





Can We Make Operating System Reliable and Secure?


Microkernels – long discarded as unacceptable because of their lower performance compared with monolithic kernels – might be making a comeback in operating systems due to their potentially higher reliability, which many researchers now regard as more important than performance. The worst offender when it comes to reliability and security is the operating system. Although application programs contain many flaws, if the operating system were bug free, bugs in application programs could do only limited damage. A few words about the relationship between reliability and security are in order. Problems in each of these domains often have the same root cause: bugs in the software. A buffer overrun error can cause a system crash (a reliability problem), but it can also allow a cleverly written virus or worm to take over the computer (a security problem). Although we focus primarily on reliability, improving reliability can also improve security.

Current operating systems have two characteristics that make them unreliable and insecure: they are huge and they have very poor fault isolation. The Linux kernel has more than 2.5 million lines of code; the Windows XP kernel is more than twice as large. The large size of current operating systems means that no one person can understand the whole thing. Clearly, it is difficult to engineer a system well when nobody really understands it. Second, operating systems have no isolation between components. A modern operating system contains hundreds or thousands of procedures linked together as a single binary program running in kernel mode. Every single one of the millions of lines of kernel code can overwrite key data structures that an unrelated component uses, crashing the system in ways that are difficult to detect. In addition, if a virus or worm infects one kernel procedure, there is no way to keep it from rapidly spreading to others and taking control of the entire machine.

Fortunately, the situation is not hopeless. Researchers are endeavoring to produce more reliable operating systems, and four different approaches are being used to make future operating systems more reliable and secure. The first and most conservative approach, Nooks, is designed to improve the reliability of existing operating systems such as Windows and Linux. Nooks maintains the monolithic kernel structure, with hundreds or thousands of procedures linked together in a single address space in kernel mode, but it focuses on making device drivers – the core of the problem – less dangerous. In particular, Nooks protects the kernel from buggy device drivers by wrapping each driver in a layer of protective software to form a lightweight protection domain, a technique sometimes called sandboxing. The wrapper around each driver carefully monitors all interactions between the driver and the kernel.
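The Nooks idea described above, as an added example in C that is not from the original text or the Nooks project: a toy kernel arena in which the driver's packet buffer sits directly before the scheduler's table, and the same unchanged, buggy driver delivers an oversized packet once with raw access to kernel memory (monolithic) and once through a wrapper that refuses writes outside the driver's domain and resets the driver on a fault. The memory layout, all names and the 24-byte packet are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Toy kernel address space (constructed layout): the driver's 16-byte packet
 * buffer sits directly before the scheduler's 16-byte table. */
#define ARENA_SIZE 64
#define DRV_BASE   0
#define DRV_SIZE   16
#define SCHED_BASE 16
typedef struct {
    uint8_t mem[ARENA_SIZE];
    int driver_restarts;   /* times the wrapper reset the driver after a fault */
} kernel_t;
/* Nooks-style wrapper: the only way a wrapped driver reaches kernel memory;
 * it refuses any write outside the driver's protection domain. */
static int domain_store(kernel_t *k, size_t off, uint8_t v) {
    if (off >= DRV_SIZE) return 0;
    k->mem[DRV_BASE + off] = v;
    return 1;
}
/* The buggy driver, identical in both configurations: copies len bytes with no
 * size check. Monolithic: raw writes. Wrapped: via domain_store; 0 if stopped. */
static int driver_copy_packet(kernel_t *k, const uint8_t *pkt, size_t len, int wrapped) {
    if (len > ARENA_SIZE) len = ARENA_SIZE;   /* keep the toy arena itself in bounds */
    for (size_t i = 0; i < len; i++) {
        if (wrapped) { if (!domain_store(k, i, pkt[i])) return 0; }
        else k->mem[DRV_BASE + i] = pkt[i];
    }
    return 1;
}
int scheduler_intact(const kernel_t *k) {   /* 1 if the table still holds its pattern */
    for (size_t i = 0; i < DRV_SIZE; i++)
        if (k->mem[SCHED_BASE + i] != (uint8_t)(0xA0 + i)) return 0;
    return 1;
}
/* Deliver one packet; a wrapper-detected fault resets the driver's buffer
 * (automatic recovery). Returns 1 if the scheduler table survived. */
int deliver(kernel_t *k, const uint8_t *pkt, size_t len, int wrapped) {
    if (!driver_copy_packet(k, pkt, len, wrapped)) {
        memset(k->mem + DRV_BASE, 0, DRV_SIZE);
        k->driver_restarts++;
    }
    return scheduler_intact(k);
}
/* Constructed scenario: fresh kernel, then a 24-byte packet for the 16-byte buffer. */
int overrun_scenario(kernel_t *k, int wrapped) {
    memset(k, 0, sizeof *k);
    for (size_t i = 0; i < DRV_SIZE; i++) k->mem[SCHED_BASE + i] = (uint8_t)(0xA0 + i);
    uint8_t pkt[24]; memset(pkt, 0xFF, sizeof pkt);   /* oversized packet, constructed */
    return deliver(k, pkt, sizeof pkt, wrapped);
}
```

Run with `wrapped` set to 0 the overrun lands on the scheduler table; with 1 the wrapper stops the driver at its first out-of-domain write and the table survives.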

The Nooks project has three goals: to protect the kernel against driver failures, to recover automatically when a driver fails, and to do all of this with as few changes as possible to existing drivers and the kernel.

Protecting the kernel against malicious drivers is not a goal.

The second approach borrows an idea from virtual machines: a special control program, called a virtual machine monitor, runs on the bare hardware instead of an operating system. The virtual machine monitor creates multiple instances of the true machine. Each instance can run any software the bare machine can.

This technique is commonly used to allow two or more operating systems, say Linux and Windows, to run on the same hardware at the same time, with each one thinking it has the entire machine to itself. Virtual machines have a well-deserved reputation for good fault isolation – after all, if none of the virtual machines even knows about the others, problems in one machine cannot spread to the others. The research described here adapts this concept to protection within a single operating system, rather than between different operating systems.

The third approach directly attacks the core of the problem: having the entire operating system run as a single gigantic binary program in kernel mode. Instead, only a tiny microkernel runs in kernel mode, with the rest of the operating system running as a collection of fully isolated user-mode server and driver processes.

The microkernel handles interrupts, provides the basic mechanisms for process management, implements interprocess communication, and performs process scheduling.

The fourth and most radical approach comes from an unexpected source – Microsoft Research. In effect, the Microsoft approach discards the concept of an operating system as a single program running in kernel mode plus some collection of user processes running in user mode, and replaces it with a system written in new type-safe languages that do not have all the pointer and other problems associated with C and C++.

Thus, each of the four different attempts to improve operating system reliability focuses on preventing buggy device drivers from crashing the system. It is not yet known which, if any, of these approaches will be widely adopted in the long run. Nevertheless, it is interesting to note that microkernels – long discarded as unacceptable because of their lower performance compared with monolithic kernels – might be making a comeback due to their potentially higher reliability, which many people now regard as more important than performance.

Study the meaning of the following words and word combinations:

· a flaw

· sandboxing

· fault isolation

· entire

· to endeavor

· interrupt

· armored

· to discard

· to wrap

· type-safe language

1.2. Answer the following questions:

1. Are unreliability and insecurity the same from the OS point of view?

2. How many approaches to the problem are discussed in the text?

3. What are the main ideas of each of these approaches?

4. What approach is more acceptable from your point of view? Why?


1.3. Read and translate the text “Hardware, Software and Firmware”[26]

Last modified: 2016-06-09

lectmania.ru. All rights belong to the authors of these materials. In case of copyright infringement, write to us here...