% // vim: set ft=tex: \chapter{Concrete Research Tasks} \section{Definition Of Additional Analysis Rules To Extend Safety Checks} % TODO: Business Logic Checks % Examples: % TLB needs to be reset on Task Change % ISR-Stack-Frame needs to be updated on context-switch \section{Software Fault Isolation} % TODO: content from \cite{Balasubramanian2017} % TODO Which language items help with managing memory? % TODO How generic can the memory allocators be written? % TODO Guarantees to be statically checked: % TODO * Control access to duplicates in page tables % TODO * Tasks can't access unallocated (physical) memory % TODO * Tasks can't access other tasks memory \chapter{An Introduction To Rust} \label{context::rust} Described by the maintainers, it is a "systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.", (www.rust-lang.org) \section{Compiler Architecture} - TODO: Tokens? AST? LLVM? (http://embed.rs/articles/2016/arm-inline-assembly-rust/) - TODO: BSYS SS17 GITHUB IO Rust Memory Layout - 4 \subsection{Static Analyser} - TODO: mention electrolyte, formal verification for Rust \section{Language Features} - TODO: How does static typing help with preventing programming errors - TODO: How does the Rust's static analysis work, theoretically and practically - TODO: How can memory be dynamically allocated and still safety checked? \subsection{Ownership And Borrows} - TODO: Who owns global 'static variables? \subsection{Lifetimes} - TODO: Where are global 'static variables allocated? \subsection{Type Safety} - TODO: demonstrate casts - TODO: demonstrate raw pointers - TODO: discuss the equivalents of void*? \subsection{Inner- and Outer Mutability} - TODO: describe Rc, Arc, and {Ref,}Cell - https://nercury.github.io/rust/guide/2015/01/19/ownership.html \subsection{Zero-Cost Abstraction} \section{Language Extension} \subsection{Syntax Extension} \subsubsection{Macros} \subsubsection{Annotations} \subsection{Compiler Plugins} \section{Idioms And Patterns} \subsection{The Newtype Pattern} https://aturon.github.io/features/types/newtype.html \section{Limitations} * TODO: deadlock example * TODO: cyclic reference memory leak example \chapter{Weakness Mitigation Evaluation} \label{rnd::weakness-mitig-eval} \section{CWE Mitigation Suggestions Evaluation} \label{rnd::weakness-mitig-eval::cwe-mitig-suggestion-eval} \section{Porting \glsentrytext{C} Vulnerabilities} \label{rnd::weakness-mitig-eval::porting-c-vulns} In this chapter, the weakness manifestations given in \cref{context::weaknesses-mem-safety::manifestations} are rewritten in \gls{Rust} to examine if these are mitigated just by porting them. This is done incrementally by first porting the vulnerability to unsafe Rust, followed by a rewrite to drop all unsafe code but keeping the intended functionality. % TODO official CWE-119 examples \section{Stack Protection} \label{rnd::weakness-mitig-eval::stack-protection} The goal of this chapter is to learn about \gls{Rust}'s stack protection mechanisms. \subsection{Return Address Manipulation Experiments} \label{rnd::weakness-mitig-eval::stack-protection::ret-addr-experiments} The following manifestations are minimal constructions, supposedly to easy to understand. They should allow to get a grasp of what vulnerabilities might look like, and at the same time display weaknesses of the \gls{C} language. \Cref{code::context::examples::sf-modification-simple} is a little example program in \gls{C}, which manipulates the return function address stored on the \gls{stack}. This is done by simple and legal pointer arithmetic. It abuses the address of the first local variable to create references into the \gls{sf} below on the \gls{stack}. Since the first variable is in the beginning of the \gls{sf} of the called function, it can be used to guess the position of the return address on the \gls{stack}. Depending on the \gls{compiler} settings, the return address is stored either one or two stack entries in front of the first local variable for a function with no arguments. In a brute-force manner the program simply overwrites both entries with the address of \code{simple_printer}. By writing a different function address at these entries, the \code{ret} instruction will jump there, since the original return address has been overwritten. \begin{figure}[ht!] \begin{subfigure}[T]{0.60\textwidth} \centering \begin{minted}[linenos,breaklines]{c} void modifier(void) { uint64_t *p; *(&p + 1) = (uint64_t *)simple_printer; *(&p + 2) = (uint64_t *)simple_printer; } \end{minted} \subcaption{C code} \end{subfigure} \begin{subfigure}[T]{0.39\textwidth} \centering \begin{minted}[linenos,breaklines]{objdump} movabs rax,0x400690 mov QWORD PTR [rsp],rax mov QWORD PTR [rsp+0x8],rax ret \end{minted} \subcaption{ASM code} \end{subfigure} \caption{Stack-Frame Modification in C} \label{code::context::examples::sf-modification-simple} \end{figure} \Cref{TODO-callstack-manipulation} is an attempt to visualize what happens in memory and with the \gls{stack} and the \gls{cpu}'s RIP {64-Bit Instruction Pointer} register. \begin{figure} \includegraphics[width=\textwidth]{gfx/TODO-callstack-manipulation} \caption{TODO-callstack-manipulation} \label{TODO-callstack-manipulation} \end{figure} \FloatBarrier \subsection{Rust and the Stack Clash} \label{rnd::weakness-mitig-eval::stack-protection::rust-stack-clash} This subsection determines if \gls{Rust} can solve the issue described in \cpnameref{context::weaknesses-mem-safety::manifestations::stack-clash} from userspace and \gls{os} perspectives. % TODO https://github.com/rust-lang/rust/issues/16012 \chapter{\glsentrytext{LX} Modules Written In \glsentrytext{Rust}} The numerous \gls{LX} vulnerabilities are a great motivator for using \gls{Rust} for \gls{LX} drivers. This chapter presents the attempt to use \gls{Rust} for a simple buffer that is presented to userspace as a character device. - TODO: explain the difficulty to use the Kernel's C Macros, which are required to expose a character device \chapter{Existing \glsentrytext{os}-Development Projects Based On Rust} \label{rnd::existing-os-dev-with-rust} \section{Libraries} \subsection{Libfringe} % TODO: https://github.com/edef1c/libfringe \section{Systems} \subsection{intermezzOS} \subsection{Blog OS} \subsection{Redox} \subsection{Tock} %TODO: mention paper's by tockos team \chapter{\glsentrytext{imezzos}: Adding Preemptive \glsentrytext{os}-Level Multitasking} \label{rnd::imezzos-preemptive-multitasking} \section{Timed Interrupts For Scheduling and Dispatching} \section{Simple Stack Allocation Scheme} \section{Risk Of Stack-Overflow} % TODO: The compiler doesn't check for stack overflows. % TODO: Describe possible implementation. % Parameters: % Stack limit for each function: user defined constant, % Stack size for each function: calculated, % Call-Tree: calculated,