Notes on Tanenbaum’s Can We Make Operating Systems Reliable and Secure?

In the introductory paragraph he says that many researchers regard security as more important than performance. I think that only the end user has standing in this area. I wish it were otherwise. I don’t know when users will begin to consider reliability and security in purchase decisions.

I agree that the operating system is the critical component in improving security.

“Bug fixes frequently introduce new bugs.” Indeed. There are at least two varieties to this phenomenon:

“Operating systems do not have this kind of isolation between components.” Well, some do, or did—just not commercially available ones. I would judge the Plessey 250 to be such a system. It is no longer available.

Tanenbaum concentrates on the driver problem; Keykos does not. Keykos did not run on platforms that needed to support many kernel device drivers. (The 370 channel architecture removed device logic from the kernel for Keykos and other operating systems.) The personal computer does. I like his description of “Nooks”. I would attempt more draconian limitations on the drivers, such as user mode with limited emulation of privileged ops. This is one of the points where Tanenbaum’s goals fall short of protection from malicious drivers, as he admitted at the beginning.

“Of course, the Linux kernel itself had to be modified to achieve paravirtualization, but this is a one-time change, and it is not necessary to repeat it for each device driver.” I do not see that device drivers are immune to the need of paravirtualization. For a full virtual machine neither drivers nor any other part of the kernel need be modified.

There are several interesting ideas presented here. I see no protection here against malfeasance through IPC. By this I mean bad code wiping out the disk by sending a message to the disk driver asking it to do so. Some precursors to capability systems neglected to make the calling of another protection domain available only via a capability. Mischievous messages can do as much damage as mischievous stores!

The information on Microsoft’s Singularity is new to me. It might achieve its goals but much of the problem with Windows is its design, not its implementation. The game of Solitaire should be unable to erase all of my files!
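The two complaints above, that a message to the disk driver can be as destructive as a wild store, and that Solitaire should be unable to erase every file, are the same design point: the right to invoke a protection domain must itself be a piece of authority. The following is an added toy model, not code from the paper, from Keykos, Minix or Singularity; the kernels, the driver, the process names and the message vocabulary are all hypothetical. It contrasts a kernel where servers are reached by well-known name with one where a send requires an unforgeable capability in the sender's c-list, and shows the further benefit of attenuation: the game can be handed a read-only view of the disk rather than the driver itself.

```python
"""Toy model of IPC authority: ambient naming vs. capability-gated invocation.

Constructed example; not code from the page, Keykos, Minix or Singularity.
AmbientKernel, CapabilityKernel, DiskDriver, ReadOnlyDisk and the process
names ("filesystem", "solitaire") are hypothetical.
"""
import secrets


class Denied(Exception):
    """Raised when a sender invokes a domain it holds no capability for."""


class DiskDriver:
    """Stands in for a disk-driver server domain; accepts two message kinds."""

    def __init__(self, blocks):
        self.blocks = dict(blocks)

    def handle(self, msg):
        if msg == "erase_all":
            self.blocks.clear()
            return "erased"
        if msg.startswith("read:"):
            return self.blocks.get(msg[len("read:"):])
        raise ValueError("unknown message %r" % msg)


class ReadOnlyDisk:
    """Attenuating proxy: forwards reads to the real driver, refuses all else."""

    def __init__(self, target):
        self._target = target

    def handle(self, msg):
        if not msg.startswith("read:"):
            raise Denied("read-only capability cannot carry %r" % msg)
        return self._target.handle(msg)


class AmbientKernel:
    """Servers are addressed by well-known name; any process may send anything."""

    def __init__(self):
        self.servers = {}

    def register(self, name, server):
        self.servers[name] = server

    def send(self, sender, name, msg):
        # The sender is recorded but never checked: this is ambient authority.
        return self.servers[name].handle(msg)


class CapabilityKernel:
    """A domain is reachable only through a kernel-issued capability held in
    the sender's c-list; possession is checked on every send."""

    def __init__(self):
        self._objects = {}   # capability -> server object (kernel-private)
        self._clists = {}    # process -> set of capabilities it holds

    def mint(self, server, holder):
        cap = secrets.token_hex(16)        # unguessable token, issued by the kernel
        self._objects[cap] = server
        self._clists.setdefault(holder, set()).add(cap)
        return cap

    def grant(self, giver, cap, receiver):
        # Delegation is explicit: a process can only pass on what it holds.
        if cap not in self._clists.get(giver, ()):
            raise Denied("%s does not hold that capability" % giver)
        self._clists.setdefault(receiver, set()).add(cap)

    def send(self, sender, cap, msg):
        # Knowing the token's value is not enough; it must be in the sender's c-list.
        if cap not in self._clists.get(sender, ()):
            raise Denied("%s may not invoke this domain" % sender)
        return self._objects[cap].handle(msg)


SAMPLE_BLOCKS = {"0": b"boot", "1": b"thesis.tex"}   # constructed disk contents


def ambient_scenario():
    """With name-based IPC the game only needs the driver's name to wipe the disk."""
    k = AmbientKernel()
    disk = DiskDriver(SAMPLE_BLOCKS)
    k.register("disk", disk)
    k.send("solitaire", "disk", "erase_all")
    return len(disk.blocks)          # 0: every block is gone


def capability_scenario():
    """The game holds only an attenuated read capability; erasing is refused
    both without a capability and through the read-only one."""
    k = CapabilityKernel()
    disk = DiskDriver(SAMPLE_BLOCKS)
    full_cap = k.mint(disk, "filesystem")             # held by a trusted domain only
    ro_cap = k.mint(ReadOnlyDisk(disk), "filesystem")
    k.grant("filesystem", ro_cap, "solitaire")         # least privilege: reads only

    outcomes = {}
    try:                                               # token value without possession
        k.send("solitaire", full_cap, "erase_all")
        outcomes["direct"] = "erased"
    except Denied:
        outcomes["direct"] = "denied"
    try:                                               # legitimately held, but attenuated
        k.send("solitaire", ro_cap, "erase_all")
        outcomes["via_readonly"] = "erased"
    except Denied:
        outcomes["via_readonly"] = "denied"
    outcomes["read"] = k.send("solitaire", ro_cap, "read:1")
    outcomes["blocks_left"] = len(disk.blocks)
    return outcomes
```

The kernel, not the server, enforces the check, so the disk driver itself never has to reason about who is calling; and because capabilities are kernel-tracked per process rather than bearer secrets, a token's value leaking to the wrong domain confers nothing. Attenuation through the proxy is what lets a low-trust program be given exactly the access it needs.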