@krocz | hello everybody |
---|---|
@krocz | our following participant is Marcus Brinkmann |
@krocz | he is an active participant in the free software communities |
@krocz | and he is one of the HURD developers and other GNU projects |
@krocz | I leave you with Marcus Brinkmann |
@krocz | Marcus, the channel is yours |
@marcus | Thanks, krocz |
@marcus | The GNU/Hurd |
@marcus | That's the name of the GNU operating system kernel, which was started in the early 90s as a replacement for the Unix kernel. Linux wasn't at the horizon at that time. |
@marcus | At that time, Unix was considered dated, and Microkernels were all the rage. |
@marcus | The climate was such that if you wanted to get grants for research projects, one way to get them was to write "microkernel" somewhere in the topic. |
@marcus | One of the most important microkernels of the first generation (as we call it) was the Mach microkernel, a university project. |
@marcus | It did not offer the traditional features of a Unix kernel. There was no filesystem, no network stack, no user ids. |
@marcus | Instead, it only offered what was considered to be the bare essentials of an operating system, on top of which everything else could be implemented by servers, user space daemons. |
@marcus | To prove the concept, a Unix server was written for Mach. |
@marcus | In the meantime, GNU was looking for a kernel to run the GNU tools on. |
@marcus | Instead of reengineering a Unix kernel, a decision was made to try the microkernel concept, and try to leverage the basic design by splitting up the functionality of the kernel into many different servers. |
@marcus | These servers run in parallel, and communicate with each other. |
@marcus | An example would be the authentication server, which implements user credentials, and the filesystem, which implements files and directories. |
@marcus | The filesystem uses the authentication server to verify the user IDs of its clients. |
@marcus | The purpose of splitting up the system services into many different servers was not only to increase robustness, maintainability and other consequences of modularity. |
@marcus | The purpose was also to allow users to ignore certain system services, or replace them with their own services. |
@marcus | For example, a user can run their own filesystems. |
@marcus | One hope was that this would lead to incremental improvements in the operating system, by having users add new services, just like applications. |
@marcus | So, where do we stand today? |
@marcus | We have a working implementation of the Hurd on Mach. |
@marcus | However, it is not widely used, and there are only few developers. |
@marcus | The interesting question is: why is that so? |
@marcus | Let me offer conventional wisdom: |
@marcus | "Operating system research is dead." |
@marcus | That's what you can read on slashdot, for example. |
@marcus | Is this actually true? |
@marcus | Well, one can certainly look at the amount of operating system research that is funded (and thus the amount that is happening), and conclude that there is not much going on. |
@marcus | So, in some sense, the claim is correct. |
@marcus | However, the claim is usually followed up by a strange assertion. |
@marcus | It is said that OS research is "dead" because existing operating systems are "good enough". |
@marcus | This is however profoundly incorrect. |
@marcus | The defects of today's operating systems are glaringly obvious, and the only reason we are kidding ourselves is because we have accepted the traditional frame of reference, and are putting a lot of work into patch-work. |
@marcus | Two examples. |
@marcus | First, security. |
@marcus | Does anybody need a reminder of the insecurities in Windows? :) |
@marcus | Certainly not. We are all painfully aware of them. Even the newspapers are full of reports on the latest viruses and worms. They are creating immense damage. |
@marcus | However, we should not forget that what we see is only the tip of the iceberg. |
@marcus | Malicious crackers all over the world are picking low hanging fruit today. They don't even need to put a serious effort into cracking systems, and yet they have tremendous success (and easily earn a million dollars a week). |
@marcus | We like to feel safer on GNU/Linux systems, and other Unix-like systems. |
@marcus | The question is, however, why. |
@marcus | Let's remind ourselves that the first internet worm that caused serious problems was a worm exploiting a bug in Emacs. |
@marcus | I don't think Windows even existed at that time ;) |
@marcus | I just checked. On my system, I have 8.8GB of software installed. |
@marcus | I have no reason to trust 8.799 GB of that. |
@marcus | I don't have the latest figure for the Linux source code tree size. It's dozens of MB. |
@marcus | Most of that is drivers, but some of those drivers are those for your hardware, too. |
@marcus | The Unix security model and implementation is slightly better than Windows, but in the grand scheme of things, there is not much difference. |
@marcus | For example, once a Unix system is penetrated, it is deeply penetrated. Your browser has access to all your files. |
@marcus | Another example is the single point of failure named root. |
@marcus | So, let's assume that Windows is eradicated from the world, and 95% use GNU/Linux. |
@marcus | Then we will see how insecure GNU/Linux really is :) |
@marcus | Or Mozilla. |
@marcus | Or OpenOffice. |
@marcus | In a more secure system, a bug in the browser would not leak your gnupg keys to the world. |
@marcus | Or malicious code in your video codec would not have the ability to sniff for passwords and send them to a remote ftp site. |
@marcus | One problem is that the Unix permission model is based on access control lists. |
@marcus | ACLs are proven mathematically to not provide the necessary isolation between components, essentially because all your programs run with the same user ID. |
@marcus | A different type of permission control is provided by a capability system. |
@marcus | In such a system, permissions would be fine-grained and selectively delegated. |
@marcus | The Hurd, because it is based on Mach, uses a capability system. |
@marcus | However, currently, it does not really leverage this for permission control. |
@marcus | This is because the Hurd uses the auth server, which provides Unix user IDs as a service, and then servers use the user ID check and not the capability check in some places. |
@marcus | In some places, we do use capabilities, but it is not done very thoroughly, from ground up. The implementation is a bit careless in that regard. |
@marcus | I promised another example where operating systems today fail. |
@marcus | This example is quality of service control. |
@marcus | Try to watch a DVD, then run find / or grep in an xterm, and you will immediately know what I mean. |
@marcus | We have all experienced stuttering sound and skipping frames. |
@marcus | The reason is that the operating system can not properly schedule the resources (for whatever reason). |
@marcus | To fix this is a daunting task. |
@marcus | There are brave people trying to make Linux more soft-real-time capable, for example for audio processing. They have some success, but they also have an uphill battle. |
@marcus | Now, let's take a look at the initial question. |
@marcus | Is operating system research dead? |
@marcus | Is it unnecessary? |
@marcus | What's the purpose of an operating system? |
@marcus | It's this: |
@marcus | The operating system tries to allow _secure_ and _efficient_ sharing of common resources. |
@marcus | This means that isolated components should stay isolated, but still use the same hardware. |
@marcus | This is an incredibly hard problem. |
@marcus | Being secure alone is not too difficult. Complete isolation provides high security. |
@marcus | Being efficient is not too difficult if only one program (alone) uses the hardware. |
@marcus | Put both together, and we are in an area where the really hard problems are not only not solved, but we are still at the beginning of trying to solve them. |
@marcus | I should say a few words on Hurd performance. |
@marcus | It's not so good :) |
@marcus | And the reason is basically the same as why you get skipped frames on Linux if you run two bandwidth intensive programs. |
@marcus | It's because the resource scheduling sucks. |
@marcus | In the Hurd the problem is just much more visible, and exposed. |
@marcus | Neal and I have been in the process of reevaluating the Hurd, and have identified these two areas, security and quality of service, as the big challenge. |
@marcus | I should now say a few words on how we want to address them. |
@marcus | First, security. |
@marcus | The capability approach is the right one. Or let's say it like this: |
@marcus | It's the only one we know that works. |
@marcus | In fact, we have mathematical results about the correctness of the underlying model. |
@marcus | The problem is that user IDs combine too much permission. |
@marcus | OTOH, we need a way to save all permissions of a user across reboots. |
@marcus | We are considering making the system globally, transparently persistent. |
@marcus | This means that the system never shuts down. |
@marcus | It just hibernates. |
@marcus | This has a couple of nice consequences, one of which is that we can actually save the capabilities directly to disk, instead of reconstructing a user's permissions from their user ID and the filesystem. |
@marcus | We will explore how much of POSIX can be reused in an environment where user IDs are not a global concept anymore. |
@marcus | Our expectation is that the answer will be: "most of it (POSIX)" |
@marcus | We have a model of a persistent capability system. It's EROS (www.eros-os.org) |
@marcus | EROS stands for Extremely Reliable Operating System, and that's what it is. |
@marcus | It's a free-software implementation of KeyKOS, which was built with military-grade security in mind. |
@marcus | In fact, although there are some challenges in the microkernel design related to this, this is mostly an application level design problem. |
@marcus | (of course the basic services are also affected) |
@marcus | The second issue is resource management and quality of services. |
@marcus | And this is where I have to become speculative. |
@marcus | Neal wants to give every process fine-grained control over the direct physical resources. |
@marcus | Because this is where most of the information is, directly in the application, on how the resource is used. |
@marcus | We don't go so far as Exokernels, in that we want to remove all abstractions. |
@marcus | Some abstractions are very helpful. |
@marcus | But we would like to put the application in control of, for example, paging decisions. |
@marcus | The problem here is separating policy from mechanism. |
@marcus | The paging mechanism needs, for security reasons, to be in the trusted computing base. But the paging policy (which page to evict next) should be in the application. |
@marcus | This is a big challenge, and Neal will research this issue. |
@marcus | A couple of notes on the microkernel debate. |
@marcus | We are looking at microkernels of the second generation (L4, EROS, Coyotos). |
@marcus | These are very much different from Mach. |
@marcus | So all negative points you can or want to make about Mach, don't apply :) |
@marcus | Or rather, you will have to evaluate the new kernels to verify if they apply or not. |
@marcus | Today, we know how to write efficient microkernels. |
@marcus | But we don't yet fully know if we can write efficient general purpose large-scale operating systems on top of those microkernels. |
@marcus | So, there is a risk involved in all of this. Maybe the whole approach is futile. |
@marcus | But I hope that you can see how the search for a better way itself is not futile. |
@marcus | We are all using an operating system from the 70s. |
@marcus | The reason we still can is that we have sufficient free room: We are not heavily under attack, because the main attacks go to Windows users. And if we have special performance needs, we just customize the system. |
@marcus | (For example by recompiling the kernel) |
@marcus | For example, there are several dozen schedulers for Linux, and even a module to replace the scheduler at run time. |
@marcus | However, the engineering effort that goes into these customized solutions is very big, and an approach which would lend itself to easier maintainability, customizability, etc, would be very much welcomed by many. |
@marcus | I think we can go to the Q&A now :) - continue in #qc - |
@krocz | thanks Marcus for this talk |
@krocz | and |
@krocz | the discussion follows in #qc |
@krocz | thanks to everybody |
@marcus | thanks to everybody for listening! |
@marcus | and thanks to the organizers for having me |