Overview of Fuchsia, a New Operating System Mickaël Salaün

Overview of Fuchsia, a new operating system

Mickaël Salaün

French National Cybersecurity Agency (ANSSI)

September 23, 2019 Warning I Fuchsia is a moving target right now, this talk might be partially outdated soon. I A lot of new things are developed for this OS, but I don’t have time to cover all aspecs of them in this talk.

Introduction

Started in 2015 and open-sourced in 2016, Fuchsia is mainly developed by Google, with some private parts: roadmap and issue tracker (Atlassian).

What is Fuchsia? I OS targeting end-user devices (e.g. smartphone, laptop, IoT, extended reality devices?) I main goals: security, reliability and modularity I future-proof: designed to be updatable for a long time

ANSSI Overview of Fuchsia, a new operating system 2/17 Introduction

Started in 2015 and open-sourced in 2016, Fuchsia is mainly developed by Google, with some private parts: roadmap and issue tracker (Atlassian).

Warning I Fuchsia is a moving target right now, this talk might be partially outdated soon. I A lot of new things are developed for this OS, but I don’t have time to cover all aspecs of them in this talk.

ANSSI Overview of Fuchsia, a new operating system 2/17 Screenshot of Fuchsia: greeter Screenshot of Fuchsia: apps Support big existing ecosystems (WIP) I Flutter apps, Android apps, Chromecast apps I Linux VM (ﬁle transferts, Wayland bridge)

Connected I composable apps and task-centric I distributed data storage: Ledger I bridges with other systems (overnet/gRPC): iOS and Android

Major properties

Open and supported I mainly open-source I supported by a big company, already developing Android and Chrome OS

ANSSI Overview of Fuchsia, a new operating system 5/17 Connected I composable apps and task-centric I distributed data storage: Ledger I bridges with other systems (overnet/gRPC): iOS and Android

Major properties

Open and supported I mainly open-source I supported by a big company, already developing Android and Chrome OS

Support big existing ecosystems (WIP) I Flutter apps, Android apps, Chromecast apps I Linux VM (ﬁle transferts, Wayland bridge)

ANSSI Overview of Fuchsia, a new operating system 5/17 Major properties

Open and supported I mainly open-source I supported by a big company, already developing Android and Chrome OS

Support big existing ecosystems (WIP) I Flutter apps, Android apps, Chromecast apps I Linux VM (ﬁle transferts, Wayland bridge)

Connected I composable apps and task-centric I distributed data storage: Ledger I bridges with other systems (overnet/gRPC): iOS and Android

ANSSI Overview of Fuchsia, a new operating system 5/17 Implementation FIDL I static definition of protocols (inspired by Chromium’s Mojo) I enables to transfert (typed) data and handles (including other protocols) I generates serialization and deserialization libraries ⇒ agnostic to the underlying languages ⇒ consistent and unique entry point to audit and test services ⇒ defines semantics (e.g. user-defined capability, revocation, state machine)

IPC

Capability I reference (handle) to a kernel object (e.g. memory, interrupt, process) I associated with a set of access rights I unforgeable I communicable (e.g. through channels)

ANSSI Overview of Fuchsia, a new operating system 7/17 IPC

Capability I reference (handle) to a kernel object (e.g. memory, interrupt, process) I associated with a set of access rights I unforgeable I communicable (e.g. through channels)

FIDL I static definition of protocols (inspired by Chromium’s Mojo) I enables to transfert (typed) data and handles (including other protocols) I generates serialization and deserialization libraries ⇒ agnostic to the underlying languages ⇒ consistent and unique entry point to audit and test services ⇒ defines semantics (e.g. user-defined capability, revocation, state machine)

ANSSI Overview of Fuchsia, a new operating system 7/17 Drivers I shared libraries (ELF) I API/ABI deﬁned with Banjo and Binding Instructions I composables (relative addresses/routes)

Zircon

Microkernel I well suited for security: small TCB (running in ring 0) I origin: Little Kernel (32-bits, no syscall, no MMU. . . ) I 64-bits only I 150+ syscalls, mainly called with handles, mostly asynchronous I vDSO: mandatory entry point to the kernel I partial POSIX compatibility (e.g. no UID, no fork()) I hypervisor, realtime I 98K+ SLOC: subset of C++ 17 (e.g. no exception, casting and inheritance restrictions)

ANSSI Overview of Fuchsia, a new operating system 8/17 Zircon

Drivers I shared libraries (ELF) I API/ABI deﬁned with Banjo and Binding Instructions I composables (relative addresses/routes)

ANSSI Overview of Fuchsia, a new operating system 8/17 Packages I set of ﬁles, including component(s) I integrity checked with Merkle tree hash for each ﬁle, thanks to a content-addressed FS: blobfs I OTA updates: TUF and Omaha

Customization and derivability I derivable board and product deﬁnitions with GN and Jiri I stable system ABI with FIDL I permissive licences (BSD-like)

Modularity

Components I basic unit of executable software (e.g. app) I sandboxed: principle of least privilege

ANSSI Overview of Fuchsia, a new operating system 9/17 Customization and derivability I derivable board and product deﬁnitions with GN and Jiri I stable system ABI with FIDL I permissive licences (BSD-like)

Modularity

Components I basic unit of executable software (e.g. app) I sandboxed: principle of least privilege

Packages I set of ﬁles, including component(s) I integrity checked with Merkle tree hash for each ﬁle, thanks to a content-addressed FS: blobfs I OTA updates: TUF and Omaha

ANSSI Overview of Fuchsia, a new operating system 9/17 Modularity

Components I basic unit of executable software (e.g. app) I sandboxed: principle of least privilege

Packages I set of ﬁles, including component(s) I integrity checked with Merkle tree hash for each ﬁle, thanks to a content-addressed FS: blobfs I OTA updates: TUF and Omaha

Customization and derivability I derivable board and product deﬁnitions with GN and Jiri I stable system ABI with FIDL I permissive licences (BSD-like)

ANSSI Overview of Fuchsia, a new operating system 9/17 Hardening I ASLR with PIC/PIE, full RELRO, stack protector (strong), SafeStack, W⊕X memory I strong typing (e.g. user space vs. kernel space addresses) I use of object destructors for security: auto-closing (pointer, handle, FD, lock), memory zeroing, type-confusion checks (debug-only)

Security mitigations

Good development practices I strict language guidelines, sane/safe API, tests, doc., code review I fuzzing (libraries, drivers, services): libFuzzer, syzkaller I sanitizers: Address (ASAN), Undeﬁned Behavior, Coverage. . .

ANSSI Overview of Fuchsia, a new operating system 10/17 Security mitigations

Hardening I ASLR with PIC/PIE, full RELRO, stack protector (strong), SafeStack, W⊕X memory I strong typing (e.g. user space vs. kernel space addresses) I use of object destructors for security: auto-closing (pointer, handle, FD, lock), memory zeroing, type-confusion checks (debug-only)

ANSSI Overview of Fuchsia, a new operating system 10/17 Development Commits per month1

3000 2500 2000 1500

commits 1000 500 0 Jul. 2016 Jul. 2017 Jul. 2018 Jul. 2019 Jan. 2018 Jan. 2017 Jan. 2019

1Generated from the public repositories (excluding bots) the 19th September, 2019.

ANSSI Overview of Fuchsia, a new operating system 12/17 Authors per month2

350 300 250 200 150 authors 100 50 0 Jul. 2019 Jul. 2016 Jul. 2017 Jul. 2018 Jan. 2019 Jan. 2017 Jan. 2018

2Generated from the public repositories (excluding bots) the 19th September, 2019.

ANSSI Overview of Fuchsia, a new operating system 13/17 Commits per author3

Googlers 1000 others

100 commits 10

1 100 200 300 400 500 600 700 800 authors

3Generated from the public repositories (excluding bots) the 19th September, 2019.

ANSSI Overview of Fuchsia, a new operating system 14/17 Third parties I musl libc (stripped), jemalloc, scudo I e1000, iwlwiﬁ, brcm80211, ath10k. . . I BoringSSL, Cairo, FreeType, ICU, Mesa, Roughtime, OpenSSH, Dash. . . I Chromium

Source codes

Fuchsia’s own code Language Files Share C++/C 11.7k+ 80% Rust 1.5k+ 10% Dart/Flutter 1.0k+ 7% Go 400+ 3%

ANSSI Overview of Fuchsia, a new operating system 15/17 Source codes

Fuchsia’s own code Language Files Share C++/C 11.7k+ 80% Rust 1.5k+ 10% Dart/Flutter 1.0k+ 7% Go 400+ 3%

Third parties I musl libc (stripped), jemalloc, scudo I e1000, iwlwiﬁ, brcm80211, ath10k. . . I BoringSSL, Cairo, FreeType, ICU, Mesa, Roughtime, OpenSSH, Dash. . . I Chromium

ANSSI Overview of Fuchsia, a new operating system 15/17 Conclusion Limitations I performance: balance with security, safety and patents (e.g. RCU?) I hardware (in)security can still undermine software (e.g. side channels, Spectre) I some coarse-grained rights (e.g. ZX_KIND_RSRC_ROOT) I no security proof of critical components ⇒ not stable yet: opportunity for experiments, feedbacks and improvements https://fuchsia.dev

Takeaway

Great properties I capability-based security OS with nice IPC speciﬁcations I very modular architecture I microkernel with stable device driver ABI

ANSSI Overview of Fuchsia, a new operating system 17/17 https://fuchsia.dev

Takeaway

Great properties I capability-based security OS with nice IPC speciﬁcations I very modular architecture I microkernel with stable device driver ABI

Limitations I performance: balance with security, safety and patents (e.g. RCU?) I hardware (in)security can still undermine software (e.g. side channels, Spectre) I some coarse-grained rights (e.g. ZX_KIND_RSRC_ROOT) I no security proof of critical components ⇒ not stable yet: opportunity for experiments, feedbacks and improvements

ANSSI Overview of Fuchsia, a new operating system 17/17 Takeaway

Great properties I capability-based security OS with nice IPC speciﬁcations I very modular architecture I microkernel with stable device driver ABI

ANSSI Overview of Fuchsia, a new operating system 17/17 Misc Processes (partial)

I bootsvc I component_manager I devcoordinator I zircon-drivers I devhost:sys - hid, rtc, ps2. . . I devhost:root - null, zero I devhost:misc - console, dmctl, ptmx sysinfo, acpi, pci. . . I devhost:pci#1 - display I devhost:pci#2 - block/fvm I devhost:pci#3 - ethernet I zircon-services I svchost I fshost I netsvc I virtual-console I blobfs:/blob I pkgfs I minfs:/data I fuchsia I appmgr (from /pkgfs) . . . *.cmx

ANSSI Overview of Fuchsia, a new operating system 2/6 File System(s)

Full root directories

I bin I cache I install I conﬁg I pkg I blob I pkgfs I boot I svc I bootsvc I system I data I tmp I dev I volume I hub

ANSSI Overview of Fuchsia, a new operating system 3/6 Some syscalls

bti_create interrupt_bind cache_flush iommu_create channel_call ioports_request channel_create job_create channel_read job_set_policy channel_read_etc nanosleep channel_write object_get_info clock_adjust process_create clock_get socket_create cprng_add_entropy system_mexec cprng_draw task_kill eventpair_create thread_create fifo_create ticks_get futex_wait vcpu_create guest_create vmar_allocate handle_close vmo_create

ANSSI Overview of Fuchsia, a new operating system 4/6 FIDL example (partial)

library fuchsia.overnet;

using fuchsia.overnet.protocol;

[Discoverable] protocol Overnet { ListPeers(uint64 last_seen_version) -> (uint64 version, vector peers); RegisterService(string service_name, ServiceProvider provider); ConnectToService(fuchsia.overnet.protocol.NodeId node, string service_name, handle chan); };

struct Peer { fuchsia.overnet.protocol.NodeId id; bool is_self; fuchsia.overnet.protocol.PeerDescription description; };

ANSSI Overview of Fuchsia, a new operating system 5/6 Package: *.cmx

1.1k+ packages

"program": { "data": "data/ermine" }, "sandbox": { "pkgfs": [ "packages" ], "services": [ "fuchsia.bluetooth.control.Control", "fuchsia.cobalt.LoggerFactory", "fuchsia.fonts.Provider", "fuchsia.logger.LogSink", ... "fuchsia.modular.Clipboard", ... "fuchsia.power.BatteryManager", "fuchsia.sys.Environment", "fuchsia.sys.Launcher", ... ], "system": [ "data/sysui" ] }

ANSSI Overview of Fuchsia, a new operating system 6/6