I’ve seen this video of Timothy Roscoe at USENIX ATC '21 recently and was very interested in multikernel OSes.

While Barrelfish is abandoned, it seems that Kirsch is its successor.

However, since I saw this video I have been wondering what changed since the keynote, why it doesn’t seem to be a thing for mainstream kernels, and whether there is any roadmap/will to expand mainstream kernels like Linux to embrace the whole hardware.

Do you have any pointers/ideas or resources to share on this?

  • DaPorkchop_
    36 upvotes · 4 days ago

    This guy (Roscoe) is one of my professors and I’ve heard him give a few talks related to this before, so I’ll try to summarize the problem:

    Basically, modern systems do not really match the classic model of “there’s some memory and peripheral devices attached to a bus, and they’re all driven by the CPU running a kernel which is responsible for controlling everything”. Practically every component has its own memory and processor(s), each running their own software independently of the main kernel (sometimes even with their own separate kernel!), there are separate buses completely inaccessible to the CPU specifically for communicating between components, often virtually every component is directly attached to the memory bus and therefore bypasses the CPU’s memory protection mechanisms, and a lot of these hidden coprocessors are completely undocumented. A modern smartphone SoC can have tens of separate processors all running their own software independently of each other.

    This is bad for a lot of reasons, most importantly that it becomes basically impossible to reason about the correctness or security of the system when the “OS kernel” is actually just one of many equally privileged devices sharing the same bus. An example of what this allows: it is (or was) possible to send malformed WiFi packets and trigger a buffer overrun in certain mobile WiFi modems, allowing an attacker to get arbitrary code execution on the modem and then use that to overwrite the Linux kernel in main memory, thus achieving full kernel-level RCE with no user interaction required. You can have the most security-hardened Linux kernel you want, but that doesn’t mean a damn thing if any one of dozens of other processors can just… overwrite your code or read sensitive data directly from applications!

    As I understand it, the goal of these projects is basically to make the kernel truly control all the hardware again, by having them also provide the firmware/control software for every component in the system. Obviously this requires a very different approach than conventional kernel designs, which basically just assume they rule the machine.

    • bitcrafter@programming.dev
      7 upvotes · 4 days ago

      Interesting! I had not even realized that this was a problem, though it makes sense now after your description. How realistically feasible is this type of approach, though, given that the manufacturers can always just ignore the kernel’s request to reprogram them and continue to access the bus and memory directly?

      • flatbield@beehaw.org
        4 upvotes · 4 days ago

        The system is complex, plus there is a lot of legacy history. Take APTs (Advanced Persistent Threats), for example. I think I have heard that you can no longer guarantee that wiping the system and reinstalling the OS will eliminate them in all cases. They could, for example, burrow into the firmware and microcode.

        Or look at Windows: MS has had huge problems with old drivers and other stuff they run at very high permission levels. Windows is full of stuff from 25 years ago, when security did not matter.

      • catloaf@lemm.ee
        2 upvotes · 4 days ago

        Highly unrealistic without significantly redesigning the entire architecture, meaning all your existing equipment will not be compatible.