Can We Make Operating Systems Reliable and Secure? Andrew S. Tanenbaum, Jorrit N. Herder, and Herbert Bos Vrije Universiteit, Amsterdam May 2006 Group 胡品捷 江彥勳 1

Outline  Introduction  Armored Operating Systems  L4 Microkernel  Multiserver Operating Systems  Language-Based Protection  Conclusion 2

Why we need more reliable and secure?  Most computer users are “normal people”  Less problem  More Convenient and Stable 3

Unreliable  Huge  Poor fault isolation  Example : 6-16 bugs / 1,000 lines of executable code 2-75 bugs / 1,000 lines of executable code Linux kernel Windows xp kernel 2.5 million lines of code 5 million lines of code Linux kernel Windows xp kernel bugs totally bugs totally 4

Fault isolation Procedure 1 Procedure 2 Procedure n Kernel Virus Worm ⇧ 5

Armored Operating Systems  Nooks – improve the reliability of OS Focus on making device divers less dangerous Goals: Protect the kernel against driver failures. Recover automatically when a driver fails. Do all of this with as few changes as possible to existing drivers and the kernel. 6

Isolation  Main tool : virtual memory paging map 7 Driver Running Page 1 Page 2 Page 3 Page 4 Read-only

Paravirtual Machines  Allow two or more OS  Good fault isolation  Problems can’t spread from one machine to another 8

L4 Microkernel  University of Karlsruhe  Linux -> L 4 Linux  9 Linux -> modify -> Paravirtualization

Multiserver Operating Systems  Multiserver architecture 10  Features Separate instruction and data spaces

Language-Based Protection  New protect system - Singularity  New type safe language – Sing# Based on C#  Proction : Algol compiler’s “dangerous” code  Idea : Microsoft Research 11

Conclusion  Nooks – each driver individually wrapped in software jacket  Paravirtual machine – moves the drivers to one or more machines distinct from the main one  Multiserver – runs each driver and OS component in a separate process  Singularity – uses a type-safe language 12