
Embedded Recipes 2019 - Overview of Fuchsia, a new operating system


Fuchsia is a radically new open-source operating system actively developed by Google since 2016. Its first targets are supposed to be IoT devices, but multiple form factors, including laptops, are already supported. It may be challenging to grasp what is really new or interesting in this OS, and from different points of view (system developer, user-app developer, security enthusiast or end user). The purpose of this talk is to highlight and explain some interesting features and architecture choices, what is similar to or different from other mainstream operating systems, and what we can expect from Fuchsia, along with some insights on its development (from an outside point of view).
Mickaël Salaün


  1. Overview of Fuchsia, a new operating system. Mickaël Salaün, French National Cybersecurity Agency (ANSSI), September 23, 2019
  3. Introduction
     Started in 2015 and open-sourced in 2016, Fuchsia is mainly developed by Google, with some private parts: roadmap and issue tracker (Atlassian).
     What is Fuchsia?
     - OS targeting end-user devices (e.g. smartphone, laptop, IoT, extended reality devices?)
     - main goals: security, reliability and modularity
     - future-proof: designed to be updatable for a long time
     Warning: Fuchsia is a moving target right now, so this talk might be partially outdated soon. A lot of new things are being developed for this OS, but I don't have time to cover all aspects of them in this talk.
     ANSSI Overview of Fuchsia, a new operating system 2/17
  4. Screenshot of Fuchsia: greeter
  5. Screenshot of Fuchsia: apps
  8. Major properties
     Open and supported
     - mainly open-source
     - supported by a big company, already developing Android and Chrome OS
     Support for big existing ecosystems (WIP)
     - Flutter apps, Android apps, Chromecast apps
     - Linux VM (file transfers, Wayland bridge)
     Connected
     - composable apps and task-centric distributed data storage: Ledger
     - bridges with other systems (overnet/gRPC): iOS and Android
  9. Implementation
  11. IPC
     Capability
     - reference (handle) to a kernel object (e.g. memory, interrupt, process)
     - associated with a set of access rights
     - unforgeable
     - communicable (e.g. through channels)
     FIDL
     - static definition of protocols (inspired by Chromium's Mojo)
     - enables transferring (typed) data and handles (including other protocols)
     - generates serialization and deserialization libraries
       ⇒ agnostic to the underlying languages
       ⇒ consistent and unique entry point to audit and test services
       ⇒ defines semantics (e.g. user-defined capability, revocation, state machine)
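The three capability properties on this slide (a handle is a kernel-object reference plus a rights set, it is unforgeable, and it can be passed to another process) are easier to see in a small model than in prose. The following is an added example written for this page, not Fuchsia code: a toy "kernel" that owns every per-process handle table, so only it can mint handles, and that enforces the Zircon rule that a duplicated handle may only drop rights. The `RIGHT_*` names echo Zircon's `ZX_RIGHT_*` constants, but the bit values, process names and channel semantics are simplifications assumed here.

```python
"""Toy model of Zircon-style capability handles (added illustration, not Fuchsia code)."""
from dataclasses import dataclass
import itertools

# Assumed bit values; the names mirror Zircon's ZX_RIGHT_* constants.
RIGHT_READ = 1 << 0
RIGHT_WRITE = 1 << 1
RIGHT_DUPLICATE = 1 << 2
RIGHT_TRANSFER = 1 << 3
RIGHTS_ALL = RIGHT_READ | RIGHT_WRITE | RIGHT_DUPLICATE | RIGHT_TRANSFER


class AccessDenied(Exception):
    """Raised where Zircon would return ZX_ERR_BAD_HANDLE or ZX_ERR_ACCESS_DENIED."""


@dataclass(frozen=True)
class KernelObject:
    kind: str   # e.g. "vmo", "channel", "process"
    koid: int   # kernel object id


@dataclass(frozen=True)
class Handle:
    obj: KernelObject
    rights: int
    hid: int    # distinguishes two handles to the same object with the same rights


class Kernel:
    """Owns every per-process handle table; only it mints handles (unforgeability)."""

    def __init__(self):
        self._koids = itertools.count(1)
        self._hids = itertools.count(1)
        self._tables = {}  # process name -> set of handles that process holds

    def _mint(self, proc, obj, rights):
        h = Handle(obj, rights, next(self._hids))
        self._tables.setdefault(proc, set()).add(h)
        return h

    def create(self, proc, kind, rights=RIGHTS_ALL):
        return self._mint(proc, KernelObject(kind, next(self._koids)), rights)

    def _check(self, proc, h, right):
        # A Handle value built outside the kernel is in no table: it is not a capability.
        if h not in self._tables.get(proc, set()):
            raise AccessDenied("bad handle")
        if not h.rights & right:
            raise AccessDenied("missing right")

    def duplicate(self, proc, h, new_rights):
        """Like zx_handle_duplicate: needs RIGHT_DUPLICATE, and new_rights must be a subset."""
        self._check(proc, h, RIGHT_DUPLICATE)
        if new_rights & ~h.rights:
            raise AccessDenied("cannot amplify rights")
        return self._mint(proc, h.obj, new_rights)

    def transfer(self, src, dst, h):
        """Send a handle over a channel: it moves from src's table to dst's."""
        self._check(src, h, RIGHT_TRANSFER)
        self._tables[src].remove(h)
        self._tables.setdefault(dst, set()).add(h)

    def read(self, proc, h):
        self._check(proc, h, RIGHT_READ)
        return f"read {h.obj.kind}#{h.obj.koid}"

    def write(self, proc, h):
        self._check(proc, h, RIGHT_WRITE)
        return f"wrote {h.obj.kind}#{h.obj.koid}"


def demo():
    """A server shares a read-only view of its VMO with a client; reports what the client can do."""
    k = Kernel()
    vmo = k.create("server", "vmo")
    ro = k.duplicate("server", vmo, RIGHT_READ | RIGHT_DUPLICATE | RIGHT_TRANSFER)
    k.transfer("server", "client", ro)

    def allowed(action):
        try:
            action()
            return True
        except AccessDenied:
            return False

    forged = Handle(vmo.obj, RIGHTS_ALL, 999)  # guessing koid and rights buys nothing
    return {
        "client_can_read": allowed(lambda: k.read("client", ro)),
        "client_can_write": allowed(lambda: k.write("client", ro)),
        "client_can_amplify": allowed(lambda: k.duplicate("client", ro, RIGHT_READ | RIGHT_WRITE)),
        "server_keeps_moved_handle": allowed(lambda: k.read("server", ro)),
        "forged_handle_works": allowed(lambda: k.read("client", forged)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the model is the shape of the checks: every operation consults the handle table first (so a forged `Handle` fails before rights are even looked at), duplication is an attenuation-only operation, and a transfer moves the capability rather than copying it.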
  13. Zircon
     Microkernel
     - well suited for security: small TCB (running in ring 0)
     - origin: Little Kernel (32-bit, no syscall, no MMU...)
     - 64-bit only
     - 150+ syscalls, mainly called with handles, mostly asynchronous
     - vDSO: mandatory entry point to the kernel
     - partial POSIX compatibility (e.g. no UID, no fork())
     - hypervisor, realtime
     - 98K+ SLOC: subset of C++17 (e.g. no exceptions, casting and inheritance restrictions)
     Drivers
     - shared libraries (ELF)
     - API/ABI defined with Banjo and Binding Instructions
     - composable (relative addresses/routes)
  16. Modularity
     Components
     - basic unit of executable software (e.g. app)
     - sandboxed: principle of least privilege
     Packages
     - set of files, including component(s)
     - integrity checked with a Merkle tree hash for each file, thanks to a content-addressed FS: blobfs
     - OTA updates: TUF and Omaha
     Customization and derivability
     - derivable board and product definitions with GN and Jiri
     - stable system ABI with FIDL
     - permissive licences (BSD-like)
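The "Merkle tree hash for each file" on this slide is what lets a content-addressed store name a blob by a single root and still verify each block as it is read, without hashing the whole file first. The following is an added example written for this page, not blobfs code: it keeps blobfs's 8 KiB block size and SHA-256, but the tree layout (leaf/inner domain separation, last node duplicated on odd levels) is a simplification assumed here, not blobfs's on-disk format, and `SAMPLE_BLOB` is a constructed input.

```python
"""Content-addressed blob integrity with a Merkle tree (added illustration, not blobfs code)."""
import hashlib

BLOCK_SIZE = 8192  # blobfs also hashes 8 KiB blocks; the tree layout below is assumed


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hashes(data: bytes) -> list:
    """One leaf per block; an empty blob still gets one leaf."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
    return [_sha256(b"\x00" + block) for block in blocks]


def build_tree(leaves: list) -> list:
    """Returns the list of levels, leaves first, root (a one-element level) last."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]  # duplicate the last node on odd-sized levels
        levels.append([_sha256(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(data: bytes) -> bytes:
    return build_tree(leaf_hashes(data))[-1][0]


def blob_name(data: bytes) -> str:
    """The content address a blobfs-like store would file this blob under."""
    return merkle_root(data).hex()


def inclusion_proof(data: bytes, index: int) -> list:
    """Sibling hashes from block `index` up to the root, each tagged with its side."""
    levels = build_tree(leaf_hashes(data))
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling_on_right = index % 2 == 0
        proof.append((level[index ^ 1], sibling_on_right))
        index //= 2
    return proof


def verify_block(root: bytes, block: bytes, index: int, proof: list) -> bool:
    """Check one block against the blob's root without reading the rest of the blob."""
    node = _sha256(b"\x00" + block)
    for sibling, sibling_on_right in proof:
        pair = node + sibling if sibling_on_right else sibling + node
        node = _sha256(b"\x01" + pair)
    return node == root


# Constructed sample blob: three blocks (two full, one partial).
SAMPLE_BLOB = bytes(range(256)) * 64 + b"trailing partial block"


def demo() -> dict:
    root = merkle_root(SAMPLE_BLOB)
    last = 2
    block = SAMPLE_BLOB[last * BLOCK_SIZE:]
    proof = inclusion_proof(SAMPLE_BLOB, last)
    tampered = block[:-1] + b"!"
    return {
        "name": blob_name(SAMPLE_BLOB),
        "proof_length": len(proof),
        "block_ok": verify_block(root, block, last, proof),
        "tampered_block_ok": verify_block(root, tampered, last, proof),
        "root_changes_on_tamper": merkle_root(SAMPLE_BLOB[:-1] + b"!") != root,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the package metadata only has to carry the root, a one-byte change anywhere in the blob changes its name, and a single corrupted block is caught by a proof of logarithmic size rather than by a full re-hash.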
  18. Security mitigations
     Good development practices
     - strict language guidelines, sane/safe API, tests, doc., code review
     - fuzzing (libraries, drivers, services): libFuzzer, syzkaller
     - sanitizers: Address (ASAN), Undefined Behavior, Coverage...
     Hardening
     - ASLR with PIC/PIE, full RELRO, stack protector (strong), SafeStack, W⊕X memory
     - strong typing (e.g. user space vs. kernel space addresses)
     - use of object destructors for security: auto-closing (pointer, handle, FD, lock), memory zeroing, type-confusion checks (debug-only)
  19. Development
  20. Commits per month (chart: monthly commit counts, Jul. 2016 to Jul. 2019, y-axis 0 to 3000)
      (1) Generated from the public repositories (excluding bots) the 19th September, 2019.
  21. Authors per month (chart: monthly author counts, Jul. 2016 to Jul. 2019, y-axis 0 to 350)
      (2) Generated from the public repositories (excluding bots) the 19th September, 2019.
  22. Commits per author (chart: commits per author on a log scale from 1 to 1000, across roughly 800 authors, split between Googlers and others)
      (3) Generated from the public repositories (excluding bots) the 19th September, 2019.
  24. Source code
     Fuchsia's own code
       Language       Files    Share
       C++/C          11.7k+   80%
       Rust           1.5k+    10%
       Dart/Flutter   1.0k+    7%
       Go             400+     3%
     Third parties
     - musl libc (stripped), jemalloc, scudo
     - e1000, iwlwifi, brcm80211, ath10k...
     - BoringSSL, Cairo, FreeType, ICU, Mesa, Roughtime, OpenSSH, Dash...
     - Chromium
  25. Conclusion
  28. Takeaway
     Great properties
     - capability-based security OS with nice IPC specifications
     - very modular architecture
     - microkernel with stable device driver ABI
     Limitations
     - performance: balance with security, safety and patents (e.g. RCU?)
     - hardware (in)security can still undermine software (e.g. side channels, Spectre)
     - some coarse-grained rights (e.g. ZX_KIND_RSRC_ROOT)
     - no security proof of critical components
     ⇒ not stable yet: opportunity for experiments, feedback and improvements
     https://fuchsia.dev
  29. Misc
  30. Processes (partial)
     - bootsvc
     - component_manager
     - zircon-drivers: devcoordinator; devhost:sys (hid, rtc, ps2...); devhost:root (null, zero); devhost:misc (console, dmctl, ptmx, sysinfo, acpi, pci...); devhost:pci#1 (display); devhost:pci#2 (block/fvm); devhost:pci#3 (ethernet)
     - zircon-services: svchost, fshost, netsvc, virtual-console, blobfs:/blob, pkgfs, minfs:/data
     - fuchsia: appmgr (from /pkgfs), ... *.cmx
  31. File System(s)
     Full root directories: bin, cache, config, blob, boot, bootsvc, data, dev, hub, install, pkg, pkgfs, svc, system, tmp, volume
  32. Some syscalls
     bti_create, cache_flush, channel_call, channel_create, channel_read, channel_read_etc, channel_write, clock_adjust, clock_get, cprng_add_entropy, cprng_draw, eventpair_create, fifo_create, futex_wait, guest_create, handle_close, interrupt_bind, iommu_create, ioports_request, job_create, job_set_policy, nanosleep, object_get_info, process_create, socket_create, system_mexec, task_kill, thread_create, ticks_get, vcpu_create, vmar_allocate, vmo_create
  33. FIDL example (partial)

     library fuchsia.overnet;

     using fuchsia.overnet.protocol;

     [Discoverable]
     protocol Overnet {
         ListPeers(uint64 last_seen_version) -> (uint64 version, vector<Peer> peers);
         RegisterService(string service_name, ServiceProvider provider);
         ConnectToService(fuchsia.overnet.protocol.NodeId node, string service_name, handle<channel> chan);
     };

     struct Peer {
         fuchsia.overnet.protocol.NodeId id;
         bool is_self;
         fuchsia.overnet.protocol.PeerDescription description;
     };
  34. Package: *.cmx (1.1k+ packages)

     "program": {
         "data": "data/ermine"
     },
     "sandbox": {
         "pkgfs": [ "packages" ],
         "services": [
             "fuchsia.bluetooth.control.Control",
             "fuchsia.cobalt.LoggerFactory",
             "fuchsia.fonts.Provider",
             "fuchsia.logger.LogSink",
             ...
             "fuchsia.modular.Clipboard",
             ...
             "fuchsia.power.BatteryManager",
             "fuchsia.sys.Environment",
             "fuchsia.sys.Launcher",
             ...
         ],
         "system": [ "data/sysui" ]
     }
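A component manifest like the one above is the sandbox's declared privilege set, so the least-privilege check a reviewer actually runs is "which services does this component ask for, and is each one expected?". The following is an added example written for this page, not Fuchsia tooling: it parses a `.cmx`, lists the requested services, and diffs them against a reviewer-maintained allowlist. `SAMPLE_CMX` is constructed from the slide's ermine example with the elisions dropped; `ALLOWED_SERVICES` and `NEEDS_JUSTIFICATION` are assumed review policy for this example, not a Fuchsia policy.

```python
"""Least-privilege review of a Fuchsia .cmx sandbox (added illustration, not Fuchsia tooling)."""
from __future__ import annotations

import json
from collections import Counter

# Constructed manifest, patterned on the ermine example on the slide.
SAMPLE_CMX = """{
    "program": { "data": "data/ermine" },
    "sandbox": {
        "pkgfs": [ "packages" ],
        "services": [
            "fuchsia.bluetooth.control.Control",
            "fuchsia.cobalt.LoggerFactory",
            "fuchsia.fonts.Provider",
            "fuchsia.logger.LogSink",
            "fuchsia.modular.Clipboard",
            "fuchsia.power.BatteryManager",
            "fuchsia.sys.Environment",
            "fuchsia.sys.Launcher"
        ],
        "system": [ "data/sysui" ]
    }
}"""

# Assumed reviewer policy: the services this component is expected to need.
ALLOWED_SERVICES = {
    "fuchsia.cobalt.LoggerFactory",
    "fuchsia.fonts.Provider",
    "fuchsia.logger.LogSink",
    "fuchsia.modular.Clipboard",
    "fuchsia.power.BatteryManager",
}

# Assumed: services that let a component launch or manage other components, and so
# indirectly widen its own sandbox; their presence should always be justified in review.
NEEDS_JUSTIFICATION = {"fuchsia.sys.Launcher", "fuchsia.sys.Environment"}


def requested_services(cmx_text: str) -> list:
    """Return the sandbox.services list, rejecting malformed manifests loudly."""
    manifest = json.loads(cmx_text)
    services = manifest.get("sandbox", {}).get("services", [])
    if not isinstance(services, list) or not all(isinstance(s, str) for s in services):
        raise ValueError("sandbox.services must be a list of strings")
    return services


def audit(cmx_text: str, allowed=ALLOWED_SERVICES, flagged=NEEDS_JUSTIFICATION) -> dict:
    """Diff a manifest's requested services against the review policy."""
    services = requested_services(cmx_text)
    program = json.loads(cmx_text).get("program", {})
    counts = Counter(services)
    return {
        "program": program.get("data") or program.get("binary"),
        "unexpected": sorted(set(services) - allowed),
        "needs_justification": sorted(set(services) & flagged),
        "duplicates": sorted(s for s, n in counts.items() if n > 1),
        "unused_allowlist": sorted(allowed - set(services)),
    }


def report(cmx_text: str) -> str:
    r = audit(cmx_text)
    lines = [f"component: {r['program']}"]
    for key in ("unexpected", "needs_justification", "duplicates", "unused_allowlist"):
        lines.append(f"{key}: {', '.join(r[key]) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CMX))
```

Run against the sample, the audit flags the Bluetooth control service as not on the allowlist and the two `fuchsia.sys.*` services as both unexpected and in need of justification; the `unused_allowlist` entry catches the opposite drift, a policy that grants more than the component still uses.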
