Abstract
In Minecraft, every world is built from blocks. At the very bottom lies bedrock: an unbreakable foundation that everything else rests on. Above it sit layers of stone, dirt, sand, and other materials. The surface looks quite beautiful, but the resources essential for survival are buried deep below, and players must descend to reach them. Of course, they’re warned “don’t dig straight down”: remove the block under your feet and you might plunge into lava.
Our technological infrastructure works the same way. We often focus on the surface: APIs, clusters, and users. But just above the bedrock of our systems are the crucial yet less visible layers: hardware drivers, kernels, bootloaders. Developers know that digging too far down can be difficult and risky because of the complexity involved. Yet, as in Minecraft, you can descend safely with the right approach, working your way towards a once untouchable foundation to solve the biggest challenges you face, such as security, performance, or velocity.
This talk traces a journey through the entire stack, from the first code that runs when a machine boots to the isolation boundaries that protect containerized workloads, to explore what happens when you change your fundamental assumptions about how systems function. Through three critical infrastructure challenges (a systemic vulnerability in Rust's ecosystem that could have cascaded through countless production systems, the fundamental isolation gaps in container runtimes we've simply accepted, and the unexamined trust we place in legacy technology like bootloaders), we'll explore what it means to dig down to bedrock and rebuild directly on top, leaving no stone unturned.
This isn't about Rust being a silver bullet or any single technology solving our problems. It’s a mindset to restore holistic system security, not accepting the status quo just because it’s always been that way. Stripping back layers of complexity and building what we really need, all at the bottom layer of the stack.
Security done right isn't a gate that slows people down; it’s an enabler. But getting there requires us to stop accepting that some layers are just "too hard" to fix and start building the bedrock our systems deserve. You can't solve security at just one layer. You have to do it all, from bedrock up.
Speaker
Alex Zenla
Founder & CTO @Edera