Security, Reliability, and the OS

Ralph Shumaker rafazap at cwnet.com
Tue Feb 1 02:07:06 PST 2005


Tracy R Reed wrote:

>I don't know if this will catch on or not but it is a very interesting
>project. The goal is to make an extremely reliable and provably secure
>operating system. I have not yet downloaded and played with it yet but
>they seem to have a very good start. The OS started out as KeyKOS:
>
>http://www.cis.upenn.edu/~KeyKOS/

This stuff is really cool.  (I haven't even gotten to the other links 
below.)
Here's an excerpt from <http://www.cis.upenn.edu/~KeyKOS/Checkpoint.html>:


  8. Practical experience

KeyKOS has been in production use since 1983. Because the KeyKOS 
checkpoint/restart mechanism introduces a significant departure from the 
traditional reliability paradigm, it is worth examining the experience 
gained in using the system over this period.

KeyKOS systems have run for periods of as long as three years. Processes 
have existed and run over that entire period, through power outages, 
hardware failures, and software failures.

Key Logic developed a prototype UNIX-compatible system implemented on 
top of KeyKOS. At UNIFORUM '90, we demonstrated this system by literally 
pulling the plug on the computer at random. Within 30 seconds of power 
restoration, the system had resumed processing, complete with all 
windows and state that had been on the display. We are aware of no other 
UNIX implementation with this feature today.

(The page info says "modified:  98-06-29".)


>Then came EROS:
>
>http://www.eros-os.org/
>
>And now they are working on Coyotos:
>
>http://www.coyotos.org
>
>There are really three remarkable things about this: 
>
>1.  These are capability-based operating systems. This is a much
>better security model based on least privilege than Unix uses. It is
>designed such that side effects (buffer overflows) can be logically ruled
>out, code proven, and a trusted computing base can be established.
>
>2. They are creating a new language (I know, I hate it when people do
>this, but they may have a good reason in this case) with strictly
>formalized semantics to allow provable code which should result in far
>fewer defects than any previous systems programming language.
>
>3. KeyKOS and EROS were "persistent" operating systems. They have removed
>this feature from Coyotos but I am hoping they put it back. This means that
>memory is really just a cache for disk and the whole thing is treated as
>one big address space which has synchronization points and a form of
>journalling. This means the entire state of the system is regularly saved
>to disk and if the system crashes you can resume from where you left off.
>It is similar to hibernation for laptops except it is happening all the
>time so if you just pull the power or the system crashes you don't lose
>all of your work. You could theoretically save the system, pull the drive,
>put it into a different (perhaps upgraded or repaired or backup system)
>and pick up where you left off. 
>
>I love the story in the link below about their little competition with
>Novell.
>
>Here is a more detailed explanation:
>
>http://www.eros-os.org/project/novelty.html
>

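The checkpoint/restart idea in the KeyKOS excerpt and in point 3 above, as an added toy model that is not code from this thread or from KeyKOS/EROS/Coyotos; the `Checkpointer` class, the `state.json` file name and the simulated work are invented here to show why a checkpoint must be written atomically for "pull the plug at random" to be survivable:

```python
"""Toy model of checkpoint/restart: the whole application state is
written to disk after every unit of work, so that after a crash or
power loss execution resumes from the last completed checkpoint.
Hypothetical illustration only, not KeyKOS code."""
import json
import os
import tempfile


class Checkpointer:
    def __init__(self, path: str):
        self.path = path            # hypothetical checkpoint file name
        self.tmp = path + ".tmp"    # scratch file for the in-progress write

    def checkpoint(self, state: dict) -> None:
        # Write to a scratch file, force it to stable storage, then rename it
        # over the previous checkpoint. A power loss at any instant leaves
        # either the old complete checkpoint or the new one, never a torn file.
        with open(self.tmp, "w") as f:
            json.dump(state, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(self.tmp, self.path)

    def restore(self) -> dict:
        # Resume from the last completed checkpoint; a half-written .tmp
        # file from an interrupted checkpoint is simply ignored.
        try:
            with open(self.path) as f:
                return json.load(f)
        except FileNotFoundError:
            return {"step": 0, "log": []}   # fresh system, nothing to resume


def simulate_crash_then_restart(steps: int, crash_at: int) -> dict:
    """Do `steps` units of constructed work, checkpointing after each one;
    lose power while the checkpoint for step `crash_at` is half-written,
    then "restore power" and return the state the restarted system sees."""
    cp = Checkpointer(os.path.join(tempfile.mkdtemp(), "state.json"))
    state = cp.restore()
    for step in range(1, steps + 1):
        state["step"] = step
        state["log"].append(f"did work {step}")    # constructed sample work
        if step == crash_at:
            with open(cp.tmp, "w") as f:            # torn write, then crash
                f.write('{"step": %d, "lo' % step)
            break
        cp.checkpoint(state)
    return Checkpointer(cp.path).restore()         # restart after power-up
```

Work done after the last completed checkpoint (step 3 in the crash case) is lost, which is exactly the window that frequent synchronization points shrink.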


More information about the KPLUG-List mailing list