James Morris, Linux kernel security subsystem maintainer at Microsoft, presented the Litebox project, positioned as a security-focused operating system in the form of a library (Library OS). Litebox can be used within programs or kernels as an additional layer of isolation, blocking access to unnecessary kernel functionality or APIs to reduce the attack surface. The project code is written in Rust and released under the MIT license.
The idea of a "Library OS" is that operating system services are built directly into the application instead of being reached through system calls to an external OS kernel. In the context of Litebox, an isolation layer is attached to the application and provides a minimal platform that translates requests to an external, full-featured software interface. Such external interfaces can be the Linux kernel, the OP-TEE (Open Portable Trusted Execution Environment) secure isolated environment, WebAssembly environments, or the standard RustStd library.
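The library-OS idea described above, as an added example that is not Litebox code: file requests are served from state held inside the process, one narrow call is forwarded to the host, and anything the application does not need is refused before it can reach the host. `Platform`, `Request`, `Reply`, `LibOs` and `RecordingHost` are hypothetical names chosen for illustration and do not reflect Litebox's actual API.

```rust
use std::collections::HashMap;

/// Narrow host interface (hypothetical, not Litebox's API): the only call that leaves the process.
pub trait Platform { fn console_write(&mut self, bytes: &[u8]) -> usize; }

/// Requests the application would otherwise make as system calls.
pub enum Request<'a> { Open(&'a str), Write(u32, &'a [u8]), Read(u32), Socket }

#[derive(Debug, PartialEq)]
pub enum Reply { Fd(u32), Count(usize), Data(Vec<u8>), Denied }

/// In-process "OS": file state lives in the library; only fd 1 output reaches the host.
pub struct LibOs<P: Platform> { pub host: P, files: HashMap<String, Vec<u8>>, fds: Vec<String> }

impl<P: Platform> LibOs<P> {
    pub fn new(host: P) -> Self { Self { host, files: HashMap::new(), fds: Vec::new() } }

    // Descriptors 0-2 are reserved, so library-owned files start at fd 3.
    fn file(&mut self, fd: u32) -> Option<&mut Vec<u8>> {
        let path = self.fds.get(fd.checked_sub(3)? as usize)?;
        self.files.get_mut(path)
    }

    pub fn handle(&mut self, req: Request<'_>) -> Reply {
        match req {
            Request::Open(path) => {
                self.files.entry(path.to_string()).or_default();
                self.fds.push(path.to_string());
                Reply::Fd(self.fds.len() as u32 + 2)
            }
            Request::Write(1, buf) => Reply::Count(self.host.console_write(buf)),
            Request::Write(fd, buf) => self.file(fd).map_or(Reply::Denied, |f| { f.extend_from_slice(buf); Reply::Count(buf.len()) }),
            Request::Read(fd) => self.file(fd).map_or(Reply::Denied, |f| Reply::Data(f.to_vec())),
            // Functionality the application does not need is refused in-process.
            Request::Socket => Reply::Denied,
        }
    }
}

/// Constructed host backend that counts how often the boundary is crossed.
#[derive(Default)]
pub struct RecordingHost { pub calls: usize, pub out: Vec<u8> }
impl Platform for RecordingHost {
    fn console_write(&mut self, b: &[u8]) -> usize { self.calls += 1; self.out.extend_from_slice(b); b.len() }
}

fn main() {
    let mut os = LibOs::new(RecordingHost::default());
    println!("{:?}", os.handle(Request::Socket)); // refused in-process, host untouched
}
```

The host-facing surface here is the single method on `Platform`, so auditing what the application can reach outside the process means auditing that one trait.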

The minimal platform formed via Litebox is applicable for launching Linux, Windows, and FreeBSD applications, nested Linux kernels, and LVBS (Linux Virtualization Based Security). Possible applications for Litebox include running unmodified Linux programs on Windows, isolating the execution of Linux applications on systems running the Linux kernel, running programs on top of AMD SEV-SNP for memory encryption, running OP-TEE programs on Linux, and isolation using the LVBS concept.
The LVBS project, whose representatives are participating in the development of Litebox, is developing methods