Synergy with TheseusOS

I’m just gonna throw this out there and see if it’s also interesting to anyone else.

I recently learned about TheseusOS, which is a research operating system (though I get the impression that the creators want to develop it to the point of production readiness). What makes it unique is that it is designed to run everything at a single process level and single address space. They claim that even though they do this, the OS still provides all the security guarantees of traditional operating systems that use multiple process levels and address spaces. They provide them by offloading work to the compiler (like how the borrow checker avoids dynamic memory management). I’ve skimmed over their papers and it seems like thorough work, but the claim that we no longer need techniques which have been at the foundation of all major operating systems for decades is quite extraordinary. So some healthy skepticism is appropriate.

However, as has been noted in the perennial discussions on passwordless sudo, the risks mitigated by separate address spaces and process levels are less relevant in a properly compartmentalized system like QubesOS. In this case, the guest operating system is doing a bunch of work to provide guarantees that are practically provided by Xen (barring Xen exploits, which are a concern, but are quite rare). This seems wasteful. The runtime behavior that TheseusOS exhibits results in a cleaner system.

This is probably most useful for service qubes like sys-net and sys-usb, because they have limited responsibilities and impact the performance of multiple user-facing guests. Of course, the challenge there (as is the case for all new operating systems) is hardware support. This is not exactly a new challenge for QubesOS, and perhaps at some point TheseusOS drivers could be a requirement for certification (or just a gold star to add on to it). TheseusOS could also be used for running infrastructure like QubesDB which currently exists in dom0 but in principle could be split off into a separate domain similar to driver domains.

That’s it. It’s just a thing that seems neat. I don’t have time to pursue it right now and I doubt anyone else does either, but it seems fun to talk about. =)

EDIT: Well, apparently this is not as unique as I thought given the discussion about nanokernels which I did not see before making this post…