LWN: Comments on "Europe Funds Secure Operating System Research (PCWorld)" https://lwn.net/Articles/330433/ This is a special feed containing comments posted to the individual LWN article titled "Europe Funds Secure Operating System Research (PCWorld)". Mon, 20 Oct 2025 07:27:07 +0000

And they are factually wrong https://lwn.net/Articles/331364/ efexis <i>"Unfortunate choice of words"</i><br> <br> Haha no quite deliberate :-) Sun, 03 May 2009 04:10:50 +0000

Many reset buttons indeed https://lwn.net/Articles/331223/ man_ls Sounds quite reasonable. Sorry if I misunderstood you. Fri, 01 May 2009 20:33:43 +0000

Many reset buttons? https://lwn.net/Articles/331207/ marcH <div class="FormattedComment"> Automatically restarting sounds like the cherry on top of the cake. But even before automated restarts you have to make the fine-grained reset buttons available in the first place. The automation needs something to press on.<br> <p> Moreover I see value in manual fine-grained restarts for consumer (sysadmin-less) devices.<br> <p> </div> Fri, 01 May 2009 19:16:44 +0000

Many reset buttons? https://lwn.net/Articles/331133/ man_ls I was thinking more along the lines of an oops or a crash. But infinite loops are another interesting case. Unless you are using Linux (which, as we all know, does infinite loops in under 5 seconds) then it cannot be mathematically proven whether a loop is infinite. Fine. Still, you can use heuristics to infer if a system is working properly. E.g. unless the braking subsystem in the car is responding in under 10 ms then we are in trouble -- and it should be restarted. Real-time systems make that kind of guarantee, so they would not be out of line for a critical system. Fri, 01 May 2009 10:41:34 +0000

Many reset buttons?
https://lwn.net/Articles/331123/ riddochc <i>...and if the system knows they are failing...</i> <p><a href="http://en.wikipedia.org/wiki/Halting_problem">Halting Problem</a> :) Fri, 01 May 2009 09:06:32 +0000

Many reset buttons? https://lwn.net/Articles/331040/ man_ls <blockquote type="cite"> This research is basically about having one independent reset button per feature. </blockquote> From a previous Tanenbaum article, I thought that it was about the operating system automatically restarting those features which are malfunctioning? Otherwise I don't really see the usefulness... Your typical admin cannot be monitoring every feature on the server to restart those that fail, and if the system knows they are failing why not restart them itself? Thu, 30 Apr 2009 18:50:38 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330953/ marcH <div class="FormattedComment"> [Two answers in one]<br> <font class="QuotedText">&gt; That discussion about micro-kernel vs monolithic-kernel will end when MINIX or other micro-kernel based ends up in large production environments in real world, besides that, is just theory. </font><br> <p> It is for real, please read references.<br> <p> <font class="QuotedText">&gt; &gt; TVs don't have reset buttons. Stereos don't have reset buttons. Cars don't have reset buttons. </font><br> <font class="QuotedText">&gt; Not a very good argument IMHO.</font><br> <p> These were good examples before unreliable computers pervaded formerly reliable devices. This pervasion is happening probably because in many cases people prefer a lot of features with a big reset button rather than few features without one.<br> <p> This research is basically about having one independent reset button per feature. But maybe consumers are not interested/pushing enough for this to ever happen in non-professional products? 
Or maybe at least for cars? ("your CD player broke, please pull over immediately"...)<br> <p> </div> Thu, 30 Apr 2009 10:07:51 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330897/ plougher <div class="FormattedComment"> It's 40% at UK universities too (or at least it was 13+ years ago when I was doing research at a UK university).<br> <p> </div> Wed, 29 Apr 2009 22:46:18 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330714/ drag <div class="FormattedComment"> In the private sector, at least in the USA.. employees end up costing about 2x maybe even 3x as much as their real wages due to taxes, business overhead, benefits, and things like that.<br> <p> Humans are not cheap...<br> </div> Tue, 28 Apr 2009 23:39:38 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330706/ jordanb <div class="FormattedComment"> Yeah and "salary" is nearly always the professor "buying back" his time from the University.<br> </div> Tue, 28 Apr 2009 21:23:53 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330702/ drag <div class="FormattedComment"> Redundancy, redundancy, redundancy.<br> <p> Depending on the task at hand it's often quite possible to spread tasks across multiple computers or at least design your application for failover modes across multiple machines. <br> <p> I'll take a Linux cluster running on multiple commodity-based machines over a single machine running the best academic microkernel with the highest quality hardware any day of the week. <br> <p> If it's in a space station I'd like to see how Minix handles having a small asteroid punching a neat hole through the middle of the computer's mainboard. I don't want crash-proof.. I want shotgun-proof. 
:)<br> <p> -----------<br> <p> But I wish Minix all the success in the world. Maybe some of the stuff that gets discovered with this grant will end up helping out in systems that people will actually use someday.<br> </div> Tue, 28 Apr 2009 20:51:09 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330692/ JoeBuck I doubt if there'd be enough money to pay people that well. Don't know about the Dutch system, but at UC Berkeley university overhead was 40%, meaning that the university skimmed that much off the top before anything else. The remaining money would have to buy any needed equipment, travel expenses to conferences, benefits, insurance costs, the employers' share of taxes and so forth. By the time you start figuring out salaries you're down to about 1/3 of the money. Tue, 28 Apr 2009 20:08:52 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330656/ man_ls <blockquote type="cite"> TVs don't have reset buttons. Stereos don't have reset buttons. Cars don't have reset buttons. </blockquote> Not a very good argument IMHO. Mobile phones don't have reset buttons, and yet they hang all the time -- turning them on and off again (in true computer fashion) fails too often, to the point where the battery has to be taken off. <i>Reset buttons are good, people!</i> Taking a machine back to a known, predictable state is a computer advantage. Tue, 28 Apr 2009 18:24:52 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330588/ bandan <div class="FormattedComment"> It is free but not quite open. I wrote a simple IPSec suite for Minix3 around a year back as part of my school project. The Linux bug made me want to contribute back this code to Minix3. What happened later was a series of emails to people and to the google groups mailing list with no replies. 
No one has any idea who is working on what. Finally, I got a reply from Andy stating they were making big changes to the core network code and I should wait a while. I waited a while and then lost interest.<br> <p> Yes, it's a good research OS though.<br> </div> Tue, 28 Apr 2009 16:44:38 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330560/ leoc Linux <a href="http://www.xtreemos.org/press-room-1">already has been a recipient</a> of EU money for research. And that's just from a 1 minute google search. Tue, 28 Apr 2009 15:31:14 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330562/ trasz <div class="FormattedComment"> 4) There is no point to talk about security in case of a kernel that has about as many kernel holes as <br> Windows, and it cannot really be fixed due to organisational and architectural reasons.<br> <p> </div> Tue, 28 Apr 2009 15:28:38 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330547/ tjc <blockquote type="cite">I'm not entirely sure what needs researching, so if someone could enlighten me, I'd be truly grateful.</blockquote> These are all PDF files: <p><a rel="nofollow" href="http://www.minix3.org/doc/EDCC-2006.pdf">Construction of a Highly Dependable Operating System</a></p> <p><a rel="nofollow" href="http://www.minix3.org/doc/ACSAC-2006.pdf">Reorganizing UNIX for Reliability</a></p> <p><a rel="nofollow" href="http://www.minix3.org/doc/OSR-2006.pdf">MINIX 3: A Highly Reliable, Self-Repairing Operating System</a></p> <p><a rel="nofollow" href="http://www.minix3.org/doc/reliable-os.pdf">A Lightweight Method for Building Reliable Operating Systems Despite Unreliable Device Drivers</a></p> <p><a rel="nofollow" href="http://www.usenix.com/publications/login/2006-04/openpdfs/herder.pdf">Modular System Programming in MINIX 3</a></p> 
Tue, 28 Apr 2009 14:32:05 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330541/ cma >>I wish my taxes also fund development of non-research, shorter term free software. Ideally both have their place. >And by the way: http://www.cs.vu.nl/~ast/reliable-os/ Sure, as well other people want their taxes to fund other projects... That discussion about micro-kernel vs monolithic-kernel will end when MINIX or other micro-kernel based ends up in large production environments in real world, besides that, is just theory. Tell this why Google is using Linux kernel for its android backend or Nokia investing on Linux or even Alcatel on their network products where not too far ago, they were using micro-kernel based backends... IMHO, I think, based on today's perspective about how hard is to earn money, they should invest on *practical* and real *free/libre* production environments. - cma Tue, 28 Apr 2009 14:05:34 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330539/ donwaugaman <div class="FormattedComment"> But if the OS that your Erlang system is running on is unstable, your Erlang system, no matter how well engineered for reliability, is hosed.<br> <p> Or does Erlang manage to run even if the kernel panics? That would be an interesting trick. 
:-)<br> <p> </div> Tue, 28 Apr 2009 13:56:10 +0000

And they are factually wrong https://lwn.net/Articles/330535/ mrshiny <blockquote>My parents' car crashed once</blockquote> <p>Unfortunate choice of words :) I had to read the entire post to figure out that you weren't being facetious</p> Tue, 28 Apr 2009 13:11:01 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330528/ clugstj <div class="FormattedComment"> Linus (and Linux) will never be the recipient of a grant like this for at least these three reasons:<br> <p> 1) He doesn't have a Dr. in front of his name<br> 2) His software is used in the "real world"<br> 3) He committed the ultimate crime of moving to the USA<br> </div> Tue, 28 Apr 2009 12:41:58 +0000

And they are factually wrong https://lwn.net/Articles/330526/ efexis <i>"Cars don't have reset buttons"</i><br> <br> And don't we know it! My parents' car crashed once, that was annoying. They couldn't unlock the doors (central locking), open windows (electric), start the engine etc. Think they had to climb out through the back or something (people carrier rather than car, so wasn't too tough). They had to disconnect the battery to reset the system, then take it to the garage to get the logs looked at and the system patched. They were fortunate it didn't happen on motorway or something! Was still a pain though. 
Tue, 28 Apr 2009 12:25:11 +0000

And they are factually wrong https://lwn.net/Articles/330523/ tnoo <div class="FormattedComment"> <font class="QuotedText">&gt;&gt; TVs don't have reset buttons</font><br> <font class="QuotedText">&gt; Yes, they do.</font><br> <p> The Volkswagen beetle can be reset by locking/unlocking the doors with the<br> remote control about 5 times, and then wait a minute for the car to boot.<br> <p> <p> </div> Tue, 28 Apr 2009 11:38:59 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330516/ emk <div class="FormattedComment"> That's $130,000 per person per year, before subtracting university overhead, benefits, office space, and so on. In the US, a good rule of thumb is to divide by 2, giving $65,000 per person per year in salary. Probably more for the PI (Tanenbaum), and less for the research staff.<br> <p> I'm reasonably certain that most full-time, corporate-sponsored Linux kernel hackers make more than this.<br> <p> (Things might be slightly better at university with razor-thin overhead, but that's pretty rare.)<br> </div> Tue, 28 Apr 2009 10:18:02 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330509/ mjthayer <div class="FormattedComment"> Hear hear. 
Things like microkernel research are nice for, well, research purposes in order to test out all the implications of an idea (although QNX, my first encounter with microkernels, is very nice for other purposes too), but in the end, pragmatism is nice in the real world, rather than trying to push a single idea to its extreme.<br> </div> Tue, 28 Apr 2009 07:30:23 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330505/ NAR <div class="FormattedComment"> Well, Erlang already does this for about 15 years, probably in a telephony exchange system near to you. It's not an operating system, but it doesn't really use the operating system underneath for stability.<br> </div> Tue, 28 Apr 2009 06:49:18 +0000

And they are factually wrong https://lwn.net/Articles/330494/ khim <blockquote>TVs don't have reset buttons</blockquote> <p>Yes, they do.</p> <blockquote>Cars don't have reset buttons.</blockquote> <p>They don't but then they have no need: you can just disconnect the battery. I've certainly seen this often enough.</p> <p>Cars often have <b>several</b> systems - they are physically disconnected. One is used to drive the engine, another - to show the map to driver and do gazillion things. First one is quite reliable (it must be certified, etc), the second one... may be Linux-class. Sometimes even WindowsCE is used!</p> <p>Stereos are too simple to have an OS...</p> Tue, 28 Apr 2009 05:48:48 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330491/ Nick <div class="FormattedComment"> Hmm, US$ 3.3m for 5 people for 5 years? 
I'm working on the wrong kernel :)<br> <p> </div> Tue, 28 Apr 2009 05:03:06 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330489/ SEJeff <div class="FormattedComment"> Agreed, in a microkernel based OS, if the thread writing dirty pages to disk (like pdflush in linux) dies and has to be restarted chances are there will still be data loss. A microkernel just makes it more complex to implement and troubleshoot if anything.<br> <p> Also, with FUSE, CUSE, and libusb, many things in linux are starting to be abstracted out of the Linux kernel and more into userspace. The sweetspot (IMO) is a mix between a traditionally micro and monolithic kernel. That is where linux is heading.<br> </div> Tue, 28 Apr 2009 03:34:33 +0000

Minix 3 - the Raccoon is on the loose https://lwn.net/Articles/330487/ jzbiciak <div class="FormattedComment"> It may have come along later, though. As I recall, Linus bootstrapped his system from Minix (ie. cross-compiling, etc.), and even used Minix's filesystem as Linux's filesystem at first.<br> <p> Had there been no Minix, he would have needed to start from a different base OS. 386BSD (which later evolved into the FreeBSD/NetBSD/OpenBSD we know today) was also just getting started in that timeframe. Maybe he could have cross compiled with DJGPP or something, but... ew?<br> <p> I guess in any case he still had a GNU userland, so who knows, it may not have been much of a setback. Linux was self hosting pretty quick as I recall.<br> </div> Tue, 28 Apr 2009 03:27:13 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330485/ JoeBuck You're on a space station, and the life support system detects a malfunction in itself. Saying "OOPS", crashing, and waiting for the sysadmin to fix the problem might not be the best solution when the sysadmin is passing out for lack of oxygen. <p> On the other hand, having a system that's already corrupted to try to heal itself could be tricky and risky. Perhaps we should invest a bit in researching this problem. Tue, 28 Apr 2009 03:10:16 +0000

Minix 3 - the Raccoon is on the loose https://lwn.net/Articles/330479/ einstein <div class="FormattedComment"> <font class="QuotedText">&gt; I like to think that Linux would not exist if it weren't for Minix and AST's scholarly OS texts.</font><br> <p> Linux would in all likelihood be fine, much as it is today, because the fundamental design of linux was not taken from Tanenbaum, but from Maurice J Bach in "The design of the Unix Operating System" -<br> </div> Tue, 28 Apr 2009 01:51:28 +0000

Minix 3 - the Raccoon is on the loose https://lwn.net/Articles/330473/ pr1268 <p>Yes, it's free, albeit a <a title="Minix 3 License" href="http://www.minix3.org/license.html">BSD-style license</a>.</p> <p>Yet, I gather (from interviews, the Minix 3 <a title="Minix 3" href="http://www.minix3.org">Web page</a>, and such) that Minix is <i>still</i> geared more for academic purposes and less for Andrew Tanenbaum's commercial gain<sup>1</sup>. Not that I'm complaining, though; I like to think that Linux would not exist if it weren't for Minix and AST's scholarly OS texts.</p> <p><sup>1</sup> Er, Minix 3 appears substantially more commercial distribution-friendly than its predecessors, according to the <a title="Minix 3 FAQ" href="http://www.minix3.org/doc/faq.html">FAQ page</a>.</p> Tue, 28 Apr 2009 01:16:45 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330467/ MisterIO <div class="FormattedComment"> I guess the main point of Minix is that most of the system is implemented through separate processes, which, in case of malfunction, can be restarted by the controller process. 
Now maybe the point is : If something is known to be malfunctioning, is it really a good idea to restart it? Or is it better to signal the malfunction(OOPS) and stop working(or going on if it's not serious)? In the end, even if you center your point of view on reliability, the main technical point remains : Microkernel or Not?<br> Anyway, I don't know of any real world example where Minix3 was chosen instead of Linux.<br> </div> Tue, 28 Apr 2009 00:19:11 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330459/ jordanb <div class="FormattedComment"> Interestingly those devices (at least Cars) already have sophisticated but very robust software in them, including RTOSes, using things like Ada and MISRA-C. <br> <p> I'm tangentially interested in High Integrity software and I don't recall seeing Dr Tanenbaum's name come up. I'm also not sure that's really a ripe area for "blue sky" research, particularly when talking about operating systems. The real areas of research focus in High Integrity software has to do with better ways to annotate and statically check (and prove) code, both to be more reliable and reduce the cost of the verification process.<br> </div> Mon, 27 Apr 2009 23:23:06 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330458/ tialaramex <div class="FormattedComment"> I think this work is centred on what you'd perhaps call "reliability" or even "availability" rather than "security". Not everyone when using the word security, thinks of Orange Book and guys in black hats.<br> <p> But it has security (in the sense you mean) implications too. 
My front door lock doesn't have a reset button either.<br> </div> Mon, 27 Apr 2009 23:06:24 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330453/ jd <div class="FormattedComment"> I'm not entirely sure what needs researching, so if someone could enlighten me, I'd be truly grateful.<br> <p> We already know that security kernels (kernels within the OS kernel that do nothing but security) are fundamental to being able to achieve verifiable security.<br> <p> We also know, from current experience with Linux and everything learned from the era of B-class Orange Book OS' like Trusted Solaris and Trusted Irix, the drawbacks and benefits of a fairly wide range of security models at the host level. Ok, not every possible model, and there is probably some excellent work yet to be done there, but I don't see it being five years worth.<br> <p> Finally, we know from the current experience with OpenBSD, what can be realistically achieved through software audits alone.<br> <p> Ok, yes, there's not a lot of work in secure clustered OS' and the migration of security labels across, say, MOSIX- or Beowulf-type clusters, but Minix would not seem to fit into that arena at this time, as best as I can understand it. So what is being researched?<br> <p> </div> Mon, 27 Apr 2009 22:36:37 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330451/ marcH <div class="FormattedComment"> <font class="QuotedText">&gt; Too bad...I think they should be funding something open-source projects like open-office, etc. Something that is being a real-world experiment like linux kernel... </font><br> <p> "Research" grants are geared towards long term projects fundamentally departing from existing solutions. 
Some research projects can be based on "real-world" software like Linux; but some others simply cannot.<br> <p> I wish my taxes also fund development of non-research, shorter term free software. Ideally both have their place.<br> <p> And by the way: <a href="http://www.cs.vu.nl/~ast/reliable-os/">http://www.cs.vu.nl/~ast/reliable-os/</a><br> <font class="QuotedText">&gt; MINIX 3 and AST's research generally is **NOT** about microkernels. It is about building highly reliable, self-healing, operating systems. [...] TVs don't have reset buttons. Stereos don't have reset buttons. Cars don't have reset buttons.</font><br> <p> </div> Mon, 27 Apr 2009 22:36:00 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330447/ epa <div class="FormattedComment"> Minix 3 is quite different from Minix 2 (which I remember hacking on for a university project)... check the website. And yes, it is free software.<br> </div> Mon, 27 Apr 2009 22:02:35 +0000

Europe Funds Secure Operating System Research (PCWorld) https://lwn.net/Articles/330441/ cma Too bad...I think they should be funding something open-source projects like open-office, etc. Something that is being a real-world experiment like linux kernel... Mon, 27 Apr 2009 21:35:31 +0000