msc-thesis/src/docs/parts/research_and_development/research_and_development.tex

% // vim: set ft=tex:
\chapter{Concrete Research Tasks}

\section{Definition Of Additional Analysis Rules To Extend Safety Checks}
% TODO: Business Logic Checks
% Examples: 
% TLB needs to be reset on Task Change
% ISR-Stack-Frame needs to be updated on context-switch

\section{Software Fault Isolation}
% TODO: content from \cite{Balasubramanian2017}

% TODO Which language items help with managing memory?
% TODO How generic can the memory allocators be written?

% TODO Guarantees to be statically checked:
% TODO * Control access to duplicates in page tables
% TODO * Tasks can't access unallocated (physical) memory
% TODO * Tasks can't access other tasks memory

\chapter{An Introduction To Rust}
\label{context::rust}
Described by the maintainers, it is a "systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.", (www.rust-lang.org)

\section{Compiler Architecture}
- TODO: Tokens? AST? LLVM? (http://embed.rs/articles/2016/arm-inline-assembly-rust/)

- TODO: BSYS SS17 GITHUB IO Rust Memory Layout - 4

\subsection{Static Analyser}
- TODO: mention electrolyte, formal verification for Rust

\section{Language Features}
- TODO: How does static typing help with preventing programming errors

- TODO: How does the Rust's static analysis work, theoretically and practically

- TODO: How can memory be dynamically allocated and still safety checked?

\subsection{Ownership And Borrows}
- TODO: Who owns global 'static variables?


\subsection{Lifetimes}
- TODO: Where are global 'static variables allocated?

\subsection{Type Safety}
- TODO: demonstrate casts

- TODO: demonstrate raw pointers

- TODO: discuss the equivalents of void*?

\subsection{Inner- and Outer Mutability}
- TODO: describe Rc, Arc, and {Ref,}Cell

- https://nercury.github.io/rust/guide/2015/01/19/ownership.html

\subsection{Zero-Cost Abstraction}
\section{Language Extension}
\subsection{Syntax Extension}
\subsubsection{Macros}
\subsubsection{Annotations}
\subsection{Compiler Plugins}

\section{Idioms And Patterns}

\subsection{The Newtype Pattern}
https://aturon.github.io/features/types/newtype.html

\section{Limitations}
* TODO: deadlock example
* TODO: cyclic reference memory leak example

\chapter{Weakness Mitigation Evaluation}
\label{rnd::weakness-mitig-eval}

\section{CWE Mitigation Suggestions Evaluation}
\label{rnd::weakness-mitig-eval::cwe-mitig-suggestion-eval}

\section{Porting \glsentrytext{C} Vulnerabilities}
\label{rnd::weakness-mitig-eval::porting-c-vulns}

In this chapter, the weakness manifestations given in \cref{context::weaknesses-mem-safety::manifestations} are rewritten in \gls{Rust} to examine if these are mitigated just by porting them.
This is done incrementally by first porting the vulnerability to unsafe Rust, followed by a rewrite to drop all unsafe code but keeping the intended functionality.
% TODO official CWE-119 examples

\section{Stack Protection}
\label{rnd::weakness-mitig-eval::stack-protection}
The goal of this chapter is to learn about \gls{Rust}'s stack protection mechanisms. 

\subsection{Return Address Manipulation Experiments}
\label{rnd::weakness-mitig-eval::stack-protection::ret-addr-experiments}
The following manifestations are minimal constructions, supposedly to easy to understand. 
They should allow to get a grasp of what vulnerabilities might look like, and at the same time display weaknesses of the \gls{C} language.

\Cref{code::context::examples::sf-modification-simple} is a little example program in \gls{C}, which manipulates the return function address stored on the \gls{stack}.
This is done by simple and legal pointer arithmetic.
It abuses the address of the first local variable to create references into the \gls{sf} below on the \gls{stack}.
Since the first variable is in the beginning of the \gls{sf} of the called function, it can be used to guess the position of the return address on the \gls{stack}.
Depending on the \gls{compiler} settings, the return address is stored either one or two stack entries in front of the first local variable for a function with no arguments.
In a brute-force manner the program simply overwrites both entries with the address of \code{simple_printer}.
By writing a different function address at these entries, the \code{ret} instruction will jump there, since the original return address has been overwritten.

\begin{figure}[ht!]
\begin{subfigure}[T]{0.60\textwidth}
\centering
\begin{minted}[linenos,breaklines]{c}
void modifier(void) {
  uint64_t *p;
  *(&p + 1) = 
      (uint64_t *)simple_printer;
  *(&p + 2) = 
      (uint64_t *)simple_printer;
}
\end{minted}
\subcaption{C code}
\end{subfigure}
\begin{subfigure}[T]{0.39\textwidth}
\centering
\begin{minted}[linenos,breaklines]{objdump}
movabs rax,0x400690
mov    QWORD PTR [rsp],rax
mov    QWORD PTR [rsp+0x8],rax
ret    
\end{minted}
\subcaption{ASM code}
\end{subfigure}
\caption{Stack-Frame Modification in C}
\label{code::context::examples::sf-modification-simple}
\end{figure}

\Cref{TODO-callstack-manipulation} is an attempt to visualize what happens in memory and with the \gls{stack} and the \gls{cpu}'s RIP {64-Bit Instruction Pointer} register.

\begin{figure}
    \includegraphics[width=\textwidth]{gfx/TODO-callstack-manipulation}
    \caption{TODO-callstack-manipulation}
    \label{TODO-callstack-manipulation}
\end{figure}
\FloatBarrier

\subsection{Rust and the Stack Clash}
\label{rnd::weakness-mitig-eval::stack-protection::rust-stack-clash}
This subsection determines if \gls{Rust} can solve the issue described in \cpnameref{context::weaknesses-mem-safety::manifestations::stack-clash} from userspace and \gls{os} perspectives.

% TODO https://github.com/rust-lang/rust/issues/16012

\chapter{\glsentrytext{LX} Modules Written In \glsentrytext{Rust}}
The numerous \gls{LX} vulnerabilities are a great motivator for using \gls{Rust} for \gls{LX} drivers.
This chapter presents the attempt to use \gls{Rust} for a simple buffer that is presented to userspace as a character device.

- TODO: explain the difficulty to use the Kernel's C Macros, which are required to expose a character device

\chapter{Existing \glsentrytext{os}-Development Projects Based On Rust}
\label{rnd::existing-os-dev-with-rust}

\section{Libraries}

\subsection{Libfringe}
% TODO: https://github.com/edef1c/libfringe

\section{Systems}
\subsection{intermezzOS}
\subsection{Blog OS}
\subsection{Redox}
\subsection{Tock}
%TODO: mention paper's by tockos team
 
\chapter{\glsentrytext{imezzos}: Adding Preemptive \glsentrytext{os}-Level Multitasking}
\label{rnd::imezzos-preemptive-multitasking}

\section{Timed Interrupts For Scheduling and Dispatching}

\section{Simple Stack Allocation Scheme}

\section{Risk Of Stack-Overflow}
% TODO: The compiler doesn't check for stack overflows.
% TODO: Describe possible implementation. 
%    Parameters:
%        Stack limit for each function: user defined constant,
%        Stack size for each function: calculated,
%        Call-Tree: calculated,