Their TCB is (according to my information) larger than 100000 lines of code.
http://www.osnews.com/thread?337733
This is one problem.
> Any bug in a compiler, loader, linker
> or analysis tool will eventually lead to a very nasty failure in ring
> 0.
Like in Minix. Minix kernel is also compiled by an unverified compiler.
Just like Singularity.
Not to mention the fact that both Minix and Singularity run on
unverified hardware. That sounds like an infinite regress, I fear.
> Add to that fact that I don't think static analysis can catch each
> and every problem... I don't think this is such a tremendous idea. In
> practice, this approach will probably prevent a lot of bugs and
> thereby problems, but not all.
I think you are simplifying things here. They rely on security
mechanisms beyond simple typechecker (such as reference monitor that
enforces security policies specified in "manifest" of a given component
etc).
Yes. And when the line count would be actualized for 3.1.4 (6,000?
8,000? without forgetting the kernel libraries ;-)), it will still hold.
> I'd say the former is actually feasible, the latter is not.
But it still is a LOT of work (that should be done entirely on every
build you want to verify.)
Furthermore, Minix 3 consists of more than the small kernel, as the
thread about "effort needed..." shows; sure, drivers have been put off
the path (and it certainly is a Good Thing), but there are still a lot
of things beyond the kernel required to make Minix minimally functional,
including but not limited to pm, rs, vfs, mfs, vm; they do not run at
ring 0, but they do have easy (and not throughly checked) access to the
ring 0 primitives and structures.
> Moreover, Minix is compiled on a specific compiler from a specific
> manufacturer that has been stable for what, 20 years, more?
Probably a bit less.
First, around 1991 (after 1.5) the hot thing around Minix was the "new"
C compiler (there are still traces of this "newness", for example the n
--for "new"-- in ncg; of course the front end was a substantial rewrite,
for ANSI compatibility; also, the i386 back-end did not exist before
1991-92, http://groups.google.com/groups?selm=13...@star.cs.vu.nl.)
And while it was not substantially altered after 1994 (according to the
CVS tags), we do not have the former history available to track back to
the earlier asld's of Minix 1.0-1.5 compilers of the 1983-87-89 vintage.
Furthermore, while this compiler is /stable/, the same can be said for
CvW's C386 or Bruce Evans' bcc of the same timeframe: in fact they had
not evolved and were not used for many projects, which is /not/ a good
thing when it comes about safety; Microsoft's C compiler (not the C++
one, much less C#) has also been quite "stable" for the same timeframe
as ACK, yet it also have been used widely and so probably it is more
solid when it comes to security or safety analysis.
Antoine
I do not think that this is a good argument. Linux is reliable but at
what price (counted in human centuries). How many projects will have the
luck of attracting as many "eyeballs"? Also, Windows is more or less
reliable (I believe) but at what price? How many projects can afford to
pay that price?
Whenever when you are considering whether or not you are going to trust
ultimately to someone, it is wise to verify its reputation. Reputation
of authors of Linux and reputation of authors of Windows is quite different.
I do not aggree with Jens that language-based approach is hopeless but
in the context of Singuarlity, this discussion is irrelevant. It might
be interesting in case if:
- a given system has small TCB
- a given system has simple and powerful security model
- a given system follows principle of the least authority (POLA)
(which should not be confused with POLP---permission/privilege
and authority are two separate concepts)
- a given system has proper structure
(minimized dependency relationship)
I do not think that Singularity has any of these.
Jens de Smit wrote:
> Add to that fact that I don't think static analysis can catch each
> and every problem.
This statement significantly underestimates for example type system
described here:
http://www.springer.com/computer/programming/book/978-3-540-20854-9
The authors describe a type system (and other things) that can be used
for some of those things you think are not possible to do. It is a tough
book but I think worth reading. It describes a fancy typesystem that can
be used for (if I exaggerate) "catching each and every problem".
Certainly many of those you wouldn't imagine that can be catched by a
typesystem.
Note Singularity will and is intended to be much better than Windows /Linux
. Singularity ( and Minix) both benefit from being easy to change. Windows
and Linux are static because it is so hard and risky to change.
Even your argument they have 100,000 lines vs 5-10,000,000 which is a
massive improvement. Still Minux is much bigger than 5000 if you include
all things that have access to OS data hence there is some difference in
what is a TCB.
>
>Whenever when you are considering whether or not you are going to trust
>ultimately to someone, it is wise to verify its reputation. Reputation
>of authors of Linux and reputation of authors of Windows is quite
>different.
But they don't trust anyone except themselves. The compiler will be in the
OS ( apps will be managed and hence need to be compiled by the OS at
install) and the device drivers managed who do all the access via the HAL (
including IO ports). Minux trust device driver writers to do DMA and IO.
>
>I do not aggree with Jens that language-based approach is hopeless but
>in the context of Singuarlity, this discussion is irrelevant. It might
>be interesting in case if:
>- a given system has small TCB
I think it has a small TCB . 100,000 lines of C# is not that much
considering it covers everything that has access to OS data. However a real
OS in the style of Singularity would prob be 200K or so. Still C++ is at
least twice as compact that C# in terms of lines.
>- a given system has simple and powerful security model
It has a very powerful OS /software based security model .
>- a given system follows principle of the least authority (POLA)
> (which should not be confused with POLP---permission/privilege
> and authority are two separate concepts)
I don't know the detail here but they have a lot in this area. Device
drivers do not have direct hardware access, And the run manifest states
exactly what authority the app needs and the OS can deny it. This is not
really part of the Kernel though by limiting what can access the kernels
data which they do they certainly limit the authority.
"For all resource statements in the application manifest, we assume the
existence of a security policy language that can be used to specify policies
such as trust relationships for each resource in the manifest. The exact
form of this policy language remains to be decided by the security team."}
>- a given system has proper structure
> (minimized dependency relationship)
It is probably weakest here in theory though minimizing dependencies is
standard OO practice and since nearly all of the code is reasonable C# it
does make a good attempt.
>I do not think that Singularity has any of these.
Id still argue as a Research OS it has a lot of ideas that deserve our
attention. The authors deliberately avoided many things and optimizations a
real OS have due to being out of scope.
Regards,
Ben
Concerning Linux, do you think it is fair to count also subsystems that
are never actually used? If we count only those subsystems that are
used, how big is the kernel then in terms of lines of code?
Do you find their proposals (how to enforce security policies) attractive?
I do not like the proposed solution but I like the problem they
(at last :) ) identified.
How does Minux and micro kernels in general plan to support this now and in
future ?
Option 1)
Each run time runs in its own process along with all child processes. This
is bad as 1 app can bring the whole runtime down , completely defeating the
point of reliable OS . Sure the OS is robust but people won't view it as
such when half the apps stop working. Consider having 30 pages open in a
browser and it coming down - its quite annoying to the extent that some
browsers even restart your pages now ( pitty about the form you were just
filling out) .
Option 2)
Each child process runs in its own process and the runtime is shared code. A
crash of a app should not affect the other apps , While this works ok in
Monolithic kernels with a micro kernel the switching overhead becomes very
heavy. Take the case of a large number of load balanced SOA services that
need to frequently communicate.
Eg take a common case of an incoming request and then the service talks to
another service for a single call ( say to log something) .
Incomming Request -> network Stack -> Soap stack -> Service Hosting ->
Service 1 -> Soap stack ->Tcp/ip stack ->Network stack or shared memory ->
Tcp/ip stack -> Soap stack - Service 2 -> Call Db process -> Db talks to
file system -> fs talks to Disk driver ->
And now the ack is returned.
I would imagine that while web sites serving html could run ok (but not
great) in this mode , actual web applications would get bad performance. Its
worth noting SOA applications particularly are sensitive to the latency here
as they may pass through a number of services.
Option 3)
Is as Option2 but the shared runtime code can only be readonly pages. This
is the same as 2 just a bit safer .
Regards,
Ben
I disagree. It is artificially (not inherently) complicated problem.
Consider a following scenario.
- you have a (Singularity) subsystem that you want to run
- it requires some authority to be able to provide required services
If you make sure that:
(1) a given subsystem is started in an (unbreakable) sandbox
(2) the language does not support forging arbitrary references
then the whole security problem (how to follow the principle of the
least authority---POLA) reduces to passing a given subsystem right set
of references to object it needs to talk to.
The caveat is that (1) and (2) are hard to do for Java/C#. But language
designed progressed from the time in which Java was designed and there
are languages where (1) and (2) is trivial to ensure.
There are many advantages of this scheme.
- you can forget about authentification
(what is the identity of kernel components anyway)
Authentification subsystem can be dropped from TCB.
- you can forget about reference monitor
(there are many different kinds of objects and usually
this means that you need separate reference monitor for each
and every type of object)
All the reference monitors can be dropped from TCB.
- You do not have to choose between
- security
- usability
as it is always an inherent problem of any ACL scheme.
- Basically, the effort needed to determine the authority
of a chosen component is proportional
- not to the size of the sandboxed component
- but to the size of the the trusted component that sends
it right set of references.
- The security model is simpler. What you have a references. Those
you have anyway so the situation does not get more complicated.
You do not have to deal with ridiculous security mechanisms.
Are there any other disadvantages of this scheme?
(provided that we choose a language where conditions (1) and (2) can be
trivially ensured)
Can you please explain to me why you posted all these explanations about
Singularity in response to my post, which was targeting Minix3?
Antoine
Sys Admin (= bklooste = Ben) wrote :
> I created this thread to discuss Singlarity ideas and how they apply to
> Minix (and hence whether they are worth implementing in a micro kernel OS ).
> The conversation just before you entered was on comparing the TCB of Minux
> to Singularity.
Do you mean this thread should refrain from discussing Minix, just
sticking on Singularity?
If yes, it probably would have been easier to mention it, rather than
requiring me to figure out the details of your post and the relationship
with mine.
Antoine
>Do you mean this thread should refrain from discussing Minix, just
>sticking on Singularity?
>
>If yes, it probably would have been easier to mention it, rather than
>requiring me to figure out the details of your post and the relationship
>with mine.
>
No one is saying it should be only Singularity.
"I created this thread to discuss Singularity ideas and how they apply to
Minix (and hence whether they are worth implementing in a micro kernel
>OS )." Which obviously != " Do you mean this thread should refrain from
discussing Minix, just
>sticking on Singularity?" in the English language at least
It may mean the thread, as should be obvious from the subject should refrain
from discussing ONLY Minix but I don't have an issue with a thread wondering
a bit though i do think it is reasonable for me to tie relevant comments
back to the subject.
However YOU were the one that raised the issue of why I tied it back to the
original topic , at the time of posting i didn't realize you intended to
fork the discussion without changing the obvious subject which is either
lazy or bad etiquette. I can understand you just read the last post and
wanted a reply to your specific email , however it sounds like you did not
bother reading the rest of the tread. Personally i think your request for an
explanation to an on topic reply on a thread i started and the incorrect but
sarcastic tone in reply to my conciliatory last message are insulting if not
downright rude.
Regards,
Ben
I've been trying to follow this with a bit of reading, and I'm really
interested in what MSR is doing with Singularity, Sing#, Spec# and
Code Contracts. I think I see how each could contribute to shortening
development and making it harder to write buggy software to begin
with.
My question is on the Code Contracts specifically. I'm a fan of
Eiffel-style Debug:Asserts in the debugging process, but for a
language that doesn't have them built-in, I've always just put them in
preprocessor directives that would print out debug messages to the
screen. I think on of the most useful things about Code Contracts is
that they're checked at compile time, so you can get rid of a lot of
edge cases before you even start running unit tests.
Is there any kind of utility/tool for this sort of thing in MINIX (in
C and/or assembly)? If not, is there an existing tool (maybe on the
GNU Toolchain) that does this that could be ported?
Thanks
~Alex