Samir Rashid

Physics of Satellite Internet From First Principles

2025-06-26T00:00:00+00:00

Streaming live video by shooting bits through the atmosphere to a hunk of metal racing across the sky at 27,000km/h sounds impossible. Modern satellite internet does this while offering gigabit speeds and latencies competitive with wired connections. How do the laws of physics allow us to engineer systems that deliver this unbelievable service?

This post explains the fundamental principles enabling high-speed satellite internet possible. We will build an intuition for the constraints without hand-waving the physics.

Disclaimer: I am no expert and have no formal electrical engineering background. This post is backed by my readings of nonauthoritative online public resources. I will not be updating this post, so please leave corrections in the comments section.

Satellite internet crosses multiple different links to provide connectivity. Users connect devices to a satellite terminal, usually a small dish, that talks directly to a satellite. The satellite may relay data across other satellites before reaching a ground station and the internet. This post focuses on satellite-ground link, though these calculations apply all to wireless connections.

The path packets take via satellite internet. See this diagram for a more detailed trace.

There are two orbits we will look at: low Earth orbit (LEO) and geostationary orbit (GEO). In summary, satellites closer to Earth have stronger signal, lower latency, and require smaller antennas. However, further satellites get more coverage, so a handful of GEO satellites can mostly achieve global coverage, while a LEO constellation requires many more satellites.

Your browser does not support the video tag.

Comparison of GEO vs LEO coverages and satellite orbit altitudes. Source: Viasat

The Fundamental Challenge

Imagine shouting across a room–you can only shout so loud and it gets quieter with distance. Satellites have the same issue but from hundreds of kilometers away.

When transmitting a signal, you can think of the energy spreading uniformly in all directions. The power density (watts per square meter) follows the inverse square law:

\[\text{Power Density} = \frac{\text{Total Power}}{4\pi R^2}\]

This represents the primary constraint in satellite communications: doubling distance quarters signal strength.

At 1,000km away, the signal spreads over 12.6 million $\mathrm{km}^2$. At geostationary orbit (GEO) altitude of 36,000km, that same energy covers 16.3 billion $\mathrm{km}^2$. The antenna in your device receives a tiny fraction of that radiated power.

The inverse square law explains low Earth orbit (LEO) advantages: moving satellites closer from 36,000km (GEO) to 550km (LEO) above the Earth’s surface improves received signal strength by over 4,000 times. The satellite needs to “shout” across 35,450 fewer kilometers. Check out this Wikipedia diagram for a true sense of scale and this post if you need a refresher on orbital mechanics.

Link Budget

Measuring connection performance requires accounting for all signal gains and losses with the Friis Transmission Formula¹:

\[P_r = P_t \cdot G_t \cdot G_r \cdot \left(\frac{\lambda}{4\pi R}\right)^2\]

Where:

$P_r$ = Power received at your antenna (watts)
$P_t$ = Power transmitted by satellite (watts)
$G_t$ = Gain of satellite’s transmitting antenna (dimensionless)
$G_r$ = Gain of your receiving antenna (dimensionless)
$\lambda$ = Wavelength of the radio signal (meters)
$R$ = Distance between satellite and your antenna (meters)

Decibels (dB) are logarithmic, so they turn multiplication into addition:

\[P_r\text{(dBW)} = P_t\text{(dBW)} + G_t\text{(dBi)} + G_r\text{(dBi)} - \text{FSPL(dB)}\]

The Free Space Path Loss (FSPL) term captures the inverse square law:

\[\text{FSPL(dB)} = 20\log_{10}\left(\frac{4\pi R}{\lambda}\right) = 20\log_{10}(R) + 20\log_{10}(f) - 147.55\]

Let’s go through each component and its bottlenecks.

Transmit Power (Pt) faces different bottlenecks at each scale. Large GEO satellites can generate 100+ watts per beam but hit thermal limits as it is hard to dissipate waste heat in vacuum. Smaller LEO satellites are constrained by their total power budget from solar panels, limiting power to about 10 watts per beam. Phones trasmit 0.2 watts, limited by battery life and SAR regulations that prevent excessive radio frequency exposure to human tissue.

Antenna Gain (Gt, Gr) measures how well the antenna focuses the signal’s energy. Larger apertures provide higher gain. Satellite phased arrays achieve approximately 35dBi (3,000× amplification) within size and weight constraints. A dish reaches ~38dBi (6,000× amplification) but is bigger and require precise pointing. Phones get ~2dBi (1.6× amplification).

Distance (R): As we know from the inverse square law, this quadratic term becomes the dominant factor in link performance. LEO satellites at 550km altitude experience 173dB of free space path loss, while GEO satellites at 35,786km suffer 209dB loss. This 36dB difference means GEO signals arrive 4,000 times weaker than LEO signals. We will go into the tradeoffs of different orbits near the end of this post.

Shannon Limit

Once you receive a signal, you need to decipher the encoded data. Maximum data rate follows the Shannon–Hartley theorem:

\[C = B \cdot \log_2(1 + S/N)\]

Where:

$C$ = Channel capacity (bits per second)
$B$ = Bandwidth (Hz)
$S/N$ = Signal-to-Noise Ratio (dimensionless)

This equation reveals you either need more bandwidth or better signal-to-noise ratio.

More bandwidth (B) linearly increases the data rate, which explains why access to frequency spectrum can go for billions of dollars. Higher frequencies are more susceptible to the weather. LTE is a relatively low frequency (~2GHz), which allows the signal to go through buildings.

Improving signal (S) quality offers diminishing returns due to the logarithmic relationship, but the effect remains significant.

Noise (N) originates from thermal agitation of electrons and is unavoidable above absolute zero:

\[N = k \cdot T \cdot B\]

Where:

$k$ = Boltzmann constant $(1.38 \times 10^{-23} \ \mathrm{J/K})$
$T$ = System noise temperature (~150K for good receivers)
$B$ = Bandwidth (Hz)

Since noise is fixed by physics, improving the Signal-to-Noise Ratio requires increasing signal power–which brings us back to the link budget.

GEO vs LEO Path Loss Calculation

Now we can quantify why lower orbit satellites are transforming satellite communications.

Given a 20 GHz signal (λ = 0.015m):

GEO Path Loss (35,786km):

\[\begin{align} \text{FSPL} &= 20\log_{10}(35{,}786{,}000) + 20\log_{10}(20 \times 10^9) - 147.55 \\ &= 209.54 \text{ dB} \end{align}\]

LEO Path Loss (550km):

\[\begin{align} \text{FSPL} &= 20\log_{10}(550{,}000) + 20\log_{10}(20 \times 10^9) - 147.55 \\ &= 173.28 \text{ dB} \end{align}\]

Difference: 36.27dB The LEO signal is $10^{(36.27/10)} =$ 4,233 times stronger than the GEO signal.

This 36dB difference drastically changes system design. LEO’s stronger signal enables higher-order modulation schemes. While GEO systems might use 16-QAM (4 bits per symbol), LEO can use 1024-QAM (10 bits per symbol) at the same error rate. Also, a 19-inch flat panel can achieve what previously required a 4-foot parabolic dish.

Worlds Away

The proximity advantage comes with complexity costs. GEO satellites match the Earth’s rotation, so they appear stationary in the sky and require no tracking. LEO satellites complete an orbit every 90 minutes, demanding rapid beam steering, satellite handoffs, and constellation management.

LEO signals round trip in ~4ms while GEO signals require ~240ms, impacting real-time applications over GEO networks.

Dish vs Phone

How much bandwidth can you actually get from a LEO satellite based on your antenna?

Assumptions:

LEO satellite at 550km altitude
20GHz downlink frequency
250MHz channel bandwidth
10W satellite transmit power
35dBi satellite antenna gain
150K system noise temperature

Dish Link Budget:

\[\begin{align} \text{FSPL} &= 153.3 \text{ dB} \\ P_r &= 10 \text{ dBW} + 35 \text{ dBi} + 38 \text{ dBi} - 153.3 \text{ dB} = -70.3 \text{ dBW} \\ N &= 10\log_{10}(1.38 \times 10^{-23} \times 150 \times 250 \times 10^6) = -122.86 \text{ dBW} \\ \text{SNR} &= -70.3 - (-122.86) = 52.56 \text{ dB} \\ C &= 250 \times 10^6 \times \log_2(1 + 22{,}908) = 4.37 \text{ Gbps} \end{align}\]

Smartphone Antenna Link Budget:

\[\begin{align} \text{FSPL} &= 153.3 \text{ dB (same)} \\ P_r &= 10 \text{ dBW} + 35 \text{ dBi} + 2 \text{ dBi} - 153.3 \text{ dB} = -106.3 \text{ dBW} \\ N &= -122.86 \text{ dBW (same)} \\ \text{SNR} &= -106.3 - (-122.86) = 16.56 \text{ dB} \\ C &= 250 \times 10^6 \times \log_2(1 + 57.5) = 1.38 \text{ Gbps} \end{align}\]

A gigabit to my phone from space!? These calculations assume perfect conditions. In reality, you need at least 10-15dB margin to account for atmospheric losses from rain and clouds, pointing errors as satellites move across the sky, receiver implementation losses from non-ideal components, and Doppler effects from the satellite’s 27,000km/h orbital velocity.

The dish has plenty of margin (52.56dB), but the phone is borderline. This is why a cellular service needs to use much narrower bandwidths.

Real Smartphone Antenna:

Keeping the same frequency with a 5MHz channel instead of 250MHz:

\[\begin{align} N &= 10\log_{10}(1.38 \times 10^{-23} \times 150 \times 5 \times 10^6) = -139.85 \text{ dBW} \\ \text{SNR} &= -106.3 - (-139.85) = 33.55 \text{ dB} \\ C &= 5 \times 10^6 \times \log_2(1 + 2{,}884) = 55.73 \text{ Mbps} \end{align}\]

A phone-scale antenna could expect closer to 60Mbps.

Engineering Constraints

Engineers need to navigate the physics to balance trade-offs to make a viable system.

Power Budget

A satellite’s power budget determines beam transmit power.

\[P_{\text{available}} = A_{\text{panel}} \cdot \eta_{\text{solar}} \cdot \cos(\theta_{\text{sun}}) \cdot f_{\text{eclipse}}\]

The solar panels need to generate enough energy to power the onboard electronics and are mainly used to power the beams. LEO satellites orbit many times per day, so they need to use battery power for the third of time that the Earth blocks sunlight. Ultimately, it’s the power that determines the size of the satellite and the number of beams and their strength.

Frequency Licensing

Radio spectrum is a finite resource managed by country governments. Spectrum allocation creates fundamental trade-offs between bandwidth and propagation characteristics. Higher frequencies offer more bandwidth but suffer worse propagation losses and weather effects.

Band	Frequency Range	Applications
L-band	1-2 GHz	Mobile services, GPS
S-band	2-4 GHz	Mobile satellite applications
Ku-band	12-18 GHz	Satellite TV, Satellite internet
Ka-band	26-40 GHz	Broadband services
V-band	40-75 GHz	Future high-capacity links
5G n53	2.4 GHz	Direct-to-device services
5G n256	26 GHz	Shared satellite-terrestrial spectrum

L-band (1-2GHz) offers excellent propagation through atmosphere and modest power requirements, but provides limited bandwidth. Ka-band (26-40GHz) enables high-bandwidth broadband services but suffers significant rain attenuation that can shut down links during storms. V-band (40-75GHz) promises future high-capacity links but faces extreme weather sensitivity.

Orbital Mechanics

LEO satellites orbit Earth every 90 minutes, creating dynamic coverage patterns. Lower altitudes have less path loss but need magnitudes more satellites to maintain coverage.

Orbital inclination determines coverage zones: polar orbits provide global reach including Arctic regions, while equatorial orbits focus capacity on populated areas but leave polar regions uncovered. Plane spacing controls satellite visibility. Too few planes create coverage gaps, while too many increase constellation complexity and inter-satellite interference.

Your browser does not support the video tag.

The scale of the Starlink constellation is truly astounding. Source: starlinkmap

Antenna Pointing

The dish does not move and uses thousands of antennas to focus the energy towards the satellite. Watch this video for a beautiful explanation of the concept.

User terminals must track satellites moving at 7.5km/s. Mechanical tracking systems using motors and gears are expensive, slow to respond, and prone to mechanical failure. Phased arrays enable fast electronic steering without moving parts but require complex beamforming algorithms and hundreds of antenna elements, increasing cost and power consumption. Multi-satellite handoffs demand seamless switching between satellites as they pass overhead, requiring precise timing coordination and careful interference management.

Cost

The cost to deliver one Viasat-3 satellite (6,400kg) to geostationary orbit was $150M aboard an expendable Falcon Heavy. The same rocket type launched to LEO with 56 Starlink satellites (310kg) and can be reused, so the launch costs a reduced $97M. Furthermore, the Viasat-3 satellite costs $420M, whereas each Starlink satellite is below $1M.

Viasat-3 satellites get global coverage with three satellites, while a LEO constellation needs tens of thousands.

Why Now?

LEO constellations are not new–Iridium had a network in 1998. If the physics have not changed in the past quarter century, what has?

Launch Economics

Historically, launch costs have limited access to space. Since the 1990s, the cost to launch payload to LEO has dropped from $20,000/kg to below $2,000/kg. Rapidly reusable Starships promise to reduce costs another order of magnitude. This trend has enabled large LEO constellations to be economically viable.

Satellite Miniaturization

Traditional satellites were custom-built, multi-ton systems designed for >15 year lifespans in a harsh radiation environment. LEO satellites operate within the Van Allen radiation belts where Earth’s magnetic field provides partial radiation shielding. Relaxing radiation tolerance allows satellites to use modern electronics that are decades ahead of radiation-hardened components. This modernization means smaller satellites can deliver more bandwidth and use standard components, enabling satellite mass production.

Phased Array

Originally developed for military radar, phased arrays electronically steer beams and can track and hop between fast-moving LEO satellites. Semiconductor advances have reduced phased array costs such that they are now ubiquitous in new wireless standards.

Configurable Hardware

Software-defined radios can adapt modulation, coding, and protocols through software updates. Digital signal processing no longer requires specialized hardware. Field-programmable gate arrays (FPGAs) and digital signal processors enable efficient implementation of advanced techniques like 1024-QAM modulation and adaptive coding.

Global Impact

Satellites already provide essential internet to ships and planes and can be used in emergencies after disasters wipe out terrestrial infrastructure. However, there remain over two billion people without internet access. Widespread, low cost, and high bandwidth satellite connectivity offers gigabit internet for the first time to many rural communities, remote islands, and places with undeveloped terrestrial infrastructure.

This post does not begin to get into designing a satellite constellation. There is a tradeoff between wanting global satellite coverage, but demand is not evenly distributed. Viasat has a cool visualization of flight paths and satellite data usage.

The application of electromagnetic theory, information theory, and orbital mechanics bring the world’s knowledge to you no matter where you hike, fly, or sail. This post explored a first principles dive into the terabit cosmic beams that are closing the digital divide.

Fun Quiz

What is the least population dense continent?

Estimate the magnitude difference in cost of deploying satellite internet versus fiber optic internet to the above continent. Answer in log base 10 (satellite cost / fiber cost)
For example, if the satellite cost is $1M and fiber cost is $1. $\log_{10}(1,000,000 / 1) = 6$.

Reveal Answer

Binary Room: Implementation of a RISC-V to ARM Translator

2025-04-15T00:00:00+00:00

by Samir Rashid, Anthony Tarbinian, David Tran (equal contribution)

This paper is best read as a pdf in its original typesetting. In this paper, we describe our experience going from idea to implementation of a binary translator.

Read the Report PDF

Abstract

Binary Room is a static binary translator from RISC-V to ARM binaries. It targets userspace applications and supports a subset of the RISC- V instruction set. We can translate applications that perform memory operations, control flow and system calls. This report outlines the details of the implementation along with challenges we ran into.

1. Introduction

Binary Room statically translates binaries from a subset of the riscv64 to aarch64 instruction set architectures (ISA). We support arbitrary 64-bit userspace binaries, which can include function calls and syscalls. We support a subset of RISC-V instructions which perform arithmetic, memory operations, control flow, and system calls. First, Section 3 provides an overground of our design decisions. Next, Section 4 provides an overview of the aspects of our implementation. We outline the high-level flow of binary translation, along with the difficulties in writing each module of the code (Section 5). Lastly, we evaluate Binary Room's input and output binaries (Section 6).

2. Background

RISC-V is the future of open computing. Binary translation is a form of emulation which enables running binaries from other architectures. To smooth the transition to the RISC-V ISA, we present Binary Room, a tool to run unmodified RISC-V binaries on ARM. Binary Room statically translates binaries without the need for any hardware virtualization extensions.

Our translator is inspired by Apple’s x86 to ARM binary translator, Rosetta 2. Similarly, our tool transparently converts userspace binaries from riscv64 to aarch64 instructions. Binary translation has proved to be a flexible and efficient approach for ensuring binary compatibility (A Comparison of Software and Hardware Techniques for X86 Virtualization, 2006).

3. Design

Figure 1. High level overview of RISC-V to ARM translation and testing.

At a high level, Binary Room operates by consuming a list of RISC-V instructions, iteratively translating each instruction from RISC-V to ARM, converting the ARM instructions to an ARM assembly file, and forming an ARM executable.

Binary room operates at the assembly level, so there are a few steps before producing an executable binary. We assemble the assembly code into an object. Then, we take the object code and link it into the final binary file. On Linux, where we performed the bulk of our testing, this was an ELF file (Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification Version 1.2, 1995).

4. Implementation

4.1. Representing Instructions

We exploited the Rust type system to encode information about the RISC-V and ARM instructions (RISC-V Instruction Set Specifications, 2019). Specifically, we extensively used Rust's algebraic data types, enums, throughout our codebase.

Parsing the assembly into the Rust type system provides guarantees of the arguments to instructions at compile time. There are many steps that can go wrong, which makes debugging challenging. Parsing, translation, and runtime errors are examples of issues during development. One difficulty is that to support general binaries, you must implement the entire source and destination instruction set and must also encode all the alignment, calling convention, and syscall constraints. To deal with this complexity, we introduce Panic Driven Development (PDD). PDD ensures that binaries we cannot translate fail at the parsing stage. The code will be unable to encode instructions it cannot translate by the design of the enum. This strategy prevents debugging malformed assembly output.

Each enum variant encodes the exact instruction and the types of its arguments.

pub enum RiscVInstruction {
  /// add register
  /// either add or addw
  /// (addw is 32 bits on 64 bit riscv)
  ///
  /// `x[rd] = sext((x[rs1] + x[rs2])[31:0])`
  #[strum(serialize = "add")]
    Add {
    // dest = arg1 + arg2
    width: RiscVWidth,
    dest: RiscVRegister,
    arg1: RiscVRegister,
    arg2: RiscVRegister,
  },
  // Copy register
  // `mv rd, rs1` expands to `addi rd, rs, 0`
  #[strum(serialize = "mv")]
  Mv {
    dest: RiscVRegister,
    src: RiscVRegister,
  },
  …
}

Listing 1.Encoding of the ADD and MV
RISC-V instructions

For the ADD instruction case, the width field specifies whether the instruction is invoked with double or word register width. The arguments to the instruction are defined in another enum which represents CPU registers.

pub enum RiscVRegister {
  #[default]
  #[strum(serialize = "x0")]
  /// Hard-wired zero
  X0,
  #[strum(serialize = "ra")]
  /// Return address
  RA,
  …
}

Our instruction type supports ARM instructions that are not present in the RISC-V ISA. Notably, conditional branching in ARM requires a CMP instruction to set condition flags based on registers operands. For example, to branch to the label foo if x1 != x2, we must first cmp x1, x2 and then conditionally branch bne foo. RISC-V handles conditional branches by taking additional operands in the branch instruction, e.g. bne x1, x2 foo. During translation, Binary Room may output multiple ARM instructions for a given RISC-V instruction.

One limitation of our enum is that we must manually parse from the disassembled binary into the Rust enum. We prioritized implementing the binary translation and did not finish writing a complete parser. Encoding the enum into assembly is straightforward as we use Rust's formatter to convert the list of instructions into validly formatted assembly.

4.2. Variable Width ARM Registers

One feature we encode in the type system is register width. Both ARM And RISC-V have 32 general-purpose registers. However, ARM registers can be used as either 32-bit or 64-bit registers. ARM registers are indicated by the first letter of the register name in the assembly. An “x” indicates 64 bits of a register and a “w” indicates the least significant 32 bits of a register (Registers in Aarch64 State, 2024). This variation means that translation must account for the register width that RISC-V instructions specify and output an ARM instruction with the correct register widths.

We ensured correctness of the binary translation by unit testing simple cross-compiled RISC-V programs. Our tests automatically run in GitHub actions on every commit, and can be run locally using cargo, the Rust build system.

4.3. Register Mapping

Figure 2. Flow of types through the translator.

During instruction translation, we had to be cautious in how we translate the registers in use. Some registers are not general purpose and have semantic meanings, such as the stack pointer (ARM Register Names, 2024). Other registers are expected to have some meaning after function calls, such as the return register. We needed to be mindful of these invariants and avoid overwriting any important state.

To keep our mapping of registers consistent, we created a look-up table to convert each RISC-V register into its corresponding ARM register.

fn map_register(riscv_reg: RiscVRegister, riscv_width: &RiscVWidth) -> ArmRegister {
  
    ArmRegister {
        width: map_width(riscv_width),
        name: map_register_name(riscv_reg),
    }
    
}

Listing 2. Mapping registers splits logic into map_width and map_register_name

Critically, ARM registers can vary in width and RISC-V cannot. For this reason, we added a width argument to this function and decompose the conversion of width and register name into separate functions, map_width and map_register_name. We define widths to be the size of a register and define register names to be the width-agnostic name of the register in assembly (i.e. sp or general purpose register 1).

4.4. Calling Convention

The calling convention of an ISA ensures compatibility with binaries from other compilers (Volume I: RISC-V User-Level ISA V2.1draft, Chapter 18, Calling Convention, 2014). If a program does not interact with foreign functions, then it is not required to abide by the calling convention. This flexibility makes the register translation easier due to less constraints on how Binary Room handles register mappings. To ensure that local register values are preserved between function calls, Binary Room efficiently saves registers onto the stack before a call instruction and restores them from the stack when returning from a function call.

The calling convention constraint still applies to syscalls and dynamic libraries.

4.4.1. Syscalls

We chose to directly translate syscall instructions. Alternatively, we could have taken advantage of the syscall wrappers built into libc (Syscalls(2) - Linux Manual Page, n.d.). However, we chose not to deal with complexities of dynamic libraries, instead directly modifying the instructions which set up syscall arguments and invoke the syscall.

Originally, we thought syscall translation would be equivalent to normal instruction translation. However, there were some nuances that made this more challenging. One such nuance was that syscall numbers change across architectures.

# write(stdout, buf, len)

# syscall number
li a7,64

# arg 2: len
li a2,13

# arg 1: buf
lui a0,%hi(buf)
addi a1,a0,%lo(buf)

# arg 0: stdout fd number
li a0,1

# trigger syscall
ecall

Listing 3. Example program which makes syscall in riscv64 assembly. This sample uses the write Linux syscall to write a buffer to standard out.

When you want to perform a syscall, you need to indicate which syscall you want to execute by loading the syscall number into a register. In Listing 3, the syscall number, 64, is loaded into register a7. However, this syscall number is defined by the operating system. Linux's syscall numbers vary across architectures and ISA variants (i.e. 32-bit and 64-bit) (Arm.syscall.sh, 2024).

Our initial approach inserted instructions to use a lookup table to convert the syscall numbers. At runtime, this code would look at the requested syscall and rewrite the correct value for aarch64 (Linux Kernel System Calls for All Architectures, 2025). Luckily, Linux shares identical syscall numbers between ARM 64-bit and RISC-V 64-bit. It was sufficient for our architecture pair to directly translate the same syscall numbers without modification.

4.4.2. Branching

Binary Room supports relative branching to labels. We extract labels from the disassembled input binary and map them verbatim to the output ARM binary. This insertion guarantees that the label ends up at the same point in the execution of the translated binary. The assembler handles the complexity of turning labels into addresses. Binary Room does not support absolute branches to arbitrary addresses.

5. Challenges

5.1. ISA Quirks

Instruction sets handle the same primitives differently. For example, RISC-V uses a zero register to produce zero arguments to instructions. In ARM, you must use a normal register or dummy instruction such as xoring a register with itself to get a zero (RISC-V Instruction Set Specifications, 2019).

The instruction behaviors also differ between the ISAs. We needed to handle the cases where arguments can change which instruction we need to translate to. For instance, RISC-V's add immediate (addi) opcode can take positive or negative constants, whereas ARM's immediate argument to add can only be positive. Translating this requires handling the different cases of argument values. Sometimes, these translations cannot be determined statically, as seen with syscall numbers.

Figure 3. RISC-V Reference for addi instruction

Figure 3 shows the information provided by the ISA reference. Instructions have high level implementations which authoritatively define their behavior (RISC-V Reference Card, n.d.). This pseudocode enables us to ensure instruction maps have the same behavior.

5.1.1. Pseudo-instructions

Binary disassemblies contain the list of instructions of the program. However, there are also RISC-V pseudo-instructions that can get generated (RISC-V Assembler: Arithmetic, 2024). These are higher level operations that correspond to multiple individual operations. These abstractions are not documented in the architecture manual, so we had to use unofficial online posts to decipher the meaning of these pseudo-instructions.

5.2. ISA Documentation

The largest obstacle we encountered during this project was tracking down relevant documentation and discovering what we needed to know. The general ISAs for RISC-V and ARM are open, but exact implementations of the specifications can differ greatly. For example, when looking for documentation, we would often find incorrect or misleading information. Initially we faced confusion with conflicting information online. This mismatch is because the 32-bit and 64-bit versions of the ISAs change the behavior of registers and syscalls. Instructions work differently on different ISA versions, for instance the many versions and parts of ARM (armv7, aarch64, etc.).

Another difficulty was fully understanding how each ISA works. We needed to understand the semantics of each ISA in order to create a mapping. We found unofficial documentation, such as Figure 3, to be more complete and intelligible than official documentation. Mapping instructions and registers required carefully diffing the register specifications and calling conventions for each ISA. The issues with syscalls led us to decide not to support 32-bit binaries.

As we produced the output binaries, we ended up having to debug invalid assembly. Assembly is itself high level, so we had to deal with linking errors with illegal arguments, unexplainable segfaults, and dealing with OS specific assembly problems such as alignment constraints and extern symbols.

Testing our implementation proved difficult as you need to get everything working in order to test. Each part of the pipeline is dependent on previous parts. Unit testing did not help find bugs as much as running test translations on real programs. Every program you compile with gcc requires dynamic libraries, as there is an implicit libc call to exit the program. We were unable to get static nolibc binaries to work as it has dependencies on the libc provided by the host OS, which needs to be built for RISC-V or ARM.

Another complication is that even simple binaries do not follow the conventions you would expect. For a "hello world" program, we implemented conversion of the text section. Even at minimum optimizations, gcc puts the literal string behind a call to the IO_stdin_used symbol. We decided to not handle all the complications with process and library loading, so a "hello world" program only works with a direct offset to the constant.

5.3. Development environment

Developing Binary Room requires running a Linux machine with QEMU and cross-compile toolchains for riscv64 and aarch64. Binary Room is built with Rust's cargo toolchain and tests run with cargo and some platform-specific build scripting.

To handle the complexity of the build environment, we use the Nix package manager. Nix shells allow us to create a fully reproducible build environment and easily manage parallel compiler toolchains for each architecture we need. (Cross Compiling - Nixos Wiki, 2025)

5.4. Debugging

Debugging the output assembly proved difficult. There are no layers of abstraction below the binary, so there is no debug information when a program goes wrong. Additionally, the issues are typically related to hardware or illegal instructions, so debuggers such as gdb cannot provide any help. We ran into such issues when supporting macOS on our output binaries. macOS has different alignment and linking policies than Linux hosts. Debugging crashes can be difficult as there is not much documentation online explaining these failures. When Binary Room introduced unexpected segmentation faults, we debugged the ARM binary using gdb on an AWS EC2 instance with an ARM-based Graviton CPU.

6. Evaluation

Binary Room provides several programs which it is able to translate. We run translation against all of them by using cargo test. We currently support programs that compute Fibonacci, run arithmetic in a loop, print hello world, and echo stdin. You can view them on GitHub.

6.1. Benchmarking

Figure 4. Tests against a “Hello World” program which makes 1,000 write syscalls. We graph the mean execution time and standard deviation.

Figure 5. Evaluates against a program makes 10,000 function calls to a simple arithmetic function.

We evaluate Binary Room in comparison with QEMU. We run the original RISC-V and translated ARM assembly via QEMU on a x86 machine. We use 100 warmup trials and then repeatedly run the test program 1,000 times to get the average and standard deviation of runtime.

We find that the RISC-V binaries run about twice as fast, as compared to our translation. We predict most of the runtime is due to overhead from loading the process and QEMU. We do not have access to a riscv64 machine, so we are unable to do a fair comparison of bare-metal results. We find both ARM translated binaries run 88-103% slower in QEMU. We are unsure of the cause of this slowdown as the instruction mappings are near one-to-one, so each program should run a similar number of instructions.

7. Discussion

Binary Room introduces a static binary translator from riscv64 to aarch64. Unlike other emulation options, Binary Room produces a fully compatible binary with no dependencies. QEMU and Rosetta2 require just-in-time runtime support to support their translations. Statically translated binaries are more portable, though we forego optimizations that could happen based on runtime values. Furthermore, Binary Room is written in Rust and natively supports both macOS and Linux targets.

8. Conclusion

Binary Room is open source and freely licensed. You may access the source code on GitHub:

https://github.com/samir-rashid/binary-room

References

A Comparison of Software and Hardware Techniques for x86 Virtualization, 2006. https://web.stanford.edu/class/cs240/readings/hwsw.pdf

ARM Register names, 2024. https://developer.arm.com/documentation/dui0056/d/using-the-procedure-call-standard/register-roles-and-names/register-names

arm.syscall.sh, 2024. https://arm.syscall.sh/

Cross Compiling - NixOS Wiki, 2025. https://nixos.wiki/wiki/Cross_Compiling

Linux kernel system calls for all architectures, 2025. https://gpages.juszkiewicz.com.pl/syscalls-table/syscalls.html

Registers in AArch64 state, 2024. https://developer.arm.com/documentation/100076/0100/Instruction-Set-Overview/Overview-of-AArch64-state/Registers-in-AArch64-state

RISC-V Assembler: Arithmetic, 2024. https://projectf.io/posts/riscv-arithmetic/#pseudoinstructions

RISC-V Instruction Set Specifications, 2019. https://msyksphinz-self.github.io/riscv-isadoc/html/index.html

RISC-V Reference Card, https://www.cs.sfu.ca/~ashriram/Courses/CS295/assets/notebooks/RISCV/RISCV_CARD.pdf

syscalls(2) - Linux manual page, https://www.man7.org/linux/man-pages/man2/syscalls.2.html

Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification Version 1.2, 1995. https://refspecs.linuxfoundation.org/elf/elf.pdf

Volume I: RISC-V User-Level ISA V2.1draft, Chapter 18, Calling Convention, 2014. https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf

Linux Spelunking: How are processes loaded?

2025-04-13T00:00:00+00:00

Linux Spelunking: How are processes loaded? How would I figure it out?

Today we journey into Linux to discover how programs are loaded. Building new systems requires understanding how the current system actually works—not how the documentation claims it works. I wrote this post for people who want to learn more about kernel internals but have been hesitating to dive in for themselves; it’s the post I wish I had when starting out. This article aims to convince you that kernel development is not intimidating. We will explore how to deal with ambiguity when researching something new. You will come out with an understanding of the exact actions Linux takes to load a realistic program. Moreover, you will learn the tools to deconstruct any large program.

Goal: How does Linux load a program?

The first thing you may note is that this question is a bit odd. There are several interpretations for what it means to “load a program”. This is a good point. However, a priori, I cannot know what the correct question to ask is. Our expedition begins assuming basic C knowledge and becomes more complex. We will learn about the Linux kernel and its internal mechanisms from scratch.

Roadmap

Trace Simple Program
- Try decoding thousands of system calls with strace and discover printf is not in the program
Binary Archaeology
- Crack compiled programs with objdump and readelf
- Find a PLT and GOT that are calling nonexistent functions
Shared Libraries
- Explore the loading of libc and the dynamic linker ld-linux.so
Kernel Mechanisms
- Follow how mmap, page faults, and copy-on-write support efficient library sharing
Piecing the Puzzle
- Connect the path from execve to main with general purpose kernel mechanisms
- Entirely understand how Linux brings bytes on disk to life as processes :zombie:

We must step in any direction to start. The results of each experiment will allow us to iterate, refine our questions, and learn new concepts.

On first blush, the question seems obvious. Running a program simply means going to the first instruction and running in order until the end. Let’s test this theory.

Load a program

Let’s try running a simple program and inspect what it is doing. nautilus is the file explorer application that ships with GNOME. We want to know what Linux is doing when nautilus starts. Luckily, there is a tool called strace which records every call into Linux. Before we look at the output, let’s stop to recursively explain what is going on.

:information_desk_person:: Why Nautilus?

No reason. I wanted a simple program that doesn’t do much.

:raising_hand:: How do you know to look at calls into the kernel?

Think about how the way programs run. Starting any process requires notifying the kernel of the program you are starting. These interactions are called syscalls. User programs use these functions to ask the operating system to do something privileged. For example, a process cannot open a file without asking for permission first. You can think of system calls as normal function calls for the purposes of this exercise.

$ strace nautilus
execve("/run/current-system/sw/bin/nautilus", ["nautilus"], 0x7ffe54d428a0 /* 75 vars */) = 0
brk(NULL)                               = 0x30e3a000
--------- 23,744 lines snipped ---------

What was that output??? My terminal gets flooded with nautilus’ tens of thousands of syscalls. I have made a grave mistake. That’s okay, it’s too early to get demoralized. Evidently, my mental model that a program which does not appear to be doing anything is doing nothing is wrong. How can we adjust course to make better progress?

Debugging Process:

load “simple” program ⟶ ❌

Load “Hello World”

Instead, we can write a minimal hello_world.c program to test with¹. What happens when the kernel loads this program and prints some text?

#include 

int main(void) {
        printf("hello world!\n");
        return 0;
}

$ gcc hello_world.c
$ ./a.out
hello world!

Aha, we have solved the puzzle! The kernel starts running the instructions of main() and printf is just a function call. Spoiler alert: this is wrong. We still haven’t explained what this printf reference is.

:angry:: You said I wouldn’t need any prerequisite knowledge to understand this. I don’t understand these keywords. What is this weird void thing?

If you haven’t seen this before, you can ignore it for now. It means that the function has no input.

:confounded:: What is that \n after hello world?

Wonderful question, though you may not realize it :smile:. Simply, the \n asks printf to print a newline. Check out my fork post and the resources on printf at the end of this post to get closer to what \n actually does.

In fact, if we remove all unfamiliar syntax, the program behaves the same as before.

main() {
        printf("hello world!\n");
}

$ gcc hello_world_skeptic.c
$ ./a.out
hello world!

This time our compiler, gcc, complains with a bunch of warnings:

hello_world.c:1:2: warning: return type defaults to ‘int’ [-Wimplicit-int]
    1 |  main() {
      |  ^~~~
hello_world.c: In function ‘main’:
hello_world.c:2:9: warning: implicit declaration of function ‘printf’ [-Wimplicit-function-declaration]
    2 |         printf("hello world!\n");
      |         ^~~~~~
hello_world.c:1:1: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
  +++ |+#include <stdio.h>
    1 |  main() {
hello_world.c:2:9: warning: incompatible implicit declaration of built-in function ‘printf’ [-Wbuiltin-declaration-mismatch]
    2 |         printf("hello world!\n");
      |         ^~~~~~
hello_world.c:2:9: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’

Weird. The program runs the same, so why are we getting all these warnings? One line jumps out to me. gcc warns us four times about something to do with the “declaration of ‘printf’”. Before we get ahead of ourselves, allow me to fix these compiler warnings. Fixing these warnings will prevent any weird unrelated issues that interfere with our later debugging results.

Following the error message include ‘’ or provide a declaration of ‘printf’ tells us precisely how to fix the error. C becomes aware of functions it can link with by using header files. Including stdio.h tells gcc about the definition of printf.

> #include 
 
> int main() {
        printf("hello world!\n");
>       return 0;
  }

It’s a function call

I claim that printf is not a function call. Let’s either verify or disprove this conclusion. We can run strace on hello_world and save the output to a file “hello_world.strace”.

$ gcc hello_world.c
$ strace -o hello_world.strace ./a.out

strace on this binary returns an overwhelming 45 lines of output, which confirms much more is happening.

Abridged output:

$ strace ./a.out
execve("./a.out", ["./a.out"], 0x7ffc3c8056d0 /* 158 vars */) = 0
brk(NULL)                               = 0x33d6f000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5e57473000
---------- snipped for clarity ----------
write(1, "hello world!\n", 13)          = 13
exit_group(13)                          = ?
+++ exited with 13 +++

Full output (expand)

Tabula Rasa: Starting Safe Stays Safe

2025-02-18T00:00:00+00:00

I’m ecstatic to share that we won best paper at The 3rd Workshop on Security and Privacy in Connected Embedded Systems (SPICES 2024). My collaborators and I studied the security of embedded operating systems and their usage in the wild.

You can read the full paper here, or read on for some relevant excerpts.

Embedded and connected devices have become a ubiquitous and integral part of our world. From medical devices and smart home products to industrial controllers, these devices perform an increasing set of complex, critical tasks. To abstract these complexities, embedded operating systems (OSes) evolved to provide rich development environments and high-level abstractions, such as platform-independent hardware models and separable tasks. Despite the availability of these abstractions and isolation mechanisms for tasks, we find that in practice many embedded applications lack strong isolation and do not enable security reinforcements. This paper explores projects using embedded OSes to quantify how configurable security features are used and how they factor into the given project’s design.

Historically, embedded devices did not offer connectivity. For instance, industrial controllers or automotive Electronic Control Units (ECUs) required a technician physically access and “plug-into” the device. As embedded devices have evolved into the Internet of Things (IoT), many now offer internet connectivity to gather data, offer remote control, and provide firmware updates. Developers now expect embedded OSes to provide library features such as over-the-air updates and network stacks. Internet connectivity and the global scale of many billions of deployed devices implies that embedded devices now face an attack surface more akin to that of a traditional operating system. As such, the security embedded OSes provide is paramount.

With this connectivity, embedded devices now face a more complex attack surface, underscoring the importance of device security. Embedded operating systems are able to span diverse application and hardware domains because they are highly configurable. This flexibility, however, implies that downstream embedded applications may be flexible in how they use security features. This paper investigates how downstream applications use configurable security features in practice. We find that a majority of applications do not alter the default configuration provided by their chosen runtime, and as a result, do not utilize available security options. Early evidence suggests that this under-utilization is due to both runtime and development overhead.

Result 1: Zephyr & FreeRTOS MPU Feature Usage.

Zephyr and FreeRTOS offer similar MPU-based security configurations, and both disable process isolation and stack overflow protection by default. Of surveyed Zephyr and FreeRTOS applications, 17% of Zephyr and 8% of FreeRTOS projects enable both process isolation and hardware stack guards. We subsequently observe that 89% of surveyed FreeRTOS/Zephyr projects do not enable the full suite of opt-in, configurable MPU security features. We do not include RIOT in this result as RIOT does not support MPU process isolation.

Result 2: SW/HW Stackguard Usage.

Surveyed FreeRTOS repositories exhibit a more than sixfold increase of software-based stackguards usage in comparison to hardware-based stack guard usage.

Result 3: Opt-out Configuration Usage.

For RIOT platforms possessing an MPU, RIOT enables mpu_stack_guard by default. We find that no surveyed project disables this feature.

Result 4: Runtime Overhead.

Our preliminary benchmarking of Zephyr in Result 4 finds that hardware security features impose a mere 224 cycle overhead per context switch. This result agrees with the documentation excerpts and shows an overhead that is in fact noticeable, but likely only problematic for high performance applications. We argue that the vast majority of IoT embedded applications do not require “every last drop of performance,” but instead that the primary overhead impeding the usage of configurable security features is not performance but developer overhead.

This paper shows the disparity between the configurable security features the studied embedded OSes offer and the features that are actually used in the wild. Our preliminary results and analysis suggest the primary overhead limiting the use of these features is developer overhead. Nonetheless, further investigation is required to gain a more complete understanding of why these features are left disabled by developers. So long as downstream applications see limited use in enabling such optional features, the potential security benefits embedded OSes can provide is left unrealized. This is particularly problematic given the increased attack surface of modern IoT devices.

Read the full paper

Pronoun usage in the Linux Kernel

2025-02-17T00:00:00+00:00

I analyzed the distribution of pronouns in the 6.13 Linux kernel source. Unsurprisingly, I find that male pronouns are common, but this makes female pronouns all the more unusual.

Results

Counts by pronoun

Term	Count
he/him/his	2516
she/her/hers	33
man	many references to `man`
men	3
wom{a,e}n	4
person	many license usages
people	779

The count for “person” is tainted by all of its usages in license verbiage. Similarly, “man” is polluted with all the references to “man pages”.

I pruned non-pronoun usages. I did not include uses of “they” or “them” because I cannot grep to distinguish between uses of the gender-neutral pronoun “they” or as the plural for neuter terms (such as referring to function calls or variable values).

Pronoun usage over time

Analysis

The kernel overwhelmingly uses male pronouns. This result is expected due to the >90% male contributor population. Bitergia looked at the contributions of men and women to the Linux kernel in 2016. Their study found that women produced 6.8% of git activity as 9.9% of the developer population. This analysis was based on identifying gender from names.

I expected there to only be uses of male or gender-neutral phrases. This hypothesis led me to inspect every usage of female pronouns.

Excluding some gender-neutral uses of “he/she”, “his/her”, and “[s]he”, the results for grepping “her” are peculiar.

“her” usage

noun which the pronoun refers to	notes
female student	A didactic quote with a female student [commit]
user of the computer	unsure of authors as commits are from before the kernel switched to git [commit 1] and [commit 2]
a disk transaction	[commit]
busy waiter on a lock	[commit]

“she” usage

noun which the pronoun refers to	notes
scientist user	[commit]
code author	[commit]
user	[commit]
parody song quote	David Bowie quote [commit]
the GPU?	This commit, by the esteemed Alyssa Rosenzweig, was the only commit using female pronouns which I could attribute to a woman. [commit]

“woman”/”women”

The only reference to a “woman” in the kernel is in a eulogy

I would ask that anyone benefiting from this work, especially those
using it in commercial products, consider making a donation to my local
non-profit hospice organization in the name of the woman I loved, who
passed away Feb. 12, 2003.

And the only usage of “women” is in contribution guidelines documentation.

Swearing in Linux

This paper shows there is a correlation between swear word usage and code quality. In unrelated news, there is a large, negative trend line for the amount of swearing in Linux over the past ten years.

Age

The kernel continues to evolve as new developers come in. The amount of contributors joining and staying on the Linux project keeps dropping.

For example, efforts to push Rust into Linux have been causing controversy. Eventually, Linus himself will have to step down. Being a maintainer is stressful, and even maintainers are human.

Further, contributions are done less than ever by open source hackers. Linux contributions are becoming more commercial, which means that contributors’ incentives may not align with that of the Linux project as a whole. Over 90% of contributors are being paid by their employer to submit patches. Nobody wants to pay to build the infrastructure to make Linux development better (ex: Coccinelle) or to write high quality documentation. These create barriers to the natural growth of the project among younger developers and other demographics.

Bug snack: `fork`s upon `fork`s

2024-10-11T00:00:00+00:00

I wouldn’t eat a cockroach. But this bug snack is quite delectable. This “bug” is a fun little puzzle to solve. I think this is an interesting question to discriminate OS programming experience across a wide range of skill levels.

Part 1

By inspecting the code, how many processes are created and how many times is `ls` run?

#include 
#include 

int main (int argc, char *arg[])
{
    fork ();

    if (fork ()) {
      fork ();
    } else {
        char *argv[2] = {"/bin/ls", NULL};
        execv (argv[0], argv);
        fork ();
    }
}

Reveal Answer

100 Best Movies

2024-10-06T00:00:00+00:00

100 movies I recommend. I make no attempt to rank or find the “best”; these are simply what I subjectively found memorable.

Movie Name	Year	Description
American Fiction	2023
Avatar: The Way of Water	2022
The Babadook	2014
The Big Lebowski	1998	incredibly funny
Bo Burnham: Inside :star:	2021
Bottoms	2023
The Dark Knight	2008
Demon Slayer: Mugen Train	2020	epic animated fighting
Don’t Worry Darling	2022
Eternal Sunshine of the Spotless Mind	2004
Everything Everywhere All at Once	2022
Fresh	2022
A Funny Thing Happened on the Way to the Forum	1966	timeless Plautine comedy
Heat :star:	1995
Heathers	1989
Hera Pheri	2000
The Holdovers	2023
Ikiru :star:	1952	a timeless take on life and bureaucracy
John Wick	2014	I love the world and the whole series
Life is Beautiful	1997
Monkey Man	2024
Nightcrawler	2014
Nobody	2021
The Northman	2022
Office Space	1999
Paprika	2007	what dreams are made of
Parasite	2019
Perfect Days	2023
Pinocchio (Guillermo del Toro)	2022
Rab Ne Bana Di Jodi	2008
The Silence of the Lambs	1991
Spider-Man: Into the Spider-Verse	2018	mindblowing animation and music
The Thing	1982	horror, but the characters behave intelligently
To Catch a Killer	2023
WALL·E	2008
The Whale :star:	2022	MUST WATCH
What’s Eating Gilbert Grape	1993
The Wild Robot	2024
The Woman King	2022
A Woman Under the Influence	1974
Yes Man	2008
To be continued…

Compile time techniques for safer firmware

2024-09-03T00:00:00+00:00

Provable Security in Embedded Systems: Verification Work in Tock OS

Tock OS secures millions of devices and uses language, architectural, and formal techniques to statically enforce system guarantees. This talk will go over how the Tock operating system eliminates many bugs that plague other OSes at compile time. I will demonstrate how we are mitigating logic bugs in Tock OS by using lightweight formal verification (Flux).

UPDATE: The results of our work were published at SOSP 2025.

Watch now

Watch on YouTube Watch on Vimeo

Slides

View slides in fullscreen

Find the pdf of the slides and the source code for the slides and demo in this repo.

Connect with us!

Tock: safe embedded operating system

Tock is open source!
tockos.org
Join Tock Slack, Matrix, and verification mailing list

Flux: scalable Rust verification

Proving should be as easy as programming

I want to credit the amazing support and work on this project done by Pat Pannuto, Nico Lehmann, Evan Johnson, and Ranjit Jhala.

I must to give an enormous thanks to OSFC for sponsoring me to present. If you found this presentation interesting, you should consider going to the next OSFC!

10 reasons I chose to join Triton UAS

2024-05-04T00:00:00+00:00

This post is a reprint of the original post I wrote on the Triton UAS blog. This post has been edited to add `COMMENTARY` blocks with my own commentary.

Triton UAS is a club at UC San Diego which makes Unmanned Aerial Systems, aka autonomous planes.

LA JOLLA, CA - UC San Diego’s massive campus offers hundreds of clubs to join and thousands of classes to take. When I came to UCSD, I spent a lot of time shopping around for what I wanted to do with my free time here. I read through the list of all clubs multiple times to find a place to belong. I want to share why Triton UAS members chose to join, and why sticking with Triton UAS for four years turned out to be the best decision I could ever make.

Commentary

Clearly I had nothing to do during lockdown before and during college because I made a huge 43 page document where I wrote everything I need to know about UCSD. I went through the entire UCSD club list and course catalog. I made a list of 18 clubs I wanted to check out. Reading through it 4 years later, almost all of it except for course planning turned out to be completely irrelevant. I guess I had no one to talk to, so I went on the internet to know what the school I go to is like.

1. The project is exciting

Triton UAS participates in the Student Unmanned Aerial Systems competition. Each year, we design and manufacture a plane from scratch to compete. Then our plane autonomously flies an obstacle course, searches for lost targets on the ground, and safely delivers aid to their locations.

The project is so cool! We build a real, double-than-human sized plane that carries out a mission autonomously. It is inspiring to take part in the process of going from nothing to plane. At the end of the year, I can squint up into the sky and see my work flying.

Flying to the moon

BRANDON VINH

I first heard about TritonUAS while searching through a large list of student project teams that I was interested in. Immediately reading through their website, I was hooked and scheduled a meeting with the project manager. What he told me solidified my interest. They make their own autonomous aircraft, which at that time I had never done before, and they teach everything we need to know to make it? Of course I'm going to join. First stepping into the lab later in the year, my mind was absolutely blown. The project manager explained to me that the TritonUAS team has existed for almost 20 years and has competed in the annual SUAS international competition for almost every year of its existence. The ever-changing competition task guidelines inspire innovation and creativity, as each year they design and manufacture a new aircraft from scratch, and all parts are made by the students. Because experience is not required, they will teach you everything you need to know. Through this, I learned manufacturing processes like wet-composite layups to build the wings and the fuselage with carbon fiber and fiber glass. CNC laser cutting and hot wire cutting to create all of the ribs, bulkheads, wing molds and more. Design software like Solidworks, Onshape, and Matlab were also taught. Tolerancing 3D printed parts to make molds for forged carbon fiber, optimization to understand the best sizing recommendations for the aircraft, and computational fluid dynamic simulations are all things I have learned and are all done by the students! Best of all, after your first quarter, you are immediately added to the competition aricraft design team and are able to create your own parts for the aircraft. It was rewarding and amazing.

Commentary

I first came across TUAS during Zoom University. There was an online event where you could meet all engineering clubs. I was popping into the rooms, listening to the pitches, and asking questions. I came across Garrett, who was the software lead. He was presenting slides about TUAS and told me about what he worked on. In a way that is impossible to describe, I was hooked. He is an amazing nice person and geniunely curious. As a freshman, I knew nothing compared to the leads. If I ever asked any question about what Docker is, or any of the multitude of things they had set up, the leads were ready to answer questions and cared about helping us. I didn't know about CI, Pythonic stuff, or anything other than basic coding logic. It was so funny becoming friends with people I only knew over Zoom.

2. Making something cool

I love that we build a real system. It is no comparison that an autonomous flying plane is cooler than any class project. Some of the things we do have never been done, by students or professionals. Autonomous vehicles are still a largely unsolved problem — you cannot search for existing solutions to the problems we face. Building planes is tough, and moreso given our time and monetary constraints.

However, we rise to the challenge. Triton UAS is a team effort. It is amazing to create something that I could never do on my own.

SAMIR RASHID

My only previous experience was with highschool FIRST Robotics Competition. I remember finding working on robots extremely difficult, but we had plenty of mentor help and you could always find reference implementations online. In comparison, Triton UAS is engineering its way through problems that do not have well defined solutions. We have to figure things out ourselves instead of treading paths where others have discovered the dangers for us. I feel satisfaction by watching us step towards conquering these extremely hard problems.

3. Mentorship

Triton UAS taught me that you can learn anything. Each team lead is an expert at what they do. The leads will teach you everything you need to know. We have an onboarding plane project which allows new members to hit the ground running. Rookie members learn our manufacturing processes and the onboarding projects help all the teams work together towards a unified goal. Experienced members use this time to work on the design of the competition plane. New recruits get to deploy something they built within their first quarter.

Even outside of TUAS, making friends with upperclasspeople can help you navigate school and choosing your future.

ANTHONY TARBINIAN

I think the best reason to join TritonUAS is to get the opportunity to learn by doing. I think there's no better way to pick up new skills then to set out to work on a project. TritonUAS provides members with opportunities to get involved on a long term project where they can be free to make mistakes and learn new skills.

4. Collaboration

There are several subteams which are critical to our mission: airframe, business, embedded, and software. We actively encourage collaboration between teams and make sure that we are foremost learning and having fun. Our airdrop task requires us to design a mechanism to deliver a package to the target. For the dropping mechanism, airframe designed a door in the bottom of the plane and iterated on the internal machinery. Members collaborated with embedded to make the electronics for the guided payload and enlisted software to handle the logic for dropping and making sure that the communications fail safely.

TUAS is in the sweet spot of size. You can get to know everyone in the club. Also, you are not a cog working on a random minor aspect of the plane. Another great part of the community is that you get to interact with the local domain experts. Within TUAS, I have met students who have spent hundreds of hours working with carbon composites, the state of the art of machine learning research, and experts in PCB manufacturing.

Check out why members of our different subteams think:

Airframe: 🛫

The case for Nix on the home server

2024-03-15T00:00:00+00:00

I spoke at NixCon North America this year. The event was co-located with SCaLE 21x (March 14-17, 2024 in Pasadena, California). This is a talk for beginners to Nix. You will learn the highlights of what Nix offers and see how Nix helps to set up a home server.

Why is Nix a good choice for a home server? Learn how Nix enables maintenance free, secure, and reproducible home servers. The talk will cover why Nix is a powerful choice compared to other technologies like Docker or Ansible. It will also showcase how Nix makes it easy to get up and running with server applications such as Nginx, Wireguard, Jellyfin, Samba, and more.

Watch on YouTube

If you want to set up your own home server, check out our repo with a config to follow along after the talk.

View the slides

View slides in fullscreen

You can download the rendered pdf file here or check out the Markdown source code here.

Samir Rashid

Physics of Satellite Internet From First Principles

The Fundamental Challenge

Link Budget

Shannon Limit

GEO vs LEO Path Loss Calculation

Dish vs Phone

Engineering Constraints

Power Budget

Frequency Licensing

Orbital Mechanics

Antenna Pointing

Cost

Why Now?

Launch Economics

Satellite Miniaturization

Phased Array

Configurable Hardware

Global Impact

Further Reading

Fun Quiz

*Binary Room*: Implementation of a RISC-V to ARM Translator

This paper is best read as a pdf in its original typesetting. In this paper, we describe our experience going from idea to implementation of a binary translator.

Linux Spelunking: How are processes loaded?

Load a program

Load “Hello World”

It’s a function call

*Tabula Rasa*: Starting Safe Stays Safe

Pronoun usage in the Linux Kernel

Results

Counts by pronoun

Pronoun usage over time

Analysis

“her” usage

“she” usage

“woman”/”women”

Swearing in Linux

Age

Bug snack: `fork`s upon `fork`s

Part 1

By inspecting the code, how many processes are created and how many times is ls run?

100 Best Movies

Compile time techniques for safer firmware

Provable Security in Embedded Systems: Verification Work in Tock OS

UPDATE: The results of our work were published at SOSP 2025.

Watch now

Slides

Connect with us!

Tock: safe embedded operating system

Flux: scalable Rust verification

Share the presentation permalink: godsped.com/safe-firmware

10 reasons I chose to join Triton UAS

This post is a reprint of the original post I wrote on the Triton UAS blog. This post has been edited to add COMMENTARY blocks with my own commentary.

Triton UAS is a club at UC San Diego which makes Unmanned Aerial Systems, aka autonomous planes.

1. The project is exciting

2. Making something cool

3. Mentorship

4. Collaboration

The case for Nix on the home server

View the slides

Binary Room: Implementation of a RISC-V to ARM Translator

Tabula Rasa: Starting Safe Stays Safe

By inspecting the code, how many processes are created and how many times is `ls` run?

This post is a reprint of the original post I wrote on the Triton UAS blog. This post has been edited to add `COMMENTARY` blocks with my own commentary.