Europe Funds Secure Operating System Research
narramissic writes "A Dutch university has received a $3.3 million grant from the European Research Council to fund 5 more years of work on a Unix-type operating system, called Minix, that aims to be more reliable and secure than either Linux or Windows. The latest grant will enable the three researchers and two programmers on the project to further their research into making Minix capable of fixing itself when a bug is detected, said Andrew S. Tanenbaum, a computer science professor at Vrije Universiteit. 'It irritates me to no end when software doesn't work,' Tanenbaum said. 'Having to reboot your computer is just a pain. The question is, can you make a system that actually works very well?'"
A very good question (Score:4, Insightful)
The question is, can you make a system that actually works very well?
I'm glad someone finally got to asking this question.
Re:Wait a second... (Score:4, Insightful)
I thought Windows was secure. Why not use that? *cough* *cough*
I thought OpenBSD was secure. Why not use that?
The 1980s called... (Score:5, Insightful)
.. they want their funding back.
Seriously, I thought Minix had been put out to pasture years ago.
Also what are 5 people going to manage that entire corporations and thousands of OSS developers failed to do in the last few decades? Ok, one of them might be the next Alan Turing and surprise us all but I won't hold my breath.
Re:The 1980s called... (Score:5, Insightful)
The aim is not to produce a better operating system, the aim is to secure funding. This is what academics actually do; good research is (at best) a byproduct. This is business as usual for a research group. The real research will be a low priority, because the group will need to satisfy the EU bureaucracy that they are doing something worthwhile. Consequently, most of their time will be spent writing reports.
Bear in mind that ideas like "self healing software" are buzzwords that you put on research proposals in order to get them accepted. See also: "cyber-physical systems", "multicore paradigms" and "sensor networks".
Re:The 1980s called... (Score:5, Insightful)
Along the same lines as the above post.... What a waste of my taxes. I am getting fed up of hearing about cash going to dubious research projects. There are some big problems to be solved out there, for example reducing man's dependence on fossil fuels and reducing the damage they cause our planet. Why are we wasting cash on this dubious project?
Many PhD students will feed back what they learned into industry on graduation. It's called education, and it is not a waste of money even if Minix 3 is not the next best OS. Some things that come out of it will almost certainly be used.
Re:Oh gawd , not microkernels again *yawn* (Score:5, Insightful)
How many times is this old chestnut going to be tossed around?
MS tried a microkernel with NT and its HAL. It didn't really work very well. Most Unix variants don't even bother to try.
I think you are right at the moment. I am not sure that you will still be right when processors are 256-core or greater. I think that at some point the overhead of microkernels will be made up for by utilisation of greater parallelisation.
System security is only half the rent (Score:3, Insightful)
The other is user security. And you cannot solve that problem with technology.
The circle you have to square here is that the user/admin should be allowed and able to run his software, but at the same time he must not run harmful software. Now, how do you plan to implement that? Either he can run arbitrary software, then you cannot identify security risks before it is too late. Or he cannot run software that is a potential security risk and he is no longer the master, owner and root of his own machine.
Oh, you want a system where the user can generally do his work but has to ask for special privileges when he wants to install new software or change security critical settings? Where have I heard 'bout that before... hmmm...
Re:A very good question (Score:1, Insightful)
The problem with driver isolation is that it's a layering violation given most today's PC hardware.
A broker driver can crash/corrupt not just the device it's on but the complete machine.
Also, in my experience if the driver bug crashes the entire machine, it's more likely to be fixed.
Re:A self-repairing OS? (Score:5, Insightful)
No, but dividing things into smaller pieces makes it easier to fix those pieces in isolation. It's easier for a microkernel system to be self-healing because of that isolation.
This is not an amazing revelation. We've known about the idea of isolating changes since the invention of the sub-routine. The reason microkernels have always been relegated to second-best is that they require more context switching than a regular monolithic kernel. The tradeoff between "fast enough" and "reliable enough" has for some time now favoured "fast enough".
But that's changing -- people's computers are getting plenty fast. The 10-15% slowdown Tanenbaum claims for Minix3 is less of a drag than, say, an anti-virus program and could serve to more effectively prevent viruses into the bargain.
People who say microkernels are passe forget our industry is not set in stone. Priorities change and technologies change with them. In the last 10 years performance has become progressively less important than reducing bugs or speed of development. Microkernels have lots to offer in such a world.
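The isolation-and-restart loop this comment describes, as an added example in POSIX C. It is not MINIX code and not from the original thread: the parent process plays the reincarnation server, each request is handled in a forked child standing in for a driver, and a constructed fault model (the names `faulty_crash_request`, `faulty_hang_request`, `serve_isolated` and `supervise` are all assumptions of this example) makes request 3 crash and request 4 hang on their first attempt. A fresh child survives the replay, so the supervisor heals the failure without itself ever being at risk.

```c
/* Fault isolation and driver reincarnation, sketched in POSIX C.
 * Constructed example: the "driver" is a forked child; the "reincarnation
 * server" is the parent that watches it. Not MINIX code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed fault model (assumption of this example): request 3 crashes on
 * its first attempt, request 4 hangs on its first attempt. A freshly
 * restarted driver, with clean state, handles both on the replay. */
static const int faulty_crash_request = 3;
static const int faulty_hang_request  = 4;

/* The driver's work for one request. Runs only inside the child. */
static void driver_handle(int request, int attempt) {
    if (request == faulty_crash_request && attempt == 0)
        raise(SIGSEGV);                       /* simulated memory-safety bug */
    if (request == faulty_hang_request && attempt == 0)
        for (;;) pause();                     /* simulated deadlock */
    _exit(0);                                 /* request served */
}

typedef enum { SRV_OK, SRV_CRASHED, SRV_HUNG, SRV_FAILED } outcome_t;

/* Run one request in its own address space, under a deadline. A crash or a
 * hang in the child can neither corrupt nor block the supervisor; calling
 * driver_handle() directly in-process (the monolithic case) would take the
 * whole program down with the driver. */
static outcome_t serve_isolated(int request, int attempt, int timeout_ms) {
    pid_t pid = fork();
    if (pid < 0) return SRV_FAILED;
    if (pid == 0) driver_handle(request, attempt);   /* never returns */

    struct timespec tick = { 0, 5 * 1000 * 1000 };  /* 5 ms poll interval */
    int status = 0, waited_ms = 0;
    for (;;) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid) break;                    /* child finished */
        if (r < 0) return SRV_FAILED;
        if (waited_ms >= timeout_ms) {          /* deadline: kill and reap */
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);
            return SRV_HUNG;
        }
        nanosleep(&tick, NULL);
        waited_ms += 5;
    }
    if (WIFSIGNALED(status)) return SRV_CRASHED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return SRV_OK;
    return SRV_FAILED;
}

typedef struct { int served; int restarts; int gave_up; } stats_t;

/* Reincarnation loop: on a crash or hang, restart the driver with fresh
 * state and replay the request, at most max_restarts times per request. */
stats_t supervise(int n_requests, int max_restarts, int timeout_ms) {
    stats_t s = { 0, 0, 0 };
    for (int req = 0; req < n_requests; req++) {
        int attempt = 0;
        for (;;) {
            outcome_t o = serve_isolated(req, attempt, timeout_ms);
            if (o == SRV_OK) { s.served++; break; }
            if (attempt >= max_restarts) { s.gave_up++; break; }
            attempt++;
            s.restarts++;                       /* driver reincarnated */
        }
    }
    return s;
}

int main(void) {
    stats_t s = supervise(6, 3, 200);
    printf("served=%d restarts=%d gave_up=%d\n", s.served, s.restarts, s.gave_up);
    return s.gave_up == 0 ? 0 : 1;
}
```

Two caveats a practitioner would add. Restarting only heals faults whose state can be rebuilt; a driver that has already written corrupted blocks to disk is not fixed by a fresh process. And the replay policy belongs to the client side as well: an in-flight request lost with the crashed driver has to be retried by whoever sent it, which is why the supervisor above counts restarts per request rather than pretending the first attempt succeeded.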
What ideas? (Score:2, Insightful)
All I can see is some buzzwords and them waffling about microkernels - a 1970/80s concept if ever there was one which so far has proved less than impressive in the real world.
Re:Linux is obsolete (Score:3, Insightful)
Hahaha. I'm completely new to this debate (yeah, I know - what a n00b!). Has Tanenbaum ever withdrawn his arguments in the light of experience? Has he ever thrown up his hands and said "You know, I was just plain wrong. Mea culpa."?
No, why should he? Because Linux is more popular than Minix? I'd guess most people here should start sending mea culpas to Microsoft...
Re:Wait a second... (Score:2, Insightful)
more about creating something that, even if it might have implementation bugs today is fundamentally, conceptually more secure.
So they're dropping C?
Re:Tanenbaum? (Score:5, Insightful)
That's a rather ignorant viewpoint.
Tanenbaum argued for greater modularity and really that's no bad thing; his arguments were pretty solid theoretically. But as we all know, just as the most beautiful, maintainable, stable software designs are sacrificed in business for something that works now even if it has its flaws, Linux was available, easy to use and just worked the way people wanted. That didn't mean it was inherently better in theory, or that Tanenbaum is wrong, any more than it means Windows is a vastly superior OS to Linux and MacOS X simply because it has such a massively larger user base.
Basing your view on Tanenbaum's one comment towards Torvalds is also rather ignorant, throughout the discussion you're referring to, Tanenbaum was well composed and formed coherent arguments, whilst Torvalds at times acted like your average troll.
You see, the very fact Windows is far and away the most popular OS followed by MacOS X followed by Linux is evidence enough that popularity means nothing in terms of the actual quality of an OS, it merely shows which played the business game better.
Tanenbaum is worth listening to, his ideas and justifications included in that 17 year old discussion you mention aren't wrong even if his predictions on the future of computing were. This is a man who understands the theory of how to make a better OS more so than most people do, and yes possibly even more so than Torvalds. The problem is that he's a theoretical guy, so whilst his proposals may be better, they may not be practical at the time they're announced or he simply may not have the time to dedicate to proving their practicality. If they're not practical at the time he proposes them though that doesn't mean they'll never be practical as changes in computing architecture or even raw computing power may make them practical.
Hopefully he'll put this funding to good use and it'll help provide him the time and resources he needs to take his ideas beyond mere theory and he'll be able to backup his theories with actual working demonstrations rather than just arguments now. You can be a Torvalds fanboy all you want but Tanenbaum and Torvalds are two different people - Tanenbaum is someone who comes up with theoretical new concepts, Torvalds is someone who takes existing concepts and implements them well. Both have their strengths, but writing one or the other off is foolish when both have a lot to offer.
Re:Wait a second... (Score:5, Insightful)
Minix did get a reputation of being unstable some 20 years ago, but of course - much has happened since then.
The one thing that hasn't changed though is that Minix is still just a toy system that's meant to be poked at in schools and that nobody actually uses (yes I know about the 3 rabid Minix users, they probably run AmigaOS too).
Oh, wait, now it finally supports X11 (woohoo!). Wait, has it got a mouse driver too?
However Minix3 *does* feature support for "Over 650 UNIX programs [minix3.org]" (such as man, mkdir and ps). *650*! It's like 130 × 5! Think about it!
Granted, starting from a small scale system such as Minix is certainly simpler than with a much more mainstream OS such as one of the BSDs or Linux but even if anything comes out of the project, it won't ever gain even "niche" status. More people must be running Plan9 or Inferno.
The whole idea is utterly futile, except possibly if the code or the concepts can be reused with another system later on.
Re:Wait a second... (Score:2, Insightful)
Absolutely right. Security is a mindset. It's a mindset that says "How can I misuse this? How can this be abused?"
It's absolutely possible to write secure code in C. It might be easier to make a mistake in C as opposed to languages that have strict overflow checking and proper garbage collection as built-in feature, but you don't throw out the baby with the bathwater so to speak.
I'll say this, like I always say it: there is no magic bullet when it comes to security. Even an operating system written from the ground up around security like OpenBSD can be configured incorrectly. Even an operating system written from the ground up around security can have security bugs.
The only completely safe computer from a security standpoint is one that isn't plugged in and stored in a bank vault. With armed guards trained to shoot first and ask questions later. And security cameras. Surrounded by a moat. Filled with sharks with friggin' lasers attached to their heads.
Re:Wait a second... (Score:5, Insightful)
Dropping C... for what exactly? We're not talking application level security. We're talking kernel level. That means talking to the bare metal. Even if you implement a microkernel with userspace modules for everything, and with those modules written in something more robust than C, that last crucial bit of code that is the microkernel itself is probably going to end up being written in C with ASM snippets, simply because at some point you need to explicitly state what the hardware is doing.
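Since the argument here is that the microkernel and its message passing will still be C, the code that has to be written with the "how can this be misused?" mindset from the comment above is the boundary where a server accepts a message from a less trusted sender: a driver, or an attacker who has taken one over. The following is an added example, not MINIX's IPC format or any code from the project: a constructed 4-byte little-endian length-prefixed message (`msg_t`, `parse_msg_checked`, `parse_msg_unchecked` and the helpers are names chosen for this example), parsed once the way that trusts the sender and once with every length bounded by both the source buffer and the destination.

```c
/* Validating an IPC message from an untrusted sender, in C.
 * Constructed wire format (not MINIX's): 4-byte little-endian payload
 * length followed by the payload. Added example, not project code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSG_MAX_PAYLOAD 64

typedef struct {
    uint32_t len;
    uint8_t  payload[MSG_MAX_PAYLOAD];
} msg_t;

enum { MSG_OK = 0, MSG_ERR_SHORT = -1, MSG_ERR_TOOBIG = -2, MSG_ERR_TRUNC = -3 };

/* Alignment- and endianness-safe read of the length field. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: trusts the sender's length field. A buggy or compromised
 * driver sending len > MSG_MAX_PAYLOAD overflows out->payload, and a len
 * larger than what was actually received over-reads `wire`. Kept only for
 * contrast; nothing below calls it. */
int parse_msg_unchecked(const uint8_t *wire, size_t wire_len, msg_t *out) {
    (void)wire_len;                        /* the bug: this bound is ignored */
    out->len = load_le32(wire);
    memcpy(out->payload, wire + 4, out->len);
    return MSG_OK;
}

/* Hardened: the header must be complete, and the payload length is bounded
 * by the destination buffer and by the bytes really received. */
int parse_msg_checked(const uint8_t *wire, size_t wire_len, msg_t *out) {
    if (wire == NULL || out == NULL || wire_len < 4) return MSG_ERR_SHORT;
    uint32_t len = load_le32(wire);
    if (len > MSG_MAX_PAYLOAD) return MSG_ERR_TOOBIG;  /* destination bound */
    if (len > wire_len - 4) return MSG_ERR_TRUNC;      /* source bound; wire_len >= 4, no underflow */
    out->len = len;
    memcpy(out->payload, wire + 4, len);
    return MSG_OK;
}

/* Builds a message and lets the claimed length lie, as a hostile sender could. */
size_t build_msg(uint8_t *buf, size_t buf_len, uint32_t claimed_len,
                 const uint8_t *payload, size_t payload_len) {
    if (buf_len < 4 + payload_len) return 0;
    buf[0] = (uint8_t)claimed_len;         buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len >> 16); buf[3] = (uint8_t)(claimed_len >> 24);
    memcpy(buf + 4, payload, payload_len);
    return 4 + payload_len;
}

/* Parse a message whose header claims `claimed_len`, returning the verdict. */
int parse_claimed(uint32_t claimed_len, const uint8_t *payload, size_t payload_len) {
    uint8_t wire[4 + MSG_MAX_PAYLOAD];
    msg_t out;
    size_t n = build_msg(wire, sizeof wire, claimed_len, payload, payload_len);
    return parse_msg_checked(wire, n, &out);
}

/* Verdict for a raw buffer, without the caller having to manage a msg_t. */
int parse_wire_code(const uint8_t *wire, size_t wire_len) {
    msg_t out;
    return parse_msg_checked(wire, wire_len, &out);
}

/* Honest message round trip: returns the parsed length if the payload
 * survives intact, -1 otherwise. */
int roundtrip_len(const uint8_t *payload, size_t payload_len) {
    uint8_t wire[4 + MSG_MAX_PAYLOAD];
    msg_t out;
    size_t n = build_msg(wire, sizeof wire, (uint32_t)payload_len, payload, payload_len);
    if (parse_msg_checked(wire, n, &out) != MSG_OK) return -1;
    if (memcmp(out.payload, payload, payload_len) != 0) return -1;
    return (int)out.len;
}
```

The shape of the check matters more than the specific format: the length is compared against the destination before the source, the subtraction `wire_len - 4` is only reached after `wire_len < 4` has been rejected so it cannot wrap, and the function returns a distinct code for each way the message can be wrong so a server can log an over-long message from a driver as the security event it probably is. Building the unchecked variant with `-fsanitize=address` and feeding it the same over-long claim is the quickest way to see the overflow the hardened version refuses.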
Re:Wait a second... (Score:2, Insightful)
I thought Windows was secure. Why not use that? *cough* *cough*
I thought OpenBSD was secure. Why not use that?
I thought DOS was secure. Why not use that?
I thought stone tablets were secure. Why not use them?
Because none of these suggestions is compatible with my abacus.
Re:Wait a second... (Score:5, Insightful)
Yes, most developers moved to Linux and stopped writing that pesky, unstable software that anyone actually uses.
Keeping a kernel that is 10 years behind the leading edge in file systems or communications, especially by kicking it all out of the kernel and saying "Naah-naah-naah! Not my problem!!!!" is like having a very secure car that doesn't have a reverse gear, seats, or door handles. It certainly helps contribute to stability. But the associated software to handle USB, firewire, packet filtering, or network file systems just isn't up to speed.
Re:Wait a second... (Score:1, Insightful)
kthxbye
You used "lolspeak". Turn in your intelligent human card and don't let the door hit you in the ass on the way out.
Re:Wait a second... (Score:5, Insightful)
And with almost everything going to interpreter environments today (Python, Ruby, Java, .Net), there's a better argument that building a JIT as a kernel component and that the message passing overhead is less of an issue.
Let me get this right, after stating that the advantage of a microkernel lies in the much smaller size in LOCs, you just argued that adding JIT compiler to the microkernel itself is a good idea?
Part of the idea behind a microkernel is that you only need to prove correctness for a small amount of code. The other part is that, when you want to add features, you only need to prove the features you want work correctly. So, instead of proving that each driver works correctly (which, for most environments where this stuff really matters, only needs to be done for a "handful" of drivers), you just upped the ante and said "prove the whole JIT compiler works correctly". And the "message passing overhead" pales in comparison with a poorly-optimized JITC, which is what you get if you want to keep TLOC count low.
Re:What's the point? (Score:5, Insightful)
[citation needed]
All these years after the Tanenbaum-Torvalds debate Linus admitted his prof was right? You'd think that would have been in the news somewhere.
Re:Wait a second... (Score:3, Insightful)
Why Minix is supposedly better than Windows or Linux is because it has a Microkernel, so it is harder for anything to kill or confuse the Kernel
What runs on a microkernel? Services. And if you exploit a highly privileged service, you've exploited the whole system. Or what am I missing?
Re:Wait a second... (Score:2, Insightful)
And with almost everything going to interpreter environments today (Python, Ruby, Java, .Net), there's a better argument that building a JIT as a kernel component and that the message passing overhead is less of an issue.
Like how building a graphics subsystem into the kernel worked out so nice with Win95?
I mean, seriously. A compiler? In kernel?
Re:Wait a second... (Score:3, Insightful)
Anything else that compiles to native opcodes? It's not like C is the only magical language capable of talking to hardware.
C is obviously not magically endowed with some special abilities. But since that was an answer to someone who wanted to replace C with something more secure, the question is: "what language that is naturally more secure than C would you suggest, then?"
Besides the obvious practical question of "give me an actual language that's actually more secure than C", there's the more theoretical question of "what the hell does it mean for a language to be secure?" A programming language is only an abstraction on top of the capabilities of the underlying hardware. Either you're hiding some capabilities the hardware is capable of, or the most a language can do is hold your hand and help you steer clear of the pitfalls. You're safer, but you're not any more secure.
Re:Wait a second... (Score:5, Insightful)
That is not going to be your car for daily use. Minix probably isn't going to be your daily OS anytime soon either, but that's no reason not to spend research money on it. The IT industry could do with some more proper research instead of just reinventing the same wheels (but this time using XML and HTTP!) all the time.
Re:Wait a second... (Score:3, Insightful)
Of course, Tanenbaum is also partly responsible for the creation of Linux. Torvalds would regularly engage in heated debate regarding Minix's non-monolithic architecture.
I read those as they unfolded.
It's true that Tanenbaum is in part responsible for the creation of Linux. But only because at the time (I think it was available then) Minix was the only option on a PC and nobody wanted to run that. Tanenbaum failed at creating something decent so a better system was called for. Later on he may have whined for all he was worth, his system is still ignored (although I, and many others, read and appreciated his book, nobody cares about Minix, it's a toy).
I ran Linux on my own machine (I never could have afforded my own Unix machine before that) in 1994 for the first time (mostly to run TeX, oddly enough, long story), and it's been my desktop system since (except for the small gaming Windows partition I've kept on and off for I've never managed to get into consoles).
I did boot Minix several times but even compared to the very first Linux versions, it has always felt like a toy (I mean no X ? come on...). I did run a number of BSD systems though. I also ran an OS X laptop for a bit over a year but it was just Windows with a smiley face to me so it quickly became a paperweight. The Unix side had been perverted enough that it was completely unusable.
So I run Linux, a bit of BSD (and Windows games) and I'm happy that way. I even buy commercial Linux apps when I need them. To each his own of course, people get what suits them.
Re:OS fixes itself already (Score:3, Insightful)
30 seconds when you're sat on your ass in front of your PC.
Try power-cycling a weather satellite in 30 seconds.
Re:Tanenbaum? (Score:3, Insightful)
I agree, I suppose the kind of factors in terms of quality that Windows lacks vs. say Linux are those of security and stability, but Windows is also historically much stronger in terms of usability which is a measure of quality that matters more than any other to most end users - they just want to be able to use it, even if it's not perhaps all that secure.
I would argue, though, that from a more objective perspective, security, stability and modularity are more important factors when measuring overall quality; it's simply that most end users don't realise this until it comes back to bite them (i.e. they lose all their documents to a virus, or lose documents to a crash etc.).