Oxidizing the Kernel

Type

Master's Thesis

Abstract

The Linux operating system is one of the most significant and most used projects globally. It is written in the C programming language, which has become almost the sole language for systems-level programming. C has achieved this status by giving the developer direct and often complete control over the underlying hardware and memory. This allows the developer a lot of freedom which can be used, for example, to optimize execution performance to a high degree. However, this access is easily misused, which has led to several common bug patterns within C programs such as Linux. In particular, several of these bug patterns concern memory safety, such as buffer overflows, double frees and use-after-free. Rust is a newer language which aims to operate on the same level as C but with compile-time protections against these memory-safety issues without sacrificing run-time performance. This project aims to evaluate the viability of using Rust in the Linux kernel. To accomplish this, we have rewritten a read-only version of the exFAT file system driver in Rust and evaluated it in terms of security and performance. The security evaluation was split into two parts. For the first part, we have tried to determine the scope of memory-safety related issues in the kernel by looking at previous vulnerabilities. For the second, we have studied usages of the unsafe keyword, a way of circumventing the rules of Rust to perform memory-unsafe actions such as reading from random memory, in the implemented driver. Performance was measured using various benchmarking tools comparing the execution times of different system calls in the two implementations. Using these evaluations, we have found that Rust is well suited to improve the security of Linux, with potentially 72% of all studied vulnerabilities being preventable by Rust. Furthermore, we have found that Rust can keep up with C in terms of performance, being as fast or just slightly slower for the studied system calls.

Subject/keywords

Linux, Kernel, Rust, Performance, Memory-safety
