Slashdot Mirror


Europe Funds Secure Operating System Research

narramissic writes "A Dutch university has received a $3.3 million grant from the European Research Council to fund 5 more years of work on a Unix-type operating system, called Minix, that aims to be more reliable and secure than either Linux or Windows. The latest grant will enable the three researchers and two programmers on the project to further their research into making Minix capable of fixing itself when a bug is detected, said Andrew S. Tanenbaum, a computer science professor at Vrije Universiteit. 'It irritates me to no end when software doesn't work,' Tanenbaum said. 'Having to reboot your computer is just a pain. The question is, can you make a system that actually works very well?'"


  1. Wait a second... by Anonymous Coward · · Score: 5, Funny

    I thought Windows was secure. Why not use that? *cough* *cough*

    1. Re:Wait a second... by 4D6963 · · Score: 4, Insightful

      I thought Windows was secure. Why not use that? *cough* *cough*

      I thought OpenBSD was secure. Why not use that?

      --
      You just got troll'd!
    2. Re:Wait a second... by Anonymous Coward · · Score: 3, Funny

      I thought Minix was dead for some 15 years....

    3. Re:Wait a second... by Zumbs · · Score: 2, Funny

      I thought Windows was secure. Why not use that? *cough* *cough*

      I thought OpenBSD was secure. Why not use that?

      I thought DOS was secure. Why not use that?

      I thought stone tablets were secure. Why not use them?

      --
      The truth may be out there, but lies are inside your head
    4. Re:Wait a second... by Anonymous Coward · · Score: 2, Insightful

      It is. This is just some researchers grabbing fund money. Nothing will come from this.

    5. Re:Wait a second... by xouumalperxe · · Score: 4, Interesting

      I guess the idea is less about creating an all around well-built system that's pretty secure in practice, and more about creating something that, even if it might have implementation bugs today, is fundamentally, conceptually more secure.

    6. Re:Wait a second... by Anonymous Coward · · Score: 3, Funny

      I think I'd rather get raped by a polar bear than use Windows. It hurts much less.

    7. Re:Wait a second... by Jacques+Chester · · Score: 4, Interesting

      The sad thing about Windows NT is that the design was pretty good, the implementation was OK, but the default security policy is totally useless. Hooray for backwards compatibility.

      --

      Classical Liberalism: All your base are belong to you.

    8. Re:Wait a second... by Z00L00K · · Score: 2, Informative

      Minix did get a reputation of being unstable some 20 years ago, but of course - much has happened since then.

      The more interesting thing is that Minix has a different architecture than Linux using a microkernel. This is in some ways a good idea, even if it also has disadvantages.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    9. Re:Wait a second... by Hurricane78 · · Score: 4, Interesting

      That was my thought too. If you want to do it right, why not program it in Haskell in the first place? Sure, it might be a little bit slower (not even much actually). But if you go for security, that's not that important anyways.

      Now how they will solve the PEBKAC problem, if they end up with a TCPA-like system (in the original intended way of protecting the user, not protecting from the user) and what they will do against tricks like remotely reading computer input, the inevitability of programming errors and BIOS viruses, is a completely different question.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    10. Re:Wait a second... by Burnhard · · Score: 2, Insightful

      I hacked Minix a new memory manager in a System Programming at University class back in 1996. I'm quite literally apathetic with incredulity that the EU are funding further development. Why not get undergrads to do it for free?

    11. Re:Wait a second... by Anonymous Coward · · Score: 3, Informative

      Try OpenVMS, a considerably more secure operating system than any Unix variant.

      OpenBSD is relatively bug free, but that only makes it superficially more secure than more popular, usable, operating systems. As a basic example, virtually every application not audited by the OpenBSD team themselves opens a potential attack vector. That's true of most operating systems. But VMS at least had the advantage of a locked down privilege system that made it much harder for a hole in an application to create a space where user files, let alone system files, were suddenly attackable.

      And, yeah, I'm aware you mentioned the possibility of running OpenVMS on the desktop. DEC made a few "desktop" VAXes and Alphas in their time, and DECWindows was the user interface.

    12. Re:Wait a second... by mustafap · · Score: 4, Interesting

      If you don't understand security it won't matter what language you write in, it will still be crap.

      --
      Open Source Drum Kit, LPLC deve board - mjhdesigns.com
    13. Re:Wait a second... by jaroslaw.fedewicz · · Score: 2, Funny

      > In a non-related story RMS is renaming himself to Jesus.

      RMS is St. IGNUcius already, he doesn't need any renaming.

    14. Re:Wait a second... by Fred_A · · Score: 4, Insightful

      Minix did get a reputation of being unstable some 20 years ago, but of course - much has happened since then.

      The one thing that hasn't changed though is that Minix is still just a toy system that's meant to be poked at in schools and that nobody actually uses (yes I know about the 3 rabid Minix users, they probably run AmigaOS too).
      Oh, wait, now it finally supports X11 (woohoo !). Wait, has it got a mouse driver too ?

      However Minix3 *does* feature support for "Over 650 UNIX programs" (such as man, mkdir and ps). *650* ! It's like 130 × 5 ! Think about it !

      Granted, starting from a small scale system such as Minix is certainly simpler than with a much more mainstream OS such as one of the BSDs or Linux but even if anything comes out of the project, it won't ever gain even "niche" status. More people must be running Plan9 or Inferno.
      The whole idea is utterly futile, except possibly if the code or the concepts can be reused with another system later on.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    15. Re:Wait a second... by morgan_greywolf · · Score: 2, Insightful

      Absolutely right. Security is a mindset. It's a mindset that says "How can I misuse this? How can this be abused?"

      It's absolutely possible to write secure code in C. It might be easier to make a mistake in C as opposed to languages that have strict overflow checking and proper garbage collection as built-in features, but you don't throw out the baby with the bathwater so to speak.

      I'll say this, like I always say it: there is no magic bullet when it comes to security. Even an operating system written from the ground up around security like OpenBSD can be configured incorrectly. Even an operating system written from the ground up around security can have security bugs.

      The only completely safe computer from a security standpoint is one that isn't plugged in and stored in a bank vault. With armed guards trained to shoot first and ask questions later. And security cameras. Surrounded by a moat. Filled with sharks with friggin' lasers attached to their heads.

    16. Re:Wait a second... by xouumalperxe · · Score: 4, Insightful

      Dropping C... for what exactly? We're not talking application level security. We're talking kernel level. That means talking to the bare metal. Even if you implement a microkernel with userspace modules for everything, and with those modules written in something more robust than C, that last crucial bit of code that is the microkernel itself is probably going to end up being written in C with ASM snippets, simply because at some point you need to explicitly state what the hardware is doing.

    17. Re:Wait a second... by theeddie55 · · Score: 2, Insightful

      I thought Windows was secure. Why not use that? *cough* *cough*

      I thought OpenBSD was secure. Why not use that?

      I thought DOS was secure. Why not use that?

      I thought stone tablets were secure. Why not use them?

      Because none of these suggestions is compatible with my abacus.

    18. Re:Wait a second... by DickeyWayne · · Score: 3, Funny

      I thought Minix was dead for some 15 years....

      No, *Linux* is dead. Those monolithic kernels are just "one big mess!"

    19. Re:Wait a second... by Antique+Geekmeister · · Score: 4, Insightful

      Yes, most developers moved to Linux and stopped writing that pesky, unstable software that anyone actually uses.

      Keeping a kernel that is 10 years behind the leading edge in file systems or communications, especially by kicking it all out of the kernel and saying "Naah-naah-naah! Not my problem!!!!" is like having a very secure car that doesn't have a reverse gear, seats, or door handles. It certainly helps contribute to stability. But the associated software to handle USB, firewire, packet filtering, or network file systems just isn't up to speed.

    20. Re:Wait a second... by pasamio · · Score: 4, Informative

      Andy said at LCA2007 it was a 30% hit, I don't see a 30% performance hit being 'slightly' slower.

      --
      I always wondered where this setting was...
    21. Re:Wait a second... by xouumalperxe · · Score: 4, Insightful

      And with almost everything going to interpreter environments today (Python, Ruby, Java, .Net), there's a better argument that building a JIT as a kernel component and that the message passing overhead is less of an issue.

      Let me get this right, after stating that the advantage of a microkernel lies in the much smaller size in LOCs, you just argued that adding a JIT compiler to the microkernel itself is a good idea?

      Part of the idea behind a microkernel is that you only need to prove correctness for a small amount of code. The other part is that, when you want to add features, you only need to prove the features you want work correctly. So, instead of proving that each driver works correctly (which, for most environments where this stuff really matters, only needs to be done for a "handful" of drivers), you just upped the ante and said "prove the whole JIT compiler works correctly". And the "message passing overhead" pales in comparison with a poorly-optimized JITC, which is what you get if you want to keep TLOC count low.

    22. Re:Wait a second... by xaxa · · Score: 2, Interesting

      The whole idea is utterly futile, except possibly if the code or the concepts can be reused with another system later on.

      After reading the summary, I expect the whole idea is that the concepts will be reused in another system later on.

    23. Re:Wait a second... by gnapster · · Score: 3, Informative

      The whole idea is utterly futile, except possibly if the code or the concepts can be reused with another system later on.

      That is exactly the point of academic research. Toy systems that introduce new concepts are rarely used widely, but the concepts are borrowed for use in other systems later on.

    24. Re:Wait a second... by V!NCENT · · Score: 2, Interesting

      That would take a loooooong time. First Minix needs to reach a 'gold/stable' release. Then there are the X11 Gallium Nouveau and open source ATI driver. Then we are going to need sound support, a port of Gnome and/or KDE 4.8 :') and soundcard and network drivers.

      By that time DNF is probably released for Windows NT 7.0 and Wine has kept up with Windows 7 to run it...

      --
      Here be signatures
    25. Re:Wait a second... by tepples · · Score: 2, Insightful

      Why Minix is supposedly better than Windows or Linux is because it has a Microkernel, so it is harder for anything to kill or confuse the Kernel

      What runs on a microkernel? Services. And if you exploit a highly privileged service, you've exploited the whole system. Or what am I missing?

    26. Re:Wait a second... by gnapster · · Score: 2, Informative

      It may well be that this group is "starting with Minix" because that's what they know best. I have not looked into this to know how much of the code for Minix3 is shared with prior versions. But Tanenbaum et al. know it inside out, so for them it is probably the best sandbox for these new ideas. They may already have done some work, and that was part of their argument in the funding proposal.

      My hero is G. H. Hardy, the number theorist who loved his field because it had no practical application. He would never have guessed that his concepts would be vital for public-key encryption and other things which are used by millions of people every day.

    27. Re:Wait a second... by V!NCENT · · Score: 2, Informative

      30% hit compared to what? Compared to itself if it wasn't a Microkernel?

      Remember that the microkernel has only 4000 lines of code. Remember that on Linux the graphics drivers are also in userspace, in X11, on top of the shell that is on top of the Linux kernel.

      It sure as hell shouldn't be any slower than Linux...

      --
      Here be signatures
    28. Re:Wait a second... by Jurily · · Score: 3, Interesting

      I'll say this, like I always say it: there is no magic bullet when it comes to security. Even an operating system written from the ground up around security like OpenBSD can be configured incorrectly. Even an operating system written from the ground up around security can have security bugs.

      OpenBSD was not written securely from the ground up. It was secured from an inherited codebase over a long, long time. And they have witnessed, time after time, how they combed over the source code for a specific class of bugs, cleaned it, and two versions later the same bug appeared from upstream because the programmer did not fully grok the API he was using.

      Just google for strlcpy().
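The API misunderstanding this comment alludes to, as an added example (not part of the thread and not OpenBSD code): `strncpy` leaves the destination unterminated when the source fills it, while `strlcpy` semantics always terminate and report the source length so truncation can be detected. `copy_bounded`, `copy_or_reject` and the sample strings are hypothetical names and constructed input; `copy_bounded` re-implements the documented `strlcpy` behaviour because not every libc ships it.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if dst holds a NUL terminator after the common idiom
 * strncpy(dst, src, dstsize), 0 if the buffer was left unterminated. */
int terminated_after_strncpy(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* strlcpy semantics under a hypothetical name: copy at most dstsize-1
 * bytes, always terminate when dstsize > 0, return strlen(src). */
size_t copy_bounded(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);

    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Caller-side check the return value makes possible: refuse input that
 * would not fit instead of silently working with a truncated string.
 * Returns 0 on success, -1 if src was too long (dst is still terminated). */
int copy_or_reject(char *dst, const char *src, size_t dstsize)
{
    return copy_bounded(dst, src, dstsize) >= dstsize ? -1 : 0;
}

int main(void)
{
    char name[8];
    const char *short_src = "eth0";                 /* constructed input */
    const char *long_src  = "wlan0-mesh-backhaul";  /* constructed input */

    printf("strncpy, short source: terminated=%d\n",
           terminated_after_strncpy(name, sizeof name, short_src));
    printf("strncpy, long source:  terminated=%d\n",
           terminated_after_strncpy(name, sizeof name, long_src));

    size_t need = copy_bounded(name, long_src, sizeof name);
    printf("copy_bounded: stored \"%s\", source needs %zu bytes plus NUL\n",
           name, need);
    printf("copy_or_reject: %d\n", copy_or_reject(name, long_src, sizeof name));
    return 0;
}
```
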

    29. Re:Wait a second... by Cyberax · · Score: 4, Interesting

      Dropping C is possible.

      For example, CoyotOS (http://www.coyotos.org/) uses BitC and aims for the completely proved kernel. I.e. it will be formally proven that its microkernel CAN'T crash or do something wrong.

      Or look at QNX, their microkernel used to be something like 12Kb of hand-written assembly code (and so stable that QNX systems literally work for decades now without reboots). The rest can be done using other tools than plain C.

    30. Re:Wait a second... by Just+Some+Guy · · Score: 2, Funny

      Andy said at LCA2007 it was a 30% hit, I don't see a 30% performance hit being 'slightly' slower.

      Yeah. Moore says [1] you'd have to wait an extra six months for hardware to catch up.

      [1] Don't get all pedantic on me. I know what he really said.

      --
      Dewey, what part of this looks like authorities should be involved?
    31. Re:Wait a second... by TrueKonrads · · Score: 2, Interesting

      3.3 mil is a lot of money for an uncertain outcome. We already have microreboots in some toy systems, that should solve crashes and ensure that system continues to operate (though it will probably go through the crash-reboot-work-crash cycle endlessly). We already have in-memory kernel patching from SUN and partially from linux. Not to mention SELinux and Hurd and the rest of security ideas. I think that the real purpose of the project is to suck funding. Let me quote from Tanenbaum's project proposal:
      • "..but I should start out by pointing out how ambitious and risky this research is." In layman's terms it means: "I want to experiment, but no promises or even deliverables".
      • "... nearly all experience with actual security incidents shows that security problems almost always stem from actions that the design and rules forbid but which bugs in the code allow to happen anyway." and "The most serious reliability and security problems are those relating to the operating system" I am a security consultant and most security incidents stem from misunderstanding the basics, like password management, not buffer overflows. Seriously, has he ever consulted a security practitioner?
      • Some classic proof by (broken) analogy: "Banks lock their front doors at night and have strong safes even though there are laws forbidding bank robbery" What does this prove exactly?
      • "What I am proposing is a fundamental redesign of the operating system." Dude, seriously, you mention known concepts and offer fundamental redesign? Is this just a rewrite project for minix?

      I could go on and on like this. This is how funds are spent without any real gain, not even new concept evolution. Andy, give the EU taxpayers' money back!

      --
      Lone Gunmen crew.
    32. Re:Wait a second... by xouumalperxe · · Score: 2, Insightful

      Anything else that compiles to native opcodes? It's not like C is the only magical language capable of talking to hardware.

      C is obviously not magically endowed with some special abilities. But since that was an answer to someone who wanted to replace C with something more secure, the question is: "what language that is naturally more secure than C would you suggest, then?"

      Besides the obvious practical question of "give me an actual language that's actually more secure than C", there's the more theoretical question of "what the hell does it mean for a language to be secure?" A programming language is only an abstraction on top of the capabilities of the underlying hardware. Either you're hiding some capabilities the hardware is capable of, or the most a language can do is hold your hand and help you steer clear of the pitfalls. You're safer, but you're not any more secure.

    33. Re:Wait a second... by Jurily · · Score: 2

      Anyway, are there real-world kernels that don't use C ?

      Yes.

    34. Re:Wait a second... by xouumalperxe · · Score: 2, Interesting

      How is hand-coded assembly a move to a "more secure language" (whatever that means) than C (which is what I was replying to)? Is that not precisely the job for which compiled languages were created?

      Regarding CoyotOS and BitC, those are quite interesting references, thank you. It might be a stillbirth, though, since one of the lead guys is leaving the BitCC team. Either way, one could argue that coming up with your own low-level language to develop your own secure operating system is pretty much the only way to be able to "prove" it correct (and "prove" there is in quotes because I doubt they proved LLVM's correctness). Still, from what I read about BitCC, the original point still stands: How intrinsically secure is the language, in and of itself? What does it have that makes it special? Because all I can find is stuff that makes bugs less likely, like proper bounds testing.

    35. Re:Wait a second... by AVee · · Score: 4, Insightful

      That kind of car is actually built regularly by most car manufacturers. The amount of money spent on those cars is often in the same ballpark, or even more. They call it concept cars, and they generally also only explore certain aspects of cars while happily ignoring others.

      That is not going to be your car for daily use. Minix probably isn't going to be your daily OS anytime soon either, but that's no reason not to spend research money on it. The IT industry could do with some more proper research instead of just reinventing the same wheels (but this type using XML and HTTP!) all the time.

    36. Re:Wait a second... by Cyberax · · Score: 2, Interesting

      Assembly can be more secure because it doesn't depend on a compiler :)

      In any case, 12 Kb of asm/C code is a vanishingly small quantity for modern operating systems. For most purposes 12 Kb is the same as 'none'.

      "How intrinsically secure is the language, in and of itself? What does it have that makes it special?"

      It allows you to maintain _invariants_, checking them automatically. Including very complex invariants expressed as theorems.

      Formal correctness checking is not feasible for large programs, but a formally proved microkernel is quite possible.

    37. Re:Wait a second... by Fred_A · · Score: 2, Insightful

      Of course, Tanenbaum is also partly responsible for the creation of Linux. Torvalds would regularly engage in heated debate regarding Minix's non-monolithic architecture.

      I read those as they unfolded.

      It's true that Tanenbaum is in part responsible for the creation of Linux. But only because at the time (I think it was available then) Minix was the only option on a PC and nobody wanted to run that. Tanenbaum failed at creating something decent so a better system was called for. Later on he may have whined for all he was worth, his system is still ignored (although I, and many others read and appreciated his book, nobody cares about Minix, it's a toy).

      I ran Linux on my own machine (I never could have afforded my own Unix machine before that) in 1994 for the first time (mostly to run TeX, oddly enough, long story), and it's been my desktop system since (except for the small gaming Windows partition I've kept on and off for I've never managed to get into consoles).

      I did boot Minix several times but even compared to the very first Linux versions, it has always felt like a toy (I mean no X ? come on...). I did run a number of BSD systems though. I also ran an OS X laptop for a bit over a year but it was just Windows with a smiley face to me so it quickly became a paperweight. The Unix side had been perverted enough that it was completely unusable.

      So I run Linux, a bit of BSD (and Windows games) and I'm happy that way. I even buy commercial Linux apps when I need them. To each his own of course, people get what suits them.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    38. Re:Wait a second... by frank_adrian314159 · · Score: 2, Interesting

      You don't need a JIT compiler or an interpreted language to have a secure kernel - you just need a well-designed, type-safe language (which C is not). You can start, for example, from Haskell, as these guys are doing. Haskell is a compiled language, with minimal boxing and, thus, gives all the speed you want without the idiocy of buffer overruns and invalid pointer references. Its performance is within a couple of percent of C.

      --
      That is all.
    39. Re:Wait a second... by xouumalperxe · · Score: 2, Funny

      Well, I think the key point here is what we understand as secure. "Secure" is "easy" to define in terms of a system, but, to me, seems a remarkably nebulous concept when applied to a language. While it's very easy to screw up in C, that isn't a matter of "barbed wire and armed security guards", but rather "flying trapeze and safety nets".

    40. Re:Wait a second... by harry666t · · Score: 5, Insightful

      "Some researcher"!? The guy (prof. Tanenbaum) wrote the original Minix, which was the OS that inspired Linux and hosted the early stage of its development. Also see: http://en.wikipedia.org/wiki/Tanenbaum-Torvalds_debate

    41. Re:Wait a second... by Ant+P. · · Score: 2, Funny

      I thought Windows was secure. Why not use that? *cough* *cough*

      I thought OpenBSD was secure. Why not use that?

      I thought DOS was secure. Why not use that?

      I thought stone tablets were secure. Why not use them?

      Because none of these suggestions is compatible with my abacus.

      Ah. Another NetBSD user.

  2. A very good question by oneirophrenos · · Score: 3, Insightful

    The question is, can you make a system that actually works very well?

    I'm glad someone finally got to asking this question.

    1. Re:A very good question by u38cg · · Score: 2, Interesting

      You can. It just requires well defined inputs and outputs and to run on certified hardware. Software, heal thyself? There's a reason self-modifying code is frowned upon. Besides, is kernel reliability really an issue these days? Even the Windows kernel only really crashes when you feed it bad memory.

      --
      [FUCK BETA]
    2. Re:A very good question by Chrisq · · Score: 4, Informative

      Software, heal thyself? There's a reason self-modifying code is frowned upon. Besides, is kernel reliability really an issue these days? Even the Windows kernel only really crashes when you feed it bad memory.

      They are actually talking about things like driver isolation with monitoring and restarts. The answer to whether kernels are stable enough depends on your requirements. I find that I am much less forgiving when my DVD player crashes and doesn't record the film I have set than when my computer crashes, though both are now very rare events. Monitoring, isolation and restarting is used in things like engine management systems, where failures are even less welcome and a full OS with this level of reliability is bound to have applications in medicine, industry, "defence", etc.
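The monitor-and-restart approach described in this comment, as an added example (not part of the thread and not MINIX code): a user-space supervisor runs a "driver" as its own process, survives the driver's crash, and restarts it up to a bounded number of times so a persistent bug cannot turn into an endless crash loop. The names `flaky_driver` and `supervise`, the crash pattern, and the restart limit are constructed for illustration; POSIX process isolation stands in for microkernel driver isolation.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct supervise_result {
    int restarts;     /* how many times the driver was started again */
    int recovered;    /* 1 if an incarnation finally exited cleanly */
    int last_signal;  /* signal that killed the latest failed incarnation */
};

/* Constructed stand-in for a buggy driver: the first `crashes_before_ok`
 * incarnations die with SIGSEGV, later ones finish their work normally. */
static int flaky_driver(int incarnation, int crashes_before_ok)
{
    if (incarnation < crashes_before_ok) {
        raise(SIGSEGV);   /* simulates a wild-pointer fault in the driver */
        return 70;        /* only reached if the signal did not terminate us */
    }
    return 0;
}

/* Run the driver in a child process and restart it when it fails.
 * The fault stays inside the child's address space; the supervisor only
 * sees the wait status. max_restarts bounds the crash-restart cycle. */
struct supervise_result supervise(int crashes_before_ok, int max_restarts)
{
    struct supervise_result r = {0, 0, 0};

    for (int incarnation = 0; ; incarnation++) {
        pid_t pid = fork();
        if (pid < 0)
            return r;                      /* cannot start the driver at all */

        if (pid == 0) {
            /* Child: make sure SIGSEGV has its default (fatal) action. */
            signal(SIGSEGV, SIG_DFL);
            _exit(flaky_driver(incarnation, crashes_before_ok));
        }

        int status = 0;
        while (waitpid(pid, &status, 0) < 0) {
            if (errno != EINTR)
                return r;
        }

        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
            r.recovered = 1;               /* driver completed normally */
            return r;
        }
        if (WIFSIGNALED(status))
            r.last_signal = WTERMSIG(status);

        if (r.restarts >= max_restarts)
            return r;                      /* give up: looks like a crash loop */
        r.restarts++;
    }
}

int main(void)
{
    struct supervise_result transient = supervise(2, 5);
    printf("transient fault:  restarts=%d recovered=%d last_signal=%d\n",
           transient.restarts, transient.recovered, transient.last_signal);

    struct supervise_result persistent = supervise(10, 3);
    printf("persistent fault: restarts=%d recovered=%d last_signal=%d\n",
           persistent.restarts, persistent.recovered, persistent.last_signal);
    return 0;
}
```

The supervisor recovers from a transient fault but stops after the limit when the fault persists, which is the point at which a real system would have to escalate rather than keep restarting.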

    3. Re:A very good question by aliquis · · Score: 2, Funny

      10 print "no"
      20 goto 10

    4. Re:A very good question by Vanders · · Score: 5, Informative

      The problem with driver isolation is that it's a layering violation given most of today's PC hardware.

      That depends on how you've designed things, I guess. "Today's PC hardware" (& yesterday's for that matter) has always provided 4 protection ring levels, but very few OSes have ever made use of more than 2 (1 for the kernel, one for userspace). You could certainly put drivers in a higher ring than the kernel and allow them to only have limited access to memory, just as you do with a user-space application.

    5. Re:A very good question by Al+Dimond · · Score: 2, Interesting

      Yup. A dude I knew in college actually modified Linux to put drivers in one of the middle rings as a research project. Seemed like a cool project, and he had working demos of drivers crashing and restarting. I wonder why something like that hasn't caught on.

      Actually, I don't know if processor architectures other than x86 have more than 2 levels of protection. That would probably deter a lot of people, and drive them instead to a more general microkernel design. And even then, you can restart a crashed driver but it's often harder to get the device back into a usable state. I actually think having the ability to recover from some driver crashes would be useful, but I think a lot of people would be discouraged by the fact that there would still be lots of unrecoverable crashes (this is the big issue with X11 -- even though the lion's share of a GPU driver lives outside the kernel, when it crashes the GPU is left in an unknown state, and there's tons of state on a GPU. Even if an X crash hadn't left you unable to use your input devices to get back to a terminal you probably wouldn't be able to show it. This is not to say it wouldn't be nice -- logging into the terminal blind to initiate a clean shutdown would be great).

  3. The 1980s called... by Viol8 · · Score: 5, Insightful

    .. they want their funding back.

    Seriously, I thought minix had been put out to pasture years ago.

    Also what are 5 people going to manage that entire corporations and thousands of OSS developers failed to do in the last few decades? OK, one of them might be the next Alan Turing and surprise us all but I won't hold my breath.

    1. Re:The 1980s called... by FourthAge · · Score: 5, Insightful

      The aim is not to produce a better operating system, the aim is to secure funding. This is what academics actually do; good research is (at best) a byproduct. This is business as usual for a research group. The real research will be a low priority, because the group will need to satisfy the EU bureaucracy that they are doing something worthwhile. Consequently, most of their time will be spent writing reports.

      Bear in mind that ideas like "self healing software" are buzzwords that you put on research proposals in order to get them accepted. See also: "cyber-physical systems", "multicore paradigms" and "sensor networks".

      --
      The tao of democracy: the government you can vote for is not the real government.
    2. Re:The 1980s called... by Zumbs · · Score: 4, Insightful

      The point may not be to build the next big $SUPER_DUPER_OS, but to try out some new ideas and concepts for better and more robust OSs in a very controlled environment. If they get good results, the ideas may be integrated into the kernel of those other OSs, hopefully improving the quality of the OS.

      --
      The truth may be out there, but lies are inside your head
    3. Re:The 1980s called... by Chrisq · · Score: 5, Insightful

      Along the same lines as the above post.... What a waste of my taxes. I am getting fed up of hearing about cash going to dubious research projects. There are some big problems to be solved out there for example reducing man's dependence on fossil fuels and reducing the damage they cause our planet. Why are we wasting cash on this dubious project?????

      Many PhD students will feed back what they learned into industry on graduation. It's called education, and it is not a waste of money even if Minix 3 is not the next best OS. Some things that come out of it will almost certainly be used.

    4. Re:The 1980s called... by VoidCrow · · Score: 5, Insightful

      That tendency of unimaginative geeks to piss all over ideas that aren't actually in front of them and in use at that point... It's loathsome and saddening.

    5. Re:The 1980s called... by PhotoGuy · · Score: 4, Informative

      I remember Minix. Before there was Linux, Minix was around. It was my first exposure to a Unix-like operating system on a PC. It was surprisingly lean and elegant and Unix-like. I still have the box of floppies. I remember recompiling and modifying the operating system. It was indeed quite a powerful tool, and I dare say an important precursor to Linux.

      (When I first heard about Linux, I had incorrectly assumed it was an evolution of Linux.)

      I see a lot of people bashing Minix here; I don't think it will replace Linux by any means, but it is an important historical OS, IMHO.

      Wiki notes (about Linux):

      In 1991 while attending the University of Helsinki, Torvalds began to work on a non-commercial replacement for MINIX,[13] which would eventually become the Linux kernel.

      Linux was dependent on the MINIX user space at first. With code from the GNU system freely available, it was advantageous if this could be used with the fledgling OS.

      --
      Love many, trust a few, do harm to none.
    6. Re:The 1980s called... by stsp · · Score: 4, Funny

      When I first heard about Linux, I had incorrectly assumed it was an evolution of Linux.

      No no no, your assumption was correct!

  4. MINIX guy by 4D6963 · · Score: 5, Informative

    said Andrew S. Tanenbaum, a computer science professor at Vrije Universiteit

    It sounds intentionally misleading to present them as "a computer science professor" when he's the one MINIX guy.

    --
    You just got troll'd!
  5. What's the point? by seeker_1us · · Score: 2, Informative

    All respect to Andrew Tanenbaum, I'm not trying to troll. It's a sincere question.

    He has said Minix was to be a teaching tool.

    Now they want to turn it into a super reliable OS?

    I don't think it's to make it into another production OS. Could it be in order to develop new OS concepts and ideas which can be spread out to the world?

    1. Re:What's the point? by MrMr · · Score: 4, Insightful

      Yes, imagine that: A professor trying to teach students how to implement something new and potentially useful rather than clicking ok in the 'solve my problem' wizard.

    2. Re:What's the point? by MichaelSmith · · Score: 4, Interesting

      Back when Linus started to write his kernel the debate between monolithic and micro kernels still made some sense. But now more features and drivers are being written for Linux and it is getting bigger and more bloated. Functions are being put into modules but that only solves half of your problem because a module can still bring down the kernel.

      I think AST was right. Linux can't continue to use a monolithic architecture.

    3. Re:What's the point? by slabbe · · Score: 3, Informative

      From www.minix3.org "MINIX 1 and 2 were intended as teaching tools; MINIX 3 adds the new goal of being usable as a serious system on resource-limited and embedded computers and for applications requiring high reliability"

    4. Re:What's the point? by EMN13 · · Score: 4, Informative

      It's also a research OS - the aim isn't to make minix the next best thing, the aim is to research self-healing OS software by using minix as a test platform.

      Most good production software takes a good look at similar software to imitate the best features of each - this isn't a competition between minix and linux, it's testing a feature in a simpler (and thus cheaper) fashion.

    5. Re:What's the point? by irexe · · Score: 5, Informative

      I asked Tanenbaum this question at a lecture he gave on Minix 3 earlier this year. He responded that he changed his mind somewhat about the education-only issue because he felt that, to prove a point about the superiority of the microkernel design, you need to get it out of the lab and into the real world. He also felt that he could do this without hurting the simplicity of the system as a teaching tool. Incidentally, his intention is not to compete with Linux or Windows on the desktop, but rather to make a robust OS for embedded applications.

    6. Re:What's the point? by jensend · · Score: 4, Insightful

      Linus said himself, that his biggest error with Linux was, that he made it monolithic.

      [citation needed]
      All these years after the Tanenbaum-Torvalds debate Linus admitted his prof was right? You'd think that would have been in the news somewhere.

  6. A self-repairing OS? by cpghost · · Score: 2, Interesting

    Actually, it's not such a bad idea. The concept of putting important components in user-space has been around for a while, and it still has potential w.r.t. reliability. But the real question is: are only microkernel architectures capable of self-healing?

    --
    cpghost at Cordula's Web.
    1. Re:A self-repairing OS? by Jacques+Chester · · Score: 5, Insightful

      No, but dividing things into smaller pieces makes it easier to fix those pieces in isolation. It's easier for a microkernel system to be self-healing because of that isolation.

      This is not an amazing revelation. We've known about the idea of isolating changes since the invention of the sub-routine. The reason microkernels have always been relegated to second-best is that they require more context switching than a regular monolithic kernel. The tradeoff between "fast enough" and "reliable enough" has for some time now favoured "fast enough".

      But that's changing -- people's computers are getting plenty fast. The 10-15% slowdown Tanenbaum claims for Minix3 is less of a drag than, say, an anti-virus program and could serve to more effectively prevent viruses into the bargain.

      People who say microkernels are passe forget our industry is not set in stone. Priorities change and technologies change with them. In the last 10 years performance has become progressively less important than reducing bugs or speed of development. Microkernels have lots to offer in such a world.

      --

      Classical Liberalism: All your base are belong to you.

  7. Linux is Obsolete! by fishexe · · Score: 4, Funny

    Now that Minix 3 is here, Linus can take his monolithic kernel and stuff it! Microkernels are the wave of the future, man!

    --
    "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
  8. Re:Oh gawd , not microkernels again *yawn* by Chrisq · · Score: 4, Insightful

    How many times is this old chestnut going to be tossed around?

    MS tried a microkernel with NT and its HAL. It didn't really work very well. Most Unix variants don't even bother to try.

    I think you are right at the moment. I am not sure that you will still be right when processors are 256-core or greater. I think that at some point the overhead of microkernels will be made up for by utilisation of greater parallelisation.

  9. Minix 3 source code by Jacques+Chester · · Score: 3, Informative

    I'd recommend people take a look at the source code for Minix 3. It's actually pretty easy to wrap your head around, even for a C-phobic person like I am.

    --

    Classical Liberalism: All your base are belong to you.

  10. System security is only half the rent by Opportunist · · Score: 2, Insightful

    The other is user security. And you cannot solve that problem with technology.

    The circle you have to square here is that the user/admin should be allowed and able to run his software, but at the same time he must not run harmful software. Now, how do you plan to implement that? Either he can run arbitrary software, then you cannot identify security risks before it is too late. Or he cannot run software that is a potential security risk and he is no longer the master, owner and root of his own machine.

    Oh, you want a system where the user can generally do his work but has to ask for special privileges when he wants to install new software or change security critical settings? Where have I heard 'bout that before... hmmm...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:System security is only half the rent by Jacques+Chester · · Score: 2, Informative

      The Singularity project at MSR looked at this problem in a different way. What if each piece of software carries a protocol specification? What services it will require, in what order?

      Then you can do various clever things involving proving that the system won't do anything malicious. If the software tries to do something outside of its specified protocol, then zappo, it's gone. This has the nice side effect that you don't need to rely on hardware memory protection and therefore you don't have to pay context switches. Singularity's process startup and kill times leave everyone else for dead.

      But Singularity only works because of language features and requires you to do everything in a conforming language (Spec#). Probably the most meaningful predecessor was Oberon.

      Minix has a better chance of working in the "real world" because it takes a less all-or-nothing approach to the problem. For instance, Minix3 is coded in C, which is fast but unsafe. But Minix supports a lot of POSIX and could conceivably add Linux emulation as a module, whereas Singularity requires you to rewrite everything to enjoy the guarantees.

      Tanenbaum makes the further point that no matter what you prove, software has bugs. If you isolate the bugs you reduce their cost. If you simplify recovery from failure you reduce their cost still further. A microkernel approach does just these things and so would presumably be more reliable on a per-line-of-code basis than a monolithic kernel.

      --

      Classical Liberalism: All your base are belong to you.

  11. Re:Linux is obsolete by fishexe · · Score: 3, Funny

    "Of course 5 years from now that will be different, but 5 years from now everyone will be running free GNU on their 200 MIPS, 64M SPARCstation-5."

    Man, remember back in '96 when we all got SPARCstations? Those were the days.

    --
    "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
  12. Re:Tanenbaum? by Ragzouken · · Score: 5, Funny

    Actually he said: "Be thankful you are not my student. You would not get a high grade for such a design :-)" the :-) is important.

  13. Hooray! by Cornwallis · · Score: 5, Funny

    2009 will finally be the Year of the Minix Desktop!

  14. perhaps their work will inspire by ei4anb · · Score: 4, Interesting

    I remember submitting some patches to them many years ago when I got Minix working in less than one megabyte of RAM (at the time Minix worked at 1Mb and up) and thinking that it would be nice if it were GPL and if I had the time...
    As I recall some guy in Finland did have the time.

  15. Re:Tanenbaum? by miketheanimal · · Score: 5, Insightful

    Has anyone noticed how more and more stuff gets moved from the Linux kernel into user space these days; FUSE is a good example. History may record that, broadly speaking, Tanenbaum was correct and Torvalds was not. Anyway, I assume you are saying that since Linux has been so much more successful than Minix, we must listen to Torvalds and ignore Tanenbaum? On that basis, we should listen to Gates and ignore Torvalds!

  16. Even more misleading by EmTeedee · · Score: 5, Informative

    ...is to call this news. The grant was received in November 2008! (see http://www.minix3.org/news/)

  17. Why would you think Minix was dead? by jonaskoelker · · Score: 5, Funny

    I thought Minix was dead for some 15 years....

    Did netcraft confirm it?

    1. Re:Why would you think Minix was dead? by AHuxley · · Score: 2, Interesting

      Did SCO confirm it?

      --
      Domestic spying is now "Benign Information Gathering"
  18. Sometimes by HarryatRock · · Score: 2, Interesting

    I have been trying to answer that question for more than 40 years, and I can say the answer is :: sometimes. The trouble is you need lots of money (i.e. man hours + very good kit + a very well defined problem + lots of testing), unfortunately experience shows that when you get all of that, the system is obsolete by the time you hand it over to the user. It's better to aim for good enough.

    --
    nec sorte nec fato
  19. Re:Linux is obsolete by AVee · · Score: 2, Insightful

    Hahaha. I'm completely new to this debate (yeah, I know - what a n00b !). Has Tanenbaum ever withdrawn his arguments in the light of experience ? Has he ever thrown up his hands and said "You know, I was just plain wrong. Mea culpa." ?

    No, why should he? Because Linux is more popular than Minix? I'd guess most people here should start sending Mea Culpas to Microsoft...

  20. EU Bureaucracy... by js_sebastian · · Score: 5, Informative

    The aim is not to produce a better operating system, the aim is to secure funding. This is what academics actually do; good research is (at best) a byproduct. This is business as usual for a research group.

    Not really. The purpose is doing the research you are interested in doing (even if it's just for your career ambitions). For that you need funding. So of course you have to do some marketing to sell the research you want to do to the people deciding whom to fund. You think this guy has been doing MINIX for 20 years just to get funding? It's the other way around, you get funding, to be independent and have people work for you so you can get some interesting stuff done. Or, if you are more cynical, he's working on MINIX because it generated enough interest that he could get a ton of publications out of it.

    The real research will be a low priority, because the group will need to satisfy the EU bureaucracy that they are doing something worthwhile. Consequently, most of their time will be spent writing reports.

    From my experience this is a bit of an exaggeration. It's true that EU-funded projects have more strings attached than those from many other funding sources, but running the bureaucracy/reports/financials for an EU project that is funding 3 full time people at our university still only takes a rather small percentage of my time.

    And that's a lot more freedom to do real research than in any company environment I've seen or heard of so far. Big companies (even the good ones) have IMHO more bureaucracy, not less, and short-term horizon (want returns in 3, 5 years at the most), which means very little of what is called "research and development" has anything to do with research.

  21. Doesn't anybody think the hardware is the problem? by master_p · · Score: 4, Interesting

    The real reason there is no security and that we have the monolithic vs micro kernel is that CPUs provide process isolation and not component isolation. Within a process, CPUs do not provide any sort of component isolation. If they did, then we would not have this discussion.

    I once asked Tanenbaum (via email, he was kind enough to reply) why CPUs do not have in-process module isolation. He replied:

    From: Andy Tanenbaum [ast@cs.vu.nl]
    Sent: Friday, 1 February 2008 4:00 PM
    To:
    Subject: Re: The debate monolithic vs micro kernels would not exist if CPUs
    supported in-process modules.

    I think redesigning CPUs is going to be a pretty tough sell.

    Andy Tanenbaum

    But why? I disagree with that for two reasons:

    1) the flat address space need not be sacrificed. All that is required is a paging system extension that defines the component a page belongs to. The CPU can check inter-component access in the background. No change in the current software will be required. The only extra step would be to isolate components within a process, by setting the appropriate paging system extensions.

    2) The extension will require minimal CPU space and CPU designers already have great experience in such designs (TLBs, etc). Money has been invested for less important problems (hardware sound, for example), so why not for in-process components? It will be very cheap, actually.

    Of course, security is not only due to the lack of in-process component isolation, but it's a big step in the right direction...
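
The per-page component tag proposed in the comment above, modelled as an added example (not part of the original post or of any real CPU): the `component` field, the `grant` matrix, the fault codes and the page layout are all hypothetical names and constructed values, and the grant matrix is an assumption about how permitted inter-component access would be expressed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define NPAGES 16
#define NCOMP  4
enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXEC = 4 };
enum { ACCESS_OK = 0, FAULT_UNMAPPED = -1, FAULT_PAGE_PERM = -2, FAULT_COMPONENT = -3 };

struct pte {
    uint8_t present;
    uint8_t perms;      /* ordinary per-page R/W/X bits */
    uint8_t component;  /* hypothetical extension: component owning the page */
};

struct mmu {
    struct pte pt[NPAGES];
    uint8_t grant[NCOMP][NCOMP];  /* grant[from][to]: rights across components */
};

void map_page(struct mmu *m, unsigned page, uint8_t perms, uint8_t comp)
{
    m->pt[page] = (struct pte){ 1, perms, comp };
}

/* The check the hardware would make on every access: the executing page (pc)
 * identifies the calling component, the target page the owning one. */
int check_access(const struct mmu *m, uint32_t pc, uint32_t addr, uint8_t kind)
{
    uint32_t src = pc >> PAGE_SHIFT, dst = addr >> PAGE_SHIFT;
    if (src >= NPAGES || dst >= NPAGES || !m->pt[src].present || !m->pt[dst].present)
        return FAULT_UNMAPPED;
    if ((m->pt[dst].perms & kind) != kind)
        return FAULT_PAGE_PERM;
    uint8_t from = m->pt[src].component, to = m->pt[dst].component;
    if (from != to && (m->grant[from][to] & kind) != kind)
        return FAULT_COMPONENT;
    return ACCESS_OK;
}

/* Constructed layout: kernel core = 0, driver = 1, file system = 2.
 * With tagged == 0 every page stays in component 0 (today's behaviour). */
void build_layout(struct mmu *m, int tagged)
{
    memset(m, 0, sizeof *m);
    map_page(m, 0, ACC_READ | ACC_EXEC,  0);               /* core code   */
    map_page(m, 2, ACC_READ | ACC_WRITE, 0);               /* core data   */
    map_page(m, 4, ACC_READ | ACC_EXEC,  tagged ? 1 : 0);  /* driver code */
    map_page(m, 5, ACC_READ | ACC_WRITE, tagged ? 1 : 0);  /* driver data */
    map_page(m, 9, ACC_READ | ACC_WRITE, tagged ? 2 : 0);  /* fs data     */
    m->grant[1][0] = ACC_EXEC;  /* driver may call into core code           */
    m->grant[0][1] = ACC_READ;  /* core may read, not write, driver buffers */
}

int probe(int tagged, uint32_t pc, uint32_t addr, uint8_t kind)
{
    struct mmu m;
    build_layout(&m, tagged);
    return check_access(&m, pc, addr, kind);
}

int main(void)
{
    printf("driver -> own data  : %d\n", probe(1, 0x4010, 0x5000, ACC_WRITE));
    printf("driver -> core data : %d\n", probe(1, 0x4010, 0x2000, ACC_WRITE));
    printf("untagged, same write: %d\n", probe(0, 0x4010, 0x2000, ACC_WRITE));
    return 0;
}
```

The same stray write from driver code into core data succeeds when no pages are tagged and faults once they are, while the address space stays flat in both cases.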

  22. How about not by Viol8 · · Score: 2, Informative

    A number of issues I can see:

    - A bug in the VM could affect EVERY driver on the system
    - Drivers generally need to respond to hardware interrupts and send out data to hardware in real time. That's unlikely to happen if it's managed code.
    - A VM/JIT system would only catch memory issues. It wouldn't catch out bad logic or instructions that make the hardware go nuts and crash the machine anyway.

  23. Re:How about JIT in the Kernel? by dido · · Score: 2, Interesting

    The folks at Bell Labs who invented Unix and Plan 9 have been doing all that and more since the mid-1990s with Inferno. The core kernel is pure C, which has a bytecode interpreter for the Dis virtual machine, which almost all userspace code runs as, allowing it to run code safely even on CPUs that don't have hardware memory protection. Add to that a neat C-like programming language called Limbo that natively supports primitives inspired by C.A.R. Hoare's Communicating Sequential Processes, full support for distributed processing technology first developed for Plan 9, and you've got a really interesting open source embedded distributed OS that is working today.

    --
    Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
  24. Re:Linux is obsolete by Anonymous Coward · · Score: 2, Interesting

    According to the professor, it should soon make Linux obsolete.

    Phillip.

    A great thread to point out Torvalds hasn't changed much. He's still the same arrogant prick he was back then.

    Replying like an inane troll to the professor's insightful and constructive comments. Repeatedly.

    Mail after mail, Tanenbaum comes off as an intelligent gentleman, while Torvalds as a frustrated teenager.

    He did get one thing right though: it was free, and that made it better.

    (Posting AC after modding the parent informative. And yeah, I run Linux.)

  25. Re:So? by zevans · · Score: 2, Informative

    It's interesting to a good number of people here, especially those with six-figure or shorter UIDs, for historical reasons. Pity the summary doesn't mention those reasons AT ALL.

    Minix came Before Linux (yes, there is such an era) and the Minix and Gnu communities encouraged one another in the same way that Linux and FOSS cross-fertilise now.

    --
    "... and more and more now there are all kinds of electronic goodies available" -- Pink Floyd 1972
  26. Re:Tanenbaum? by Xest · · Score: 5, Insightful

    That's a rather ignorant viewpoint.

    Tanenbaum argued for greater modularity and really that's no bad thing, his arguments were pretty solid theoretically. But as we all know, just as the most beautiful, maintainable, stable software designs are sacrificed in business for something that works now even if it has its flaws, Linux was available, easy to use and just worked the way people wanted, that didn't mean it was inherently better in theory or that Tanenbaum is wrong any more than it means Windows is a vastly superior OS to Linux and MacOS X simply because it has such a massively larger user base.

    Basing your view on Tanenbaum's one comment towards Torvalds is also rather ignorant, throughout the discussion you're referring to, Tanenbaum was well composed and formed coherent arguments, whilst Torvalds at times acted like your average troll.

    You see, the very fact Windows is far and away the most popular OS followed by MacOS X followed by Linux is evidence enough that popularity means nothing in terms of the actual quality of an OS, it merely shows which played the business game better.

    Tanenbaum is worth listening to, his ideas and justifications included in that 17 year old discussion you mention aren't wrong even if his predictions on the future of computing were. This is a man who understands the theory of how to make a better OS more so than most people do, and yes possibly even more so than Torvalds. The problem is that he's a theoretical guy, so whilst his proposals may be better, they may not be practical at the time they're announced or he simply may not have the time to dedicate to proving their practicality. If they're not practical at the time he proposes them though that doesn't mean they'll never be practical as changes in computing architecture or even raw computing power may make them practical.

    Hopefully he'll put this funding to good use and it'll help provide him the time and resources he needs to take his ideas beyond mere theory and he'll be able to back up his theories with actual working demonstrations rather than just arguments now. You can be a Torvalds fanboy all you want but Tanenbaum and Torvalds are two different people - Tanenbaum is someone who comes up with theoretical new concepts, Torvalds is someone who takes existing concepts and implements them well. Both have their strengths, but writing one or the other off is foolish when both have a lot to offer.

  27. Re:Oh gawd , not microkernels again *yawn* by Chrisq · · Score: 2, Informative

    Basically a microkernel architecture splits subsystems such as file systems, device drivers and security out of the kernel and into separate modules. This leads to an overhead of context switching to different processes on a single processor. A user process requesting access to a file may need a context switch to the kernel, another to security, another to the filesystem and then another to the disk device driver. With multiple processors this overhead can be removed.

  28. Re:OS fixes itself already by Ant+P. · · Score: 2, Insightful

    30 seconds when you're sat on your ass in front of your PC.

    Try power-cycling a weather satellite in 30 seconds.

  29. Re:Tanenbaum? by Xest · · Score: 2, Insightful

    I agree, I suppose the kind of factors in terms of quality that Windows lacks vs. say Linux are those of security and stability, but Windows is also historically much stronger in terms of usability which is a measure of quality that matters more than any other to most end users - they just want to be able to use it, even if it's not perhaps all that secure.

    I would argue though, that from a more objective perspective though, security, stability and modularity are more important factors when measuring overall quality, it's simply that most end users don't realise this until it comes back to bite them (i.e. they lose all their documents to a virus, or lose documents to a crash etc.).