From YouTube: Building Secure Systems using RISC V and Rust
Description
Presentation by Arun Thomas at Draper Labs on June 12, 2019 at the RISC-V Workshop Zurich at ETH Zurich in Zurich, Switzerland. To view the slides from this session, please visit: https://content.riscv.org/wp-content/uploads/2019/06/14.05-building_secure_systems-1.pdf
B: Hi, I'm Arun Thomas. My talk is titled Building Secure Systems using RISC-V and Rust. So here's a roadmap for my talk. I will talk about building secure systems. My take, as you might expect from the title of my talk, is that RISC-V and Rust are a good foundation for building secure computer systems. So in particular, I'm not necessarily saying that if you use RISC-V and Rust, all your security problems will go away, but I think it does provide a good foundation.

B: So in particular, the advantages of RISC-V hardware, the openness, simplicity and flexibility, provide a good platform for building secure hardware, and Rust software provides the safety, performance and productivity of a safe systems language that makes your system software much more secure.

B: Antivirus, I would say, is not the answer, so just putting endpoint protection or adding some sort of security product on top is not the right way to go. You can ask Project Zero about this. The Google folks have made sort of a career out of breaking endpoint protection systems, to hilarious effect. So instead you need to design security in. Security needs to be a first-class design constraint. It needs to pervade your whole design process.

B: Securing computer systems is complicated because security spans all the layers in your system: the hardware, operating systems, programming languages, applications, all of the layers in your system. So a flaw in any layer can compromise your system's security requirements, and in particular, flaws in lower layers are even more serious.

B: So how are we doing? It turns out, as an industry, security is hard, right? I mean, there's a lot of things. We've seen a number of these new attacks on hardware, speculative execution attacks, things like Heartbleed. It's very challenging to secure computer systems, especially since we're building on legacy technologies.

B: So can we do better? I believe we can. I think in the 21st century we can start looking beyond these legacy technologies. I think we can start looking at things like RISC-V and Rust, and use that to build a secure foundation for building secure systems in the 21st century, and I'll talk more about what the advantages of RISC-V and Rust are. So first I'll talk about RISC-V; we're at the RISC-V Workshop.

B: Of course, I'm going to plug RISC-V for doing secure systems. So RISC-V, as we've heard in the last couple of days, is opening up the hardware ecosystem. Having a simple, open, customizable ISA is a big deal, so there's no more homegrown, custom, bespoke ISAs; everyone can have a standardized ISA, and the one ISA that's supposed to span everything. You might remember Krste's goal to have this one ISA that spans all computing devices, and we'd all work together on standardizing interfaces for extensions that we need, and we're seeing a lot of open hardware implementations now.

B: So we heard about lowRISC, PULP, the CHIPS Alliance and the OpenHW Group, so you're starting to see a number of open RISC-V implementations, so it's great. And by having this open ISA and these open hardware implementations, industry and academia can collaborate more effectively. So you don't need any NDAs. You just need to clone a Git repo, and we can all work together collectively in solving these problems, and I think this is critical for making progress in solving hard security problems.

B: So this is a quote from a RISC-V Foundation statement. I think it's really sort of after Spectre and Meltdown. I kind of like the quotes I've included in the talk. It says: the RISC-V community has a historic opportunity to do security right from the get-go, with the benefit of up-to-date knowledge. So I think if we all work together, we can solve some of these problems by leveraging the open ISA and the open implementations, but there's a lot of work to do and it will require all of us.

B: So that's sort of a call to action for all of us. So RISC-V is sort of becoming the de facto platform for security research. The center of mass is starting to shift. There are several groups exploring new security ideas on RISC-V: there's folks working on tagged architectures, much like my group; hardware-enforced capabilities; formally verified RISC-V implementations; secure enclaves. There's also a bunch of interesting work going on that you'll see in the security session that is right after the break.

B: My colleague Chris Casinghino will talk about some work we're doing at my employer, and so I think there's a lot of pretty interesting stuff happening around RISC-V and Rust, and I think it'll continue as people start doing more research on RISC-V. So why is Rust interesting from a security perspective?

B: First, we'll start talking about systems programming. So this is a quote from James Mickens; he's a professor at Harvard now, used to be a researcher at Microsoft. I'll read out the quote. It says: a systems programmer has seen the terrors of the world and understood the intrinsic horror of existence. So I think this is true. You see some gnarly stuff when you're doing systems programming, when you're working in kernel code and in low-level systems. I recommend the whole article; it's hilarious.

B: So why is system software challenging? A lot of the challenges have to do with doing low-level system software: you're programming without a net; the software is critical to enforcing security and safety requirements; there aren't particularly great debugging tools. And you're working on things like operating systems, hypervisors, runtimes, drivers, firmware, browsers and web servers. So this is kind of low-level system software, and typically this code is written in C and C++ for performance. The problem with that is that C and C++ are not memory safe.

B: So you see a lot of these memory errors. You see crazy kernel panics and things like that. You see memory corruption vulnerabilities, and these are often exploited. A recent Microsoft study has estimated that 70% of their security bugs are due to memory safety issues. So this is a real problem, but we can do better. System software is still mostly written in C, some C++ as well. It turns out that languages have evolved in the last 50 years.

B: Programming languages researchers have done a lot of work, and Rust is sort of a distillation of some promising ideas from programming language research into a productive, production language. So Rust is a safe, performant systems programming language. The thing that's cool about it is it's low-level enough to do systems programming, but high-level enough that it has a lot of the memory safety and productivity of a high-level language. So it's actually a nice platform for writing system software. So Rust originates in Mozilla.

B: It was originally created by Mozilla Research, and the initial use case for Rust was developing an experimental browser engine called Servo, and Mozilla is actually using this. If you're using Firefox today, you're using Rust code. Mozilla began shipping Rust components in Firefox 48 in 2016, and Mozilla has this process they call oxidation, where they are rusting out components. I think that's clever; I like the term. And Rust code has actually improved Firefox's security and performance.

B: So with respect to security, they're looking at rewriting parsers in Rust to prevent vulnerabilities. For instance, they have a new MP4 metadata parser that replaced libstagefright. You might recall the Stagefright vulnerability from a couple of years ago; that was pretty serious. So Rust is actually improving the safety of Firefox. It's also improving the performance, so they were able to write a new parallel cascading style sheet engine that speeds up page loads, because Rust has very nice support for concurrency and it protects you from data races and things like that.

B: You get memory safety without the overhead of garbage collection, which is important in some applications, particularly embedded and some networking applications and kernels, so the programmer still has fine-grained control over memory. Rust also provides thread safety. This is what the Rust people call fearless concurrency, so you don't have the concurrency bugs and data races associated with multi-threaded code, and the way this works is Rust has a powerful type system that enforces memory and thread safety at compile time.

B: So if your code compiles, you have good confidence that it's going to work and not have any of these bugs. It also has a really good development environment. So it has an excellent package manager and generally really good tools, much more so than legacy systems languages. And because of these advantages, Rust is gaining popularity in the systems community, so you're seeing Rust-based operating systems. The Tock microcontroller OS is particularly interesting.

B: Redox, intermezzOS and some others. Amazon and Google have developed Rust-based virtual machine monitors, crosvm and Firecracker. The coreboot developers, I learned yesterday, are exploring a Rust rewrite; they're calling it oreboot. So it's a fork of coreboot with C removed, so I thought that was amusing. And then there are a number of projects exploring Rust OS components for the Linux kernel, the FreeBSD kernel, seL4 and Fuchsia OS. So the nice thing about Rust is that it has good interoperability with C and C++.

B: So you don't have to rewrite your full system. You can actually just rewrite parts of it, so this is also something that we're exploring on my team. So what's the status of Rust on RISC-V? There's been a lot of progress in the last year, so there is now support in Rust for 32-bit RISC-V bare metal. This went in late last year, and just one month ago there's now bare metal support for RV64.

B: So if you want to do bare metal hacking in Rust, you can do that now. There's a handy quickstart template for doing bare metal RISC-V development. You can target the HiFive1; I think you can target the Kendryte board, and you can also target QEMU. You can grab this link and start playing with stuff, and it includes several example projects you can do: hello world, UART, blinking LEDs and things like that. And if you want more details on this, you can check out my Oxidize 19 talk.

B: So what about OS targets? What if you actually want to run an operating system? So Linux RV64 is up next; we don't have support, it's sort of in progress. This is, as you've heard from other talks, important for Linux distributions and for the Firefox port, since Firefox uses Rust now, so I'm hoping we can gather people from the community to work on this. There's a software meeting tomorrow during the Foundation day. I hope we can talk about Rust and other things to coordinate on.

B: You know, bringing up Linux and stable distributions and LLVM and all that stuff, but I'm definitely interested in talking more about Rust as well. There's a Tock microcontroller OS port in progress. Tock is this OS kernel that's written in Rust, and it provides a secure foundation for IoT devices. I'm pretty enthusiastic about Tock for building these kinds of systems. So yeah, I think overall the Rust RISC-V ecosystem has come a long way. There's more work to do; I hope you'll kind of help flesh that out, and yeah, I think RISC-V.

C: Hey, so my question is: what changes do you do to the core that use RISC-V, or is it just that you reuse Rust to write the firmware? Because the way we discussed it in 2017 during the birds-of-a-feather room at FOSDEM, first, and then at least my perception, from my idea, was essentially to make hardware acceleration for the fact that Rust allows you to have safe, unsafe and so on, that you can distinguish when you dereference a raw pointer to memory. So just, you know, my perception was the moment.

C: We have unsafe that actually, let's say, triggers a bit flip and you switch the mode of the CPU. You know, it sounds a bit crazy, but still, you know, the fact that you can actually have a CPU. The reason we use C, it's not because it's the best, it's because it's the most natural language to interface with hardware nowadays, and if we have RISC-V, which is open and so on, we can have a way to adjust the CPU to the language.

C: So it's native, because currently, to me, when we write firmware in Rust for, let's say, STM, which is done, it's not natural. You just rewrite the firmware, but it's not actually for the CPU. It's like you have indirect read access. You have peripherals, which are concurrent naturally, so you know, all of this is about actually making a new core that is essentially a Rust acceleration core, so that you actually take advantage of Rust as a design concept.

B: My talk is just about Rust in general, but I think hardware/software co-design is definitely interesting, so I think the idea that you talked about would be... You have the freedom to do that. Obviously you have these open implementations and you could do things to protect unsafe code. So I think that's interesting. It's not something I'm exploring right now.

C: The reason we keep using C, it's not because it's the best, it's because it's the best way to interact with the hardware and describe... How do we want to do it? We need to write a register, that doesn't take much, right, and then you have a peripheral that's doing something awesome. So it's just native, it's just easier. So.

B: No, I think you make it fun. I mean, I think the Rust language is pretty fun to work on; you make it productive. I mean, I think that's partially why the coreboot folks are looking at it. They found, I think Ron said, that they were able to get kind of like the basic functionality of coreboot written in like three hundred lines, so I think.

B: The reason why Rust is taking off is people are seeing the security improvements from having safe code, and also you're seeing the productivity improvements as well. Writing in Rust is much easier than writing in C; I mean, it's much nicer than writing in C, right. You have much better tooling, you have a much better compiler. You have lots of libraries. Bryan Cantrill talked about this in some of his blog posts; he's a Solaris developer and Joyent, so I.
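As an added illustration (not code from the talk, its slides, or any of the projects the speaker mentions), here is a small Rust program showing the two properties the talk credits Rust with: bounds-checked handling of untrusted input, the bug class behind the libstagefright and Heartbleed examples, and data-race freedom that the compiler enforces at build time. The length-prefixed record format and the sample bytes are constructed for this example; the function names are the example's own.

```rust
// Added example, not code from the talk or its slides. Two small pieces of
// safe Rust: bounds-checked parsing of untrusted bytes, and a shared counter
// updated from several threads under a type-system-enforced lock.
use std::sync::{Arc, Mutex};
use std::thread;

/// A minimal length-prefixed record: one length byte followed by that many
/// payload bytes. This format is constructed for the example; it is not the
/// MP4 metadata format the talk mentions.
///
/// Returns the payload, or None if the declared length overruns the buffer.
/// `get` is bounds-checked, so a malformed length can never read past the
/// end of `buf`; an unchecked `memcpy(out, buf + 1, len)` in C would read
/// out of bounds, which is the Heartbleed over-read pattern.
pub fn parse_record(buf: &[u8]) -> Option<&[u8]> {
    let len = *buf.first()? as usize;
    buf.get(1..1 + len)
}

/// Parse records back to back, stopping at the first malformed one.
pub fn parse_all(mut buf: &[u8]) -> Vec<Vec<u8>> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        match parse_record(buf) {
            Some(payload) => {
                out.push(payload.to_vec());
                buf = &buf[1 + payload.len()..];
            }
            None => break,
        }
    }
    out
}

/// Sum each chunk on its own thread into one shared total.
/// The total is shared through Arc<Mutex<u32>>. If the closures tried to
/// capture a plain `&mut u32` instead, the program would not compile: only
/// one mutable borrow may exist at a time and `thread::spawn` requires the
/// closure to own what it uses. That rejection is the compile-time thread
/// safety the speaker calls fearless concurrency.
pub fn parallel_sum(chunks: &[Vec<u32>]) -> u32 {
    let total = Arc::new(Mutex::new(0u32));
    let handles: Vec<_> = chunks
        .iter()
        .cloned()
        .map(|chunk| {
            let total = Arc::clone(&total);
            thread::spawn(move || {
                let partial: u32 = chunk.iter().sum();
                *total.lock().unwrap() += partial;
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    let result = *total.lock().unwrap();
    result
}

fn main() {
    // Constructed input: two well-formed records, then a record whose
    // declared length (9) exceeds the 2 bytes that remain.
    let input = [2, 0xAA, 0xBB, 1, 0xCC, 9, 0xDD, 0xEE];
    println!("parsed records: {:?}", parse_all(&input));
    let chunks = vec![vec![1, 2, 3], vec![4, 5], vec![6]];
    println!("parallel sum: {}", parallel_sum(&chunks));
}
```

The parser returns `None` for the truncated third record instead of reading the two bytes that follow it and whatever lies beyond, which is the behaviour a memory-safe rewrite buys a parser; the summing function gets its safety from the types rather than from discipline, since the compiler refuses any version that shares the counter without a lock.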