Tock: Multiprogramming a 64kB Computer Safely and Efficiently
Published:
- Paper
- Source Code
- Conference: SOSP’17
- Tag: System Security, Rust, IoT, Embedded System
Embedded Software is not Ready
Classic embedded systems such as TinyOS, FreeRTOS and Contiki share these properties:
- All code in a single address space rather than multi-programming
- Trust all code
- Monolithic image
- No fault recovery and fault isolation (basically only watchdog timers)
New isolation tools
- MPU: protection bits for 8 memory regions
- Rust
Tock’s Design Goals
- Isolate drivers
- Isolate applications
- Concurrent applications & IO without virtual memory
Tock’s Isolation Mechanisms
- Capsules: Rust modules and structs; event-driven execution with asynchronous IO
- Processes
- Capsules and processes interact via IPC
- Each process maintains a kernel heap, called Grants
- Use of MPU to protect memory regions without virtualization
An example of a capsule is shown below (the original snippet mutated through `&self`, assigned a `usize` to a `u32`, and stored a `&[u8]` in a raw pointer; those are fixed here):

```rust
struct DMAChannel {
    length: u32,
    base_ptr: *const u8,
}

impl DMAChannel {
    // Takes `&mut self` because the fields are written, and requires a
    // `'static` slice so the buffer outlives every DMA transfer.
    fn set_dma_buffer(&mut self, buf: &'static [u8]) {
        self.length = buf.len() as u32;
        self.base_ptr = buf.as_ptr();
    }
}
```
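The two mechanisms that matter most for isolation, the MPU bound check on buffers a process hands to a capsule and per-process grant allocation, are modelled below as an added example; it is not Tock's code, and `Region`, `Process`, `DmaCapsule` and the sizes are hypothetical:

```rust
// Added example (not Tock's own code): a simplified model of two Tock
// mechanisms. Names, sizes and addresses are assumptions for illustration.
use std::collections::HashMap;

/// Process memory region as the MPU would see it: [start, end).
#[derive(Clone, Copy, Debug, PartialEq)]
struct Region { start: usize, end: usize }

/// A process: its MPU-visible memory and the bytes still free in the
/// kernel-owned grant area carved out of that same memory.
struct Process { id: u32, app_region: Region, grant_free: usize }

#[derive(Debug, PartialEq)]
enum KernelError { OutOfBounds, NoGrantMemory }

/// Per-process capsule state, living in that process's grant region.
#[derive(Default, Debug)]
struct DmaGrantState { buffer: Option<Region> }

struct DmaCapsule { grants: HashMap<u32, DmaGrantState> }

impl DmaCapsule {
    /// `allow`: a process shares a buffer with the capsule. The kernel rejects
    /// any buffer that is not entirely inside the process's own memory, so a
    /// buggy or malicious app cannot point DMA at kernel or other-app memory.
    fn allow(&mut self, proc_: &mut Process, buf: Region) -> Result<(), KernelError> {
        let r = proc_.app_region;
        if buf.start >= buf.end || buf.start < r.start || buf.end > r.end {
            return Err(KernelError::OutOfBounds);
        }
        let state = self.enter_grant(proc_)?;
        state.buffer = Some(buf);
        Ok(())
    }

    /// Enter the process's grant: allocate the capsule's per-process state from
    /// that process's memory on first use. Exhaustion fails only this process;
    /// the kernel heap and other processes are unaffected.
    fn enter_grant(&mut self, proc_: &mut Process) -> Result<&mut DmaGrantState, KernelError> {
        if !self.grants.contains_key(&proc_.id) {
            let need = std::mem::size_of::<DmaGrantState>();
            if proc_.grant_free < need {
                return Err(KernelError::NoGrantMemory);
            }
            proc_.grant_free -= need;
            self.grants.insert(proc_.id, DmaGrantState::default());
        }
        Ok(self.grants.get_mut(&proc_.id).unwrap())
    }
}
```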
Thoughts
- Will high-level abstractions, such as lambdas in C++11 and closures in Rust, change the programming model at the system level?