During the kernel hardening this week, we built a web browser from scratch, in #Rust with no standard library, running inside our own operating system, while we started hardening the full network stack, the net-core of the nonos-mk.
Own #TLS, own #HTML, own #CSS, own layout, own image and #SVG decoders.
The whole OS, microkernel w/ bootloader, runs in #RAM and forgets everything on shutdown.
Rough in places and honest about the gaps and the next milestones. The beta is loading now.
Real sites, the stacks behind them, and the explanations in the dev clip below 👇
@eKnonos Great work @eKnonos 💪 We all believe that @nonossystems brings back our privacy to our hand. Thank you! ethereum:0x0a26c80be4e060e688d7c23addb92cbb5d2c9eca
How NØNOS runs real Rust programs, unchanged.
Most operating systems make you a deal. If you want your program to run on them, you write it their way. Their libraries, their system calls, their conventions. Move to a different operating system and you often start over. This is one of the quiet reasons new operating systems almost never get real software. Nobody wants to rewrite everything.
NØNOS took a different path inspired by Redox.
We built something called the std PAL, short for standard-library platform layer. In plain terms, it lets an ordinary Rust program run on NØNOS without changing a single line of it.
Here is the idea.
Every Rust program leans on one shared library called std. It is the part that knows how to print a line, hold memory, open a file, read the time, get a random number, start a thread and open a network connection. std looks the same everywhere but underneath it, on each operating system, it quietly plugs into that system's own machinery.
Linux has its plumbing.
macOS has its plumbing.
We wrote the plumbing for NØNOS.
So we did not fork the language and we did not fork the library. We added one small adapter for each job and we keyed them to our build target so a normal cargo build picks them up on its own. When your program says print this, std routes it to our print. When it says give me memory, std routes it to our memory. Files, time, random, threads, networking. Each one has a matching door into NØNOS.
The result is the part that matters. You take a real Rust program, the kind people publish on https://t.co/KyI7o34vu2 every day, and you build it for NØNOS the same way you would build it for anything else. No edits. We proved this end to end with an unmodified crate pulled straight from https://t.co/KyI7o34vu2. It compiled, it ran, and it printed its result on a live boot.
Now the part that makes NØNOS more than just another place to run code.
On NØNOS your program does not become part of the system. It runs as a capsule, a sealed unit at the user level, walled off from the kernel. Before it is allowed to start, the kernel checks two things. First, a pair of signatures, one classical and one post-quantum, so a forged program is refused. Second, a zero-knowledge attestation that proves the program belongs to an approved set without revealing who signed it. If either check fails, it does not run and once it runs, a system call is its only way to ask the kernel for anything and it can only ask for what it declared up front. A token or a balance never becomes permission.
That is the whole shape of it. A normal program on one side, a small honest layer of adapters in the middle, and a microkernel that verifies and isolates on the other.
The diagram walks the same path top to bottom.
Where we are, plainly. Printing, memory, program arguments, time, and randomness work on live boots, and a real https://t.co/KyI7o34vu2 crate has run start to finish. Files, networking, and threads compile and their wiring is in place, and getting them fully proven at runtime is the frontier we are on now. We would rather tell you exactly where the line is than move it.
The short version. NØNOS is not asking the world to rewrite its software. It is meeting existing software where it already lives, and then holding it to a stricter standard once it arrives.
We started the next kernel hardening today.
* This one goes straight into the parts of an OS where mistakes matter most: usercopy, IPC ownership, process exit cleanup, syscall return state, saved user resume frames, capsule load authority and exception handling *
The goal is to remove places where unsafe state could keep running.
Today we started the dedicated kernel-hardening branch and moved the benchmark pipeline into real evidence mode.
Latest CI artifact.
- boot evidence: pass
- build verifier: pass
- 45 capsule ZK attestations: ok
- ZK attestation failures: 0
- panic/fatal markers: 0
- kernel core ready: 114 ms
- microkernel init: 50 ms
- userspace entry: 2.85 s
- first capsule spawn: 116 ms
- first GPU transfer/scanout/flush: ~8.4-8.6 s
This is the standard we want: every claim moving toward logs, JSON, CSV, hashes, repeatable CI artifacts and hardening commits.
Kernel hardening today already started closing real boundaries: syscall authority, runtime capsule loading, IRQ grant cleanup, hardware support source evidence and raw memory reads routed through usercopy.
Get at: https://t.co/HVbeBEDtB1
Info covered at: https://t.co/jY2Xa5Swno
Week 1 after the 20-day beta plan was announced live on Spaces.
We said the first week would focus on the boot path and trust chain and that is where the work went.
🔹The bootloader now has a cleaner verified-boot flow, with a minimal graphical interface that shows what the system is actually checking before handoff.
We also moved forward on release signing and key hardening, TPM discovery, measured boot, anti-rollback work and the new setup-free attestation direction.
The point was not to make boot look nicer.
The point was to make the first stage of NØNOS easier to read, harder to attack and more honest about what is being verified.
🔸The kernel moved in parallel too.
Networking is now reaching the desktop path. After the first successful pings from inside the terminal, work has started on the NØNOS Browser.
Still early, but important.
It means the network stack is no longer just code underneath the OS. It is starting to become something users can touch.
Next week we continue with the remaining bootloader verification pieces, deeper kernel hardening, real-hardware validation, browser/networking progress and continued public benchmarks tied to GitHub.
On to next week: we want to release the beta version with best effort.
Screenshots from the week below.
@anonkyc listed our token $NOX on their exchange today, so before telling a single person it is safe, I did what is a *must* if we care about community. I spent the rest of the afternoon taking the whole thing apart from the outside.
Before any of the clever stuff I just used it like a normal customer, because that tells you more than a header scan ever will. The deposit worked. I sent 5,000 of our token across and the balance showed up fine. That was the one part that went smoothly.
Then I tried to actually do things and it fell apart.
1) A market order threw an error. A limit order threw an error too. I could not get a single trade to go through. So it is an illiquid exchange, which doesn't make sense at all, and I recommend nothing more than staying on DEX paths.
2) There was no estimate anywhere for when a deposit credits, you just sit and wait on it.
3) Account security is email, password and 2FA and that is the whole list, no withdrawal address allowlist, no anti-phishing code, nothing else on offer.
4) When I went to pull my money back out the fee was 650 on the 5,000, which is 13% just to withdraw my own funds.
The thing feels half built, like it shipped before it was done.
I traced my own deposit end to end. The deposit address was a plain externally-owned account, no contract code and its transaction count was exactly one. That nonce alone tells you most of the story before you read a single log. This address took funds in and has sent precisely one transaction out in its entire life. I pulled that one transaction receipt and decoded the ERC-20 Transfer event by hand. The from topic, the to topic, the amount packed into the data word. The recipient was my own wallet. The same address I had deposited from. 5000 in, 4350 back to me and a balanceOf on the deposit address showed exactly 650 parked there.
13%, retained, down to the token.
Overall withdrawal worked.
Then the operator side, all passive OSINT.
Domain registered four months ago. Anonymous registrar in the Bahamas, the kind people pick specifically so they can't be found. Origin fully behind Cloudflare. No-KYC by design. DMARC policy set to none, which means their own domain is trivially spoofable and their users are one convincing email away from a phishing page. A Yandex verification record sitting in their DNS, a soft tell about where the operators actually are.
None of this is illegal. All of it is exactly the sketch you'd draw if someone asked you to design a high-risk venue from scratch.
One more thing and it's the part that actually matters. The name, the no-KYC Monero-first model and the way it runs all line up closely with nonkyc, an exchange with heavy public allegations of being operated by the same people behind XeggeX and finexbox. XeggeX collapsed last year, claimed a hack, issued IOUs against balances, froze withdrawals and disappeared with user funds.
I won't prove anonkyc is the same operator; there is no shared code and no shared infra at first look, so I'm not claiming that, but it presents as part of that family, right down to listing our token without asking us. In that family's playbook the early withdrawals are honored on purpose, to build the trust the later deposits ride on. So I'm not reading my one clean withdrawal as proof of anything.
So deposits and withdrawals work today and the chain shows it returned my test funds. That is not reassurance. It's exactly what the first move looks like. A 4-month-old anonymous no-KYC venue that listed $NOX without permission, charges 13% to withdraw, had broken trading (both market and limit, with zero liquidity offered at all) and resembles a lineage with a documented history of taking customer funds.
Treat it as untrusted. If you hold a balance there, get it out. Don't deposit anything you can't afford to lose in full.
We did not authorize this listing and we do not endorse it.
Also we are asking for clarifications.
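The deposit trace above, decoding the ERC-20 Transfer event from a receipt log and reconciling what came back, as an added example that is not part of the original post. Every address, amount and log entry below is constructed for the demo; only the Transfer topic hash is the real ERC-20 event signature.

```python
# Added example (not the author's tooling): decode an ERC-20 Transfer log the way
# the post describes, then reconcile the deposit against what the deposit address
# sent back. All addresses, amounts and log entries are constructed.
from dataclasses import dataclass
from typing import Optional

# keccak256("Transfer(address,address,uint256)"), the standard ERC-20 topic0
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
DECIMALS = 18  # assumption: an 18-decimal token

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: int  # raw token units

def _topic_to_address(topic: str) -> str:
    """Indexed address topics are a 20-byte address left-padded to 32 bytes."""
    word = topic.lower().removeprefix("0x")
    if len(word) != 64 or int(word[:24], 16) != 0:
        raise ValueError("topic is not a padded address")
    return "0x" + word[24:]

def decode_transfer(log: dict) -> Optional[Transfer]:
    """Return the Transfer in one receipt log entry, or None if it is another event."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None
    data = log["data"].removeprefix("0x")
    if len(data) != 64:
        raise ValueError("Transfer data must be exactly one 32-byte word")
    return Transfer(_topic_to_address(topics[1]), _topic_to_address(topics[2]), int(data, 16))

def reconcile(deposited: int, logs: list, deposit_addr: str, my_wallet: str) -> dict:
    """Sum what the deposit address sent back to my wallet and report what it kept."""
    returned = sum(t.amount for t in map(decode_transfer, logs)
                   if t and t.sender == deposit_addr.lower() and t.recipient == my_wallet.lower())
    retained = deposited - returned
    return {"returned": returned, "retained": retained,
            "fee_pct": round(100 * retained / deposited, 2)}

# Constructed sample: the single outgoing tx of the deposit EOA, 4350 tokens back to my wallet.
MY_WALLET = "0x" + "11" * 20
DEPOSIT_EOA = "0x" + "22" * 20
SAMPLE_LOGS = [{
    "topics": [TRANSFER_TOPIC, "0x" + "00" * 12 + "22" * 20, "0x" + "00" * 12 + "11" * 20],
    "data": "0x" + format(4350 * 10**DECIMALS, "064x"),
}]

if __name__ == "__main__":
    print(reconcile(5000 * 10**DECIMALS, SAMPLE_LOGS, DEPOSIT_EOA, MY_WALLET))
```

On the constructed sample this reports 650 tokens retained, the 13% the post measured.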
Anti-rollback is in.
The bootloader now refuses an older, validly signed kernel using a TPM monotonic counter, proven end to end.
The #problem was that our version field lived in an unsigned footer, so it could be edited on an old kernel. That was not real protection.
Now the kernel signature covers #BLAKE3(kernel) followed by a rollback index, so the index is authenticated by the signature itself and cannot be forged. The signer writes it, the attestation step preserves it, the bootloader verifies the same bytes.
#Enforcement is a TPM NV monotonic counter used as the floor. On boot the signed index is compared to the counter and a lower index is rejected. On commit the counter advances toward the index. An attacker cannot lower a hardware monotonic counter and cannot forge the signed index.
The proof: we signed a kernel as index 2 and booted it, the counter advanced to 2. Then we re-signed the same kernel as index 1 and booted it against that TPM. The signature was valid. The bootloader refused it anyway.
Rollback attack detected. Nothing unverified was run.
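A model of the signed-index plus monotonic-counter check described above, as an added example that is not the NØNOS bootloader code. It assumes HMAC-SHA256 as a stand-in for the real kernel signature, BLAKE2b as a stand-in for BLAKE3 and a Python object as a stand-in for the TPM NV counter; the property being shown (a valid signature over an old index is still refused) does not depend on those substitutions.

```python
# Added example (not the NØNOS bootloader code): anti-rollback via a signed index
# and a monotonic counter floor. Stand-ins, by assumption: HMAC-SHA256 for the
# kernel signature, BLAKE2b for BLAKE3, MonotonicCounter for the TPM NV counter.
import hashlib
import hmac

SIGNING_KEY = b"constructed-signing-key"  # constructed; a real signer keeps this offline

def kernel_digest(kernel: bytes) -> bytes:
    return hashlib.blake2b(kernel, digest_size=32).digest()

def sign_kernel(kernel: bytes, rollback_index: int) -> bytes:
    """Signer: the signature covers digest || index, so the index is authenticated too."""
    msg = kernel_digest(kernel) + rollback_index.to_bytes(4, "little")
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()

class MonotonicCounter:
    """Stand-in for the TPM NV counter: it can only ever move up."""
    def __init__(self, value: int = 0):
        self.value = value
    def advance_to(self, target: int) -> None:
        if target > self.value:
            self.value = target

def verify_boot(kernel: bytes, rollback_index: int, signature: bytes,
                counter: MonotonicCounter) -> str:
    """Bootloader: check the signature over digest||index, then the counter floor."""
    expected = sign_kernel(kernel, rollback_index)   # the bytes the signer must have signed
    if not hmac.compare_digest(expected, signature):
        return "refused: bad signature"
    if rollback_index < counter.value:
        return "refused: rollback attack detected"
    counter.advance_to(rollback_index)               # commit: the floor moves up only
    return "booted"

def replay_proof() -> list:
    """The post's experiment: index 2 boots, then the same kernel re-signed as index 1."""
    tpm = MonotonicCounter()
    kernel = b"constructed kernel image"
    results = [verify_boot(kernel, 2, sign_kernel(kernel, 2), tpm)]
    results.append(verify_boot(kernel, 1, sign_kernel(kernel, 1), tpm))  # valid sig, old index
    # the old unsigned-footer weakness: editing the index without re-signing
    results.append(verify_boot(kernel, 3, sign_kernel(kernel, 2), tpm))
    return results + [tpm.value]

if __name__ == "__main__":
    print(replay_proof())
```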
A new milestone: TPM 2.0 measured boot and a hardware NV monotonic counter now run live in the UEFI bootloader, proven end to end against a TPM.
Two bugs were in the way.
1) OVMF holds the TCG2 protocol open in driver mode, so our exclusive open returned ACCESS_DENIED and every command failed; opening with GetProtocol fixed it.
2) HashLogExtendEvent wants a packed EFI_TCG2_EVENT with a leading size and a 14 byte header, but ours was an unpacked 16 byte header with no size, so the firmware rejected it.
https://t.co/SyGCZqVMiv
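The second bug, as an added example that is not the NØNOS bootloader code: it builds the packed EFI_TCG2_EVENT buffer that HashLogExtendEvent expects (UINT32 Size, then a 14-byte header of HeaderSize, HeaderVersion, PCRIndex, EventType, then the event data) beside the unpacked 16-byte shape, and runs a model of the firmware-side size check over both. The event payload is constructed; the EV_IPL event type and header version 1 are the spec values.

```python
# Added example (not the NØNOS bootloader code): the EFI_TCG2_EVENT layout that
# HashLogExtendEvent accepts, beside the unpacked shape the post says was rejected.
# check_event is a model of the firmware's buffer sanity check, not EDK2 code.
import struct

EVENT_HEADER_VERSION = 1   # EFI_TCG2_EVENT_HEADER_VERSION
PACKED_HEADER_SIZE = 14    # UINT32 HeaderSize + UINT16 HeaderVersion + UINT32 PCRIndex + UINT32 EventType
EV_IPL = 0x0000000D        # event type used for bootloader-measured data

def build_tcg2_event(pcr_index: int, event_type: int, event_data: bytes) -> bytes:
    """Packed layout: UINT32 Size, the 14-byte header, then the event data; Size covers all of it."""
    header = struct.pack("<IHII", PACKED_HEADER_SIZE, EVENT_HEADER_VERSION, pcr_index, event_type)
    size = 4 + len(header) + len(event_data)
    return struct.pack("<I", size) + header + event_data

def build_naive_event(pcr_index: int, event_type: int, event_data: bytes) -> bytes:
    """The buggy shape from the post: natural alignment pads the header to 16 bytes
    (two pad bytes after the UINT16) and there is no leading Size field at all."""
    return struct.pack("<IHxxII", 16, EVENT_HEADER_VERSION, pcr_index, event_type) + event_data

def check_event(buf: bytes) -> str:
    """Model of what the firmware checks before it hashes, logs and extends the PCR."""
    if len(buf) < 4 + PACKED_HEADER_SIZE:
        return "rejected: too short"
    size, header_size, version = struct.unpack_from("<IIH", buf, 0)
    if size != len(buf):
        return "rejected: Size does not match buffer length"
    if header_size != PACKED_HEADER_SIZE or version != EVENT_HEADER_VERSION:
        return "rejected: bad header size/version"
    return "accepted"

if __name__ == "__main__":
    payload = b"constructed kernel measurement event"   # constructed event data
    print(check_event(build_tcg2_event(8, EV_IPL, payload)))   # PCR8, as in the post
    print(check_event(build_naive_event(8, EV_IPL, payload)))
```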
After both fixes the bootloader extends PCR8, reports measured boot active and the NV monotonic counter reads 1 then 2 across two increments. Real PCR, real counter, real firmware path.
Anti-rollback on top of that counter is next.