GuardBSD Features


GuardBSD is designed around minimalism, security, performance, and portability. The system provides a clean architectural model aimed at high-assurance environments and embedded applications.


1. Minimalism

  • ~4,366 lines of code
  • strict separation of subsystems
  • only essential functionality implemented
  • reduced surface for bugs and vulnerabilities

Minimalism directly supports formal verification.


2. Security

Capability-Based Access Control

Every resource access requires a capability:


Capability {
    object_id,
    rights,
    seal,
    generation,
}

Properties:

  • unforgeable
  • revocable
  • transferable
  • attenuable
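How the four fields listed above can deliver the four properties listed below is easiest to see in code. The following Rust sketch is an added example, not GuardBSD's own implementation: it assumes that `seal` is a keyed integrity tag over the other fields (giving unforgeability), that `generation` is compared against a per-object counter the kernel can bump (giving revocation), and that rights are a small bitmask. std's SipHash with a random per-boot key stands in for whatever MAC the real kernel uses.

```rust
use std::collections::hash_map::RandomState;
use std::collections::HashMap;
use std::hash::{BuildHasher, Hash, Hasher};

// Rights bits (illustrative encoding; the page does not define GuardBSD's).
pub const READ: u8 = 0b001;
pub const WRITE: u8 = 0b010;
pub const EXEC: u8 = 0b100;

/// Mirrors the four fields the page lists. Plain `Copy` data with no holder field:
/// handing a capability to another task (e.g. over IPC) is just copying the value.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Capability {
    pub object_id: u64,
    pub rights: u8,
    pub seal: u64,
    pub generation: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum CapError {
    Forged,             // seal does not match the fields: tampered or fabricated
    Revoked,            // object is gone or its generation has moved on
    InsufficientRights, // holder never had the requested right
}

/// Kernel-side state: a sealing key userspace never sees, and each object's live generation.
pub struct Kernel {
    key: RandomState,           // stand-in for a kernel MAC key (assumption)
    objects: HashMap<u64, u32>, // object_id -> current generation
}

impl Kernel {
    pub fn new() -> Self {
        Kernel { key: RandomState::new(), objects: HashMap::new() }
    }

    /// Seal = keyed hash over the other three fields. Without the key, userspace
    /// cannot produce a valid seal for any combination the kernel did not hand out.
    fn seal(&self, object_id: u64, rights: u8, generation: u32) -> u64 {
        let mut h = self.key.build_hasher();
        (object_id, rights, generation).hash(&mut h);
        h.finish()
    }

    fn mint(&self, object_id: u64, rights: u8, generation: u32) -> Capability {
        let seal = self.seal(object_id, rights, generation);
        Capability { object_id, rights, seal, generation }
    }

    /// Register an object and return a capability carrying all rights.
    pub fn create_object(&mut self, object_id: u64) -> Capability {
        self.objects.insert(object_id, 0);
        self.mint(object_id, READ | WRITE | EXEC, 0)
    }

    /// Every resource access goes through here. Order matters: integrity first
    /// (so a forged value is rejected before anything else is read), then liveness, then rights.
    pub fn check(&self, cap: &Capability, needed: u8) -> Result<(), CapError> {
        if self.seal(cap.object_id, cap.rights, cap.generation) != cap.seal {
            return Err(CapError::Forged);
        }
        match self.objects.get(&cap.object_id) {
            Some(&live) if live == cap.generation => {}
            _ => return Err(CapError::Revoked),
        }
        if (cap.rights & needed) != needed {
            return Err(CapError::InsufficientRights);
        }
        Ok(())
    }

    /// Attenuation: derive a capability with a subset of the rights. The holder
    /// must already possess every right it tries to delegate, so rights only shrink.
    pub fn attenuate(&self, cap: &Capability, rights: u8) -> Result<Capability, CapError> {
        self.check(cap, rights)?;
        Ok(self.mint(cap.object_id, rights, cap.generation))
    }

    /// Revocation: bump the object's generation. Every outstanding capability for it,
    /// including attenuated copies already transferred elsewhere, fails its next check.
    pub fn revoke(&mut self, object_id: u64) {
        if let Some(g) = self.objects.get_mut(&object_id) {
            *g += 1;
        }
    }
}

fn main() {
    let mut k = Kernel::new();
    let full = k.create_object(7);
    let ro = k.attenuate(&full, READ).unwrap();
    println!("read-only write attempt: {:?}", k.check(&ro, WRITE));
    k.revoke(7);
    println!("after revoke: {:?}", k.check(&full, READ));
}
```

The generation check is what makes revocation cheap: nothing has to track where copies of a capability went, because every copy carries the generation it was minted under and is compared against the object's live counter on use.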

Exploit Mitigations

  • Stack canaries
  • ASLR (16-bit)
  • W^X memory enforcement
  • Secure zeroing
  • Rate limiting
  • Pointer validation

System-wide overhead: < 5%
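Two of the mitigations listed above, pointer validation and secure zeroing, are small enough to show in full. The Rust below is an added example, not GuardBSD's code: the user address-space window (`USER_BASE`, `USER_TOP`) is an assumed layout, and the checks are done purely on integers so that a hostile address never reaches a load or store before it has been validated.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

// Assumed user address-space window (not taken from the page): the lowest page is
// left unmapped as a null guard, and the top is the end of a 47-bit user half.
pub const USER_BASE: usize = 0x1000;
pub const USER_TOP: usize = 0x0000_7fff_ffff_f000;

#[derive(Debug, PartialEq, Eq)]
pub enum PtrError {
    Misaligned,
    Overflow,         // addr + len wraps around the address space
    OutsideUserSpace, // range touches kernel memory or the null guard page
}

/// Validate a user-supplied (addr, len) pair before the kernel dereferences it.
/// `align` must be a power of two (the natural alignment of the type being accessed).
pub fn validate_user_range(addr: usize, len: usize, align: usize) -> Result<(), PtrError> {
    debug_assert!(align.is_power_of_two());
    if (addr & (align - 1)) != 0 {
        return Err(PtrError::Misaligned);
    }
    // checked_add catches the classic "huge len wraps end below addr" trick.
    let end = addr.checked_add(len).ok_or(PtrError::Overflow)?;
    if addr < USER_BASE || end > USER_TOP {
        return Err(PtrError::OutsideUserSpace);
    }
    Ok(())
}

/// Secure zeroing: volatile byte stores the optimizer is not allowed to drop as
/// dead (a plain memset before a free routinely is), then a compiler fence so
/// nothing is reordered across the wipe.
pub fn secure_zero(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusively borrowed u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

fn main() {
    println!("{:?}", validate_user_range(USER_BASE + 0x1000, 4096, 8));
    println!("{:?}", validate_user_range(usize::MAX - 16, 64, 1));
    let mut key = [0xA5u8; 32];
    secure_zero(&mut key);
    println!("wiped: {}", key.iter().all(|&b| b == 0));
}
```

The alignment test runs first so that a misaligned address is rejected even when it would otherwise be in range; the overflow test runs before the range test because `end` is meaningless once the addition has wrapped.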


3. Performance

GuardBSD has undergone extensive optimizations:

Hot Path Optimizations

  1. read/write/open/close
  2. TLB flush
  3. IPC send/receive

Techniques:

  • inline & cold-path separation
  • fast-path dispatch
  • cache-aligned structures

Result: 10–43% faster execution in these critical paths.


4. Portability

GuardBSD supports:

  • x86_64
  • aarch64

via a unified codebase:

  • trait-based architecture abstraction
  • conditional compilation (#[cfg])
  • architecture-specific modules in arch/

Future target: riscv64
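The trait-plus-`#[cfg]` pattern named above looks like this in practice. The Rust below is an added example and not GuardBSD's `arch/` code: the trait members, the 4 KiB page size and the 48-bit virtual-address layouts (4-level paging on x86_64, a TTBR0/TTBR1 split with 16-bit T0SZ/T1SZ on aarch64) are assumptions chosen for illustration. Architecture-neutral code calls `Current::…` and never sees which module was compiled in.

```rust
/// The per-architecture contract the rest of the kernel codes against.
pub trait Arch {
    const NAME: &'static str;
    const PAGE_SIZE: usize;
    const VA_BITS: u32;

    /// True when `addr` is a usable virtual address under this architecture's layout.
    fn is_canonical(addr: usize) -> bool;

    /// Architecture-neutral helpers are written once against the constants.
    fn split_page(addr: usize) -> (usize, usize) {
        (addr / Self::PAGE_SIZE, addr % Self::PAGE_SIZE)
    }
}

#[cfg(target_arch = "x86_64")]
mod arch {
    use super::Arch;
    pub struct X86Arch;
    impl Arch for X86Arch {
        const NAME: &'static str = "x86_64";
        const PAGE_SIZE: usize = 4096;
        const VA_BITS: u32 = 48;
        // 4-level paging: bits 63..47 must all equal bit 47 (assumed layout).
        fn is_canonical(addr: usize) -> bool {
            let top = addr >> (Self::VA_BITS - 1);
            top == 0 || top == usize::MAX >> (Self::VA_BITS - 1)
        }
    }
    pub type Current = X86Arch;
}

#[cfg(target_arch = "aarch64")]
mod arch {
    use super::Arch;
    pub struct Arm64Arch;
    impl Arch for Arm64Arch {
        const NAME: &'static str = "aarch64";
        const PAGE_SIZE: usize = 4096; // 4 KiB granule assumed
        const VA_BITS: u32 = 48;       // T0SZ = T1SZ = 16 assumed
        // Two ranges: TTBR0 (user, top 16 bits zero) and TTBR1 (kernel, top 16 bits one).
        fn is_canonical(addr: usize) -> bool {
            let top = addr >> Self::VA_BITS;
            top == 0 || top == usize::MAX >> Self::VA_BITS
        }
    }
    pub type Current = Arm64Arch;
}

#[cfg(not(any(target_arch = "x86_64", target_arch = "aarch64")))]
compile_error!("only x86_64 and aarch64 are implemented here; riscv64 is a future target");

pub use arch::Current;

/// Neutral code: one definition, compiled against whichever `arch` module is active.
pub fn describe() -> String {
    format!("{} / {}-byte pages / {}-bit VA", Current::NAME, Current::PAGE_SIZE, Current::VA_BITS)
}

fn main() {
    println!("{}", describe());
    println!("{:?}", Current::split_page(0x1234));
    println!("{}", Current::is_canonical(0x0001_0000_0000_0000));
}
```

Adding the riscv64 target mentioned above would mean one more `#[cfg(target_arch = "riscv64")] mod arch { … }` implementing the same trait, with no change to the neutral code; the `compile_error!` arm guarantees an unsupported target fails at build time rather than silently picking a wrong layout.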


5. Scalability

  • SMP support
  • per-CPU run queues
  • lock-free structures
  • configurable limits:
    • processes: 2^16
    • threads: 2^16
    • ports: 1024 per process

Summary

GuardBSD focuses on:

  • minimal trusted computing base
  • strong capability-based security
  • multi-architecture portability
  • high performance and low overhead
  • predictable behavior and verifiable correctness

See Also