On Hubris and Humility: when "write your own OS" isn't the worst idea

Hubris is a small open-source operating system for deeply-embedded computer
systems, such as our server's replacement for the Baseboard Management
Controller. Because our BMC replacement uses a lower-complexity microcontroller
with region-based memory protection instead of virtual memory, our options were
limited. We were unable to find an off-the-shelf option that met our
requirements around safety, security, and correctness, so we wrote one.

Hubris provides preemptive multitasking, memory isolation between
separately-compiled components, the ability to isolate crashing drivers and
restart them without affecting the rest of the system, and flexible
inter-component messaging that eliminates the need for most syscalls -- in about
2000 lines of Rust. The Hubris debugger, Humility, allows us to walk up to a
running system and inspect the interaction of all tasks, or capture a dump for
offline debugging.

However, Hubris may be more interesting for what it _doesn't_ have. There are no
operations for creating or destroying tasks at runtime, no dynamic resource
allocation, no driver code running in privileged mode, and no C code in the
system. This removes, by construction, a lot of the attack surface normally
present in similar systems.

This talk will provide an overview of Hubris's design, the structure of a Hubris
application, and some highlights of things we learned along the way.