MK++ A High Assurance Operating System Kernel
Shai Guday, David Black
MK++ Results
- MK++ is a complete reimplementation of the essential Mach abstractions for use in a B3 (TCSEC class B3) formal evaluation
- A microkernel for TIS's TrustBase, at the B3 level of assurance
- Good performance as well as high assurance
- An "essential microkernel" with only those features and functions truly needed
- All B3 assurance requirements have been met

High Assurance Software Engineering
Object Oriented Layering
Brief History of Software Engineering
MK++ Internal Architecture

Layer diagram (layer names as they appear on the slide, top to bottom):
- Resource Management Objects
- Kernel Interface
- Space Accounting
- Processor Scheduling
- Connection Management
- Transfer Management
- Memory Extent Management
- Resident Memory Management
- Clock/Device Services (Clock Mgmt, Device Mgmt)

Subsystems labelled on the diagram: User AddrSpace, User PortNamespace, VM, Clocks and Devices, Tasks/Threads/Resources, PC
Object Decomposition

Relationship Decomposition
Benefits of Object Oriented Layering

- Lock hierarchy based on layer hierarchy
  - MK++ is fully preemptible and multithreaded
- Simplified initialization
  - Run constructors in order from lowest layer to highest layer
  - Easy to determine what functionality is available at each layer
- Significant layer enforcement at compile time
  - Compiler rejects circular inheritance
  - Header file discipline: don't include header files from higher layers
- ... in addition to improved code structure and assurance
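The two enforcement ideas above (a lock order derived from the layer order, and a layering rule the compiler can check) in working C++, as an added example for this page rather than MK++ source. Layer names follow the internal architecture slide; the numeric levels, the rule that a thread may take a lock only at a strictly lower layer than every lock it already holds, and the class and function names are assumptions made for this illustration.

```cpp
#include <cstdio>
#include <initializer_list>
#include <vector>

namespace mkpp_layering {

// Layer levels: lowest (most primitive) layer = smallest number.
// Names from the slide; the numbers are an assumption for this example.
enum Layer : int {
  ResidentMemory  = 1,
  MemoryExtent    = 2,
  Transfer        = 3,
  Connection      = 4,
  ProcessorSched  = 5,
  SpaceAccounting = 6,
  KernelInterface = 7,
};

// The layering rule in compile-time form: code in layer `from` may depend on
// (include headers of, call into, take locks of) layer `to` only if `to` is
// strictly lower. In a static_assert this turns a violation into a build error.
constexpr bool may_depend_on(int from, int to) { return to < from; }
static_assert(may_depend_on(Connection, Transfer), "IPC may use the transfer layer");
static_assert(!may_depend_on(Transfer, Connection), "no upward dependency allowed");

// Layers whose locks the current thread holds, innermost last.
thread_local std::vector<int> g_held;

class LayerLock {
 public:
  explicit LayerLock(Layer layer) : layer_(layer) {}

  // Acquire only if every lock already held sits at a strictly higher layer.
  // Every acquisition then moves down one fixed total order, so no cycle of
  // waiters can form and these locks cannot deadlock. A debug kernel would
  // panic on a violation; this example reports it by returning false.
  bool acquire() {
    for (int held : g_held)
      if (!may_depend_on(held, layer_)) return false;
    locked_ = true;  // stands in for the real spin lock / mutex
    g_held.push_back(layer_);
    return true;
  }

  // Releases must be innermost-first (stack discipline).
  void release() {
    g_held.pop_back();
    locked_ = false;
  }

  bool locked() const { return locked_; }

 private:
  int layer_;
  bool locked_ = false;
};

// Take a chain of locks in call order. On a hierarchy violation, release what
// was taken (innermost first) and report failure.
bool try_lock_chain(std::initializer_list<LayerLock*> chain) {
  std::vector<LayerLock*> taken;
  bool ok = true;
  for (LayerLock* l : chain) {
    if (!l->acquire()) { ok = false; break; }
    taken.push_back(l);
  }
  for (auto it = taken.rbegin(); it != taken.rend(); ++it) (*it)->release();
  return ok;
}

// An IPC send that copies a message body: connection -> transfer -> memory.
bool ipc_send_path_ok() {
  LayerLock conn(Connection), xfer(Transfer), rmem(ResidentMemory);
  return try_lock_chain({&conn, &xfer, &rmem});
}

// A memory path that tries to call back up into the IPC layer while holding a
// memory lock: the hierarchy rejects it.
bool upcall_from_memory_ok() {
  LayerLock rmem(ResidentMemory), conn(Connection);
  return try_lock_chain({&rmem, &conn});
}

}  // namespace mkpp_layering

int main() {
  using namespace mkpp_layering;
  std::printf("downward IPC chain: %s\n", ipc_send_path_ok() ? "ok" : "rejected");
  std::printf("upcall from memory: %s\n", upcall_from_memory_ok() ? "ok" : "rejected");
  return 0;
}
```

The same `may_depend_on` predicate serves both checks: at compile time it rejects a dependency pointing up the layer stack, and at run time it rejects a lock acquisition pointing up the stack. That is the point of tying the lock hierarchy to the layer hierarchy: one ordering, enforced in two places, with no separate lock-order document to keep in sync.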
A Few Words About Performance

- MK++ performance is comparable to Mach
  - Even on highly optimized Mach code paths
  - Performance is more robust (no special-case "fast paths")
  - Kernel microbenchmarks (IPC, page fault, task create)
- Extensive use of inline methods
  - MK++ has lots of tiny methods, but most of them are inline
- Disciplined use of virtual methods
  - Layering forces attention to this
- C++ is not slow in the hands of competent software engineers!
Sharper Tools

- Layer Verification Tool: enforce the layering architecture
- Covert Storage Channel Tool: find all storage channels (but not timing channels)
- Tools find many problems missed by people
- Incremental execution would be very useful
- Hook tools into the source control system
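The simplest check a layer verification tool can make is the header-file discipline from the previous slide: no file may include a header from a higher layer. The following is an added example written for this page, not the TIS tool: it assigns each file a layer from its directory name, scans quoted `#include` directives, and reports every include that reaches upward. Directory names, file names and the sample tree are constructed assumptions.

```cpp
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <vector>

namespace layer_check {

// Layer of each source directory. Directory names are an assumption; the
// order follows the slide's layer list (lowest layer = 1).
const std::map<std::string, int> kDirLayer = {
    {"rmem",   1},  // Resident Memory Management
    {"extent", 2},  // Memory Extent Management
    {"xfer",   3},  // Transfer Management
    {"conn",   4},  // Connection Management
    {"sched",  5},  // Processor Scheduling
    {"kif",    7},  // Kernel Interface
};

// Layer of a path such as "conn/port.h", taken from its first component.
// Returns 0 for anything outside the layered tree (system headers etc.).
int layer_of(const std::string& path) {
  size_t slash = path.find('/');
  if (slash == std::string::npos) return 0;
  auto it = kDirLayer.find(path.substr(0, slash));
  return it == kDirLayer.end() ? 0 : it->second;
}

struct Violation {
  std::string file;
  int line;
  std::string header;
};

// Scan one file's text for `#include "..."` and report each header that
// belongs to a strictly higher layer than the including file. Angle-bracket
// includes are skipped: they are outside the layered tree.
std::vector<Violation> check_file(const std::string& file, const std::string& text) {
  std::vector<Violation> out;
  int my_layer = layer_of(file);
  std::istringstream in(text);
  std::string line;
  for (int n = 1; std::getline(in, line); ++n) {
    size_t p = line.find_first_not_of(" \t");
    if (p == std::string::npos || line.compare(p, 8, "#include") != 0) continue;
    size_t q1 = line.find('"', p);
    if (q1 == std::string::npos) continue;
    size_t q2 = line.find('"', q1 + 1);
    if (q2 == std::string::npos) continue;
    std::string header = line.substr(q1 + 1, q2 - q1 - 1);
    int hl = layer_of(header);
    if (hl != 0 && my_layer != 0 && hl > my_layer) out.push_back({file, n, header});
  }
  return out;
}

// Run the check over a tree given as (path, contents) pairs.
std::vector<Violation> check_tree(const std::map<std::string, std::string>& tree) {
  std::vector<Violation> all;
  for (const auto& kv : tree) {
    std::vector<Violation> v = check_file(kv.first, kv.second);
    all.insert(all.end(), v.begin(), v.end());
  }
  return all;
}

// Constructed sample tree (not MK++ source). xfer/copy.cc reaches up into the
// connection layer, which the layering rule forbids.
const std::map<std::string, std::string> kSampleTree = {
    {"conn/port.cc",
     "#include \"conn/port.h\"\n#include \"xfer/copy.h\"\n#include <cstddef>\n"},
    {"xfer/copy.cc",
     "#include \"xfer/copy.h\"\n#include \"rmem/page.h\"\n"
     "  #include \"conn/port.h\"  // upward dependency\n"},
    {"rmem/page.cc", "#include \"rmem/page.h\"\n"},
};

}  // namespace layer_check

int main() {
  std::vector<layer_check::Violation> v = layer_check::check_tree(layer_check::kSampleTree);
  for (const auto& x : v)
    std::printf("%s:%d: includes \"%s\" from a higher layer\n",
                x.file.c_str(), x.line, x.header.c_str());
  return v.empty() ? 0 : 1;  // non-zero exit lets a source-control hook block the commit
}
```

Returning a non-zero exit status on any violation is what makes the "hook tools into the source control system" bullet practical: a pre-commit hook runs the check over the changed files and refuses the commit, so an upward dependency never reaches the tree. Incremental execution is then just the hook passing only the changed files instead of the whole tree.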
Formal Methods

- Generated runtime assertions based on the formal model
  - IPC subsystem invariant checks
- The good news: found 4 serious problems missed by development and review
- The bad news: missed at least one more
  - Kernel not exercised under all possible conditions
  - Test coverage is not a new problem; neither is it a solved problem
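What a runtime assertion derived from a formal model looks like, as an added example for this page (not MK++'s generated checks or its IPC code): a toy model of Mach-style ports and port rights, two invariants the model would state, and a checker that re-evaluates them after a sequence of operations. A deliberately buggy variant of one operation shows the kind of bookkeeping slip that review misses and the assertion catches. The structure names, the operations and the scenario are assumptions; the send-right-count invariant is in the style of Mach's port accounting but is not claimed to be MK++'s.

```cpp
#include <cstdio>
#include <initializer_list>
#include <map>
#include <string>
#include <vector>

namespace ipc_model {

enum RightKind { Send, Receive };

struct Port {
  int srights = 0;    // outstanding send rights, as counted by the port
  int receiver = -1;  // task holding the receive right, -1 if none
};

struct Entry { int port; RightKind kind; };

struct System {
  std::vector<Port> ports;
  // task id -> (name in that task's port namespace -> right held under it)
  std::map<int, std::map<int, Entry>> tasks;
};

// Invariants the formal model states (illustrative):
//  I1: port.srights equals the number of Send entries naming it, over all tasks
//  I2: port.receiver is the unique task holding a Receive entry for it (or -1)
// A generated assertion calls this after every IPC operation in a test kernel.
std::vector<std::string> check_invariants(const System& s) {
  std::vector<std::string> bad;
  const size_t n = s.ports.size();
  std::vector<int> send_count(n, 0), recv_count(n, 0), recv_holder(n, -1);
  for (const auto& t : s.tasks)
    for (const auto& e : t.second) {
      if (e.second.kind == Send) ++send_count[e.second.port];
      else { ++recv_count[e.second.port]; recv_holder[e.second.port] = t.first; }
    }
  for (size_t p = 0; p < n; ++p) {
    if (s.ports[p].srights != send_count[p])
      bad.push_back("I1 port " + std::to_string(p) + ": srights=" +
                    std::to_string(s.ports[p].srights) + " but " +
                    std::to_string(send_count[p]) + " send right(s) exist");
    int expect_recv = recv_count[p] == 1 ? recv_holder[p] : -1;
    if (recv_count[p] > 1 || expect_recv != s.ports[p].receiver)
      bad.push_back("I2 port " + std::to_string(p) + ": receive right bookkeeping inconsistent");
  }
  return bad;
}

// Allocate a port whose receive right lands in `task` under `name`.
int allocate_port(System& s, int task, int name) {
  int p = static_cast<int>(s.ports.size());
  s.ports.push_back(Port{});
  s.ports[p].receiver = task;
  s.tasks[task][name] = Entry{p, Receive};
  return p;
}

// Give `task` a send right for port `p` under `name`. With `buggy` set, the
// namespace entry is created but the port's count is not bumped.
void insert_send_right(System& s, int p, int task, int name, bool buggy) {
  s.tasks[task][name] = Entry{p, Send};
  if (!buggy) ++s.ports[p].srights;
}

// Constructed scenario: task 1 creates a port; tasks 2 and 3 each receive a
// send right to it. Returns the invariant violations found afterwards.
std::vector<std::string> run_scenario(bool buggy) {
  System s;
  int p = allocate_port(s, /*task=*/1, /*name=*/0x103);
  insert_send_right(s, p, 2, 0x207, false);
  insert_send_right(s, p, 3, 0x30b, buggy);
  return check_invariants(s);
}

bool scenario_ok(bool buggy) { return run_scenario(buggy).empty(); }

}  // namespace ipc_model

int main() {
  for (bool buggy : {false, true}) {
    std::vector<std::string> bad = ipc_model::run_scenario(buggy);
    std::printf("%s build: %zu violation(s)\n", buggy ? "buggy" : "correct", bad.size());
    for (const auto& m : bad) std::printf("  %s\n", m.c_str());
  }
  return 0;
}
```

The "bad news" bullet applies directly here: the assertion only fires on the sequence the test actually runs. A bookkeeping slip on a path never exercised (a right destroyed during task termination, say) stays hidden, which is why the slide treats generated assertions as a complement to test coverage rather than a substitute for it.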
Conclusion

- Assurance is only possible if software practitioners can reason about the software
- High assurance analysis and design are necessary for high assurance software
- Software engineering techniques exist for practical development of high assurance software
- The combination of layering and object orientation supports decomposition of complex system software, e.g. the MK++ microkernel
- Need advances in the state of the art
  - Object interface design
  - Dependency decomposition and encapsulation
  - Assured design patterns (aka frameworks)
  - Framework composition rules