Why MS Windows 7 Will Never Become a Reliable OS
We live in a post-informational, globalized world where computers control nuclear power plants, strategic military facilities, and so on. Yet modern operating systems (OS) have two characteristics that make them unreliable and unsafe: they are huge, and they isolate failures very poorly. The Linux kernel contains more than 2.5 million lines of code, and the Windows XP kernel more than 5 million. According to researchers at Carnegie Mellon University, there are 5 to 15 errors per 1000 lines of code. By that estimate the Linux kernel contains about 15,000 errors and the Windows XP kernel more than 30,000. Worse still, about 70% of OS code is device driver code, in which errors occur 3-7 times more often than in ordinary code. Clearly it is simply impossible to find and fix all of these errors; moreover, fixing errors often introduces new ones.
The large size of modern operating systems means that no one can understand the whole system, and as a result managing the system becomes very difficult. The same can be said, for example, of an aircraft carrier: no single person knows how the whole carrier works, but all of its subsystems are well isolated, and a clogged toilet does not affect the missile launch subsystem. Operating systems lack such component isolation. A modern operating system contains hundreds or thousands of procedures linked together into a single binary program that executes in the kernel. Any of the millions of lines of kernel code can write to key data structures used by an unrelated component, which can crash the whole system. [see: Andrew Tanenbaum, Jorrit Herder and Herbert Bos, “Can We Make Operating Systems Reliable and Secure”]
Windows NT:
MS Windows 7 (the Milestone builds) is a descendant of MS Windows NT. The first commercial version of Windows NT was released on July 27, 1993 (it will soon be 15 years old). That first version was numbered 3.1 only because the Windows API, including the windowing interface from MS Windows 3.1, was added on top of the original NT kernel. [see: Microsoft Windows - Wikipedia entry]
“The development of Windows NT, begun in November 1988 under the working title NT OS/2, was carried out in parallel with IBM's development of its own OS, OS/2 2.0, which was finally released only in April 1992. At the same time, Microsoft continued to develop its DOS and Windows family of operating systems, which have lower hardware requirements than IBM's OS/2. After Windows 3.0 was released in May 1990, Microsoft decided to add a Windows API-compatible programming interface (API) to NT OS/2. This decision caused serious friction between Microsoft and IBM, which ended in a break in their collaboration. IBM continued to develop OS/2 alone, and Microsoft began to work on a system that was eventually released under the name Windows NT. Although this system did not bring immediate popularity like DOS or Windows,
It is interesting to note that the OS/2 APIs were originally planned as NT's programming interfaces, then POSIX; Windows API support was added last. Likewise, the Intel i860 was originally planned as the hardware platform for NT, then MIPS; support for Intel x86 was added later ...” [see: Windows NT - Wikipedia entry]
What is called Windows Vista today is this same NT, heavily weighed down with all sorts of API libraries and interfaces invented by Microsoft. According to MS, Windows 2000 contains 35-60 million lines of code, and Windows XP more than 45 million, and this code is constantly being refined and modernized. The source is written in assembly language, C and C++. Even Microsoft itself does not quite understand exactly what it has developed; understanding the code is very, very difficult. Most likely, every version of Microsoft Windows contains a vulnerability that cannot be fixed (according to some third-party researchers, this “Absolute Error” differs between versions). Fixing it would be about the same as closing a hole in the middle of a foundation on which a multi-storey building already stands. Of course, Microsoft is well aware of the Absolute Error, but does not consider it a vulnerability.
The way out of this deadlock is the microkernel OS, which can take on a new life thanks to its potential for higher reliability:
The reliability of a microkernel OS comes from several sources. First, the code executed in the kernel is only about 4000 lines, with about 24 errors in total (using the Minix 3 microkernel as the example). The small size of the kernel makes it possible to verify its code by hand or with formal methods. The IPC design avoids the need for buffer management in the kernel. In addition, the IPC primitives available to each process are restricted, including the destination addresses and the events it may be notified of. For example, user processes may only use rendezvous and may only send messages to the POSIX servers. On top of this, all kernel data structures are static. These properties greatly simplify the code and eliminate kernel errors related to buffer overflows, memory leaks, untimely interrupts, and so on. Of course, moving most of the operating system into user-mode processes does not eliminate the inevitable errors in drivers and servers, but it limits their impact on the system as a whole. Erroneous code in the kernel can corrupt critical data structures, write junk data to disk, etc.; erroneous code in most drivers and servers cannot do such harm, because those processes are strictly separated and very limited in their capabilities.
Another feature that improves reliability is the use of separate instruction and data spaces. Even if buggy code or a virus causes a buffer overflow and places foreign code in the data space, that code cannot be executed by jumping to it, because the kernel will not run code that is not in the process's instruction space (which is read-only).
Among the other features that improve reliability, the most important is self-healing. If a driver writes through a wrong pointer, falls into an endless loop, or misbehaves in some other way, the reincarnation server automatically replaces it, often without affecting other processes.
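The reincarnation-server behaviour described above, as an added example that is not Minix 3's own code: a small supervisor in C that runs a driver in its own process, treats death by signal as a crash and a missed deadline as a hang, kills the hung copy and starts a fresh one. The driver function flaky_driver and its failure schedule are constructed for illustration.

```c
/* Added example (not from the post): a user-space "reincarnation server"
 * in miniature. The driver runs as a separate process with its own
 * address space; the supervisor restarts it after a crash or a hang,
 * which is the self-healing policy the post describes for Minix 3. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* What the supervisor observed during one driver lifetime. */
enum outcome { DRV_OK, DRV_CRASHED, DRV_HUNG };

/* Run one generation of the driver in a child process and wait for it,
 * polling until deadline_ms has passed. */
static enum outcome run_generation(int (*driver)(int), int generation,
                                   int deadline_ms)
{
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(1); }
    if (pid == 0) {
        /* Child: isolated like a Minix user-mode driver; _exit so the
         * inherited stdio buffers are not flushed twice. */
        _exit(driver(generation) == 0 ? 0 : 1);
    }
    int waited = 0, status = 0;
    struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    while (waited < deadline_ms) {
        if (waitpid(pid, &status, WNOHANG) == pid) {
            if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
                return DRV_OK;
            return DRV_CRASHED;   /* killed by a signal or exited non-zero */
        }
        nanosleep(&tick, NULL);
        waited += 10;
    }
    /* Deadline passed: treat the driver as hung, kill it and reap it. */
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return DRV_HUNG;
}

/* Reincarnation loop: restart the driver until a generation completes
 * cleanly or the restart budget is spent. Returns the generation that
 * succeeded, or -1 if none did. */
int supervise(int (*driver)(int), int max_restarts, int deadline_ms)
{
    for (int gen = 0; gen <= max_restarts; gen++) {
        enum outcome o = run_generation(driver, gen, deadline_ms);
        if (o == DRV_OK)
            return gen;
        printf("driver generation %d %s; reincarnating\n", gen,
               o == DRV_CRASHED ? "crashed" : "hung");
    }
    return -1;
}

/* Constructed misbehaving driver: generation 0 writes through a null
 * pointer, generation 1 spins forever, generation 2 behaves. */
int flaky_driver(int generation)
{
    if (generation == 0) { volatile int *bad = NULL; *bad = 1; }
    if (generation == 1) { for (;;) pause(); }
    return 0;
}

int main(void)
{
    int gen = supervise(flaky_driver, 5, 200);
    printf("driver healthy after %d restart(s)\n", gen);
    return gen < 0;
}
```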
MS Singularity:
Quote from Andrew S. Tanenbaum: “... Microsoft is also interested in microkernels. It, like no one else, clearly understands all the problems of maintaining monolithic kernels. Windows NT 3.1 was a half-hearted attempt to create a microkernel system, but this attempt was not implemented correctly. And the performance of the OS on the hardware of the early 90s was also not good enough, so Microsoft temporarily abandoned this idea. But recently, Microsoft tried to do it again, on new hardware, which led to the advent of the Singularity OS. Today, as I see it, many people believe that if Microsoft did this, then it clearly went crazy. But Galen Hunt and Jim Larus, who led the Singularity project, are very smart guys, and they understand very well what kind of mess Windows actually is and how much Microsoft needs a completely new approach for its further development. Even the people working on Vista see that they have serious problems. That's why they are moving drivers to user space, that is, they are doing exactly what I recommend.” [see: “The second part of the Marlezon Ballet.” Discussion of Tanenbaum and Torvalds: Part II]
The Singularity project developed at Microsoft Research offers the most radical approach to building a robust microkernel-based OS. But it is not possible to bolt the Windows API onto Singularity, nor to port software written for the Windows API to this system, so this theoretically unique project cannot help ordinary users of MS Windows :( [see: Andrew Tanenbaum, Jorrit Herder and Herbert Bos, “Can We Make Operating Systems Reliable and Secure”]
L4 Microkernel:
L4 is built so that almost any API can be constructed on top of it. It abstracts away from specific memory management algorithms and other policies, but provides the mechanisms for implementing any such policy. It supports many hardware platforms and has multiprocessor (SMP) support in the kernel. Drivers run in user space, and several OSes can run simultaneously on one microkernel. It also supports building both real-time and conventional time-sharing OSes, both embedded and desktop OSes, and various process scheduling (and memory management) policies can be implemented on it.
Comparing Mach and L4: the Mach microkernel was very cumbersome, with more than a hundred system calls, about 100,000 lines of code and about 500 KB on disk. L4 is 1-2 orders of magnitude more compact. The original L4 implementation had only 7 system calls and about 10,000 lines of code; it takes about 100 KB on disk (ELF format, Intel platform; figures for L4Ka::Pistachio), but only 12 KB in memory! (According to other sources, 32 KB; it depends on the kernel version.) This is why L4 is often called a nanokernel: it is 1-2 orders of magnitude smaller than the classical microkernel.
NICTA, the National Research Centre for Information and Communication Technologies, which develops the L4 kernel, created a commercial company called Open Kernel Labs (OK Labs) to promote L4-based solutions (mainly embedded). OK Labs is developing its own commercial implementation of NICTA::Pistachio-embedded, together with Wombat and Iguana. This proprietary version of L4, Wombat and Iguana is called OKL4. OKL4's commercial nature does not compromise the freedom of its license: OKL4 is licensed under the BSD license and its sources are open. OK Labs promises to release the first microkernel with a mathematically proven absence of errors (a formally proven bug-free microkernel) around the middle of 2009!
Apple MacOS X:
At NICTA, besides the Kenge/Iguana/Wombat projects, there is a project called Darbat, or L4/Darwin. This is nothing other than a port of the Darwin kernel, on which MacOS X is based, to the L4 microkernel. Darbat tries to improve Darwin's performance by using L4 IPC, which is much faster than the IPC of the Mach microkernel on which Darwin is based. Darbat also contains a port of IOKit to L4, which aims to benefit from user-level drivers (in Darwin many drivers run in kernel mode; in Darbat they run at user level). One goal is to support unmodified Darwin drivers in user space. Darbat does not aim to remove Mach from Darwin entirely, but rather to obtain a version of MacOS X that runs almost unchanged on L4 and gains the advantages L4 offers over Mach.
Quote from Andrew S. Tanenbaum: “Mac OS X is also a kind of microkernel OS. Inside, it is a Berkeley UNIX running on top of a modified version of the Mach microkernel. However, since all of this runs in kernel mode (in order to squeeze out all possible performance), Mac OS X is not truly a microkernel. But since Carnegie Mellon University ran Berkeley UNIX in user space on top of the Mach microkernel many years ago, this could probably be done again, albeit with a slight performance loss, as with L4Linux. In particular, there is the Darbat project for porting Apple's BSD (Darwin) code to L4 in order to make it a true microkernel OS.” [see: “The second part of the Marlezon Ballet.” Discussion of Tanenbaum and Torvalds: Part II]
Apple is said to be developing a new “big leap forward” system in parallel with Mac OS X 10.6 Snow Leopard, the successor to the current system. Perhaps this is what Jobs mentioned in a 2007 interview on the occasion of the official release of Leopard. Judging by how thoroughly Snow Leopard is being stripped down, there will already be “discoveries” in it, and not simple ones but rather serious ones. Given Apple's obsession with simplicity and elegance of design, it would be logical to assume that the new system (Apple OS X 11, or whatever it is called) will be based on the unique L4 microkernel and will be used on all Apple products without exception, from iPhone smartphones to servers. It is beautiful enough to occur to Steve Jobs, and turning crazy ideas into products with crazy success is what Jobs usually does. [see: “Perhaps Mac OS 10.6 Snow Leopard will be next”]
And if that happens, Apple OS X 11 will have unrivaled reliability and versatility!
The conclusion suggests itself: MS Windows has no future. With Microsoft's current approach to OS development, the future MS Windows 7 will unfortunately remain with 10 thousand bugs and annoyed users. And I would never choose a Microsoft product as the base OS when starting a large and demanding software project :(