MK++ A High Assurance Operating System Kernel Shai Guday David Black.


Page 1: MK++ A High Assurance Operating System Kernel Shai Guday David Black.

MK++ A High Assurance Operating System Kernel

Shai Guday, David Black

Page 2

MK++ Results

- MK++ is a complete reimplementation of the essential Mach abstractions for use in a B3 formal evaluation
  - A microkernel for TIS's TrustBase - B3 level assurance
  - Good performance as well as high assurance
- An "essential microkernel" with only those features and functions truly needed
- All B3 assurance requirements have been met
- High Assurance Software Engineering
  - Object Oriented Layering

Pages 3-8

Brief History of Software Engineering

Page 9

MK++ Internal Architecture

[Layer diagram; only the labels survive extraction.] Layers, as listed: Kernel Interface; Space Accounting; Processor Scheduling; Connection Management; Transfer Management; Memory Extent Management; Resident Memory Management; Clock/Device Services (Clock Mgmt, Device Mgmt). Groupings shown alongside the layers: Resource Management Objects; User AddrSpace; User PortNamespace; VM; Clocks and Devices; Tasks, Threads, Resources; PC.

Page 10

Object Decomposition

Page 11

Relationship Decomposition

Page 12

Benefits of Object Oriented Layering

- Lock Hierarchy based on Layer Hierarchy
  - MK++ is fully preemptible and multithreaded
- Simplified Initialization
  - Run constructors in order from lowest layer to highest layer
- Easy to determine what functionality is available at each layer
- Significant Layer Enforcement at Compile time
  - Compiler rejects circular inheritance
  - Header file discipline: don't include header files from higher layers
- ... in addition to improved code structure and assurance
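The "lock hierarchy based on layer hierarchy" point can be made concrete. The following is an added example, not MK++ code: it assumes a hypothetical layer numbering derived from the architecture slide (a higher number is a higher layer, with Kernel Interface on top) and the rule that a thread already holding a lock may only acquire locks of strictly lower layers. Under that rule the lock-acquisition graph is acyclic, so a lock-ordering deadlock cannot arise; the wrapper refuses an upward acquisition rather than blocking, and a debug build would assert at that point.

```cpp
#include <mutex>
#include <string>
#include <utility>
#include <vector>

// Hypothetical layer numbering (assumption, not from the talk): higher = higher layer.
enum Layer : int {
    ResidentMemory = 1, MemoryExtent = 2, Transfer = 3, Connection = 4,
    Scheduling = 5, SpaceAccounting = 6, KernelInterface = 7
};

// Per-thread record of the layers whose locks this thread currently holds (innermost last).
thread_local std::vector<int> g_held_layers;

// Layer rule: while holding a lock of layer L, only locks of strictly lower layers may be taken.
// Higher layers call down into lower ones, never up, so this mirrors the call structure.
bool layer_order_permits(int requested) {
    return g_held_layers.empty() || requested < g_held_layers.back();
}

class LayeredLock {
public:
    LayeredLock(int layer, std::string name) : layer_(layer), name_(std::move(name)) {}

    // Returns false (without acquiring) when the acquisition would violate the layer order.
    bool acquire() {
        if (!layer_order_permits(layer_)) return false;
        mtx_.lock();
        g_held_layers.push_back(layer_);
        return true;
    }

    // Locks are released innermost-first, so the innermost held layer is popped.
    void release() {
        g_held_layers.pop_back();
        mtx_.unlock();
    }

    int layer() const { return layer_; }
    const std::string& name() const { return name_; }

private:
    int layer_;
    std::string name_;
    std::mutex mtx_;
};

struct Scenario {
    bool downward_ok;      // KI -> Connection -> Transfer acquired in order
    bool upward_rejected;  // holding Transfer, an attempt on Connection is refused
};

// Constructed scenario: a request entering at the Kernel Interface layer calls down.
Scenario run_scenarios() {
    LayeredLock ki(KernelInterface, "kernel_interface");
    LayeredLock conn(Connection, "connection");
    LayeredLock xfer(Transfer, "transfer");
    Scenario s{};

    bool a = ki.acquire();
    bool b = conn.acquire();
    bool c = xfer.acquire();
    s.downward_ok = a && b && c;
    xfer.release();
    conn.release();
    ki.release();

    bool d = xfer.acquire();
    bool e = conn.acquire();   // upward: violates the layer order, must be rejected
    s.upward_rejected = d && !e;
    xfer.release();
    return s;
}
```

The check is deliberately a runtime one: the slide's compile-time enforcement covers include and inheritance structure, while lock order is a dynamic property that a debug build can only assert on.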

Page 13

A Few Words About Performance

- MK++ Performance is comparable to Mach
  - Even on highly optimized Mach code paths
  - Performance is more robust (no special case 'fast paths')
  - Kernel microbenchmarks (IPC, page fault, task create)
- Extensive use of inline methods
  - MK++ has lots of tiny methods, but most of them are inline
- Disciplined use of virtual methods
  - Layering forces attention to this
- C++ is not slow in the hands of competent software engineers!

Page 14

Sharper Tools

- Layer Verification Tool
  - Enforce Layering Architecture
- Covert Storage Channel Tool
  - Find all storage channels
  - But not timing channels
- Tools find many problems missed by people
- Incremental execution would be very useful
  - Hook tools into source control system
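The slide names a Layer Verification Tool without describing it. The following is an added example of the simplest form such a tool can take, not MK++'s tool: given a layer assignment per file and the source text, it extracts quoted local `#include` directives and reports every include that points from a lower layer to a higher one, which is exactly the header-file discipline from the earlier slide. The file names and layer numbers are constructed for the example.

```cpp
#include <map>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

struct SourceFile { std::string path; std::string text; };
struct Violation { std::string from; std::string to; int from_layer; int to_layer; };

// Extract the targets of quoted local includes ("foo.h") from one translation unit.
// System includes (<...>) are outside the layering rule and are ignored.
std::vector<std::string> local_includes(const std::string& text) {
    static const std::regex inc(R"re(^\s*#\s*include\s*"([^"]+)")re");
    std::vector<std::string> out;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::smatch m;
        if (std::regex_search(line, m, inc)) out.push_back(m[1].str());
    }
    return out;
}

// A file may include headers from its own layer or any lower layer; an include
// from a higher layer is a violation. Files with no layer assignment are skipped
// here (a real tool would report them as unclassified).
std::vector<Violation> check_layering(const std::vector<SourceFile>& files,
                                      const std::map<std::string, int>& layer_of) {
    std::vector<Violation> violations;
    for (const auto& f : files) {
        auto self = layer_of.find(f.path);
        if (self == layer_of.end()) continue;
        for (const auto& inc : local_includes(f.text)) {
            auto dep = layer_of.find(inc);
            if (dep == layer_of.end()) continue;
            if (dep->second > self->second)
                violations.push_back({f.path, inc, self->second, dep->second});
        }
    }
    return violations;
}

// Constructed sample tree: memory_extent.cc reaches up into connection.h.
std::vector<Violation> demo() {
    std::map<std::string, int> layers = {
        {"resident_memory.h", 1}, {"memory_extent.h", 2}, {"transfer.h", 3},
        {"connection.h", 4}, {"kernel_interface.h", 7},
        {"memory_extent.cc", 2}, {"transfer.cc", 3}
    };
    std::vector<SourceFile> files = {
        {"transfer.cc",
         "#include <cstdint>\n#include \"transfer.h\"\n#include \"memory_extent.h\"\n"},
        {"memory_extent.cc",
         "#include \"memory_extent.h\"\n#include \"resident_memory.h\"\n"
         "#include \"connection.h\"  // upward include: violation\n"},
    };
    return check_layering(files, layers);
}
```

Run over a whole tree at commit time, as the slide suggests with "hook tools into source control system", the check turns the layering rule into a gate rather than a review item.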

Page 15

Formal Methods

- Generated runtime assertions based on Formal Model
  - IPC subsystem invariant checks
- The Good News: Found 4 serious problems missed by development and review
- The Bad News: Missed at least one more
  - Kernel not exercised under all possible conditions
- Test coverage is not a new problem
  - Neither is it a solved problem
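To show what "runtime assertions based on a formal model" look like in practice, here is an added example, not MK++'s IPC code or its model: a deliberately simplified port with a message queue, a redundant message counter, one receive right and a set of send rights. The invariants a model would state (counter equals queue length, queue within its limit, every queued message's sender holds a send right, queued messages have a receiver) are written as one check run after each operation. A faulty operation that forgets the counter is included to show the kind of inconsistency such checks catch, and, per the slide's caveat, a check only fires on paths the tests actually exercise.

```cpp
#include <cstddef>
#include <deque>
#include <set>
#include <string>
#include <utility>

// Constructed, simplified port model (assumption: not MK++'s actual IPC structures).
struct Message { int sender_task; std::string payload; };

struct Port {
    std::deque<Message> queue;   // queued messages
    std::size_t msg_count = 0;   // redundant counter kept for O(1) accounting
    std::size_t queue_limit = 4;
    int receiver_task = -1;      // task holding the single receive right; -1 = none
    std::set<int> send_rights;   // tasks holding a send right on this port
};

// Invariants the formal model would state, spelled out as runtime checks.
// Returns the name of the first violated invariant, or "" when all hold.
std::string check_port_invariants(const Port& p) {
    if (p.msg_count != p.queue.size()) return "count_matches_queue";
    if (p.queue.size() > p.queue_limit) return "queue_within_limit";
    for (const auto& m : p.queue)
        if (!p.send_rights.count(m.sender_task)) return "sender_holds_send_right";
    if (p.receiver_task == -1 && !p.queue.empty()) return "queued_messages_have_receiver";
    return "";
}

// Operations that maintain the invariants.
bool enqueue(Port& p, int sender, std::string payload) {
    if (!p.send_rights.count(sender) || p.queue.size() >= p.queue_limit) return false;
    p.queue.push_back({sender, std::move(payload)});
    ++p.msg_count;
    return true;
}

bool dequeue(Port& p, Message& out) {
    if (p.queue.empty()) return false;
    out = p.queue.front();
    p.queue.pop_front();
    --p.msg_count;
    return true;
}

// Deliberately faulty variant: drops a message but leaves the counter stale.
void buggy_drop_front(Port& p) {
    if (!p.queue.empty()) p.queue.pop_front();   // msg_count not decremented
}

struct Outcome { std::string after_good_ops; std::string after_bug; };

// Constructed run: valid operations keep the invariants; the faulty one breaks them.
Outcome run_checks() {
    Port p;
    p.receiver_task = 1;
    p.send_rights = {2, 3};
    Outcome o;
    enqueue(p, 2, "hello");
    enqueue(p, 3, "world");
    Message m;
    dequeue(p, m);
    o.after_good_ops = check_port_invariants(p);
    buggy_drop_front(p);
    o.after_bug = check_port_invariants(p);
    return o;
}
```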

Page 16

Conclusion

- Assurance is only possible if software practitioners can reason about the software
  - High assurance analysis and design necessary for high assurance software
- Software engineering techniques exist for practical development of high assurance software
  - Complement of layering and object orientation support decomposition of complex system software, e.g. MK++ microkernel
- Need advances in the state of the art
  - Object interface design
  - Dependency decomposition and encapsulation
  - Assured design patterns (aka frameworks)
  - Framework composition rules