Separately from using a memory safe language for most of the code, device drivers usually do not need to run in a privileged context. They can be run in an isolated process with the IOMMU containing the hardware. Exploiting a network driver shouldn't compromise a whole system.
Even before IOMMU existed, the programming model of letting drivers set up DMA themselves rather than going through a safe public interface that could have imposed IOMMU on them with no source-level changes was bad design.
iOS implements TCP/IP in userspace and most operating systems have drivers at least partially implemented in userspace. Many of the secondary processors in a computer run a microkernel with isolated components. Most smartphones have *at least* one L4 implementation in them.
You talk about microkernels / isolated drivers and memory safe languages as if they haven't already been broadly used in the wild. Most code is written in memory safe languages these days. Systems code is increasingly moving to them too. Kernels and drivers are *mostly* not yet.
Java is a traditional example of a type / memory safe language. It has a very poor quality type system, like C, and it's not good at safety beyond memory safety. It can't do automatic integer overflow checking either, but at least it doesn't lead right to memory corruption bugs.
Most languages are memory safe. That's not a unique thing about Rust. The unique aspect is that it's a memory safe low level language encoding ownership and lifetime concepts into the type system rather than relying on garbage collection or pervasive automatic reference counting.
Swift takes the approach of pervasive automatic (atomic) reference counting. Android heavily uses Java for much of the systems code on top of the kernel and drivers. iOS is increasingly using Swift for that. Most OS services above the kernel don't need a low-level language.
Go is only 95% memory safe since unlike Rust it still has data races and unlike Java it doesn't enforce the guarantee that data races can't lead to memory corruption. However, in practice, Go code is memory safe, and it's guaranteed to be when the runtime is using one OS thread.
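An added example (not from the thread) of the point about Go data races: an interface value is two words, so an unsynchronised concurrent store can be read half-updated, and the fix is to make the store and load atomic as a whole. The `Shape`, `RacyBox`, `SafeBox` and `Hammer` names are constructed for this illustration.

```go
package main

import ("fmt"; "sync")

// A Go interface value is two machine words (type pointer, data pointer). A
// reader racing an unsynchronised store can see one word old and one new,
// which is how a Go data race becomes memory-unsafe rather than just wrong.
type Shape interface{ Area() float64 }
type Square struct{ side float64 }
type Rect struct{ w, h float64 }

func (s Square) Area() float64 { return s.side * s.side }
func (r Rect) Area() float64   { return r.w * r.h }

// RacyBox is the unsafe pattern: plain stores and loads of one interface
// value from several goroutines. Kept for contrast only; not exercised here.
type RacyBox struct{ cur Shape } // `b.cur = s` and `return b.cur` race

// SafeBox is the hardened form: the mutex makes each store and load of the
// interface value happen as a whole, so both words are always consistent.
type SafeBox struct {
	mu  sync.Mutex
	cur Shape
}

func (b *SafeBox) Set(s Shape) { b.mu.Lock(); b.cur = s; b.mu.Unlock() }
func (b *SafeBox) Get() Shape  { b.mu.Lock(); defer b.mu.Unlock(); return b.cur }

// Hammer alternately stores Rect{2,3} (area 6) and Square{1} (area 1) into a
// SafeBox from one goroutine while the caller reads; true means no torn value.
func Hammer(iterations int) bool {
	box := &SafeBox{cur: Square{1}}
	shapes := []Shape{Rect{2, 3}, Square{1}}
	done := make(chan struct{})
	go func() {
		for i := 0; i < iterations; i++ {
			box.Set(shapes[i%2])
		}
		close(done)
	}()
	torn := false
	for i := 0; i < iterations; i++ {
		if a := box.Get().Area(); a != 1 && a != 6 {
			torn = true
		}
	}
	<-done
	return !torn
}

func main() { fmt.Println("consistent reads through SafeBox:", Hammer(100000)) }
```

Running the `RacyBox` equivalent under `go test -race` reports the race; the single-OS-thread case the tweet mentions corresponds to `GOMAXPROCS=1`, where the two words cannot be observed mid-update.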
So, Android's web browser is written in Java? That's news to me!
The browser is an application, not part of the OS code that I was talking about. By the way, Mozilla's interest in Rust (and why they adopted it as a project) was heavily based on their needs writing a web browser, since using C and C++ is a massive security and robustness issue.