Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences...

57
ownership is theft: experiences building an embedded os in rust Amit Levy Michael P Andersen Bradford Campbell David Culler Prabal Dutta Branden Ghena Philip Levis Pat Pannuto October 4th, 2015 1

Transcript of Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences...

Page 1: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

ownership is theft: experiences building anembedded os in rust

Amit Levy Michael P Andersen Bradford Campbell David CullerPrabal Dutta Branden Ghena Philip Levis Pat PannutoOctober 4th, 2015

1

Page 2: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

ownership is theft: experiences building anembedded os in rust

Amit Levy Michael P Andersen Bradford Campbell David CullerPrabal Dutta Branden Ghena Philip Levis Pat PannutoOctober 4th, 2015

2

Page 3: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

• TinyOS about 15 years old

• Lots of changes in embedded applications hardware since

• TinyOS written in nesC (a dialect of C)

• Decided to revisit the design of an embedded OS andwrite it in a safe language.

3

Page 4: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

• TinyOS about 15 years old

• Lots of changes in embedded applications hardware since

• TinyOS written in nesC (a dialect of C)

• Decided to revisit the design of an embedded OS andwrite it in a safe language.

3

Page 5: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

• TinyOS about 15 years old

• Lots of changes in embedded applications hardware since

• TinyOS written in nesC (a dialect of C)

• Decided to revisit the design of an embedded OS andwrite it in a safe language.

3

Page 6: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

• TinyOS about 15 years old

• Lots of changes in embedded applications hardware since

• TinyOS written in nesC (a dialect of C)

• Decided to revisit the design of an embedded OS andwrite it in a safe language.

3

Page 7: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

“When we ported TinyOS from C to nesC it only took a few weeks!”

4

Page 8: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

But here we are a year later...

We didn’t take into account how much our choice of languagewould affect our system’s design.

5

Page 9: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

But here we are a year later...

We didn’t take into account how much our choice of languagewould affect our system’s design.

5

Page 10: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

It can be convenient to think of operating system design andlanguage design as independent.

OS Designer

“If I simply port my bug-free C code into a safe language, myOS will be safe!”

PL Designer

“My new language abstraction provides safety, and all youhave to do is use it ubiquitously in your system!”

But we can’t forgot that system design and language designare actually co-dependent!

6

Page 11: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

It can be convenient to think of operating system design andlanguage design as independent.

OS Designer

“If I simply port my bug-free C code into a safe language, myOS will be safe!”

PL Designer

“My new language abstraction provides safety, and all youhave to do is use it ubiquitously in your system!”

But we can’t forgot that system design and language designare actually co-dependent!

6

Page 12: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

It can be convenient to think of operating system design andlanguage design as independent.

OS Designer

“If I simply port my bug-free C code into a safe language, myOS will be safe!”

PL Designer

“My new language abstraction provides safety, and all youhave to do is use it ubiquitously in your system!”

But we can’t forgot that system design and language designare actually co-dependent!

6

Page 13: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

It can be convenient to think of operating system design andlanguage design as independent.

OS Designer

“If I simply port my bug-free C code into a safe language, myOS will be safe!”

PL Designer

“My new language abstraction provides safety, and all youhave to do is use it ubiquitously in your system!”

But we can’t forgot that system design and language designare actually co-dependent!

6

Page 14: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Overview

• Background• Microcontrollers• Tock: an new embedded OS• Rust

• Two Challenges• Conclusion

7

Page 15: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

background - microcontrollers

8

Page 16: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Who uses Microncontrollers?

9

Page 17: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Not Your Grandchildren’s Processor

• Very little memory• Range 16-512KB RAM

• Crashes are particularly expensive:• Cannot assume user intervation (no screen or keyboard)• High stakes: implanted medical devices, homeautomation…

• Limited hardwared protection:• Specifically, no virtual memory

10

Page 18: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Limited Hardware Motivates Language Choice

• Too little memory to use processes for isolation• Crashes are expensive, so we should catch as many bugsas possible at compile-time.

11

Page 19: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

background - tock

12

Page 20: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Tock is an embedded operating system we’ve been building forabout a year.

13

Page 21: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Why a New OS?

• Existing systems: TinyOS, Contiki, FreeRTOS• New requirements• New hardware• New programming language(s)

14

Page 22: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

New Requirements

• Traditional embedded operating systems were design forsingle app devices.

• Software updated never or rarely.• Everything is trusted, including the app.

• New applications are platforms.• Software updates• Third-party apps

• Kernel extensions should really be isolated• Drivers may come from a variety of sources.• …like Linux drivers but for your defibrillator!

15

Page 23: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

New Hardware

Microcontrollers have improved drastically

• From 16-bit arch @ 6Mhz to 32-bit arch @ 48Mhz• More busses, more timers, AES encryption, etc in hardware• A system-call interfance no longer a performance barrier

Some limited support for hardware protection

• Memory Protection Unit in ARM Cortex-M series

16

Page 24: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

New Programming Language

Rust, a new safe language without the runtime overhead

• Memory and type safety• Eliminate large classes of bugs at compile time• Strong type-system can allow component isolation• Low-level primitives can enable rich security systems

17

Page 25: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Tock Architecture

Rust

Syscall Interface

Kernel Core

Hardware Sandbox

Device Drivers(Rust language sandbox)

App1.cApp1.lua

App1.rs

18

Page 26: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

background - rust

19

Page 27: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Why Rust?

Two distinguishing properties from other safe languages:

• Enforces memory and type safety without a garbagecollector

• Explicit separation of trusted vs. untrusted code• Untrusted code is strictly bound by the type system• Trusted code can circumvent the type system

20

Page 28: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Rust avoids the runtime overhead of garbage collection byusing ownership to determine when to free memory atcompile-time.

21

Page 29: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Ownership for Safety

Each Value has a Single Owner

Key PropertyWhen the owner goes out of scope, we can deallocate mem-ory for the value.

Memory for the value 43 is allocated and bound to the variablex.

{let x = 43

}

When the scope exits, x is no longer valid and the memory is“freed”

22

Page 30: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Ownership for Safety

Each Value has a Single Owner

Key PropertyWhen the owner goes out of scope, we can deallocate mem-ory for the value.

Memory for the value 43 is allocated and bound to the variablex.

{let x = 43

}

When the scope exits, x is no longer valid and the memory is“freed”

22

Page 31: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Each Value has a Single Owner

Single owner means no aliasing, so values are either copied ormoved between variables.

This is an error:

{let x = Foo::new();let y = x;println(”{}”, x);

}

because Foo::new() has been moved from x to y, so x is nolonger valid.

23

Page 32: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Each Value has a Single Owner

Single owner means no aliasing, so values are either copied ormoved between variables.

This is an error:

{let x = Foo::new();let y = x;println(”{}”, x);

}

because Foo::new() has been moved from x to y, so x is nolonger valid.

23

Page 33: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

How Ownership Impacts fn()

Functions must explicitly hand ownership back to the caller:

fn bar(x: Foo) -> Foo {// Do stuffx // <- return x

}

24

Page 34: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Borrows

Or can use borrows: a type of reference which does notinvalidate the owner.

fn bar(x: &mut Foo) {// Do stuff// the borrow is implicitly released.

}

fn main() {let mut x = Foo::new();bar(&mut x);println!(”{}”, x); // x still valid

}

25

Page 35: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Borrows

Borrows are resolved at compile-time, with some constraints:

• A value can only be mutably borrowed if there are noother borrows of the value.

• Borrows cannot outlive the value they borrow.• Values cannot be moved while they are borrowed.

26

Page 36: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

challenges

27

Page 37: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

1. Ownership vs. Cycles2. Closures as Callbacks3. Memory allocation for long-lived closures (see paper)

28

Page 38: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

challenges - ownership vs. cycles

29

Page 39: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Ownership vs. Cycles

Circular references between OS modules are ubiquitous.

RadioDriver has to notify IPStack of incoming packets,while IPStack uses the RadioDriver to send packets.

impl IPStack {fn send(&mut self, packet) {packet.concat_ip_header_to_pkt();self.radio.send(packet);

}}impl RadioDriver {fn on_receive(&mut self, packet) {self.ip_stack.incoming(packet);

}} 30

Page 40: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Several Possible Solutions

1. Combine mutually dependent modules2. Message passing instead of shared state3. Use unsafe language features4. Use explicitly aliasable reference types

31

Page 41: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Combine Mutually Dependent Modules

impl IPStackAndAlsoRadioDriver {fn send(&mut self, packet) {packet.concat_ip_header_to_pkt();// write packet to radio

}

fn on_receive(&mut self, packet) {// just handle here

}}

• No modularity/extensibility.• Least upper bound of trust

32

Page 42: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Message Passing

impl IPStackfn send(&mut self, packet) {packet.concat_ip_header_to_pkt();self.packet_out_chan.send(packet);

}

fn do_work() {self.process_pkt(self.packet_in_chan.recv());

}}

Might work if you’re willing to have threads and dynamicallyallocate or block.

33

Page 43: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Use unsafe Features

pub static mut IPSTACK : IPStack = ...;

impl UDP {fn send(&self, packet) {unsafe { // Unsafe to borrow a mutable static

IPSTACK.send(packet);}

}}

Requires including trusting virtually every component in thesystem.

34

Page 44: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Explicitly Sharable Reference Types

• A small bit of unsafe to make a reference type that isaliasable.

• E.g. core::cell::RefCell dynamically checks borrowrules

• Loose compile-time guanratees

35

Page 45: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Explicitly Sharable Reference Types

This is what we are using.

• Had to completely eliminate concurrency in the kernel• Be very cautious about who gets shared references.• Enqueue all interrupts to run in main kernel thread

• Avoid any work in interrupt handlers• Lose hardware interrupt priorities• Probably OK for performance, although still need tovalidate

36

Page 46: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

challenges - closures as callbacks

37

Page 47: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Problem

Asyncornous code in C usually uses one of two mechanism:

• State-machines• Function pointers + stack ripping

Both are:

• Difficult to read/write/maintain• Bug prone

38

Page 48: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Closures to the Rescue?

Event-driven application languages (e.g. JavaScript) addressthis problem by specifying callbacks as closures at the callsite.

var count = 0;

setInterval(function() {console.log(count + ” clicks”);

}, 2000);

onClick(function() {count += 1;

});

Rust has closures… so we can just do that!

39

Page 49: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Closures to the Rescue?

Event-driven application languages (e.g. JavaScript) addressthis problem by specifying callbacks as closures at the callsite.

var count = 0;

setInterval(function() {console.log(count + ” clicks”);

}, 2000);

onClick(function() {count += 1;

});

Rust has closures… so we can just do that!

39

Page 50: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Ownership Strikes Again

In Rust, closures have two options:

• Take ownership of closed over variables• Complete before returning to the caller

let mut x = 0;

setInterval(move ||println!(”{} clicks”, x);

}, 2000);

// x is no longer valid in this context, and we// cannot create the closure for onClick

40

Page 51: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Result: Oversharing vs. Undersharing

We have to carefully partition state between caller andcallbacks. But that’s very hard to get right.

Overshare with the callback:

// No other code can access any LEDssetTimeout(|| {leds.activityToggle();

}, 2000);

Partition resources into tiny interfaces that are hard tomanage:

setTimeout(|| {activityLed.toggle();

}, 2000);41

Page 52: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

conclusion

42

Page 53: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Conclusion

• Embedded systems have unique requirements• Rust seems well-suited for a resource constrained OS

• Type- and memory- safe with no garbage collector

• Tock: an embedded OS• Comines hardware and language protection

• Ownership is both the hero and the villan in our story• Closures not as powerful as we’re familiar from otherlanguages

In the paper

• Proposal to expose threads in the type system

43

Page 54: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Conclusion

System design and language design are not independent.

Open Questions

How should we design operating systems to best leverage safelanguages?

How can we design safe languages to better target low-levelsystems?

Thanks!

http://tockos.orghttp://github.com/helena-project/tock

44

Page 55: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Conclusion

System design and language design are not independent.

Open Questions

How should we design operating systems to best leverage safelanguages?

How can we design safe languages to better target low-levelsystems?

Thanks!

http://tockos.orghttp://github.com/helena-project/tock

44

Page 56: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Conclusion

System design and language design are not independent.

Open Questions

How should we design operating systems to best leverage safelanguages?

How can we design safe languages to better target low-levelsystems?

Thanks!

http://tockos.orghttp://github.com/helena-project/tock

44

Page 57: Ownership is Theft: Experiences Building an Embedded OS in ...Ownership is Theft: Experiences Building an Embedded OS in Rust Author: Amit Levy, Michael P Andersen, Bradford Campbell,

Conclusion

System design and language design are not independent.

Open Questions

How should we design operating systems to best leverage safelanguages?

How can we design safe languages to better target low-levelsystems?

Thanks!

http://tockos.orghttp://github.com/helena-project/tock

44