MK++: A High Assurance Operating System Kernel
Shai Guday, David Black
MK++ Results
- MK++ is a complete reimplementation of the essential Mach abstractions for use in a B3 formal evaluation
  - A microkernel for TIS's TrustBase - B3 level assurance
  - Good performance as well as high assurance
  - An "essential microkernel" with only those features and functions truly needed
- All B3 assurance requirements have been met
- High Assurance Software Engineering
  - Object Oriented Layering
Brief History of Software Engineering
MK++ Internal Architecture (layer diagram; labels in the order they appear)
- Resource Management Objects
- Kernel Interface
- Space Accounting
- Processor Scheduling
- Connection Management
- Transfer Management
- Memory Extent Management
- Resident Memory Management
- Clock/Device Services: Clock Mgmt, Device Mgmt
Diagram side labels: User Addr Space, User Port Namespace, VM, Clocks and Devices, Tasks, Threads, Resources, PC
Object Decomposition
Relationship Decomposition
Benefits of Object Oriented Layering
- Lock Hierarchy based on Layer Hierarchy
  - MK++ is fully preemptible and multithreaded
- Simplified Initialization
  - Run constructors in order from lowest layer to highest layer
  - Easy to determine what functionality is available at each layer
- Significant Layer Enforcement at Compile time
  - Compiler rejects circular inheritance
  - Header file discipline: don't include header files from higher layers
- ... in addition to improved code structure and assurance
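The three benefits on this slide (a lock order that follows the layer order, constructors run lowest layer first, and dependency direction rejected by the compiler) can be shown in a few dozen lines. The following is an added illustration written for this page, not MK++ source; the layer names and numbers, the `LayeredObject`/`Uses` templates, `LockLedger` and `InitRegistry` are all assumptions of the example, and it assumes that calls flow from higher layers to lower ones, so locks are taken in strictly descending layer order.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Hypothetical layer numbers chosen for this example; the slides do not give
// MK++'s actual numbering. Lower numbers are more primitive layers.
enum LayerNo : int {
    ResidentMemory  = 1,
    MemoryExtent    = 2,
    TransferMgmt    = 3,
    ConnectionMgmt  = 4,
    ProcessorSched  = 5,
    KernelInterface = 6
};

// A layered object records its layer as a compile-time constant.
template <int L> struct LayeredObject { static constexpr int layer = L; };

// A member of this type documents "owner at layer OwnerLayer uses Dep" and makes
// the compiler reject a dependency that points upward into a higher layer.
template <int OwnerLayer, typename Dep> struct Uses {
    static_assert(Dep::layer < OwnerLayer,
                  "layering violation: objects may only use lower-layer objects");
    Dep* target = nullptr;
};

struct PageFrame : LayeredObject<ResidentMemory> {};
struct Extent    : LayeredObject<MemoryExtent> { Uses<MemoryExtent, PageFrame> frames; };
// struct Backwards : LayeredObject<ResidentMemory> { Uses<ResidentMemory, Extent> e; }; // rejected at compile time

// Lock order derived from layer order (assumption: calls flow from higher layers
// to lower ones, so locks are taken in strictly descending layer order and
// released in LIFO order). A refusal here is a deadlock caught before it happens.
class LockLedger {
public:
    bool acquire(int layer) {
        if (!held_.empty() && layer >= held_.back()) return false;  // order inversion
        held_.push_back(layer);
        return true;
    }
    bool release(int layer) {
        if (held_.empty() || held_.back() != layer) return false;   // not the innermost lock
        held_.pop_back();
        return true;
    }
    std::size_t depth() const { return held_.size(); }
private:
    std::vector<int> held_;
};

// Initialization: constructors registered in any order, run lowest layer first,
// so each layer can rely on everything beneath it already being constructed.
struct LayerInit { int layer; std::string name; void (*ctor)(); };

class InitRegistry {
public:
    void add(int layer, std::string name, void (*ctor)()) {
        inits_.push_back({layer, std::move(name), ctor});
    }
    std::vector<std::string> run() {
        std::stable_sort(inits_.begin(), inits_.end(),
                         [](const LayerInit& a, const LayerInit& b) { return a.layer < b.layer; });
        std::vector<std::string> order;
        for (const LayerInit& i : inits_) {
            if (i.ctor) i.ctor();
            order.push_back(i.name);
        }
        return order;
    }
private:
    std::vector<LayerInit> inits_;
};

inline std::vector<std::string> demo_init_order() {
    InitRegistry r;  // registered out of order on purpose
    r.add(KernelInterface, "kernel_interface", nullptr);
    r.add(ResidentMemory,  "resident_memory",  nullptr);
    r.add(ConnectionMgmt,  "connection_mgmt",  nullptr);
    r.add(MemoryExtent,    "memory_extent",    nullptr);
    return r.run();
}

inline bool demo_descending_locks_ok() {
    LockLedger l;
    return l.acquire(ProcessorSched) && l.acquire(TransferMgmt) && l.acquire(ResidentMemory)
        && l.release(ResidentMemory) && l.release(TransferMgmt) && l.release(ProcessorSched)
        && l.depth() == 0;
}

inline bool demo_inverted_lock_rejected() {
    LockLedger l;
    l.acquire(ResidentMemory);
    return !l.acquire(ConnectionMgmt);  // taking a higher-layer lock while holding a lower one is refused
}
```

The `static_assert` does the compile-time part of the slide's "layer enforcement": uncommenting `Backwards` fails the build, which is the same kind of check as the compiler rejecting circular inheritance. The lock ledger is what a preemptible, multithreaded kernel would keep per thread in a debug build; the layer number doubles as the lock level, so no separate lock-order table has to be maintained.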
A Few Words About Performance
- MK++ Performance is comparable to Mach
  - Even on highly optimized Mach code paths
  - Performance is more robust (no special case 'fast paths')
  - Kernel microbenchmarks (IPC, page fault, task create)
- Extensive use of inline methods
  - MK++ has lots of tiny methods, but most of them are inline
- Disciplined use of virtual methods
  - Layering forces attention to this
- C++ is not slow in the hands of competent software engineers!
Sharper Tools
- Layer Verification Tool
  - Enforce Layering Architecture
- Covert Storage Channel Tool
  - Find all storage channels
  - But not timing channels
- Tools find many problems missed by people
- Incremental execution would be very useful
  - Hook tools into source control system
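The slide does not describe how the layer verification tool works, so here is an added example (not the MK++ tool) of the simplest check such a tool must make: the header-file discipline from the previous slide, "don't include header files from higher layers". It assumes a hand-maintained map from file name to layer number, scans each translation unit for `#include "..."` directives, and reports every include that reaches upward. File names, layer numbers and the sample sources are constructed for the example.

```cpp
#include <map>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical layer assignment for the check: file or header name -> layer number.
using LayerMap = std::map<std::string, int>;

struct Violation {
    std::string file;      // the including file
    std::string included;  // the header it pulled in
    int file_layer;
    int included_layer;
};

// Extract the targets of '#include "..."' directives from one file's text.
// System headers (<...>) are outside the layering and are ignored.
inline std::vector<std::string> quoted_includes(const std::string& source) {
    static const std::regex directive(R"rx(^\s*#\s*include\s*"([^"]+)")rx");
    std::vector<std::string> out;
    std::istringstream in(source);
    std::string line;
    while (std::getline(in, line)) {
        std::smatch m;
        if (std::regex_search(line, m, directive)) out.push_back(m[1].str());
    }
    return out;
}

// Header discipline: a file may include headers from its own layer or below.
// Files or headers missing from the layer map are skipped here; a production tool
// should report them too, since an unlabelled file is an unchecked one.
inline std::vector<Violation> check_layering(const LayerMap& layers,
                                             const std::map<std::string, std::string>& sources) {
    std::vector<Violation> found;
    for (const auto& entry : sources) {
        auto fl = layers.find(entry.first);
        if (fl == layers.end()) continue;
        for (const std::string& inc : quoted_includes(entry.second)) {
            auto il = layers.find(inc);
            if (il == layers.end()) continue;
            if (il->second > fl->second)
                found.push_back({entry.first, inc, fl->second, il->second});
        }
    }
    return found;
}

// Constructed sample: a four-layer slice of a kernel tree with one upward include.
inline std::vector<Violation> demo_check() {
    const LayerMap layers = {
        {"resident_memory.h", 1}, {"memory_extent.h", 2}, {"memory_extent.cc", 2},
        {"transfer.h", 3},        {"transfer.cc", 3},     {"connection.h", 4},
    };
    const std::map<std::string, std::string> sources = {
        {"memory_extent.cc", R"src(#include <cstdint>
#include "memory_extent.h"
#include "resident_memory.h"
)src"},
        {"transfer.cc", R"src(#include "transfer.h"
#include "connection.h"
)src"},
    };
    return check_layering(layers, sources);
}
```

Running this from a pre-commit hook is the "hook tools into source control system" point on the slide: only the files in a change set need re-scanning, because an include that was legal yesterday stays legal unless the layer map itself changes.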
Formal Methods
- Generated runtime assertions based on Formal Model
  - IPC subsystem invariant checks
- The Good News: Found 4 serious problems missed by development and review
- The Bad News: Missed at least one more
  - Kernel not exercised under all possible conditions
  - Test coverage is not a new problem
  - Neither is it a solved problem
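To make "runtime assertions generated from a formal model" concrete, the following added example (written for this page, not taken from MK++ or its formal model) uses a deliberately tiny, hypothetical model of Mach-style ports: a receive right, a per-port count of send rights, and a message queue. Three invariants a model would state are checked as one function, and a task-teardown path is run once correctly and once with an injected omission (send rights on a dead port are not revoked) to show the check catching what a code review could miss. The `IpcModel` class, its invariants and the sample exchange are all constructed for the example.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, much-simplified model of Mach-style ports and rights. It is not
// MK++'s actual IPC model or invariant set.
struct Port {
    int receiver = -1;               // task holding the receive right; -1 means dead
    int send_total = 0;              // kernel's count of outstanding send rights
    std::vector<std::string> queue;  // messages awaiting receipt
};
struct Task {
    std::map<int, int> send_rights;  // port id -> number of send rights held
};

class IpcModel {
public:
    int create_task() { int id = next_task_++; tasks_[id]; return id; }

    int allocate_port(int owner) {
        int id = next_port_++;
        ports_[id].receiver = owner;
        return id;
    }

    bool grant_send(int task, int port) {
        auto p = ports_.find(port);
        if (p == ports_.end() || p->second.receiver == -1 || tasks_.count(task) == 0) return false;
        tasks_[task].send_rights[port] += 1;
        p->second.send_total += 1;
        return true;
    }

    bool send(int task, int port, std::string msg) {
        auto t = tasks_.find(task);
        if (t == tasks_.end() || t->second.send_rights.count(port) == 0) return false;
        ports_[port].queue.push_back(std::move(msg));
        return true;
    }

    // Task teardown. With `buggy` set, the code forgets to revoke other tasks'
    // send rights on ports the dying task received on: the kind of omission that
    // review can miss but a model-derived invariant check catches.
    void terminate_task(int task, bool buggy = false) {
        auto t = tasks_.find(task);
        if (t == tasks_.end()) return;
        for (const auto& r : t->second.send_rights) ports_[r.first].send_total -= r.second;
        for (auto& pp : ports_) {
            Port& p = pp.second;
            if (p.receiver != task) continue;
            p.receiver = -1;          // a port dies with its receiver
            p.queue.clear();
            if (!buggy) {
                for (auto& tt : tasks_) tt.second.send_rights.erase(pp.first);
                p.send_total = 0;
            }
        }
        tasks_.erase(t);
    }

    // Invariants as a model would state them; in the kernel each would become an
    // assertion evaluated at the IPC subsystem's entry and exit points.
    //   I1: a live port's receiver is an existing task
    //   I2: a port's send_total equals the send rights tasks actually hold on it
    //   I3: a dead port has no send rights and no queued messages
    std::vector<std::string> violated_invariants() const {
        std::vector<std::string> v;
        for (const auto& pp : ports_) {
            const Port& p = pp.second;
            const std::string tag = " (port " + std::to_string(pp.first) + ")";
            if (p.receiver != -1 && tasks_.count(p.receiver) == 0) v.push_back("I1 receiver missing" + tag);
            int held = 0;
            for (const auto& tt : tasks_) {
                auto it = tt.second.send_rights.find(pp.first);
                if (it != tt.second.send_rights.end()) held += it->second;
            }
            if (held != p.send_total) v.push_back("I2 send-right count mismatch" + tag);
            if (p.receiver == -1 && (p.send_total != 0 || !p.queue.empty()))
                v.push_back("I3 dead port still referenced" + tag);
        }
        return v;
    }

private:
    int next_task_ = 1, next_port_ = 1;
    std::map<int, Port> ports_;
    std::map<int, Task> tasks_;
};

// A server/client exchange followed by server death, with correct teardown or
// with the injected omission. Returns the list of violated invariants.
inline std::vector<std::string> demo_teardown(bool buggy) {
    IpcModel k;
    int server = k.create_task();
    int client = k.create_task();
    int port = k.allocate_port(server);
    k.grant_send(client, port);
    k.send(client, port, "request");   // constructed message
    k.terminate_task(server, buggy);
    return k.violated_invariants();
}
```

The slide's "bad news" is visible in the same code: `violated_invariants()` only reports on states the test actually drives the kernel into. A teardown path that is never exercised (say, a task dying while holding send rights on its own port) is never checked, however precise the invariants are.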
Conclusion
- Assurance is only possible if software practitioners can reason about the software
  - High assurance analysis and design necessary for high assurance software
- Software engineering techniques exist for practical development of high assurance software
  - Complement of layering and object orientation support decomposition of complex system software, e.g. MK++ microkernel
- Need advances in the state of the art
  - Object interface design
  - Dependency decomposition and encapsulation
  - Assured design patterns (aka frameworks)
  - Framework composition rules