Title: Towards a Safe and Sound Operating System
Authors: Martin Kröning, Stefan Lankes, Jonathan Klimt
E-Mail: martin.kroening@eonerc.rwth-aachen.de
Affiliation: RWTH Aachen
Abstract: As computers increasingly integrate into everyday life and the number of cyberattacks by malicious actors grows, cybersecurity is more important than ever. Aside from logic errors, security vulnerabilities arise from memory access bugs such as use-after-free errors, integer overflows, and out-of-bounds accesses. In large projects written in the classic systems programming languages C and C++, experience shows that more than two thirds of all security vulnerabilities are caused by memory access bugs. We migrated our Hermit unikernel project from C to Rust in 2018, because the (then still young) Rust programming language prevents memory access bugs systematically rather than relying on programmer discipline. While safe Rust guarantees memory safety (the absence of memory access bugs), there is also unsafe Rust for operations whose correctness the compiler cannot check, such as dereferencing raw pointers or accessing hardware registers. When developing an operating system, unsafe Rust is unavoidable. The principle that makes this division work is Rust's safety property: “No matter what, safe Rust can’t cause undefined behavior.” Every use of unsafe Rust therefore has to be wrapped in an abstraction that upholds this property for all possible calls from safe code; an abstraction that fails to do so is unsound, and a single unsound abstraction voids the guarantee for the whole program. In this talk, we will present our experience with migrating from C to Rust and the problems that arose from thinking about Rust the same way we thought about C. We will motivate the existence of undefined behavior, safety, and soundness before highlighting a few of our initial mistakes. Specifically, we will touch on a few Rust-specific patterns we adopted to increase safety and soundness. Finally, we will describe how far we have come and give an outlook on future work.
Language of the Presentation: English
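The safety and soundness distinction the abstract is built on, shown as an added example that is not Hermit code: a small fixed-size table (think of an interrupt descriptor table) whose unchecked read is exposed once unsoundly and twice soundly. The `Table` type, its methods and the constant `TABLE_LEN` are hypothetical names chosen for this illustration.

```rust
// Added example, not from the Hermit project. `Table`, its methods and
// `TABLE_LEN` are hypothetical names for illustration only.

/// Number of entries in the table (hypothetical constant).
pub const TABLE_LEN: usize = 8;

/// A fixed-size table such as an interrupt descriptor table.
pub struct Table {
    entries: [u32; TABLE_LEN],
}

impl Table {
    pub fn new() -> Self {
        Table { entries: [0; TABLE_LEN] }
    }

    /// Sets entry `idx`; returns false (and changes nothing) if `idx` is out of range.
    pub fn set(&mut self, idx: usize, value: u32) -> bool {
        match self.entries.get_mut(idx) {
            Some(slot) => {
                *slot = value;
                true
            }
            None => false,
        }
    }

    /// UNSOUND: callable from safe code, yet for `idx >= TABLE_LEN` it reads
    /// out of bounds, which is undefined behavior. The `unsafe` block is
    /// present, but the safety property ("safe Rust can't cause UB") is
    /// violated because nothing establishes the invariant the block relies on.
    pub fn entry_unsound(&self, idx: usize) -> u32 {
        // SAFETY (wrong): `idx` is merely assumed to be in range.
        unsafe { *self.entries.as_ptr().add(idx) }
    }

    /// Sound, variant 1: keep the unchecked read but mark the function
    /// `unsafe`, so the obligation to prove `idx < TABLE_LEN` moves to the
    /// caller and is visible at every call site.
    ///
    /// # Safety
    /// `idx` must be less than `TABLE_LEN`.
    pub unsafe fn entry_unchecked(&self, idx: usize) -> u32 {
        debug_assert!(idx < TABLE_LEN, "caller violated the safety contract");
        // SAFETY: the caller guarantees `idx < TABLE_LEN`, so the pointer
        // stays inside `self.entries`.
        unsafe { *self.entries.as_ptr().add(idx) }
    }

    /// Sound, variant 2: a safe wrapper that establishes the invariant itself.
    /// Every possible call from safe code is now defined; an out-of-range
    /// index yields `None` instead of a silent out-of-bounds read.
    pub fn entry(&self, idx: usize) -> Option<u32> {
        if idx < TABLE_LEN {
            // SAFETY: the check above establishes `idx < TABLE_LEN`.
            Some(unsafe { self.entry_unchecked(idx) })
        } else {
            None
        }
    }
}

fn main() {
    let mut table = Table::new();
    assert!(table.set(3, 0xdead_beef));
    assert!(!table.set(TABLE_LEN, 1));
    assert_eq!(table.entry(3), Some(0xdead_beef));
    assert_eq!(table.entry(TABLE_LEN), None);
    // The only correct use of the unsafe variant: the caller proves the contract.
    let v = unsafe { table.entry_unchecked(3) };
    println!("entry 3 = {v:#x}");
    // `table.entry_unsound(TABLE_LEN)` would compile without any `unsafe`
    // at the call site and would be undefined behavior; that is exactly
    // what "unsound" means.
}
```

The point is that `entry_unsound` and `entry_unchecked` contain the identical unsafe block; what differs is whether the function signature tells safe callers that they carry a proof obligation. In a kernel the same pattern applies to MMIO accesses, page table entries and anything else reached through a raw pointer: either the wrapper checks the invariant itself and stays safe, or it is declared `unsafe fn` with its contract documented, never a safe function that quietly trusts its arguments.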