Ironclad – formally verified, real-time capable, Unix-like OS kernel
133 points
3 hours ago
| 5 comments
| ironclad-os.org
| HN
AlotOfReading
2 hours ago
[-]
Interesting project. I'm curious about the limits of formal verification of worst case execution time. There are other formally verified kernels like seL4 and atmosphere, as well as layers you can stack on top to get a mostly compatible posix-ish layer like genode. You can also go out and find completely compatible kernels with enough maturity that (full) formal verification isn't a major value-add, like QNX or VxWorks.

I'm not aware of much that combines WCET + formal verification + POSIX compatibility though. The verification page here is mostly at stone level, which from my understanding of SPARK terminology just means it passes validation, but might have runtime errors where most of Ada's WCET nondeterminism comes from. I'm skeptical that this is actually production usable for the hard real-time use cases all over their documentation at the current stage, but nothing on the website gives any clue as to the actual maturity short of reading the code myself.

reply
indolering
2 hours ago
[-]
Any government can get RCE on any OS with the change in their couch. Formal verification of process isolation is REALLY important when lives depend on it. That's a huge value add!

My main concern is speed and the lack of capability based security. seL4 is faster than Linux by a mile and I'm guessing that this is much slower. You can put a POSIX layer on seL4 but POSIX is inherently flawed too. MAC separates privileges from code and is too clunky to use in practice (see seLinux).

reply
johnisgood
1 hour ago
[-]
It does not have to remain at stone level, and it can get legit certifications, too.

Looking forward to it. A formally verified OS is a great step towards better security.

reply
notepad0x90
3 hours ago
[-]
There is an NDA related company called ironclad as well. Beware the trademark/copyright terrorists.

That said, I am huge fan of works like this. But in practice, the security layer that betrays all of this tends to be the firmware layer.

My dream is to have something like the Framework computer use verifiably secure EFI firmware, as well as similarly verified and audited firmware for every hardware component.

reply
F3nd0
2 hours ago
[-]
You might want to check out MNT Research if you haven’t yet. They make repairable laptops, too, but they also release their work as free software and open hardware.

https://mnt.re/

reply
notepad0x90
38 minutes ago
[-]
The MNT is too small for my usage, but it's a great effort. I think their goal is to make open hardware right now, not necessarily a verifiable one.
reply
indolering
1 hour ago
[-]
You need a different kernel for firmware verification. But it should be regulated at this point.
reply
scoot
32 minutes ago
[-]
That isn't how trademarks work. There can be multiple business with the same name, as long as they operate in a different field. Case in point, Apple Computer had to pay for the rights to The Beatles label Apple Music only when they entered the music industry (not that they didn't try to contest it!)

Copyright is something different entirely!

https://xkcd.com/386/

reply
joshuakelly
3 hours ago
[-]
Building new operating systems seems so ambitious to me. Radiant Computer (https://radiant.computer/) was also recently posted.

What other exciting projects like these exist?

reply
zzo38computer
14 minutes ago
[-]
I have ideas as well, and wrote about some of them (including some partial specifications), although I do not have a name for my own, so due to this, there is not a repository or anything like that yet. Note that, there are multiple parts, and different projects will have a different set of these parts: hardware, kernel, user/application programs; my ideas involve all three (there may be other parts, and different ways to divide them, too).
reply
lifty
2 hours ago
[-]
https://asterinas.github.io/ (Linux compatible Kernel) and https://redox-os.org/ are two promising ones.
reply
criticalfault
1 hour ago
[-]
I wonder why all of these do not use gpl2?
reply
floam
31 minutes ago
[-]
I wouldn’t kneecap a OS project I wish to be adopted by licensing it GPL. Look at glibc which basically can’t practically support static linking.

You make any of your OS standard libraries GPL and they need to suck to use and can’t statically link your code without being forced to also be licensed GPL.

That viral property some people find desirable.

reply
criticalfault
1 minute ago
[-]
Isn't this what made Linux successful?

Being able to sell it closed and not releasing the source would make closing the android ecosystem 'good old times', no?

We would only get a bunch of closed outdated company controlled binaries, but now for everything, not only drivers?

reply
dokyun
25 minutes ago
[-]
Rust's technical choices seem to make releasing GPL software with it cumbersome and unattractive. Also the implied goal of a lot of Rust projects is to replace GPL'ed programs with permissive ones.
reply
ivanjermakov
3 hours ago
[-]
https://serenityos.org/
reply
sharts
2 hours ago
[-]
This looks perfect. Just wonder how the hardware /software support goes
reply
chrsw
1 hour ago
[-]
Not new, but alternative https://www.haiku-os.org/
reply
attila-lendvai
3 hours ago
[-]
it seems to be little more than a mission statement... no?
reply
alberth
1 hour ago
[-]
> It is written in SPARK and Ada, and is comprised of 100% free software.

I thought SPARK was a paid (not free) license. Am I mistaken?

Very cool project btw.

reply
misswaterfairy
32 minutes ago
[-]
> I thought SPARK was a paid (not free) license. Am I mistaken?

Similar model to Qt: permissive licensed open source version, with a commercial 'Pro' offering.

https://en.wikipedia.org/wiki/SPARK_(programming_language)

https://alire.ada.dev/transition_from_gnat_community.html

reply
liamkinne
1 hour ago
[-]
Is there a technical reason it only supports x86_64, riscv64, and not arm64?
reply