Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing the foundations: Hardware-assisted sec...

KC Sivaramakrishnan
November 29, 2024
12

Securing the foundations: Hardware-assisted secure Unikernels

MirageOS Unikernels running baremetal on security-hardened Shakti RISC-V processors

KC Sivaramakrishnan

November 29, 2024
Tweet

Transcript

  1. Today • Operating Systems ‣ MirageOS — Small, safer, single-purpose

    OS • Memory Safety ‣ OCaml — memory-safe programming • Going beyond memory safety ‣ FIDES — Hardware-assisted intra-process isolation
  2. Why do we need an operating system? Firmware Hypervisor Kernel

    Language Runtime Shared Libraries Configuration files Application
  3. Why do we need an operating system? • The main

    goal of an OS is to support running applications ‣ Stability: most applications are not yet written when the system is deployed ‣ Scalability: do not rewrite everything for every new hardware device Firmware Hypervisor Kernel Language Runtime Shared Libraries Configuration files Application
  4. Why do we need an operating system? • The main

    goal of an OS is to support running applications ‣ Stability: most applications are not yet written when the system is deployed ‣ Scalability: do not rewrite everything for every new hardware device • OS does this by ‣ Providing abstraction over hardware — drivers! ‣ Resource management: fi les, users, CPU, memory, network Firmware Hypervisor Kernel Language Runtime Shared Libraries Configuration files Application
  5. Why do we need an operating system? • The main

    goal of an OS is to support running applications ‣ Stability: most applications are not yet written when the system is deployed ‣ Scalability: do not rewrite everything for every new hardware device • OS does this by ‣ Providing abstraction over hardware — drivers! ‣ Resource management: fi les, users, CPU, memory, network • Application code is a small % of the runtime environment Firmware Hypervisor Kernel Language Runtime Shared Libraries Configuration files Application
  6. Kernel: A Core OS component "True, Linux is monolithic, and

    I agree that microkernels are nicer... As has been noted (not only by me), the Linux kernel is a minuscule part of a complete system: Full sources for Linux currently run to about 200kB compressed. And all of that source is portable, except for this tiny kernel that you can (provably: I did it) re-write totally from scratch in less than a year without having /any/ prior knowledge." – Linus Torvalds, 1992 Firmware Hypervisor Kernel Language Runtime Shared Libraries Configuration files Application
  7. Drivers! Linux Kernel Linux 5.11 has 30.14 million lines of

    code, 60% drivers Windows has 50 million lines of code
  8. Library operating systems • Kernel functionality is broken up from

    its monolith into many individual libraries. ‣ There is no ambient kernel; just function calls are left.
  9. Library operating systems • Kernel functionality is broken up from

    its monolith into many individual libraries. ‣ There is no ambient kernel; just function calls are left. • Device drivers, schedulers, networking, and storage stacks are directly linked to the application ‣ Eliminate the need for an intermediary kernel layer. ‣ Applications select libraries they need with a small boot layer and jump straight into the code.
  10. Library operating systems • Kernel functionality is broken up from

    its monolith into many individual libraries. ‣ There is no ambient kernel; just function calls are left. • Device drivers, schedulers, networking, and storage stacks are directly linked to the application ‣ Eliminate the need for an intermediary kernel layer. ‣ Applications select libraries they need with a small boot layer and jump straight into the code. • Hardware is driven directly from the application, usually in a single address space.
  11. Kernel Hardware Process Java VM libc libssl libm Jars Application

    Eliminate separate address spaces Turn into a library
  12. Hardware Kernel Java VM libc libssl libm Jars Application Application

    runs in a single address space libsched libnet libfs Drive hardware directly from application Single calling convention
  13. Library operating systems In the 1990s, we had: • Nemesis:

    Cambridge/Glasgow • Exokernel: MIT Neither succeeded outside of academia due to the device drivers needing to be updated regularly to stay relevant. Became popular in niche areas (network appliances or high-frequency trading).
  14. Library operating systems Firmware Kernel Application Pros: application-level control of

    hardware, small attack surface, high-performance. Cons: There is no kernel protection internally, and device drivers all need to be rewritten from a normal kernel.
  15. Virtualisation • In the 2000s, hardware vendors added extensions that

    allow the creation of virtual versions of physical resources, such as servers, networks, and storage devices. • It enables multiple virtual machines (VMs), with their own operating systems, to run in isolation, side-by-side, on the same physical hardware. • Hypervisor (aka VMM) — creates and runs virtual machines
  16. Virtualisation • Type 1 — KVM (converts Linux to a

    type 1 hypervisor), VMware ESXi, Microsoft Hyper-V, Citrix XenServer • Type 2 — VirtualBox, VMware Workstation, Microsoft Virtual PC
  17. Linux KVM • Turns Linux into a Type 1 VMM

    • QEMU emulates CPUs and missing hardware • VirtIO — virtualisation of networks and disk device drivers ‣ Can take advantage of Linux Kernel’s vast driver support! Cons: There is no kernel protection internally, and device drivers all need to be rewritten from a normal kernel. Library operating systems
  18. Memory safety Cons: There is no kernel protection internally, and

    device drivers all need to be rewritten from a normal kernel. Library operating systems
  19. Memory safety Cons: There is no kernel protection internally, and

    device drivers all need to be rewritten from a normal kernel. Library operating systems
  20. Memory safety 90% of Android vulnerabilities are memory safety issues

    80% of the exploited vulnerabilities of known 0-days were memory safety issues
  21. Memory safety and Programming Languages • Unsafe languages ‣ C,

    C++, Assembly, Objective-C • Safe languages ‣ With the help of a garbage collector (GC) — JavaScript, Python, Java, Go, OCaml, … ‣ Without a GC — Rust
  22. Memory safety and Programming Languages • Unsafe languages ‣ C,

    C++, Assembly, Objective-C • Safe languages ‣ With the help of a garbage collector (GC) — JavaScript, Python, Java, Go, OCaml, … ‣ Without a GC — Rust • Unsafe parts of safe languages ‣ Unsafe Rust, unsafe package in Go, Obj in OCaml
  23. Memory safety and Programming Languages • Unsafe languages ‣ C,

    C++, Assembly, Objective-C • Safe languages ‣ With the help of a garbage collector (GC) — JavaScript, Python, Java, Go, OCaml, … ‣ Without a GC — Rust • Unsafe parts of safe languages ‣ Unsafe Rust, unsafe package in Go, Obj in OCaml Cons: There is no kernel protection internally, and device drivers all need to be rewritten from a normal kernel. Library operating systems
  24. industrial-strength, pragmatic, functional programming language Higher-order functions Hindley-Milner Type Inference

    Powerful module system Functional core with imperative and object- oriented features Native (x86, Arm, Power, RISC-V), JavaScript, WebAssembly Industry Projects
  25. OCaml Performance • GC is tuned for low-latency ‣ If

    your application can tolerate 1 ms latency, then OCaml is a good fi t ‣ 95% of code that we write fi t this model
  26. OCaml Performance • GC is tuned for low-latency ‣ If

    your application can tolerate 1 ms latency, then OCaml is a good fi t ‣ 95% of code that we write fi t this model • GC is a tradeo ff between space and time
  27. OCaml Performance • GC is tuned for low-latency ‣ If

    your application can tolerate 1 ms latency, then OCaml is a good fi t ‣ 95% of code that we write fi t this model • GC is a tradeo ff between space and time • OCaml is typically 1.5x to 2x slower than C for algorithmic workloads ‣ Python will be 10x to 100x slower than C
  28. OCaml Performance • GC is tuned for low-latency ‣ If

    your application can tolerate 1 ms latency, then OCaml is a good fi t ‣ 95% of code that we write fi t this model • GC is a tradeo ff between space and time • OCaml is typically 1.5x to 2x slower than C for algorithmic workloads ‣ Python will be 10x to 100x slower than C • Fast FFI to C for speed
  29. OCaml eio Rust Hyper OCaml (Http/af + Lwt) Go NetHttp

    OCaml (cohttp + Lwt) https://github.com/ocaml-multicore/eio OCaml Performance — Web Server
  30. MirageOS Unikernels • MirageOS is a library OS and a

    compiler that can build specialised images containing only the runtime environment needed by the application ‣ Cut the complexity by designing the layers as independent type-safe libraries.
  31. MirageOS Unikernels • MirageOS is a library OS and a

    compiler that can build specialised images containing only the runtime environment needed by the application ‣ Cut the complexity by designing the layers as independent type-safe libraries. • The MirageOS compiler transforms an application manifest into a specialised image. ‣ Rely on the OCaml compiler for modular static analysis, dead-code elimination, etc.
  32. MirageOS Unikernels • MirageOS is a library OS and a

    compiler that can build specialised images containing only the runtime environment needed by the application ‣ Cut the complexity by designing the layers as independent type-safe libraries. • The MirageOS compiler transforms an application manifest into a specialised image. ‣ Rely on the OCaml compiler for modular static analysis, dead-code elimination, etc. • Rely on the OCaml runtime as the sole trusted runtime environment (and selected C bindings)
  33. Available Libraries Network: Ethernet, IP, UDP, TCP, HTTP 1.0/1.1/2.0, ALPN,

    DNS, ARP, DHCP, SMTP, IRC, cap-n-proto, emails Storage: block device, Ramdisk, Qcow, B-trees, VHD, Zlib, Gzip, Lzo, Git, Tar, FAT32 Data-structures: LRU, Rabin’s fingerprint, bloom filters, adaptative radix trees, discrete interval encoding trees Security: x.509, ASN1, TLS, SSH Crypto: hashes, checksums Ciphers (AES, 3DES, RC4, ChaCha20/Poly1305) AEAD primitives (AES-GCM, AES-CCM) Public keys (RSA, DSA, DH) Fortuna • Reimplemented in OCaml • TLS: “rigorous engineering” ‣ same pure code to generate test oracles, verify oracle against real-world TLS traces and the real implementation ‣ Use Fiat (Coq extraction) for crypto primitives.
  34. What is a MirageOS Unikernel? • A statically compiled ELF

    binary • Executed as a virtual machine ‣ Solo5 is the host system process (“tender”) - Provides the platform-speci fi c details for MirageOS applications to interact with the underlying hardware or virtualisation frameworks ‣ Supports — KVM, Xen, virtio, muen, Linux Seccomp • Can also be executed as a Unix process ‣ Useful for debugging and development
  35. con fi g.ml multi-stage pipeline mirage configure unikernel.ml image dune

    build main.ml opam Make fi le make mirage_net_XXX.ml mirage_tcpip.ml … MirageOS Compiler
  36. Hello unikernel — Unix backend $ mirage configure -t unix

    $ make $ ./dist/hello 2024-11-25T17:04:16+05:30: [INFO] [application] hello 2024-11-25T17:04:17+05:30: [INFO] [application] hello 2024-11-25T17:04:18+05:30: [INFO] [application] hello 2024-11-25T17:04:19+05:30: [INFO] [application] hello
  37. Hello unikernel — solo5-hvt on kvm $ mirage configure -t

    hvt $ make $ solo5-hvt -- dist/hello.hvt | ___| __| _ \ | _ \ __ \ \__ \ ( | | ( | ) | ____/\___/ _|\___/____/ Solo5: Bindings version v0.9.0 Solo5: Memory map: 512 MB addressable: Solo5: reserved @ (0x0 - 0xfffff) Solo5: text @ (0x100000 - 0x1c4fff) Solo5: rodata @ (0x1c5000 - 0x1f5fff) Solo5: data @ (0x1f6000 - 0x289fff) Solo5: heap >= 0x28a000 < stack < 0x20000000 2024-11-25T11:47:10-00:00: [INFO] [application] hello 2024-11-25T11:47:11-00:00: [INFO] [application] hello 2024-11-25T11:47:12-00:00: [INFO] [application] hello 2024-11-25T11:47:13-00:00: [INFO] [application] hello Solo5: solo5_exit(0) called Hello Unikernel Solo5 Linux Kernel kvm.ko User space process User space process
  38. MirageOS Compiler • Remove dead code and inline code across

    traditionally opaque layer ‣ Resulting images usually have a size of a few MiB. ‣ Our HTTPS web server which runs mirage.io is only 10 MiB!
  39. MirageOS Compiler • Remove dead code and inline code across

    traditionally opaque layer ‣ Resulting images usually have a size of a few MiB. ‣ Our HTTPS web server which runs mirage.io is only 10 MiB! • Con fi guration can be partially evaluated at compile-time ‣ Extreme specialisation enables a boot time of a few ms.
  40. MirageOS Compiler • Remove dead code and inline code across

    traditionally opaque layer ‣ Resulting images usually have a size of a few MiB. ‣ Our HTTPS web server which runs mirage.io is only 10 MiB! • Con fi guration can be partially evaluated at compile-time ‣ Extreme specialisation enables a boot time of a few ms. • If something (e.g. networking) is not used, it will not be available at runtime ‣ Minimal runtime environments use a few MiB of RAM.
  41. MirageOS Compiler • Remove dead code and inline code across

    traditionally opaque layer ‣ Resulting images usually have a size of a few MiB. ‣ Our HTTPS web server which runs mirage.io is only 10 MiB! • Con fi guration can be partially evaluated at compile-time ‣ Extreme specialisation enables a boot time of a few ms. • If something (e.g. networking) is not used, it will not be available at runtime ‣ Minimal runtime environments use a few MiB of RAM. • The kernel and user space share the same address space ‣ Many runtime checks are removed, so static analysis is critical.
  42. Bitcoin Piñata • https://hannes.robur.coop/Posts/Pinata • 1.1 MB Unikernel, which ran

    from 2015 to 2018 • Hold the key to 10 bitcoins (peak worth $165k) ‣ Now worth ~$1M • A successful authenticated TLS session reveals the private Bitcoin key • 500,000 accesses to the Piñata website, more than 150,000 attempts at connecting to the Piñata bounty • The bitcoins were safe!
  43. Nitrokey NetHSM • NitroKey is developing NetHSM, a new HSM

    solution to manage cryptographic keys securely. • The software implementation should be easy to customise and o ff er superior security ‣ It should also be easily auditable by anyone to eliminate backdoors. • The NetHSM should meet high-performance requirements, allowing its use in low-power hardware security devices and highly e ff i cient cloud-based solutions. • They chose to use MirageOS running on the Muen micro-kernel https://www.nitrokey.com/products/nethsm
  44. Docker for Mac • Normally Docker use Linux namespaces and

    other Linux features • On macOS • Docker daemon runs in a light Linux VM (using hypervisor.framework) • Docker client is a Mac application • MirageOS libraries are used to translate semantics di ff erences between platforms: • volumes: FUSE format + fsevent/inotify • network: Linux ethernet packets to MacOS network syscalls MirageOS libraries used by millions of users
  45. MirageOS Challenges • Rewrite your applications in OCaml! • No

    inter-unikernel isolation ‣ No separate kernel vs user space ‣ No separation between di ff erent bits of the user space (no process abstraction) • Linking external C libraries ‣ Legacy C code is unavoidable — crypto, drivers, sqlite, … ‣ may have memory vulnerabilities, may harm Unikernel safety OCaml (safe) + C (unsafe) code
  46. MirageOS Challenges • Rewrite your applications in OCaml! • No

    inter-unikernel isolation ‣ No separate kernel vs user space ‣ No separation between di ff erent bits of the user space (no process abstraction) • Linking external C libraries ‣ Legacy C code is unavoidable — crypto, drivers, sqlite, … ‣ may have memory vulnerabilities, may harm Unikernel safety OCaml (safe) + C (unsafe) code
  47. Compartments / SFI — overview • Compartments o ff er

    intra-process isolation ‣ Functions mapped to compartments ‣ Restrict control fl ow and data access across security boundaries
  48. Compartments / SFI — overview • Compartments o ff er

    intra-process isolation ‣ Functions mapped to compartments ‣ Restrict control fl ow and data access across security boundaries • Control fl ow restricted by ‣ Whitelisted PC ranges ‣ Shadow stack to prevent ROP attacks
  49. Compartments / SFI — overview • Compartments o ff er

    intra-process isolation ‣ Functions mapped to compartments ‣ Restrict control fl ow and data access across security boundaries • Control fl ow restricted by ‣ Whitelisted PC ranges ‣ Shadow stack to prevent ROP attacks • Data access restricted by ‣ VMM tricks (or) fat pointers (or) capabilities (à la CHERI)
  50. FIDES — Secure compartments • Security-hardened Shakti RISC-V processor +

    MirageOS unikernels ‣ https://gitlab.com/shaktiproject
  51. FIDES — Secure compartments • Security-hardened Shakti RISC-V processor +

    MirageOS unikernels ‣ https://gitlab.com/shaktiproject • Intra-process compartments - Vulnerabilities in C do not a ff ect OCaml Access Matrix
  52. FIDES — Secure compartments • Security-hardened Shakti RISC-V processor +

    MirageOS unikernels ‣ https://gitlab.com/shaktiproject • Intra-process compartments - Vulnerabilities in C do not a ff ect OCaml • Compartment access matrix de fi ned at link time - Run unmodi fi ed OCaml and C code Access Matrix
  53. FIDES — Secure compartments • Security-hardened Shakti RISC-V processor +

    MirageOS unikernels ‣ https://gitlab.com/shaktiproject • Intra-process compartments - Vulnerabilities in C do not a ff ect OCaml • Compartment access matrix de fi ned at link time - Run unmodi fi ed OCaml and C code • Small extension to hardware and software ‣ Two new instructions added to RISC-V ISA: Val and Checkcap ‣ Modi fi cation to LLVM and OCaml compiler to emit these instructions Access Matrix
  54. Threat model • Source code is untrusted ‣ Inline assembly

    and use of Obj.magic trusted • All code is compiled with FIDES C and OCaml compiler ‣ Compiler instrumentation added by FIDES is correct ‣ OCaml runtime is trusted • Binary executable cannot be tampered with • Hardware attacks rowhammer, fault attacks, side-channels are out of scope
  55. FIDES Guarantees • Control- fl ow integrity ‣ The control

    fl ow in every execution of the program respects the compartment access matrix • Memory safety ‣ No memory errors; all references point to valid memory ‣ Pointers cannot be forged
  56. FIDES — Challenges and opportunities • OCaml o ff ers

    memory safety ‣ Hardware-accelerated fat pointers only for C code - Fine-grained data compartments - No fat pointers for OCaml code ‣ Pay attention to FFI boundaries
  57. FIDES — Challenges and opportunities • OCaml o ff ers

    memory safety ‣ Hardware-accelerated fat pointers only for C code - Fine-grained data compartments - No fat pointers for OCaml code ‣ Pay attention to FFI boundaries • FIDES code compartment must now handle FP features! ‣ Higher-order functions, tail calls, exceptions
  58. Remote Voting Machine (RVM) • Aim to address voter absenteeism

    amongst migrant voters ‣ 300 million people don’t vote • Enable migrant voters to be able to vote from a di ff erent constituency • Voting machine is more complex! ‣ “Discussion on improving voter participation of domestic migrants using remote voting”, Election Commission of India, 2022 Display Public Ballot Display
  59. Compartments for RVM OCaml Stdlib (C5) Crypto (C3) Vote Handler

    (C2) UI (C4) Result table Main (C1) indicates call is allowed
  60. Compartments for RVM OCaml Stdlib (C5) Crypto (C3) Vote Handler

    (C2) UI (C4) Result table Main (C1) indicates call is allowed Has C code Has C code
  61. Compartments for RVM OCaml Stdlib (C5) Crypto (C3) Vote Handler

    (C2) UI (C4) Result table Main (C1) indicates call is allowed Highly secure Has C code Has C code
  62. Higher-order functions OCaml Stdlib (C5) Crypto (C3) Vote Handler (C2)

    UI (C4) Result table Main (C1) indicates call is allowed
  63. Higher-order functions OCaml Stdlib (C5) Crypto (C3) Vote Handler (C2)

    UI (C4) Result table Main (C1) indicates call is allowed
  64. Higher-order functions OCaml Stdlib (C5) Crypto (C3) Vote Handler (C2)

    UI (C4) Result table Main (C1) indicates call is allowed C5 is not allowed to call C2
  65. Higher-order functions — Idea 1 OCaml Stdlib (C5) Crypto (C3)

    Vote Handler (C2) UI (C4) Result table Main (C1) indicates call is allowed
  66. Higher-order functions — Idea 1 OCaml Stdlib (C5) Crypto (C3)

    Vote Handler (C2) UI (C4) Result table Main (C1) indicates call is allowed
  67. Higher-order functions — Idea 1 OCaml Stdlib (C5) Crypto (C3)

    Vote Handler (C2) UI (C4) Result table Main (C1) indicates call is allowed “Confused Deputy” attack
  68. Higher-order functions — Idea 2 OCaml Stdlib (C5) Crypto (C3)

    Vote Handler (C2) UI (C4) Result table Main (C1) indicates call is allowed OCaml Stdlib (C5)
  69. Higher-order functions — Idea 2 OCaml Stdlib (C5) Crypto (C3)

    Vote Handler (C2) UI (C4) Result table Main (C1) indicates call is allowed OCaml Stdlib (C5) Limited compartment resource Shared state?
  70. Fluid compartments Crypto (C3) Vote Handler (C2) UI (C4) Result

    table Main (C1) indicates call is allowed OCaml Stdlib (C5) A fl uid compartment inherits the policies of the caller
  71. Shadow stack • Stores the return addresses for inter-compartment calls

    • Inaccessible from user-code ‣ Maintained and validated by hardware
  72. Shadow stack • Stores the return addresses for inter-compartment calls

    • Inaccessible from user-code ‣ Maintained and validated by hardware foo(): ... bar() after_bar: ... bar(): checkcap ... baz() after_baz: ... baz(): checkcap ... C1 C2 C3 pc
  73. Shadow stack • Stores the return addresses for inter-compartment calls

    • Inaccessible from user-code ‣ Maintained and validated by hardware foo(): ... bar() after_bar: ... bar(): checkcap ... baz() after_baz: ... baz(): checkcap ... C1 C2 C3 ... after_baz ... Shadow stack after_bar ... pc
  74. Non-call-return control flow • Typical compartment schemes handle only call-return

    sequence • OCaml has several non-call-return control- fl ow operations ‣ Tail calls, exceptions, e ff ect handlers! ‣ Need to manage the shadow stack carefully
  75. Exceptions and shadow stacks • Exceptions may be thrown across

    compartments ‣ Need to unwind shadow stack appropriately ‣ Challenge: Detect when intra-compartment exceptions are raised exn_pc prev_exn_ptr sp exn_ptr raise sp exn_ptr
  76. Exceptions and shadow stacks • Exceptions may be thrown across

    compartments ‣ Need to unwind shadow stack appropriately ‣ Challenge: Detect when intra-compartment exceptions are raised • Solution: Security monitor (SM) updates last exn_pc to a special routine exn_pc prev_exn_ptr sp exn_ptr raise sp exn_ptr
  77. Fat pointers Base Bound Cookie Pointer 32 bits Word size

    = 64 bits Cookie … base bound Memory region Fat pointer Fresh cookie at malloc and free
  78. Fat pointers Base Bound Cookie Pointer 32 bits Word size

    = 64 bits Cookie … base bound Memory region Fat pointer Fresh cookie at malloc and free • Fat pointers into the stack have frame scope ‣ Each frame has a cookie freshened at call and return
  79. Fat pointers Base Bound Cookie Pointer 32 bits Word size

    = 64 bits Cookie … base bound Memory region Fat pointer Fresh cookie at malloc and free • Fat pointers into the stack have frame scope ‣ Each frame has a cookie freshened at call and return • val instruction validates fat pointer before access
  80. Fat pointers Base Bound Cookie Pointer 32 bits Word size

    = 64 bits Cookie … base bound Memory region Fat pointer Fresh cookie at malloc and free • Fat pointers into the stack have frame scope ‣ Each frame has a cookie freshened at call and return • val instruction validates fat pointer before access • OCaml does not use fat pointers ‣ At FFI, use OCaml object header info to create fat pointer ‣ Use a special cookie that skips temporal validation
  81. Evaluation • Compiler changes ‣ ~300 lines for OCaml, ~2300

    lines for LLVM • Protyped on Xilinx Artix-7 AC701 FPGA ‣ 38.2K LUTs (+6.1% over base) ‣ 17.4K registers (+6.0% over base) • Performance on voting application ‣ 4% increase in code size ‣ 23% increase in instruction cycle count OCaml Stdlib (C5) Crypto (C3) Vote Handler (C2) UI (C4) Result table Main (C1) Highly secure Has C code Has C code
  82. Limitations • Features: E ff ect handlers, parallelism • OCaml

    runtime is trusted ‣ WIP: Veri fi ed garbage collector for OCaml
  83. Limitations • Features: E ff ect handlers, parallelism • OCaml

    runtime is trusted ‣ WIP: Veri fi ed garbage collector for OCaml • Data compartments are too weak ‣ Objects shared across compartments remain accessible forever ‣ Revocation through ownership and borrowing à la Rust - modal types in OCaml
  84. Limitations • Features: E ff ect handlers, parallelism • OCaml

    runtime is trusted ‣ WIP: Veri fi ed garbage collector for OCaml • Data compartments are too weak ‣ Objects shared across compartments remain accessible forever ‣ Revocation through ownership and borrowing à la Rust - modal types in OCaml • Hardware is exotic ‣ Arm MTE for fat pointers in C?