EROS (microkernel)

EROS
Developer	University of Pennsylvania ; Johns Hopkins University ; The EROS Group, LLC
Written in	C
OS family	Capability-based
Working state	Discontinued
Initial release	1991;31 years ago
Latest release	Final / 2005;17 years ago
Marketing target	Research
Available in	English
Update method	Compile from source code
Platforms	IA-32
Kernel type	Real-time microkernel
Default; user interface	Command-line interface
Preceded by	KeyKOS
Succeeded by	CapROS

Last updated May 15, 2022

Extremely Reliable Operating System (EROS) is an operating system developed starting in 1991 at the University of Pennsylvania, and then Johns Hopkins University, and The EROS Group, LLC. Features include automatic data and process persistence, some preliminary real-time support, and capability-based security. EROS is purely a research operating system, and was never deployed in real world use. As of 2005^[update], development stopped in favor of a successor system, CapROS.

Key concepts

The overriding goal of the EROS system (and its relatives) is to provide strong support at the operating system level for the efficient restructuring of critical applications into small communicating components. Each component can communicate with the others only through protected interfaces, and is isolated from the rest of the system. A protected interface, in this context, is one that is enforced by the lowest level part of the operating system, the kernel. That is the only part of the system that can move information from one process to another. It also has complete control of the machine and (if properly constructed) cannot be bypassed. In EROS, the kernel-provided mechanism by which one component names and invokes the services of another is a capability, using inter-process communication (IPC). By enforcing capability-protected interfaces, the kernel ensures that all communications to a process arrive via an intentionally exported interface. It also ensures that no invocation is possible unless the invoking component holds a valid capability to the invoked component. Protection in capability systems is achieved by restricting the propagation of capabilities from one component to another, often through a security policy termed confinement.

Capability systems naturally promote component-based software structure. This organizational approach is similar to the programming language concept of object-oriented programming, but occurs at larger granularity and does not include the concept of inheritance. When software is restructured in this way, several benefits emerge:

The individual components are most naturally structured as event loops. Examples of systems that are commonly structured this way include aircraft flight control systems (see also DO-178B Software Considerations in Airborne Systems and Equipment Certification), and telephone switching systems (see 5ESS switch). Event-driven programming is chosen for these systems mainly because of simplicity and robustness, which are essential attributes in life-critical and mission-critical systems.
Components become smaller and individually testable, which helps to more readily isolate and identify flaws and bugs.
The isolation of each component from the others limits the scope of any damage that may occur when something goes wrong or the software misbehaves.

Collectively, these benefits lead to measurably more robust and secure systems. The Plessey System 250 was a system originally designed for use in telephony switches, which capability-based design was chosen specifically for reasons of robustness.

In contrast to many earlier systems, capabilities are the only mechanism for naming and using resources in EROS, making it what is sometimes referred to as a pure capability system. In contrast, IBM i is an example of a commercially successful capability system, but it is not a pure capability system.

Pure capability architectures are supported by well-tested and mature mathematical security models. These have been used to formally demonstrate that capability-based systems can be made secure if implemented correctly. The so-called "safety property" has been shown to be decidable for pure capability systems (see Lipton). Confinement, which is the fundamental building block of isolation, has been formally verified to be enforceable by pure capability systems,^[1] and is reduced to practical implementation by the EROS constructor and the KeyKOS factory. No comparable verification exists for any other primitive protection mechanism. There is a fundamental result in the literature showing that safety is mathematically undecidable in the general case (see HRU, but note that it is of course provable for an unbounded set of restricted cases^[2]). Of greater practical importance, safety has been shown to be false for all of the primitive protection mechanisms shipping in current commodity operating systems. Safety is a necessary precondition to successful enforcement of any security policy. In practical terms, this result means that it is not possible in principle to secure current commodity systems, but it is potentially possible to secure capability-based systems provided they are implemented with sufficient care. Neither EROS nor KeyKOS has ever been successfully penetrated, and their isolation mechanisms have never been successfully defeated by any inside attacker, but it is not known whether the two implementations were careful enough. One goal of the Coyotos project was to demonstrate that component isolation and security has been definitively achieved by applying software verification techniques.

The L4.sec system, which is a successor to the L4 microkernel family, is a capability-based system, and has been significantly influenced by the results of the EROS project. The influence is mutual, since the EROS work on high-performance invocation was motivated strongly by Jochen Liedtke's successes with the L4 microkernel family.

History

The primary developer of EROS was Jonathan S. Shapiro. He was also the driving force behind Coyotos, which was an "evolutionary step"^[3] beyond the EROS operating system.^[4]

The EROS project started in 1991 as a clean-room reconstruction of an earlier operating system, KeyKOS. KeyKOS was developed by Key Logic, Inc., and was a direct continuation of work on the earlier Great New Operating System In the Sky (GNOSIS) system created by Tymshare, Inc. The circumstances surrounding Key Logic's demise in 1991 made licensing KeyKOS impractical. Since KeyKOS did not run on popular commodity processors in any case, the decision was made to reconstruct it from the publicly available documentation.

By late 1992, it had become clear that processor architecture had changed significantly since the introduction of the capability idea, and it was no longer obvious that component-structured systems were practical. Microkernel-based systems, which similarly favor large numbers of processes and IPC, were facing severe performance challenges, and it was uncertain if these could be successfully resolved. The x86 architecture was clearly emerging as the dominant architecture but the expensive user/supervisor transition latency on the 386 and 486 presented serious challenges for process-based isolation. The EROS project was turning into a research effort, and moved to the University of Pennsylvania to become the focus of Shapiro's dissertation research. By 1999, a high performance implementation for the Pentium processor had been demonstrated that was directly performance competitive with the L4 microkernel family, which is known for its exceptional speed in IPC. The EROS confinement mechanism had been formally verified, in the process creating a general formal model for secure capability systems.

In 2000, Shapiro joined the faculty of Computer Science at Johns Hopkins University. At Hopkins, the goal was to show how to use the facilities provided by the EROS kernel to construct secure and defensible servers at application level. Funded by the Defense Advanced Research Projects Agency and the Air Force Research Laboratory, EROS was used as the basis for a trusted window system,^[5] a high-performance, defensible network stack,^[6] and the beginnings of a secure web browser. It was also used to explore the effectiveness of lightweight static checking.^[7] In 2003, some very challenging security issues were discovered^[8] that are intrinsic to any system architecture based on synchronous IPC primitives (notably including EROS and L4). Work on EROS halted in favor of Coyotos, which resolved these issues.^{[ citation needed ]}

As of 2006^[update], EROS and its successors are the only widely available capability systems that run on commodity hardware.

Status

Work on EROS and Coyotos by the original group has halted, but there is a successor system.^[4] The CapROS system is building directly from the EROS code base. CapROS is expected to be released in various commercial deployments.^{[ citation needed ]}

Related Research Articles

GNU Hurd is a collection of microkernel servers written as part of GNU, for the GNU Mach microkernel. It has been under development since 1990 by the GNU Project of the Free Software Foundation, designed as a replacement for the Unix kernel, and released as free software under the GNU General Public License. When the Linux kernel proved to be a viable solution, development of GNU Hurd slowed, at times alternating between stasis and renewed activity and interest.

Microkernel Kernel that provides fewer services than a traditional kernel

In computer science, a microkernel is the near-minimum amount of software that can provide the mechanisms needed to implement an operating system (OS). These mechanisms include low-level address space management, thread management, and inter-process communication (IPC).

Mach is a kernel developed at Carnegie Mellon University by Richard Rashid and Avie Tevanian to support operating system research, primarily distributed and parallel computing. Mach is often mentioned as one of the earliest examples of a microkernel. However, not all versions of Mach are microkernels. Mach's derivatives are the basis of the operating system kernel in GNU Hurd and of Apple's XNU kernel used in macOS, iOS, iPadOS, tvOS, and watchOS.

The trusted computing base (TCB) of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system. By contrast, parts of a computer system outside the TCB must not be able to misbehave in a way that would leak any more privileges than are granted to them in accordance to the security policy.

QNX is a commercial Unix-like real-time operating system, aimed primarily at the embedded systems market. QNX was one of the first commercially successful microkernel operating systems.

L4 is a family of second-generation microkernels, used to implement a variety of types of operating systems (OS), though mostly for Unix-like, Portable Operating System Interface (POSIX) compliant types.

Inter-process communication How computer operating systems enable data sharing

In computer science, inter-process communication or interprocess communication (IPC) refers specifically to the mechanisms an operating system provides to allow the processes to manage shared data. Typically, applications can use IPC, categorized as clients and servers, where the client requests data and the server responds to client requests. Many applications are both clients and servers, as commonly seen in distributed computing.

Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses traditional UNIX permissions and Access Control Lists.

K42 is a discontinued open-source research operating system (OS) for cache-coherent 64-bit multiprocessor systems. It was developed primarily at IBM Thomas J. Watson Research Center in collaboration with the University of Toronto and University of New Mexico. The main focus of this OS is to address performance and scalability issues of system software on large-scale, shared memory, non-uniform memory access (NUMA) multiprocessing computers.

KeyKOS is a persistent, pure capability-based operating system for the IBM S/370 mainframe computers. It allows emulating the environments of VM, MVS, and Portable Operating System Interface (POSIX). It is a predecessor of the Extremely Reliable Operating System (EROS), and its successor operating systems, CapROS, and Coyotos. KeyKOS is a nanokernel-based operating system.

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or read from input devices are usually disallowed or heavily restricted.

A hybrid kernel is an operating system kernel architecture that attempts to combine aspects and benefits of microkernel and monolithic kernel architectures used in computer operating systems.

Capability-based Reliable Operating System (CapROS) is an operating system incorporating pure capability-based security. It features automatic persistence of data and processes, even across system reboots. Capability systems naturally support the principle of least authority, which improves security and fault tolerance. It is free and open-source software released under the GNU General Public License version 2 (GPLv2), and GNU Lesser General Public License version 2 (LGPLv2).

PikeOS is a commercial, hard real-time operating system (RTOS) that offers a separation kernel based hypervisor with multiple logical partition types for many other operating systems (OS), each called a GuestOS, and applications. It enables users to build certifiable smart devices for the Internet of things (IoT) according to the high quality, safety and security standards of different industries. For safety and security critical real-time applications on controller-based systems without memory management unit (MMU) but with memory protection unit (MPU) PikeOS for MPU is available.

Gernot Heiser is a Scientia Professor and the John Lions Chair for operating systems at the University of New South Wales (UNSW). He is also leader of the Software Systems Research Group (SSRG) at NICTA. In 2006, he cofounded Open Kernel Labs to commercialise his L4 microkernel technology.

JX is a microkernel operating system with both the kernel and applications implemented using the Java programming language.

A separation kernel is a type of security kernel used to simulate a distributed environment. The concept was introduced by John Rushby in a 1981 paper. Rushby proposed the separation kernel as a solution to the difficulties and problems that had arisen in the development and verification of large, complex security kernels that were intended to "provide multilevel secure operation on general-purpose multi-user systems." According to Rushby, "the task of a separation kernel is to create an environment which is indistinguishable from that provided by a physically distributed system: it must appear as if each regime is a separate, isolated machine and that information can only flow from one machine to another along known external communication lines. One of the properties we must prove of a separation kernel, therefore, is that there are no channels for information flow between regimes other than those explicitly provided."

The kernel is a computer program at the core of a computer's operating system and generally has complete control over everything in the system. It is the portion of the operating system code that is always resident in memory, and facilitates interactions between hardware and software components. A full kernel controls all hardware resources via device drivers, arbitrates conflicts between processes concerning such resources, and optimizes the utilization of common resources e.g. CPU & cache usage, file systems, and network sockets. On most systems, the kernel is one of the first programs loaded on startup. It handles the rest of startup as well as memory, peripherals, and input/output (I/O) requests from software, translating them into data-processing instructions for the central processing unit.

An embedded hypervisor is a hypervisor that supports the requirements of embedded systems.

Genode is a free and open-source software operating system (OS) framework consisting of a microkernel abstraction layer and a set of user space components. The framework is notable as one of the few open-source operating systems not derived from a proprietary OS, such as Unix. The characteristic design philosophy is that a small trusted computing base is of primary concern in a security-oriented OS.

References

↑ Shapiro, Jonathan S.; Weber, Samuel (October 29, 1999). Verifying the EROS Confinement Mechanism (Report). Archived from the original on March 3, 2016.
↑ Lee, Peter. "Proof-Carrying Code". Archived from the original on September 22, 2006.
↑ Shapiro, Jonathan (April 2, 2006). "Differences Between Coyotos and EROS: A Quick Summary". Archived from the original on 2012-07-31.
1 2 Shapiro, Jonathan S. (April 7, 2009). "Status of Coyotos". coyotos-dev (Mailing list). Archived from the original on July 24, 2014. Retrieved 16 March 2022. Active work on Coyotos stopped several months ago, and is unlikely to resume.
↑ Shapiro, Jonathan S.; Vanderburgh, John; Northup, Eric; Chizmadia, David. "Design of the EROS Trusted Window System". Archived from the original on March 3, 2016.
↑ Sinha, Anshumal; Sarat, Sandeep; Shapiro, Jonathan S. "Network Subsystems Reloaded: A High-Performance, Defensible Network Subsystem". Archived from the original on March 3, 2016.
↑ Chen, Hao; Shapiro, Jonathan S. "Using Build-Integrated Static Checking to Preserve Correctness Invariants" (PDF). Archived from the original (PDF) on March 3, 2016.
↑ Shapiro, Jonathan S. "Vulnerabilities in Synchronous IPC Designs". Archived from the original on March 3, 2016.

Journals

Lipton, R. J.; Snyder, L. (July 1977). "A Linear Time Algorithm for Deciding Subject Security". Journal of the ACM. 24 (3): 455–464.
Harrison, Michael A.; Ruzzo, W. L.; Ullman, Jeffrey D. (August 1976). "Protection in Operating Systems". Communications of the ACM. 19 (8): 461–471.

External links

EROS home page at the Wayback Machine (archived March 4, 2016)
Coyotos home page at the Wayback Machine (archived September 2, 2016)
KeyKOS home page at the Wayback Machine (archived January 4, 2016)
Jonathan Shapiro's homepage
CapROS

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Shapiro, Jonathan S.; Weber, Samuel (October 29, 1999). Verifying the EROS Confinement Mechanism (Report). Archived from the original on March 3, 2016.

[2] Lee, Peter. "Proof-Carrying Code". Archived from the original on September 22, 2006.

[3] Shapiro, Jonathan (April 2, 2006). "Differences Between Coyotos and EROS: A Quick Summary". Archived from the original on 2012-07-31.

[Coyotos-4] 1 2 Shapiro, Jonathan S. (April 7, 2009). "Status of Coyotos". coyotos-dev (Mailing list). Archived from the original on July 24, 2014. Retrieved 16 March 2022. Active work on Coyotos stopped several months ago, and is unlikely to resume.

[5] Shapiro, Jonathan S.; Vanderburgh, John; Northup, Eric; Chizmadia, David. "Design of the EROS Trusted Window System". Archived from the original on March 3, 2016.

[6] Sinha, Anshumal; Sarat, Sandeep; Shapiro, Jonathan S. "Network Subsystems Reloaded: A High-Performance, Defensible Network Subsystem". Archived from the original on March 3, 2016.

[7] Chen, Hao; Shapiro, Jonathan S. "Using Build-Integrated Static Checking to Preserve Correctness Invariants" (PDF). Archived from the original (PDF) on March 3, 2016.

[8] Shapiro, Jonathan S. "Vulnerabilities in Synchronous IPC Designs". Archived from the original on March 3, 2016.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

v t e Object-capability security
Concepts	Principle of least privilege (PoLP) Confused deputy problem Ambient authority File descriptor C-list Object-capability model Capability-based security Capability-based addressing Zooko's triangle Petnames
Operating systems, kernels	Capsicum Fuchsia Genode GNOSIS → KeyKOS → EROS → CapROS Hydra iMAX 432 Midori NLTSS seL4
Programming languages	Cajita E Joe-E Joule
File systems	Tahoe-LAFS
Specialised hardware	BiiN Cambridge CAP Flex IBM System/38 Intel iAPX 432 Plessey System 250

v t e Real-time operating systems (RTOS)
Open-source	BeRTOS ChibiOS/RT Contiki eCos ERIKA Enterprise FreeRTOS FunkOS Huawei LiteOS µC/OS Mynewt Nano-RK NuttX RIOT RTAI RTEMS RTLinux RT-Thread seL4 TI-RTOS TRON Wombat Xenomai Zephyr
Proprietary	4690 OS DioneOS embOS Integrity Junos OS LynxOS MQX Nucleus RTOS OpenComRTOS OSE OS-9 OS2000 PikeOS QNX REAL/32 REX OS ScreenOS ThreadX TPF VRTX VxWorks Windows Embedded Compact
Discontinued	4680 OS ChorusOS Concurrent DOS DNIX DSOS EROS FlexOS Harmony MERT – UNIX-RT Multiuser DOS pSOS RMX RSX-11 RT-11 Sintran III Symbian THEOS Thoth UNOS VAXELN
Developers	Gordon Bell David Cheriton Dave Cutler Dan Dodge Adam Dunkels Ken Sakamura
Comparison Category