Language-Based Safety and Isolation Across System Composition Boundaries
Event details
| Date | 19.06.2026 |
| Hour | 09:00 › 11:00 |
| Speaker | Yiwen Xu |
| Location | |
| Category | Conferences - Seminars |
DIC candidacy exam
Exam president: Prof. Anne-Marie Kermarrec
Thesis advisor: Prof. Mathias Payer
Co-examiner: Prof. Thomas Bourgeat
Abstract
The OS kernel is exposed through vulnerable drivers: a single driver vulnerability can bring down the whole system. Since fixing all driver bugs is nearly impossible, driver isolation must become a fundamental mechanism for reducing the attack surface across system composition boundaries. Compared with hardware-based isolation (Xen, Nooks, etc.) and software-based isolation (e.g. SFI), language-based isolation often provides finer-grained safety, such as type constraints and thread-safety properties.
SafeDrive was an early effort to protect Linux C drivers using type checks, memory-safety invariants, and recovery support, but it still had overhead and incomplete safety. RedLeaf, built in Rust completely, reduces runtime checks by relying on Rust's ownership system while enabling efficient communication through validated interfaces. As Rust enters mainline Linux, a new challenge appears: Rust components need to interact with legacy foreign-language code, where safety guarantees can break. Omniglot addresses this by enabling safe, zero-copy interaction between Rust and unmodified untrusted code using carefully designed memory isolation primitives.
Going forward, my research will continue to focus on the intersection of operating systems and programming languages.
Selected papers
- Paper 1: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques [OSDI'06]
- Paper 2: RedLeaf: Isolation and Communication in a Safe Operating System [OSDI'20]
- Paper 3: Building Bridges: Safe Interactions with Foreign Languages through Omniglot [OSDI'25]
Practical information
- General public
- Free