HOME

TheInfoList



OR:

Extremely Reliable Operating System (EROS) is an
operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...
developed starting in 1991 at the
University of Pennsylvania The University of Pennsylvania (also known as Penn or UPenn) is a private research university in Philadelphia. It is the fourth-oldest institution of higher education in the United States and is ranked among the highest-regarded universitie ...
, and then
Johns Hopkins University Johns Hopkins University (Johns Hopkins, Hopkins, or JHU) is a private university, private research university in Baltimore, Maryland. Founded in 1876, Johns Hopkins is the oldest research university in the United States and in the western hem ...
, and The EROS Group, LLC. Features include automatic data and process persistence, some preliminary
real-time Real-time or real time describes various operations in computing or other processes that must guarantee response times within a specified time (deadline), usually a relatively short time. A real-time process is generally one that happens in defined ...
support, and
capability-based security Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that refe ...
. EROS is purely a research operating system, and was never deployed in real world use. , development stopped in favor of a successor system,
CapROS Capability-based Reliable Operating System (CapROS) is an operating system incorporating pure capability-based security. It features automatic persistence of data and processes, even across system reboots. Capability systems naturally support th ...
.


Key concepts

The overriding goal of the EROS system (and its relatives) is to provide strong support at the operating system level for the efficient restructuring of critical applications into small communicating components. Each component can communicate with the others only through protected interfaces, and is isolated from the rest of the system. A ''protected interface'', in this context, is one that is enforced by the lowest level part of the operating system, the
kernel Kernel may refer to: Computing * Kernel (operating system), the central component of most operating systems * Kernel (image processing), a matrix used for image convolution * Compute kernel, in GPGPU programming * Kernel method, in machine learnin ...
. That is the only part of the system that can move information from one
process A process is a series or set of activities that interact to produce a result; it may occur once-only or be recurrent or periodic. Things called a process include: Business and management *Business process, activities that produce a specific se ...
to another. It also has complete control of the machine and (if properly constructed) cannot be bypassed. In EROS, the kernel-provided mechanism by which one component names and invokes the services of another is a capability, using
inter-process communication In computer science, inter-process communication or interprocess communication (IPC) refers specifically to the mechanisms an operating system provides to allow the processes to manage shared data. Typically, applications can use IPC, categori ...
(IPC). By enforcing capability-protected interfaces, the kernel ensures that all communications to a process arrive via an intentionally exported interface. It also ensures that ''no'' invocation is possible unless the invoking component holds a valid capability to the invoked component. Protection in capability systems is achieved by restricting the propagation of capabilities from one component to another, often through a security policy termed ''confinement''. Capability systems naturally promote component-based software structure. This organizational approach is similar to the programming language concept of
object-oriented programming Object-oriented programming (OOP) is a programming paradigm based on the concept of "objects", which can contain data and code. The data is in the form of fields (often known as attributes or ''properties''), and the code is in the form of pr ...
, but occurs at larger granularity and does not include the concept of
inheritance Inheritance is the practice of receiving private property, Title (property), titles, debts, entitlements, Privilege (law), privileges, rights, and Law of obligations, obligations upon the death of an individual. The rules of inheritance differ ...
. When software is restructured in this way, several benefits emerge: *The individual components are most naturally structured as event loops. Examples of systems that are commonly structured this way include
aircraft flight control system A conventional Fixed-wing aircraft, fixed-wing aircraft flight control system consists of flight control surfaces, the respective cockpit controls, connecting linkages, and the necessary operating mechanisms to control an aircraft's direction ...
s (see also DO-178B Software Considerations in Airborne Systems and Equipment Certification), and telephone switching systems (see 5ESS switch). Event-driven programming is chosen for these systems mainly because of simplicity and robustness, which are essential attributes in life-critical and mission-critical systems. *Components become smaller and individually testable, which helps to more readily isolate and identify flaws and bugs. *The isolation of each component from the others limits the scope of any damage that may occur when something goes wrong or the software misbehaves. Collectively, these benefits lead to measurably more robust and secure systems. The
Plessey System 250 Plessey System 250, also known as PP250, was the first operational computer to implement capability-based addressing, to check and balance the computation as a pure Church–Turing machine. Plessey built the systems for a British Army message r ...
was a system originally designed for use in telephony switches, which capability-based design was chosen specifically for reasons of robustness. In contrast to many earlier systems, capabilities are the ''only'' mechanism for naming and using resources in EROS, making it what is sometimes referred to as a ''pure'' capability system. In contrast,
IBM i IBM i (the ''i'' standing for ''integrated'') is an operating system developed by IBM for IBM Power Systems. It was originally released in 1988 as OS/400, as the sole operating system of the IBM AS/400 line of systems. It was renamed to i5/OS in ...
is an example of a commercially successful capability system, but it is not a pure capability system. Pure capability architectures are supported by well-tested and mature mathematical security models. These have been used to formally demonstrate that capability-based systems can be made secure if implemented correctly. The so-called "safety property" has been shown to be decidable for pure capability systems (see
Lipton Lipton is a British brand of tea, owned by Ekaterra. Lipton was also a supermarket chain in the United Kingdom, later sold to Argyll Foods, after which the company sold only tea. The company is named after its founder, Sir Thomas Lipton, who fo ...
). Confinement, which is the fundamental building block of isolation, has been formally verified to be enforceable by pure capability systems, and is reduced to practical implementation by the EROS ''constructor'' and the KeyKOS ''factory''. No comparable verification exists for any other primitive protection mechanism. There is a fundamental result in the literature showing that ''safety'' is mathematically undecidable in the general case (see HRU, but note that it is of course provable for an unbounded set of restricted cases). Of greater practical importance, safety has been shown to be ''false'' for all of the primitive protection mechanisms shipping in current commodity operating systems. Safety is a necessary precondition to successful enforcement of ''any'' security policy. In practical terms, this result means that it is not possible ''in principle'' to secure current commodity systems, but it is potentially possible to secure capability-based systems ''provided'' they are implemented with sufficient care. Neither EROS nor KeyKOS has ever been successfully penetrated, and their isolation mechanisms have never been successfully defeated by any inside attacker, but it is not known whether the two implementations were careful enough. One goal of the Coyotos project was to demonstrate that component isolation and security has been definitively achieved by applying software verification techniques. The L4.sec system, which is a successor to the
L4 microkernel family L4 is a family of second-generation microkernels, used to implement a variety of types of operating systems (OS), though mostly for Unix-like, ''Portable Operating System Interface'' (POSIX) compliant types. L4, like its predecessor microkernel ...
, is a capability-based system, and has been significantly influenced by the results of the EROS project. The influence is mutual, since the EROS work on high-performance invocation was motivated strongly by
Jochen Liedtke Jochen Liedtke (26 May 1953 – 10 June 2001) was a German computer scientist, noted for his work on microkernel operating systems, especially in creating the L4 microkernel family. Vita Education In the mid-1970s Liedtke studied for a di ...
's successes with the
L4 microkernel family L4 is a family of second-generation microkernels, used to implement a variety of types of operating systems (OS), though mostly for Unix-like, ''Portable Operating System Interface'' (POSIX) compliant types. L4, like its predecessor microkernel ...
.


History

The primary developer of EROS was Jonathan S. Shapiro. He was also the driving force behind Coyotos, which was an "evolutionary step" beyond the EROS operating system. The EROS project started in 1991 as a clean-room reconstruction of an earlier operating system,
KeyKOS KeyKOS is a persistent, pure capability-based operating system for the IBM S/370 mainframe computers. It allows emulating the environments of VM, MVS, and Portable Operating System Interface (POSIX). It is a predecessor of the Extremely Reliab ...
. KeyKOS was developed by Key Logic, Inc., and was a direct continuation of work on the earlier ''Great New Operating System In the Sky'' (
GNOSIS Gnosis is the common Greek noun for knowledge ( γνῶσις, ''gnōsis'', f.). The term was used among various Hellenistic religions and philosophies in the Greco-Roman world. It is best known for its implication within Gnosticism, where it ...
) system created by Tymshare, Inc. The circumstances surrounding Key Logic's demise in 1991 made licensing KeyKOS impractical. Since KeyKOS did not run on popular commodity processors in any case, the decision was made to reconstruct it from the publicly available documentation. By late 1992, it had become clear that processor architecture had changed significantly since the introduction of the capability idea, and it was no longer obvious that component-structured systems were practical.
Microkernel In computer science, a microkernel (often abbreviated as μ-kernel) is the near-minimum amount of software that can provide the mechanisms needed to implement an operating system (OS). These mechanisms include low-level address space management, ...
-based systems, which similarly favor large numbers of processes and IPC, were facing severe performance challenges, and it was uncertain if these could be successfully resolved. The
x86 x86 (also known as 80x86 or the 8086 family) is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel based on the Intel 8086 microprocessor and its 8088 variant. The 8086 was introd ...
architecture was clearly emerging as the dominant architecture but the expensive user/supervisor transition latency on the 386 and 486 presented serious challenges for process-based isolation. The EROS project was turning into a research effort, and moved to the
University of Pennsylvania The University of Pennsylvania (also known as Penn or UPenn) is a private research university in Philadelphia. It is the fourth-oldest institution of higher education in the United States and is ranked among the highest-regarded universitie ...
to become the focus of Shapiro's dissertation research. By 1999, a high performance implementation for the
Pentium Pentium is a brand used for a series of x86 architecture-compatible microprocessors produced by Intel. The original Pentium processor from which the brand took its name was first released on March 22, 1993. After that, the Pentium II and Pe ...
processor had been demonstrated that was directly performance competitive with the
L4 microkernel family L4 is a family of second-generation microkernels, used to implement a variety of types of operating systems (OS), though mostly for Unix-like, ''Portable Operating System Interface'' (POSIX) compliant types. L4, like its predecessor microkernel ...
, which is known for its exceptional speed in IPC. The EROS confinement mechanism had been formally verified, in the process creating a general formal model for secure capability systems. In 2000, Shapiro joined the faculty of Computer Science at Johns Hopkins University. At Hopkins, the goal was to show how to ''use'' the facilities provided by the EROS kernel to construct secure and defensible servers at application level. Funded by the
Defense Advanced Research Projects Agency The Defense Advanced Research Projects Agency (DARPA) is a research and development agency of the United States Department of Defense responsible for the development of emerging technologies for use by the military. Originally known as the Adv ...
and the
Air Force Research Laboratory The Air Force Research Laboratory (AFRL) is a scientific research organization operated by the United States Air Force Materiel Command dedicated to leading the discovery, development, and integration of aerospace warfighting technologies, pl ...
, EROS was used as the basis for a trusted window system, a high-performance, defensible network stack, and the beginnings of a secure web browser. It was also used to explore the effectiveness of lightweight static checking. In 2003, some very challenging security issues were discovered that are intrinsic to ''any'' system architecture based on synchronous IPC primitives (notably including EROS and L4). Work on EROS halted in favor of Coyotos, which resolved these issues. , EROS and its successors are the only widely available capability systems that run on commodity hardware.


Status

Work on EROS and Coyotos by the original group has halted, but there is a successor system. The
CapROS Capability-based Reliable Operating System (CapROS) is an operating system incorporating pure capability-based security. It features automatic persistence of data and processes, even across system reboots. Capability systems naturally support th ...
system is building directly from the EROS code base. CapROS is expected to be released in various commercial deployments.


See also

*
Nanokernel In computer science, a microkernel (often abbreviated as μ-kernel) is the near-minimum amount of software that can provide the mechanisms needed to implement an operating system (OS). These mechanisms include low-level address space management ...


References


Journals

# #


External links

*
Coyotos home page
at the
Wayback Machine The Wayback Machine is a digital archive of the World Wide Web founded by the Internet Archive, a nonprofit based in San Francisco, California. Created in 1996 and launched to the public in 2001, it allows the user to go "back in time" and see ...
(archived September 2, 2016) *
Jonathan Shapiro's homepage

CapROS
{{Microkernel Microkernels Real-time operating systems Capability systems