CSE Colloquium: RedLeaf: Isolation and Communication in a Safe Operating System

ZOOM INFORMATION: Join from PC, Mac, Linux, iOS or Android: https://psu.zoom.us/j/99602277315?pwd=UDU2dEpFL3N2a20xRWl6ZkNsNTNYQT09 Password: 296169 

or iPhone one-tap (US Toll): +13017158592,99602277315# or +13126266799,99602277315# 

or Telephone: Dial:
+1 301 715 8592 (US Toll)
+1 312 626 6799 (US Toll)
+1 646 876 9923 (US Toll)
+1 253 215 8782 (US Toll)
+1 346 248 7799 (US Toll)
+1 669 900 6833 (US Toll)
Meeting ID: 996 0227 7315
Password: 296169
International numbers available: https://psu.zoom.us/u/abLxagt1t9

ABSTRACT: Four decades ago, early operating system designs identified the ability to isolate kernel subsystems as a critical mechanism for increasing the reliability and security of the entire system. Unfortunately, despite many attempts to introduce fine-grained isolation into the kernel, modern systems remain monolithic. Historically, software and hardware isolation mechanisms have remained prohibitively expensive for the subsystems with the tightest performance budgets. Fortunately, the balance between isolation and performance is changing today with the development of Rust, arguably the first practical language that achieves safety without garbage collection. RedLeaf is a new operating system developed from scratch in Rust to explore the impact of language safety on operating system organization, and specifically the ability to use fine-grained isolation and its benefits in the kernel. In contrast to commodity systems, RedLeaf does not rely on hardware address spaces for isolation and instead uses only the type and memory safety of the Rust language. Departing from costly hardware isolation mechanisms allows us to explore the design space of systems that embrace lightweight, fine-grained isolation. We introduce the abstraction of a language-based isolation domain that provides a unit of information hiding and fault isolation. Domains can be dynamically loaded and cleanly terminated, i.e., errors in one domain do not affect the execution of other domains. Isolation boundaries introduce minimal overhead even in the face of the semantically rich interfaces typical of language-based systems. We implement RedLeaf as a microkernel system in which a collection of isolated domains implements the functionality of the kernel: typical kernel subsystems, a POSIX-like interface, device drivers, and user applications. RedLeaf provides the typical features of a modern kernel: multi-core support, memory management, dynamic loading of kernel extensions, POSIX-like user processes, and blazingly fast device drivers.
Building on RedLeaf's isolation mechanisms, we demonstrate that crashing device drivers can be transparently recovered. Finally, to demonstrate that Rust and fine-grained isolation introduce a practically acceptable overhead, we develop efficient versions of a 10 Gbps Intel Ixgbe network driver and a PCIe-attached NVMe solid-state disk driver that match the performance of carefully optimized user-level equivalents (DPDK and SPDK) developed in an unsafe language.
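The abstract's central security claim is that a fault inside one language-isolated domain (a buggy driver, say) must not corrupt or take down the rest of the system, and that the crashed domain can be replaced transparently. The sketch below is an added illustration written for this announcement, not RedLeaf's own code: it uses the standard library's `catch_unwind` as a userland stand-in for the kernel's unwinding at a domain boundary, and the `NetDriver` trait, the `ToyDriver` type with its constructed bug (indexing a frame shorter than an Ethernet header), and the `Domain` wrapper are all hypothetical names introduced here. What it shows is the defensive property itself: Rust's bounds check turns the driver bug into a panic instead of an out-of-bounds read, the boundary contains that panic, the crashed instance and its state are discarded, and a fresh instance serves the next call.

```rust
use std::panic::{self, AssertUnwindSafe};

/// Interface the rest of the system uses to talk to a driver domain.
/// Hypothetical trait for this example; not RedLeaf's actual driver interface.
pub trait NetDriver {
    /// Queue one frame for transmission; returns total bytes queued so far.
    fn send(&mut self, frame: &[u8]) -> usize;
}

/// Toy network driver with a constructed bug: frames shorter than a 14-byte
/// Ethernet header trigger an out-of-bounds index, which Rust turns into a
/// panic rather than silent memory corruption.
pub struct ToyDriver {
    queued: usize,
}

impl ToyDriver {
    pub fn new() -> Self {
        ToyDriver { queued: 0 }
    }
}

impl NetDriver for ToyDriver {
    fn send(&mut self, frame: &[u8]) -> usize {
        // Bounds-checked indexing: a short frame panics here instead of
        // reading past the end of the slice.
        let _ethertype = u16::from_be_bytes([frame[12], frame[13]]);
        self.queued += frame.len();
        self.queued
    }
}

/// What the caller sees from a cross-domain call.
#[derive(Debug, PartialEq)]
pub enum CallResult {
    Ok(usize),
    DomainCrashed,
}

/// Isolation boundary around a driver: catches the driver's panic so the
/// fault stays inside the domain, drops the crashed instance, and starts a
/// fresh one so later calls keep working (hypothetical wrapper, not RedLeaf's).
pub struct Domain<D: NetDriver> {
    inner: Option<D>,
    make: fn() -> D,
    pub restarts: u32,
}

impl<D: NetDriver> Domain<D> {
    pub fn new(make: fn() -> D) -> Self {
        Domain { inner: Some(make()), make, restarts: 0 }
    }

    pub fn send(&mut self, frame: &[u8]) -> CallResult {
        let drv = self.inner.as_mut().expect("domain is always present between calls");
        // AssertUnwindSafe is justified because the crashed instance is
        // discarded below, so its possibly half-updated state is never reused.
        match panic::catch_unwind(AssertUnwindSafe(|| drv.send(frame))) {
            Ok(n) => CallResult::Ok(n),
            Err(_) => {
                self.inner = Some((self.make)());
                self.restarts += 1;
                CallResult::DomainCrashed
            }
        }
    }
}

/// Constructed scenario: two valid frames, one malformed frame, then a valid
/// frame served by the restarted domain (its byte counter starts from zero).
pub fn scenario() -> (Vec<CallResult>, u32) {
    let mut dom = Domain::new(ToyDriver::new);
    let frames: [Vec<u8>; 4] = [vec![0; 60], vec![0; 100], vec![0; 8], vec![0; 64]];
    let results = frames.iter().map(|f| dom.send(f)).collect();
    (results, dom.restarts)
}

fn main() {
    let (results, restarts) = scenario();
    println!("results = {:?}, restarts = {}", results, restarts);
}
```

Two things the sketch cannot show, and which the talk is about: a kernel has no `std`, so RedLeaf needs its own unwinding and its own rules for what the crashed domain may have been holding (the abstract's "cleanly terminated" is exactly the guarantee that nothing of the dead domain leaks into survivors), and the scenario here relies on the build profile's default `panic = "unwind"`; with `panic = "abort"` there is no boundary to catch anything.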

BIOGRAPHY: Anton Burtsev received his B.S. and M.S. in Applied Mathematics from the National Technical University of Ukraine in 2000 and 2002, and his Ph.D. in Computer Science from the University of Utah in 2013. Prior to joining the faculty of the University of California, Irvine as an Assistant Adjunct Professor in 2016, he was a Research Assistant Professor and a research staff member at the University of Utah. Dr. Burtsev is a systems researcher with many years of first-hand experience in designing and building operating systems. His research interests include 1) operating systems, 2) cloud and operating system security, and 3) operating system support for modern low-latency datacenters and heterogeneous hardware.


Media Contact: Timothy Zhu
