kwast-os / kwast Goto Github PK
View Code? Open in Web Editor NEWRust operating system running WebAssembly as userspace in ring 0
License: MIT License
Rust operating system running WebAssembly as userspace in ring 0
License: MIT License
We need it soon because the wasm part of the kernel really depends on it.
We can use something like slab allocation as described by Jeff Bonwick for small objects.
The bigger objects can be allocated from a different allocator, something like a linked list or skip list.
Note: use multiple PMM stacks for this
Holds one or more SIPs.
Also, lazily allocate part of the stack?
Increase limit of interrupt stack?
Specialised caches for the compilation is a nice optimisation to have.
Idea for the far future:
We have a microkernel architecture, which means that every service runs as a server. We could create a program that acts as a proxy for those servers.
The proxy intercepts the traffic between user program <-> server and could send it over network to another computer.
Could be used so other computers could interact with a device on another computer using such proxy server, could happen transparently.
Options:
Some quick benchmarks show that a FPU store+restore takes about 32ns on my system (i7 4th gen 3.6GHz).
A single FPU store requires about 16ns.
Pingpong IPC requires two context switches, which means a 64ns overhead on FPU state.
Doing a lazy FPU store + restore the classic way requires disabling the FPU and relying on an ISR to re-enable and restore.
However, this approach has more overhead than what you get back (> 32ns) as I measured.
Besides the overhead issue, there's also the lazy FPU restore vulnerability. If a lazy mechanism is implemented, it can only be applied to storing the FPU state: the current task must always have its own FPU state loaded.
An alternative method to implement FPU lazy store is relying in the compiler.
If we could detect the use of FPU instructions in a basic block, we could insert an instruction in that basic block which sets a flag, something like this:
movb $1, %fs:0 // With fs the TLS register, assuming offset 0 is the flag offset
This would mean that the hardware overhead for lazy FPU store is replaced by a single move instruction, which should be pretty cheap.
So panics, memory allocation can be recovered from.
lock_api
, hardware lock elisionNote: I'm not sure about all of this.
Using classification of https://arxiv.org/pdf/1811.05441.pdf
Processes can run in the same hardware protection domain, or in a seperate domain. In case of the same domain, we rely on software isolation.
We give each process a 4GiB slice, to be used as a data heap. Processes can only address in this slice because memory accesses are represented as a "64-bit heap offset" + "32-bit user offset". We control the 64-bit offset, so it is impossible to address outside of your own slice. The code the processes are executing is located elsewhere in memory.
Microcode and compiler mitigations inside Cranelift may help (Cranelift currently doesn't do that)?
This is about leaking kernel memory. As far as I know, you need to be able to construct an address pointing to the kernel memory you want to leak. Due to the way processes are set up, this is not possible.
?
Architecture system registers cannot be represented in WebAssembly. System registers are accessed inside the kernel itself, so I'm not sure if that can be used in a way.
Solution: Always restore the FP state, don't use the lazy restore mechanism.
Most applications nowadays use SIMD optimisations anyways, so the impact is not too bad.
Does this require the creation of an arbitrary pointer, or can it be exploited in another way?
?
Software doesn't have direct access to the instructions required to trigger a "Bound Range Exceeded" exception. If this is ever exposed, the kernel will have to be involved, so this could maybe be mitigated there?
The vulnerabilities need (at least) microcode updates.
Should figure out what locks to take, especially when modifying page table structures.
May not be necessary because each process will have their own virtual memory regions stored outside of the page tables.
If a service wants to map a MMIO area, we would have to make sure that no one else mapped this, but doing this in the page tables is probably not a good idea.
Locks will be needed when modifying tables (creating tables, removing, changing used count)
Currently WIP.
We need a safe stack to execute interrupts (for example in case of a page fault).
For loading basic modules. tar? cpio archive?
This includes multiple sub-issues, some todo items that come to my mind (items missing):
wasm_test
This helps the case of multiple address spaces.
We should correctly map the kernel (and boot modules), now everything is read+write+execute.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.