Linux Study Argues Monolithic OS Design Leads To Critical Exploits (osnews.com)
Long-time Slashdot reader Mike Bouma shares a paper (via OS News) making the case for "a small microkernel as the core of the trusted computing base, with OS services separated into mutually-protected components (servers) -- in contrast to 'monolithic' designs such as Linux, Windows or MacOS."
While intuitive, the benefits of the small trusted computing base have not been quantified to date. We address this by a study of critical Linux CVEs [PDF] where we examine whether they would be prevented or mitigated by a microkernel-based design. We find that almost all exploits are at least mitigated to less than critical severity, and 40% completely eliminated by an OS design based on a verified microkernel, such as seL4....
Our results provide very strong evidence that operating system structure has a strong effect on security. 96% of critical Linux exploits would not reach critical severity in a microkernel-based system, 57% would be reduced to low severity, the majority of which would be eliminated altogether if the system was based on a verified microkernel. Even without verification, a microkernel-based design alone would completely prevent 29% of exploits...
The conclusion is inevitable: From the security point of view, the monolithic OS design is flawed and a root cause of the majority of compromises. It is time for the world to move to an OS structure appropriate for 21st century security requirements.
Maybe Tanenbaum was right. 26 years isn't that long for this debate to come back around again.
...if you can read this, you have too much education...
Consider QNX and its vulnerabilities (the entire software stack) and here's what we have for the Linux kernel (again, kernel alone) whose source is ostensibly verified by millions of eyes.
And here's another almost shameful development: Linux and Open Source are all the rage amongst Open Source fans, yet for some reasons it's been hinted that Google is transitioning from the monolithic Linux kernel (lacking internal stable API/ABI) to its own microkernel, Fuchsia (with stable API/ABI).
Yeah. The original NT microkernel was not VMS derived, but was a salvage-job from the design work that Cutler and team started for DEC Prism, in their Portland R&D location.
DEC cut Cutler over the period that they re-targeted for Alpha as their RISC evolution. Gates swooped on him, to deliver the kernel of his vision for "32-bit OS/2", and break away from the control IBM held over roadmap. IBM OS/400 business was effectively gatekeeping a 32-bit PC OS, even as 32-bit CPUs were effectively mainstream.
Once NT was faced with competitive challenges and requirements to match earlier Windows desktop use cases, the microkernel design fell rapidly by the wayside, with principal OS modules run as additional processes in Ring 0, or completely included as functions of the OS kernel. You saw this in graphics first, I think as early as 3.51, but it MIGHT have been 4.0.
"Flyin' in just a sweet place,
Never been known to fail..."