust languages again and expanded strong typing to multithreading.

    On the commercial side, the hamburger of programming languages, C, took over the world, as Unix was given away for free. Software Engineers and System admins now have to pray every day their brittle Unix or Windows systems (all coded in C) are not destroyed by some cyber Mafia or hostile Army.

    C's lack of memory safety had catastrophic consequences (e.g. Maersk, Sony) and the language should therefore be retired as much as possible. Regardless of whether some C developers have to learn a new language or whether corporations need to spend money on retraining. Cyber insecurity is much more expensive in many ways.

    1. Wilhelm Schickhardt

      Other Measures

      To achieve cyber security, software engineers certainly need to apply other state of the art techniques such as properly defined interfaces (using EBNF) and semantic checks. All information flowing into a system from the outside must be thoroughly checked for syntax, grammar and semantic correctness. Any failure must lead to a rejection of the message. KISS should be used.

      Other powerful approaches such as firewall traffic logging/monitoring, Sandboxing will still be useful and required.

      Strong typing is one very powerful measure, but it must work in concert with other proven measures such as LL(1) parser construction.

    2. Crypto Monad

      Re: Static Analysis, Strong Typing, Robust Software Engineering / Algol, Pascal, Modula, Ada, Rust

      Memory safety is one class of security problems, and there are tools to deal with them. However, many security issues stem from higher layers - SQL injection and CSRF are just two examples.

      Put it another way: PHP is a memory-safe environment, but I think you'd be hard pressed to claim that everything written in PHP is secure :-)

      The programmer's mindset and approach are far more important. Treat software engineering as a branch of *engineering*.

      1. Wilhelm Schickhardt

        Wrong

        The lack of variable and function parameter type checking is the main reason for the insecurity of real world PHP programs. The idea that programmers can be extremely lazy and do not even have to think about the type of variables has been proven insecure by PHP.

        The fact that they have other hair-raising stuff such as "all HTTP GET parameters become global PHP variables" does introduce further exploit opportunities.

        Then they interpret any string as you "might" want to really have this done then and now. One more mad idea.

        So - PHP is not type safe and its memory safety is superficial as they have no proper type system to speak of. Their other crazy ideas make matters worse, that is true.

        1. Wilhelm Schickhardt

          JavaScript, TypeScript, Rust in the Browser

          With JS, the lack of strong typing is a big reliability and potential security issue, too. TypeScript is one attempt to fix this.

          Another option is to program for the browser in Rust and use LLVM to compile it into asm.js
