Conversation

[Tweet deleted by its author]
Separately from using a memory safe language for most of the code, device drivers usually do not need to run in a privileged context. They can be run in an isolated process with the IOMMU containing the hardware. Exploiting a network driver shouldn't compromise a whole system.
[Tweet deleted by its author]
[Tweet deleted by its author]
[Tweet deleted by its author]
iOS implements TCP/IP in userspace and most operating systems have drivers at least partially implemented in userspace. Many of the secondary processors in a computer run a microkernel with isolated components. Most smartphones have *at least* one L4 implementation in them.
You talk about microkernels / isolated drivers and memory safe languages as if they haven't already been broadly used in the wild. Most code is written in memory safe languages these days. Systems code is increasingly moving to them too. Kernels and drivers are *mostly* not yet.
[Tweet deleted by its author]
[Tweet deleted by its author]
Threads sharing data structures, synchronizing together with locking and passing data between each other are obviously communicating. Everything is shared and accessible across them. There are no clear boundaries or communication protocols. It's very complex and not understood.
There's a reason lockdep was mentioned, but concurrency / communication in Linux is a lot more complicated than just getting locking right. twitter.com/billhuey/statu Sharing far more and communicating far more in poorly defined / understood ways is not simpler or easier.
Quote Tweet
Replying to @DanielMicay @vyodaiken and 5 others
It's like that for Linux kernel as well. There are classes of bugs that defy casual static analysis and you have to basically make your own runtime correctness checking tools (lockdep etc)
[Tweet deleted by its author]
Okay, and the Linux kernel doesn't even try and just has millions of lines of code in the same address space with no isolation, no security boundaries, no actual design or protocols for communication between them, etc. It's not at a human scale of understanding at all. It's far beyond.
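The thread contrasts two designs: a driver living in the kernel's address space, where one bug reaches everything, versus a driver in its own process that the kernel talks to over a defined protocol (the "isolated process with the IOMMU containing the hardware" design from the first reply, and the "no boundaries, no protocols" complaint in the last). The following is an added example written for this page, not code from any participant or from any real kernel. It assumes a hypothetical two-message protocol (MSG_LINK_UP, MSG_RX_FRAME), a hypothetical kernel-side `struct net_state`, and a constructed raw-frame input; the driver's memory-corruption bug is stood in for by abort() so the run is deterministic.

```c
/* Added example, not code from the thread: a "kernel" process keeps a network driver in an
 * isolated child and talks to it only through a small, strictly validated message protocol.
 * Everything here (message types, state layout, frame format) is hypothetical. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_PAYLOAD 64
enum { MSG_LINK_UP = 1, MSG_RX_FRAME = 2 };
struct msg_hdr { uint32_t type; uint32_t len; };   /* wire format: fixed header, bounded payload */
/* Kernel-side state: lives only in the kernel process; the driver can only request changes. */
struct net_state { unsigned frames_rx; unsigned link_up; unsigned rejected; };

static int read_full(int fd, void *p, size_t n)
{
    for (size_t got = 0; got < n; ) {
        ssize_t r = read(fd, (uint8_t *)p + got, n - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Kernel half of the protocol. Returns 0 if the message is accepted, -1 on any violation. */
int kernel_handle_msg(struct net_state *st, uint32_t type, const uint8_t *payload, uint32_t len)
{
    if (type == MSG_LINK_UP && len == 0) { st->link_up = 1; return 0; }
    if (type == MSG_RX_FRAME && len <= MAX_PAYLOAD) {
        uint8_t frame[MAX_PAYLOAD];                  /* bounded copy: len checked first */
        memcpy(frame, payload, len);
        st->frames_rx++;
        return 0;
    }
    st->rejected++;
    return -1;
}

/* Driver process. Input is raw frames as [1-byte length][bytes]. It has a deliberate bug:
 * a frame longer than its 64-byte buffer would overflow it. abort() stands in for the
 * overflow so the demo is deterministic; the crash stays inside this process. */
static void driver_main(int in_fd, int out_fd)
{
    struct msg_hdr h = { MSG_LINK_UP, 0 };
    (void)write(out_fd, &h, sizeof h);
    for (;;) {
        uint8_t len, buf[MAX_PAYLOAD];
        if (read_full(in_fd, &len, 1) < 0) break;   /* EOF: kernel closed the pipe */
        if (len > sizeof buf) abort();              /* the "memory corruption" bug */
        if (read_full(in_fd, buf, len) < 0) break;
        h.type = MSG_RX_FRAME; h.len = len;
        (void)write(out_fd, &h, sizeof h);
        (void)write(out_fd, buf, len);
    }
    _exit(0);
}

/* Fork the driver, feed it `wire`, consume its messages. Returns 0 if the driver exited
 * cleanly, 1 if it crashed or broke protocol and was killed; st is updated either way. */
int run_isolated_driver(struct net_state *st, const uint8_t *wire, size_t wire_len)
{
    int to_drv[2], from_drv[2], killed = 0, status = 0;
    if (pipe(to_drv) < 0 || pipe(from_drv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(to_drv[1]); close(from_drv[0]); driver_main(to_drv[0], from_drv[1]); }
    close(to_drv[0]); close(from_drv[1]);
    (void)write(to_drv[1], wire, wire_len);         /* tiny input, fits the pipe buffer */
    close(to_drv[1]);
    struct msg_hdr h; uint8_t payload[MAX_PAYLOAD];
    while (read_full(from_drv[0], &h, sizeof h) == 0) {
        if (h.len > MAX_PAYLOAD) {                  /* framing can no longer be trusted */
            st->rejected++; kill(pid, SIGKILL); killed = 1; break;
        }
        if (read_full(from_drv[0], payload, h.len) < 0) break;
        kernel_handle_msg(st, h.type, payload, h.len);
    }
    close(from_drv[0]);
    waitpid(pid, &status, 0);
    return (killed || !WIFEXITED(status) || WEXITSTATUS(status) != 0) ? 1 : 0;
}

/* Constructed scenario: two valid frames, then one claiming 255 bytes. */
int demo_hostile_frame(struct net_state *st)
{
    static const uint8_t wire[] = { 3, 'a', 'b', 'c', 2, 'x', 'y', 0xFF, 1, 2, 3 };
    memset(st, 0, sizeof *st);
    return run_isolated_driver(st, wire, sizeof wire);
}

int main(void)
{
    struct net_state st;
    int died = demo_hostile_frame(&st);
    printf("driver died=%d link_up=%u frames_rx=%u rejected=%u\n", died, st.link_up, st.frames_rx, st.rejected);
    return 0;
}
```

After the hostile frame the driver process is gone, but the kernel-side state still records the link coming up and the two good frames, and nothing the driver did could have written into `struct net_state`: the only path across the boundary is a message the kernel parses with its own bounds checks, and a driver that breaks framing is killed rather than trusted. This demo covers only the CPU-side boundary; for a real device the hardware's DMA also has to be confined, which is the IOMMU's job mentioned in the first reply.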