1.6. Why Rust?

Why We Chose to Write an Operating System in Rust

Rust offers significant advantages, especially in the context of operating systems, where security and stability are paramount. Operating systems are foundational to computing, making them the most crucial piece of software. Throughout the history of computing, there have been numerous bugs and vulnerabilities in systems like Linux, BSD, glibc, Bash, and X11, often stemming from issues related to memory allocation and type safety. Rust addresses these issues by enforcing memory safety at the compile-time, which is crucial for preventing such vulnerabilities.

The Importance of Rust in OS Development

Design is important, but so is the implementation. Rust excels in preventing unexpected memory-unsafe conditions, which are a major source of security-critical bugs. Rust's design is transparent, allowing developers to clearly understand what is happening in the code and what the intended behavior is.

The basic design of the kernel and user-space separation in vortexOS is similar to Unix-like systems. The core idea is to separate the kernel and user-space, with the kernel strictly enforcing system resource management. However, vortexOS has a significant advantage: enforced memory and type safety. Rust's strength lies in eliminating a large number of "unexpected bugs," such as undefined behavior, at compile-time.

While the design of Linux and BSD is secure, their implementation is not. Many bugs in Linux stem from unsafe conditions—like buffer overflows—that Rust effectively eliminates. By using Rust, we aim to produce a more secure and stable operating system.

The Role of unsafe in Rust

unsafe is a mechanism in Rust that allows developers to perform operations that the compiler cannot guarantee to be safe, such as low-level memory manipulation. While you cannot write a kernel without using unsafe, Rust requires that these unsafe operations be explicitly marked as such. This keeps the unsafe parts isolated from the rest of the safe code. We aim to minimize the use of unsafe where possible, and when we do use it, we do so with extreme caution.

This approach contrasts with kernels written in C, where no guarantees about security can be made without costly formal analysis. In Rust, the use of unsafe is carefully controlled, enhancing overall system safety.

Benefits of Writing vortexOS in Rust

1. Reduced Likelihood of Bugs

The restrictive syntax and strict compiler requirements of Rust significantly reduce the probability of bugs in the code.

2. Less Vulnerability to Data Corruption

The Rust compiler helps programmers avoid memory errors and race conditions, reducing the chances of data corruption bugs.

3. No Need for C/C++ Exploit Mitigations

The microkernel design, when written in Rust, is naturally protected against the memory defects commonly seen in software written in C/C++. By isolating system components from the kernel, the attack surface is significantly reduced.

4. Improved Security and Reliability Without Performance Impact

The small size of the kernel means it uses less memory, helping to maintain a bug-free status (KISS principle). Rust’s combination of safe and fast language design, along with the minimal kernel code size, ensures a reliable, performant, and easy-to-maintain core.

5. Thread-Safety

C/C++ support for thread safety is fragile, making it easy to introduce subtle bugs or security holes when running programs across multiple threads. Rust's type system prevents the writing of unsafe concurrent access patterns, helping to avoid these issues. This ensures that vortexOS is less prone to bugs related to thread safety.

6. Rust-Written Drivers

Drivers written in Rust are likely to have fewer bugs, making them more stable and secure, contributing to the overall reliability of vortexOS.

By choosing Rust for vortexOS, we are working towards creating an operating system that is not only secure and stable but also efficient and reliable, setting a new standard for operating system development.

4o