MK++: A High Assurance Operating System Kernel
Shai Guday, David Black
MK++ Results
- MK++ is a complete reimplementation of the essential Mach abstractions for use in a B3 formal evaluation
- A microkernel for TIS's (Trusted Information Systems') TrustBase, targeting TCSEC B3 level assurance
- Good performance as well as high assurance
- An "essential microkernel" with only those features and functions truly needed
- All B3 assurance requirements have been met
High Assurance Software Engineering: Object Oriented Layering
Brief History of Software Engineering
(series of build-up slides; diagram content not captured in the transcript)
MK++ Internal Architecture
Layers, listed top to bottom as drawn on the slide:
- Resource Management Objects
- Kernel Interface
- Space Accounting
- Processor Scheduling
- Connection Management
- Transfer Management
- Memory Extent Management
- Resident Memory Management
- Clock/Device Services (Clock Mgmt, Device Mgmt)
Abstractions annotated alongside the layer diagram: User AddrSpace, User PortNamespace, VM, Clocks and Devices, Tasks, Threads, Resources, PC
Object Decomposition
Relationship Decomposition
Benefits of Object Oriented Layering
- Lock hierarchy based on layer hierarchy: MK++ is fully preemptible and multithreaded, so locks need a fixed acquisition order, and the layer order supplies it
- Simplified initialization: run constructors in order from lowest layer to highest layer
- Easy to determine what functionality is available at each layer
- Significant layer enforcement at compile time: the compiler rejects circular inheritance, and header file discipline forbids including header files from higher layers
- ... in addition to improved code structure and assurance
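The lock-order rule that a layer hierarchy gives a preemptible, multithreaded kernel can be checked at runtime. The following is an added example written for this page, not MK++ code: the layer numbers, class names and the rule that a thread holding a lock at layer N may only acquire locks at strictly lower layers are assumptions chosen to illustrate the idea. Calls flow downward through the layers, so lock acquisition follows the same direction and the order is acyclic.

```cpp
// Added example: per-thread lock-order tracker keyed on a layer hierarchy.
// Not MK++ source. Layer numbers below are hypothetical; lower = closer to hardware.
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

enum Layer : int {
    ClockDevice = 0, ResidentMemory = 1, MemoryExtent = 2, TransferMgmt = 3,
    ConnectionMgmt = 4, ProcessorSched = 5, SpaceAccounting = 6,
    KernelInterface = 7, ResourceObjects = 8
};

struct LayerViolation : std::logic_error {
    using std::logic_error::logic_error;
};

// Records the locks one thread currently holds, outermost first.
class LockTracker {
    std::vector<int> held_;
public:
    // Rule: a new lock may only be taken at a layer strictly below every lock
    // already held. Taking a second lock at the same layer is rejected too;
    // intra-layer ordering would need its own sub-hierarchy (not modelled here).
    void acquire(int layer) {
        if (!held_.empty() && held_.back() <= layer)
            throw LayerViolation("holding layer " + std::to_string(held_.back()) +
                                 ", cannot acquire layer " + std::to_string(layer));
        held_.push_back(layer);
    }
    // Locks must be released in reverse order of acquisition.
    void release(int layer) {
        if (held_.empty() || held_.back() != layer)
            throw LayerViolation("release out of order at layer " + std::to_string(layer));
        held_.pop_back();
    }
    std::size_t depth() const { return held_.size(); }
};

// RAII guard so the tracker stays consistent even when a check throws.
class LayerGuard {
    LockTracker& t_;
    int layer_;
public:
    LayerGuard(LockTracker& t, int layer) : t_(t), layer_(layer) { t_.acquire(layer_); }
    ~LayerGuard() { t_.release(layer_); }
};

// Legal downward call chain: interface -> scheduler -> physical memory.
bool legal_chain() {
    LockTracker t;
    try {
        LayerGuard a(t, KernelInterface);
        LayerGuard b(t, ProcessorSched);
        LayerGuard c(t, ResidentMemory);
        return t.depth() == 3;
    } catch (const LayerViolation&) {
        return false;
    }
}

// Illegal upcall: a low layer holding its lock tries to take a higher layer's lock.
bool illegal_upcall() {
    LockTracker t;
    try {
        LayerGuard a(t, ResidentMemory);
        LayerGuard b(t, KernelInterface);  // rejected: layer 7 above held layer 1
        return false;
    } catch (const LayerViolation& e) {
        std::cerr << "caught: " << e.what() << '\n';
        return true;
    }
}

int main() {
    std::cout << "legal chain ok: " << legal_chain() << '\n';
    std::cout << "upcall rejected: " << illegal_upcall() << '\n';
    return 0;
}
```

In a kernel the tracker would live in the current thread's control block and the checks would compile out of the production build; the value is that the layering document already fixes the global lock order, so no separate lock-order table has to be maintained.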
A Few Words About Performance
- MK++ performance is comparable to Mach, even on highly optimized Mach code paths
- Performance is more robust (no special-case "fast paths")
- Kernel microbenchmarks: IPC, page fault, task create
- Extensive use of inline methods: MK++ has lots of tiny methods, but most of them are inline
- Disciplined use of virtual methods: layering forces attention to this
- C++ is not slow in the hands of competent software engineers!
Sharper Tools
- Layer Verification Tool: enforces the layering architecture
- Covert Storage Channel Tool: finds all storage channels, but not timing channels
- Tools find many problems missed by people
- Incremental execution would be very useful
- Hook tools into the source control system
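The header-file discipline above (no file includes a header from a higher layer) is the kind of rule a layer verification tool checks mechanically. The following is an added example, not the tool used for MK++: it assigns each header a layer number from a hypothetical table, scans `#include "..."` lines of a source file, and reports every include that points upward or at a header missing from the table. The header names, layer numbers and the sample source are constructed for the example.

```cpp
// Added example: a minimal layer-verification check over #include directives.
// Not the MK++ tool. Header names and layer numbers are hypothetical.
#include <cstddef>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical header -> layer table; lower numbers are lower layers.
const std::map<std::string, int> kLayerOf = {
    {"clock_device.h", 0},     {"resident_memory.h", 1}, {"memory_extent.h", 2},
    {"transfer.h", 3},         {"connection.h", 4},      {"sched.h", 5},
    {"space_accounting.h", 6}, {"kernel_interface.h", 7}, {"resource_objects.h", 8},
};

struct Violation {
    std::string file;
    std::string header;
    int file_layer;
    int header_layer;  // -1 when the header is not in the layer table
};

// Returns the target of a local #include "..." directive, or "" otherwise.
// System includes (<...>) are outside the layer scheme and are skipped.
std::string included_header(const std::string& line) {
    std::size_t i = line.find_first_not_of(" \t");
    if (i == std::string::npos || line.compare(i, 8, "#include") != 0) return "";
    std::size_t open = line.find('"', i + 8);
    if (open == std::string::npos) return "";
    std::size_t close = line.find('"', open + 1);
    if (close == std::string::npos) return "";
    return line.substr(open + 1, close - open - 1);
}

// Flags includes of higher-layer headers and of headers with no assigned layer
// (fail closed: an unclassified header cannot be shown to respect the layering).
std::vector<Violation> check_file(const std::string& file, int file_layer,
                                  const std::string& source) {
    std::vector<Violation> out;
    std::istringstream in(source);
    std::string line;
    while (std::getline(in, line)) {
        std::string h = included_header(line);
        if (h.empty()) continue;
        auto it = kLayerOf.find(h);
        int hl = (it == kLayerOf.end()) ? -1 : it->second;
        if (hl < 0 || hl > file_layer) out.push_back({file, h, file_layer, hl});
    }
    return out;
}

// Constructed sample: a scheduler source file (layer 5) with one upward include.
const std::string kSchedSource =
    "#include \"sched.h\"\n"
    "#include \"resident_memory.h\"\n"
    "#include <cstddef>\n"
    "#include \"kernel_interface.h\"  // layer 7: forbidden from layer 5\n";

std::vector<Violation> run_sample() {
    return check_file("sched.cc", kLayerOf.at("sched.h"), kSchedSource);
}

int main() {
    for (const Violation& v : run_sample())
        std::cout << v.file << " (layer " << v.file_layer << ") includes "
                  << v.header << " (layer " << v.header_layer << ")\n";
    return 0;
}
```

Run as a pre-commit hook or in the build, as the slide suggests, the check turns the layering diagram into an enforced property rather than a convention.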
Formal Methods
- Generated runtime assertions based on the formal model: IPC subsystem invariant checks
- The good news: found 4 serious problems missed by development and review
- The bad news: missed at least one more, because the kernel was not exercised under all possible conditions
- Test coverage is not a new problem; neither is it a solved problem
Conclusion
- Assurance is only possible if software practitioners can reason about the software
- High assurance analysis and design are necessary for high assurance software
- Software engineering techniques exist for practical development of high assurance software
- The complement of layering and object orientation supports decomposition of complex system software, e.g. the MK++ microkernel
- Need advances in the state of the art: object interface design, dependency decomposition and encapsulation, assured design patterns (aka frameworks), framework composition rules