A zero kernel operating system : rethinking microkernel design by leveraging tagged architectures and memory-safe languages

Author(s)
Restivo, Justin(Justin P.)
Thumbnail
Download1237530380-MIT.pdf (642.0Kb)
Other Contributors
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science.
Advisor
Howard Shrobe, Hamed Okhravi and Samuel Jero.
Terms of use
MIT theses may be protected by copyright. Please reuse MIT thesis content according to the MIT Libraries Permissions Policy, which is available through the URL provided. http://dspace.mit.edu/handle/1721.1/7582
Metadata
Show full item record
Abstract
A secure kernel is the keystone upon which all software systems are built. Historically, memory corruption errors have accounted for a large portion of kernel bugs. These bugs are difficult to detect and avoid in memory-unsafe languages such as C. To mitigate such bugs, we build on top of an operating system written in a memory-safe language, Rust. Rust provides memory-safety guarantees while remaining as fast and flexible as other systems languages. Yet, some operations within operating systems, such as hand-written assembly for interrupt handling, do not fit within the scope of a language memory-safety model. To reduce the scope of these errors, microkernels isolate and reduce privilege by moving much of the traditional kernel into userspace services. However, their effectiveness is limited by the inflexibility of modern hardware. The Zero Kernel Operating System (ZKOS) emphasizes the high-level ideas of compartmentalization and least privileges on a tagged architecture. In particular, instead of relying on the Ring model and paging, which coarsely limit privilege and isolation granularity, a tagged architecture allows ZKOS to isolate at the memory word level and provide truly disjoint privileges. To this end, ZKOS slices kernelspace and userspace into fine-grained components based on function. Then, ZKOS defines specific entry and exit points between components and composes policies to limit component transitions and privileges. This increases the precision of isolation and privilege, and complements the local compile-time and runtime checks Rust performs to reduce the scope of bugs.
Description
Thesis: M. Eng., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, February, 2020
 
Cataloged from student-submitted PDF of thesis.
 
Includes bibliographical references (pages 54-60).
 
Date issued
2020
URI
https://hdl.handle.net/1721.1/129858
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology
Keywords
Electrical Engineering and Computer Science.
Collections